Changes in vendor/github.com/docker/docker should be first done in https://github.com/moby/moby repo and vendored back here.

cc @robmry @thaJeztah

We need to figure out a way for build containers to use something similar to the internal resolver used by custom bridge networks (127.0.0.11) - it proxies DNS requests from the container, making upstream requests from the host's network namespace when necessary.

(At the moment, we use addresses from the host's resolv.conf, but they may not work in the container's network namespace - including nameservers with localhost addresses like systemd's 127.0.0.53, or IPv6 nameservers in an IPv4-only build container. If there are no nameservers the container can use, we fall back to Google's DNS.)

Once that's done, we'll be able to completely get rid of the code that looks at /run/systemd/resolve/resolv.conf (and the Google DNS fallbacks, and the default-bridge network would be able to use the internal resolver, making it more like other networks).

However, once that's done, the build container will still need a special-case for host networking. (It just needs a copy of the host's resolv.conf in that case. There's no need for a DNS proxy, because there's no container namespace to escape from).

So, for this fix, it might be best to deal with that special case in executor/oci/resolvconf.go now - for host networking, just don't call resolvconf.Path and use /etc/resolv.conf? (Then, no need to update vendored code.)

That's a good idea. I've refactored the code and tested it which seems to work the same.

It's perhaps worth checking this is called with the expected netMode?

Done. I've had to move the whole block into the iterator over the network modes. Can you please check if that's okay like this?