
Mounted appimages stops doh-client.service from starting #188

Description

@SpookyYomo

I believe doh-client is stat()-ing the entirety of $TMPDIR, which leads to a failure when trying to read into a folder that has been created by AppImages. Example journalctl output when I have the neovim and musescore AppImages (AppImages are mounted to $TMPDIR!) open:

Jun 18 20:36:13 framework systemd[1]: doh-client.service: Scheduled restart job, restart counter is at 1357.
Jun 18 20:36:13 framework systemd[1]: Started DNS-over-HTTPS Client.
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_musescNgiAme: Permission den>
Jun 18 20:36:13 framework (doh-client)[22998]: doh-client.service: Failed to stat() POSIX shared memory segment /dev/shm/.mount_nvim-ljPfjji: Permission den>

from journalctl; it then attempts to restart as per the systemd service.
I can't quite read Go, but after my attempt at debugging I think it probably has something to do with

_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
This often means that if I wake my machine from sleeping/hibernate, I need to close all existing appimages to have my internet work, which is quite disruptive.


Additional information:
[ ~ ] ➜ systemd-analyze cat-config systemd/system/doh-client.service
# /usr/lib/systemd/system/doh-client.service
[Unit]
Description=DNS-over-HTTPS Client
Documentation=https://github.com/m13253/dns-over-https
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
LimitNOFILE=1048576
Restart=always
RestartSec=3
Type=simple
DynamicUser=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/doh-client.service.d/override.conf
[Unit]
After=multi-user.target
StartLimitBurst=7
StartLimitIntervalSec=720

[Service]
Type=idle
Restart=always
RestartSec=20

[ ~ ] ➜ cat /etc/dns-over-https/doh-client.conf 
# DNS listen port
listen = [
    "127.0.0.1:53",
    "127.0.0.1:5380",
    "[::1]:53",
    "[::1]:5380",

    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
    # ":53",
]

# HTTP path for upstream resolver

[upstream]

# available selector: random or weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "random"

# weight should in (0, 100], if upstream_selector is random, weight will be ignored

## Google's resolver, good ECS, good DNSSEC
#[[upstream.upstream_ietf]]
#    url = "https://dns.google/dns-query"
#    weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
#[[upstream.upstream_ietf]]
#    url = "https://cloudflare-dns.com/dns-query"
#    weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
#[[upstream.upstream_ietf]]
#    url = "https://1.1.1.1/dns-query"
#    weight = 50

## DNS.SB's resolver, good ECS, good DNSSEC
## The provider claims no logging: https://dns.sb/doh/
#[[upstream.upstream_ietf]]
#    url = "https://doh.dns.sb/dns-query"
#    weight = 50

## Quad9's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
[[upstream.upstream_ietf]]
    url = "https://9.9.9.9/dns-query"
    weight = 20

[[upstream.upstream_ietf]]
    url = "https://base.dns.mullvad.net/dns-query"
    weight = 80

## CloudFlare's resolver for Tor, available only with Tor
## Remember to disable ECS below when using Tor!
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#[[upstream.upstream_ietf]]
#    url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
#    weight = 50


[others]
# Bootstrap DNS server to resolve the address of the upstream resolver
# If multiple servers are specified, a random one will be chosen each time.
# If empty, use the system DNS settings.
# If you want to preload IP addresses in /etc/hosts instead of using a
# bootstrap server, please make this list empty.
bootstrap = [

    # Google's resolver, good ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",

    # CloudFlare's resolver, bad ECS, good DNSSEC
    #"1.1.1.1:53",
    #"1.0.0.1:53",

]

# The domain names here are directly passed to bootstrap servers listed above,
# allowing captive portal detection and systems without RTC to work.
# Only effective if at least one bootstrap server is configured.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
    "networkcheck.kde.org",

    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
]

# Timeout for upstream request in seconds
timeout = 30

# Disable HTTP Cookies
#
# Cookies may be useful if your upstream resolver is protected by some
# anti-DDoS services to identify clients.
# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
# to track uesrs and is not controlled by doh-client.
no_cookies = true

# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
# the same configuration as most public DNS servers.
no_ecs = false

# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
# with an IPv4-only environment.
# Note that DNS listening and bootstrapping is not controlled by this option.
no_ipv6 = true

# Disable submitting User-Agent
#
# It is generally not recommended to disable submitting User-Agent because it
# is still possible to probe client version according to behavior differences,
# such as TLS handshaking, handling of malformed packets, and specific bugs.
# Additionally, User-Agent is an important way for the server to distinguish
# buggy, old, or insecure clients, and to workaround specific bugs.
# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
# and older Firefox.)
no_user_agent = false

# Enable logging
verbose = false

# insecure_tls_skip_verification will disable necessary TLS security verification.
# This option is designed for testing or development purposes,
# turning on this option on public Internet may cause your connection
# vulnerable to MITM attack.
insecure_tls_skip_verify = false
[ ~ ] ➜ uname -a
Linux framework 7.0.11-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 02 Jun 2026 18:26:58 +0000 x86_64 GNU/Linux
[ ~ ] ➜ pacman -Q dns-over-https 
dns-over-https 2.3.10-1
