Regression: since 1.0.0 we can no longer start a VZ instance while offline (no DNS servers configured in /etc/resolv.conf)

[jandubois]

While you typically need to be online when creating a new instance (to run apt-get etc. to install fuse or whatever), it is possible to start/stop an instance without an active network connection.

This still works with QEMU, but has been broken for VZ since the 1.0.0 release. Bisecting shows the root cause is the gvisor-tap-vsock upgrade in #2797.

ha.stderr.log:

{"level":"debug","msg":"ResolveVMType: resolved VMType \"vz\" (explicitly specified in []*LimaYAML{o,y,d}[1])","time":"2024-12-24T12:52:26-08:00"}
{"level":"debug","msg":"Creating iso file /Users/jan/.lima/default/cidata.iso","time":"2024-12-24T12:52:26-08:00"}
{"level":"debug","msg":"Using /var/folders/ds/jk3wz4n96d54wp16s0tg7d2r0000gn/T/diskfs_iso1284586756 as workspace","time":"2024-12-24T12:52:26-08:00"}
{"level":"debug","msg":"Failed to detect CPU features. Assuming that AES acceleration is available on this Apple silicon.","time":"2024-12-24T12:52:27-08:00"}
{"level":"debug","msg":"OpenSSH version 9.8.1 detected","time":"2024-12-24T12:52:27-08:00"}
{"level":"debug","msg":"AES accelerator seems available, prioritizing [email protected] and [email protected]","time":"2024-12-24T12:52:27-08:00"}
{"level":"info","msg":"hostagent socket created at /Users/jan/.lima/default/ha.sock","time":"2024-12-24T12:52:27-08:00"}
{"level":"info","msg":"Starting VZ (hint: to watch the boot progress, see \"/Users/jan/.lima/default/serial*.log\")","time":"2024-12-24T12:52:27-08:00"}
{"level":"debug","msg":"Start udp DNS listening on: 127.0.0.1:60351","time":"2024-12-24T12:52:27-08:00"}
{"level":"debug","msg":"Start tcp DNS listening on: 127.0.0.1:61522","time":"2024-12-24T12:52:27-08:00"}
{"level":"fatal","msg":"cannot add network services: no DNS servers configured in /etc/resolv.conf","time":"2024-12-24T12:52:27-08:00"}

[jandubois]

gvisor-tap-vsock v0.8.0 no longer works with an empty /etc/resolv.conf on the host.

It used to crash (containers/gvisor-tap-vsock#417) and has been "fixed" to throw an error instead (containers/gvisor-tap-vsock#420).

You are obviously limited in what you can do while offline, but you used to be able to build and run local containers, or even k8s (with imagePullPolicy: Never).

[jandubois]

I've created a PR (containers/gvisor-tap-vsock#443) that resolves the issue in my testing (using this in go.mod):

replace github.com/containers/gvisor-tap-vsock => github.com/jandubois/gvisor-tap-vsock v0.0.0-20241224225548-fc1d5abe196f

I don't know if this will be acceptable to upstream, and what our options are, if it is not.