From fc8e0cd3627049e20fd00b74b4969d35a350bb13 Mon Sep 17 00:00:00 2001 From: Eugene Blikh Date: Tue, 19 May 2026 12:57:35 +0300 Subject: [PATCH] =?UTF-8?q?patches:=20ubuntu/genimg=20=E2=80=94=20move=20g?= =?UTF-8?q?uest=20DNS=20override=20to=20end=20of=20script?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- patches/builds-images-ubuntu-genimg.patch | 40 +++++++++++++++++------ 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/patches/builds-images-ubuntu-genimg.patch b/patches/builds-images-ubuntu-genimg.patch index b650510bb4241ed01bcc0b792d5c7aedb95bf6df..a4b05fbf05634e097b228a66ea845bbd38add42d 100644 --- a/patches/builds-images-ubuntu-genimg.patch +++ b/patches/builds-images-ubuntu-genimg.patch 
@@ -32,11 +32,22 @@ fail on any host that doesn't happen to satisfy their hidden assumptions. `git.srht.bigb.es`) to their *public* address. On a self-hosted forge whose public IP routes back through the user's own ISP, the worker container can't NAT-hairpin to itself and every `git clone` from a build dies with - "Couldn't connect to server". Use QEMU SLIRP's built-in DNS proxy - (`10.0.2.3`) instead: SLIRP forwards each query through the host process's - `/etc/resolv.conf`, which inside the worker container is Docker's embedded - resolver, which knows the LAN DNS — so internal hostnames resolve to the - LAN IP and the path stays entirely on-LAN. + "Couldn't connect to server". The fix is to use QEMU SLIRP's built-in DNS + proxy (`10.0.2.3`) in the *guest*: SLIRP forwards each query through the + host process's `/etc/resolv.conf`, which inside the worker container is + Docker's embedded resolver, which knows the LAN DNS — so internal hostnames + resolve to the LAN IP and the path stays entirely on-LAN. + + Subtle constraint: the script's `/mnt/etc/resolv.conf` is dual-purpose — + `chroot`'d `apt-get` reads it during debootstrap, *and* the same file is + what the booted guest uses. SLIRP's `10.0.2.3` only exists *inside* a + QEMU SLIRP guest; on the image-builder host it's unroutable, so swapping + the file early breaks `apt-get install linux-image-generic` with + "Temporary failure resolving 'archive.ubuntu.com'". Leave the public DNS + in place for the build, then overwrite `/mnt/etc/resolv.conf` with + `nameserver 10.0.2.3` at the end of the script — after all apt operations, + immediately before `sync`. This way the build still works and the booted + guest gets the SLIRP DNS proxy. Apply when refreshing the apk recipe tree on the image-builder host: 
@@ -53,12 +64,11 @@ Apply when refreshing the apk recipe tree on the image-builder host: trap cleanup EXIT if [ "$arch" = "amd64" ] -@@ -85,9 +86,8 @@ +@@ -85,9 +86,9 @@ rm -f /mnt/etc/resolv.conf --echo 'nameserver 8.8.8.8' >/mnt/etc/resolv.conf --echo 'nameserver 8.8.4.4' >>/mnt/etc/resolv.conf + echo 'nameserver 8.8.8.8' >/mnt/etc/resolv.conf + echo 'nameserver 8.8.4.4' >>/mnt/etc/resolv.conf -cat >/mnt/etc/systemd/network/25-ens3.network </mnt/etc/resolv.conf +cat >/mnt/etc/systemd/network/25-ethernet.network </mnt/etc/resolv.conf + sync
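Review bot: in the description hunk (@@ -32,11 +32,22 @@), the new text explains why the overwrite has to happen late but does not state what a baked-in `nameserver 10.0.2.3` means for the finished image. By the paragraph's own account that address exists only inside a QEMU SLIRP guest, so an image booted on any other network backend has no resolver at all. The text also says guest queries go through Docker's embedded resolver, which knows the LAN DNS. That means build guests can resolve internal LAN hostnames and reach them on-LAN. Suggest adding one sentence for each: that the image is SLIRP-only as built, and that the worker's LAN DNS view is deliberately exposed to build guests, so whoever refreshes this patch knows both are intended.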
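Review bot: in the genimg hunk (inner @@ -85,9 +86,9 @@), the `rm -f /mnt/etc/resolv.conf` guard is visible only ahead of the 8.8.8.8 / 8.8.4.4 writes, while the late write to `/mnt/etc/resolv.conf` just before `sync` has no such guard in the lines shown. All apt operations run between the two points, and a `>` redirect follows a symlink instead of replacing it. If any package installed in between turns that path into a symlink, the guest would not end up with the intended file. Suggest repeating `rm -f /mnt/etc/resolv.conf` immediately before the final write. The retained `echo 'nameserver 8.8.8.8'` and `echo 'nameserver 8.8.4.4'` lines would also benefit from a short comment in the script saying they are build-time only and are replaced at the end, because the reasoning currently lives only in the patch description.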