Chapter 5. Networking
5.1. DNS configuration details
5.1.1. General DNS setup
The OpenShift cluster managed by CodeReady Containers uses 2 DNS domain names, crc.testing
and apps-crc.testing
. The crc.testing
domain is for core OpenShift services. The apps-crc.testing
domain is for accessing OpenShift applications deployed on the cluster.
For example, the OpenShift API server will be exposed as api.crc.testing
while the OpenShift console is accessed through console-openshift-console.apps-crc.testing
. These DNS domains are served by a dnsmasq
DNS container running inside the CodeReady Containers virtual machine.
Running crc setup
will adjust your system DNS configuration so that it can resolve these domains. Additional checks are done to verify DNS is properly configured when running crc start
.
5.1.2. Linux
On Linux, depending on your distribution, CodeReady Containers expects the following DNS configuration:
5.1.2.1. NetworkManager + systemd-resolved
This configuration is used on Fedora 33 or newer, and on Ubuntu Desktop editions.
- CodeReady Containers expects NetworkManager to manage networking.
-
CodeReady Containers configures
systemd-resolved
to forward requests for thetesting
domain to the192.168.130.11
DNS server.192.168.130.11
is the IP of the CodeReady Containers virtual machine. systemd-resolved
configuration is done through a NetworkManager dispatcher script in/etc/NetworkManager/dispatcher.d/99-crc.sh
:resolvectl domain crc ~testing resolvectl dns crc 192.168.130.11 resolvectl default-route crc false exit 0
5.1.2.2. NetworkManager + dnsmasq
This configuration is used on Fedora 32 or older, on Red Hat Enterprise Linux, and on CentOS.
- CodeReady Containers expects NetworkManager to manage networking.
-
NetworkManager uses
dnsmasq
through the/etc/NetworkManager/conf.d/crc-nm-dnsmasq.conf
configuration file. The configuration file for this
dnsmasq
instance is/etc/NetworkManager/dnsmasq.d/crc.conf
:server=/crc.testing/192.168.130.11 server=/apps-crc.testing/192.168.130.11
-
The NetworkManager
dnsmasq
instance forwards requests for thecrc.testing
andapps-crc.testing
domains to the192.168.130.11
DNS server.
-
The NetworkManager
5.1.3. macOS
On macOS, CodeReady Containers expects the following DNS configuration:
-
CodeReady Containers creates a
/etc/resolver/testing
file which instructs macOS to forward all DNS requests for thetesting
domain to the CodeReady Containers virtual machine. -
CodeReady Containers also adds an
api.crc.testing
entry to/etc/hosts
pointing at the VM IP address. Theoc
executable requires this entry. See OpenShift issue #23266 for more information.
5.2. Starting CodeReady Containers behind a proxy
Prerequisites
-
To use an existing
oc
executable on your host machine, export the.testing
domain as part of theno_proxy
environment variable. -
The embedded
oc
executable does not require manual settings. For more information about using the embeddedoc
executable, see Accessing the OpenShift cluster withoc
.
Procedure
Define a proxy using the
http_proxy
andhttps_proxy
environment variables or using thecrc config set
command as follows:$ crc config set http-proxy http://proxy.example.com:<port> $ crc config set https-proxy http://proxy.example.com:<port> $ crc config set no-proxy <comma-separated-no-proxy-entries>
If the proxy uses a custom CA certificate file, set it as follows:
$ crc config set proxy-ca-file <path-to-custom-ca-file>
The crc
executable will be able to use the defined proxy once set through environment variables or CodeReady Containers configuration.
- Proxy-related values set in the configuration for CodeReady Containers have priority over values set through environment variables.
- SOCKS proxies are not supported by OpenShift Container Platform.
5.3. Setting up CodeReady Containers on a remote server
Follow this procedure to configure a remote server to run a CodeReady Containers OpenShift cluster.
- It is strongly advised to perform this procedure on a local network. Exposing an insecure server on the internet comes with many security implications.
- All of the commands in this procedure must be run on the remote server.
- This procedure assumes the use of a Red Hat Enterprise Linux, Fedora, or CentOS server.
Prerequisites
- CodeReady Containers is installed and set up on the remote server. For more information, see Installing CodeReady Containers and Setting up CodeReady Containers.
-
Your user account has
sudo
permissions on the remote server.
Procedure
Start the cluster:
$ crc start
Ensure that the cluster remains running throughout this procedure.
Install the
haproxy
package and other utilities:$ sudo dnf install haproxy policycoreutils-python-utils jq
Modify the firewall to allow communication with the cluster:
$ sudo systemctl start firewalld $ sudo firewall-cmd --add-port=80/tcp --permanent $ sudo firewall-cmd --add-port=6443/tcp --permanent $ sudo firewall-cmd --add-port=443/tcp --permanent $ sudo systemctl restart firewalld
For SELinux, allow listening to TCP port 6443:
$ sudo semanage port -a -t http_port_t -p tcp 6443
Create a backup of the default
haproxy
configuration:$ sudo cp /etc/haproxy/haproxy.cfg{,.bak}
Configure
haproxy
for use with the cluster:$ export CRC_IP=$(crc ip) $ sudo tee /etc/haproxy/haproxy.cfg &>/dev/null <<EOF global debug defaults log global mode http timeout connect 5000 timeout client 500000 timeout server 500000 frontend apps bind 0.0.0.0:80 option tcplog mode tcp default_backend apps frontend apps_ssl bind 0.0.0.0:443 option tcplog mode tcp default_backend apps_ssl backend apps mode tcp balance roundrobin server webserver1 $CRC_IP:80 check backend apps_ssl mode tcp balance roundrobin option ssl-hello-chk server webserver1 $CRC_IP:443 check frontend api bind 0.0.0.0:6443 option tcplog mode tcp default_backend api backend api mode tcp balance roundrobin option ssl-hello-chk server webserver1 $CRC_IP:6443 check EOF
Start the
haproxy
service:$ sudo systemctl start haproxy
5.4. Connecting to a remote CodeReady Containers instance
Follow this procedure to connect a client machine to a remote server running a CodeReady Containers OpenShift cluster.
- It is strongly advised to connect to a server that is only exposed on your local network.
- All of the commands in this procedure must be run on the client.
- This procedure assumes the use of a Red Hat Enterprise Linux, Fedora, or CentOS client.
Prerequisites
- A remote server is set up for the client to connect to. For more information, see Setting up CodeReady Containers on a remote server.
- NetworkManager is installed and running.
- You know the external IP address of the server.
-
You have the latest OpenShift client executable (
oc
) in your$PATH
on the client.
Procedure
Install the
dnsmasq
package:$ sudo dnf install dnsmasq
Enable the use of
dnsmasq
for DNS resolution in NetworkManager:$ sudo tee /etc/NetworkManager/conf.d/use-dnsmasq.conf &>/dev/null <<EOF [main] dns=dnsmasq EOF
Add DNS entries for CodeReady Containers to the
dnsmasq
configuration:$ sudo tee /etc/NetworkManager/dnsmasq.d/external-crc.conf &>/dev/null <<EOF address=/apps-crc.testing/SERVER_IP_ADDRESS address=/api.crc.testing/SERVER_IP_ADDRESS EOF
NoteComment out any existing entries in
/etc/NetworkManager/dnsmasq.d/crc.conf
. These entries are created by running a local instance of CodeReady Containers and will conflict with the entries for the remote cluster.Reload the NetworkManager service:
$ sudo systemctl reload NetworkManager
Log in to the remote cluster as the
developer
user withoc
:$ oc login -u developer -p developer https://api.crc.testing:6443
The remote OpenShift Web Console is available at https://console-openshift-console.apps-crc.testing.