Chapter 5. Networking

5.1. DNS configuration details

5.1.1. General DNS setup

The OpenShift cluster managed by CodeReady Containers uses 2 DNS domain names, crc.testing and apps-crc.testing. The crc.testing domain is for core OpenShift services. The apps-crc.testing domain is for accessing OpenShift applications deployed on the cluster.

For example, the OpenShift API server will be exposed as api.crc.testing while the OpenShift console is accessed through console-openshift-console.apps-crc.testing. These DNS domains are served by a dnsmasq DNS container running inside the CodeReady Containers virtual machine.

Running crc setup will adjust your system DNS configuration so that it can resolve these domains. Additional checks are done to verify DNS is properly configured when running crc start.

5.1.2. Linux

On Linux, depending on your distribution, CodeReady Containers expects the following DNS configuration:

5.1.2.1. NetworkManager + systemd-resolved

This configuration is used on Fedora 33 or newer, and on Ubuntu Desktop editions.

  • CodeReady Containers expects NetworkManager to manage networking.
  • CodeReady Containers configures systemd-resolved to forward requests for the testing domain to the 192.168.130.11 DNS server. 192.168.130.11 is the IP of the CodeReady Containers virtual machine.
  • systemd-resolved configuration is done through a NetworkManager dispatcher script in /etc/NetworkManager/dispatcher.d/99-crc.sh:

    #!/bin/sh
    resolvectl domain crc ~testing
    resolvectl dns crc 192.168.130.11
    resolvectl default-route crc false
    
    exit 0
Note

systemd-resolved is also available as an unsupported Technology Preview on Red Hat Enterprise Linux and CentOS 8.3. After configuring the host to use systemd-resolved, any CodeReady Containers dnsmasq configurations need to be removed and the above script needs to be created with executable permissions.

Configure the CodeReady Containers binary to skip startup checks for dnsmasq and NetworkManager configuration:

$ crc config set skip-check-crc-dnsmasq-file true
$ crc config set skip-check-network-manager-config true

5.1.2.2. NetworkManager + dnsmasq

This configuration is used on Fedora 32 or older, on Red Hat Enterprise Linux, and on CentOS.

  • CodeReady Containers expects NetworkManager to manage networking.
  • NetworkManager uses dnsmasq through the /etc/NetworkManager/conf.d/crc-nm-dnsmasq.conf configuration file.
  • The configuration file for this dnsmasq instance is /etc/NetworkManager/dnsmasq.d/crc.conf:

    server=/crc.testing/192.168.130.11
    server=/apps-crc.testing/192.168.130.11
    • The NetworkManager dnsmasq instance forwards requests for the crc.testing and apps-crc.testing domains to the 192.168.130.11 DNS server.

5.1.3. macOS

On macOS, CodeReady Containers expects the following DNS configuration:

  • CodeReady Containers creates a /etc/resolver/testing file which instructs macOS to forward all DNS requests for the testing domain to the CodeReady Containers virtual machine.
  • CodeReady Containers also adds an api.crc.testing entry to /etc/hosts pointing at the VM IP address. The oc executable requires this entry. See OpenShift issue #23266 for more information.

5.2. Starting CodeReady Containers behind a proxy

Prerequisites

  • To use an existing oc executable on your host machine, export the .testing domain as part of the no_proxy environment variable.
  • The embedded oc executable does not require manual settings. For more information about using the embedded oc executable, see Accessing the OpenShift cluster with oc.

Procedure

  1. Define a proxy using the http_proxy and https_proxy environment variables or using the crc config set command as follows:

    $ crc config set http-proxy http://proxy.example.com:<port>
    $ crc config set https-proxy http://proxy.example.com:<port>
    $ crc config set no-proxy <comma-separated-no-proxy-entries>
  2. If the proxy uses a custom CA certificate file, set it as follows:

    $ crc config set proxy-ca-file <path-to-custom-ca-file>

The crc executable will be able to use the defined proxy once set through environment variables or CodeReady Containers configuration.

Note
  • Proxy-related values set in the configuration for CodeReady Containers have priority over values set through environment variables.
  • SOCKS proxies are not supported by OpenShift Container Platform.

5.3. Setting up CodeReady Containers on a remote server

Follow this procedure to configure a remote server to run a CodeReady Containers OpenShift cluster.

Note
  • It is strongly advised to perform this procedure on a local network. Exposing an insecure server on the internet comes with many security implications.
  • All of the commands in this procedure must be run on the remote server.
  • This procedure assumes the use of a Red Hat Enterprise Linux, Fedora, or CentOS server.

Prerequisites

Procedure

  1. Start the cluster:

    $ crc start

    Ensure that the cluster remains running throughout this procedure.

  2. Install the haproxy package and other utilities:

    $ sudo dnf install haproxy policycoreutils-python-utils jq
  3. Modify the firewall to allow communication with the cluster:

    $ sudo systemctl start firewalld
    $ sudo firewall-cmd --add-port=80/tcp --permanent
    $ sudo firewall-cmd --add-port=6443/tcp --permanent
    $ sudo firewall-cmd --add-port=443/tcp --permanent
    $ sudo systemctl restart firewalld
  4. For SELinux, allow listening to TCP port 6443:

    $ sudo semanage port -a -t http_port_t -p tcp 6443
  5. Create a backup of the default haproxy configuration:

    $ sudo cp /etc/haproxy/haproxy.cfg{,.bak}
  6. Configure haproxy for use with the cluster:

    $ export CRC_IP=$(crc ip)
    $ sudo tee /etc/haproxy/haproxy.cfg &>/dev/null <<EOF
    global
        debug
    
    defaults
        log global
        mode http
        timeout connect 5000
        timeout client 500000
        timeout server 500000
    
    frontend apps
        bind 0.0.0.0:80
        option tcplog
        mode tcp
        default_backend apps
    
    frontend apps_ssl
        bind 0.0.0.0:443
        option tcplog
        mode tcp
        default_backend apps_ssl
    
    backend apps
        mode tcp
        balance roundrobin
        server webserver1 $CRC_IP:80 check
    
    backend apps_ssl
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server webserver1 $CRC_IP:443 check
    
    frontend api
        bind 0.0.0.0:6443
        option tcplog
        mode tcp
        default_backend api
    
    backend api
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server webserver1 $CRC_IP:6443 check
    EOF
  7. Start the haproxy service:

    $ sudo systemctl start haproxy

5.4. Connecting to a remote CodeReady Containers instance

Follow this procedure to connect a client machine to a remote server running a CodeReady Containers OpenShift cluster.

Note
  • It is strongly advised to connect to a server that is only exposed on your local network.
  • All of the commands in this procedure must be run on the client.
  • This procedure assumes the use of a Red Hat Enterprise Linux, Fedora, or CentOS client.

Prerequisites

Procedure

  1. Install the dnsmasq package:

    $ sudo dnf install dnsmasq
  2. Enable the use of dnsmasq for DNS resolution in NetworkManager:

    $ sudo tee /etc/NetworkManager/conf.d/use-dnsmasq.conf &>/dev/null <<EOF
    [main]
    dns=dnsmasq
    EOF
  3. Add DNS entries for CodeReady Containers to the dnsmasq configuration:

    $ sudo tee /etc/NetworkManager/dnsmasq.d/external-crc.conf &>/dev/null <<EOF
    address=/apps-crc.testing/SERVER_IP_ADDRESS
    address=/api.crc.testing/SERVER_IP_ADDRESS
    EOF
    Note

    Comment out any existing entries in /etc/NetworkManager/dnsmasq.d/crc.conf. These entries are created by running a local instance of CodeReady Containers and will conflict with the entries for the remote cluster.

  4. Reload the NetworkManager service:

    $ sudo systemctl reload NetworkManager
  5. Log in to the remote cluster as the developer user with oc:

    $ oc login -u developer -p developer https://api.crc.testing:6443

    The remote OpenShift Web Console is available at https://console-openshift-console.apps-crc.testing.