From 6ad10c8f395df3de3521904121757b58a9bd8618 Mon Sep 17 00:00:00 2001
From: Jamil <jamilbk@users.noreply.github.com>
Date: Tue, 5 Aug 2025 12:24:00 -0400
Subject: [PATCH] fix(ci): use etc-resolv-conf as default in headless image
 (#10126)

The headless client image we ship doesn't have systemd-resolved. By
default, if you try to run it without setting the `FIREZONE_DNS_CONTROL`
var, it will exit with an unhelpful error message that is difficult to
diagnose / debug for anyone unfamiliar to the inner workings of the
headless client:

```
Error: I/O error: No such file or directory (os error 2)

Caused by:
    No such file or directory (os error 2)

Stack backtrace:
   0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
   1: firezone_bin_shared::network_changes::imp::Worker::new_dbus::{{closure}}
   2: firezone_headless_client::main::{{closure}}
   3: tokio::runtime::runtime::Runtime::block_on
   4: firezone_headless_client::main
   5: std::sys::backtrace::__rust_begin_short_backtrace
   6: std::rt::lang_start::{{closure}}
   7: main
```

To fix this, we set `FIREZONE_DNS_CONTROL=etc-resolv-conf` for the user
inside our headless-client image.

---------

Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
---
 rust/Dockerfile                                | 4 ++--
 rust/{docker-init.sh => docker-init-client.sh} | 2 ++
 rust/docker-init-http-test-server.sh           | 3 +++
 website/src/components/Changelog/Headless.tsx  | 7 ++++++-
 4 files changed, 13 insertions(+), 3 deletions(-)
 rename rust/{docker-init.sh => docker-init-client.sh} (65%)
 create mode 100755 rust/docker-init-http-test-server.sh

diff --git a/rust/Dockerfile b/rust/Dockerfile
index 2a09a2e60..e15a8f09e 100644
--- a/rust/Dockerfile
+++ b/rust/Dockerfile
@@ -27,11 +27,11 @@ COPY ./docker-init-relay.sh ./docker-init.sh
 
 # Headless-client specific runtime base image
 FROM runtime_base AS runtime_firezone-headless-client
-COPY ./docker-init.sh ./docker-init.sh
+COPY ./docker-init-client.sh ./docker-init.sh
 
 # HTTP test server specific runtime base image
 FROM runtime_base AS runtime_http-test-server
-COPY ./docker-init.sh ./docker-init.sh
+COPY ./docker-init-http-test-server.sh ./docker-init.sh
 
 # Funnel package specific base image back into `runtime`
 ARG PACKAGE
diff --git a/rust/docker-init.sh b/rust/docker-init-client.sh
similarity index 65%
rename from rust/docker-init.sh
rename to rust/docker-init-client.sh
index 6209cf404..9a1ca539a 100755
--- a/rust/docker-init.sh
+++ b/rust/docker-init-client.sh
@@ -5,4 +5,6 @@ if [ -f "${FIREZONE_TOKEN}" ]; then
     export FIREZONE_TOKEN
 fi
 
+export FIREZONE_DNS_CONTROL=${FIREZONE_DNS_CONTROL:-"etc-resolv-conf"}
+
 exec "$@"
diff --git a/rust/docker-init-http-test-server.sh b/rust/docker-init-http-test-server.sh
new file mode 100755
index 000000000..214eb4c77
--- /dev/null
+++ b/rust/docker-init-http-test-server.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec "$@"
diff --git a/website/src/components/Changelog/Headless.tsx b/website/src/components/Changelog/Headless.tsx
index 5ede2624b..d48ba6d7d 100644
--- a/website/src/components/Changelog/Headless.tsx
+++ b/website/src/components/Changelog/Headless.tsx
@@ -9,7 +9,12 @@ export default function Headless({ os }: { os: OS }) {
   return (
     <Entries downloadLinks={downloadLinks(os)} title={title(os)}>
       {/* When you cut a release, remove any solved issues from the "known issues" lists over in `client-apps`. This must not be done when the issue's PR merges. */}
-      <Unreleased></Unreleased>
+      <Unreleased>
+        <ChangeItem pull="10126">
+          Sets <code>FIREZONE_DNS_CONTROL=etc-resolv-conf</code> by default in
+          the headless client Docker image.
+        </ChangeItem>
+      </Unreleased>
       <Entry version="1.5.2" date={new Date("2025-07-28")}>
         <ChangeItem pull="9985">
           Fixes an issue where control plane messages could be stuck forever on