Add config to disable hosts file modification

tricktron · tricktron · commit 4bac765c4c67 · 2025-10-15T22:33:47.000+02:00
This change introduces a new configuration setting 'modify-hosts-file'
that allows users to disable CRC's automatic modification of the
/etc/hosts file. The setting defaults to true to maintain backward
compatibility with existing installations.
diff --git a/pkg/crc/config/settings.go b/pkg/crc/config/settings.go
@@ -28,6 +28,7 @@ const (
 	ProxyCAFile              = "proxy-ca-file"
 	ConsentTelemetry         = "consent-telemetry"
 	EnableClusterMonitoring  = "enable-cluster-monitoring"
+	ModifyHostsFile          = "modify-hosts-file"
 	KubeAdminPassword        = "kubeadmin-password"
 	DeveloperPassword        = "developer-password"
 	Preset                   = "preset"
@@ -129,6 +130,9 @@ func RegisterSettings(cfg *Config) {
 	cfg.AddSetting(EnableClusterMonitoring, false, ValidateBool, SuccessfullyApplied,
 		"Enable cluster monitoring Operator (true/false, default: false)")
 
+	cfg.AddSetting(ModifyHostsFile, true, ValidateBool, SuccessfullyApplied,
+		"Allow CRC to modify the system hosts file (true/false, default: true)")
+
 	// Telemeter Configuration
 	cfg.AddSetting(ConsentTelemetry, "", validateYesNo, SuccessfullyApplied,
 		"Consent to collection of anonymous usage data (yes/no)")
diff --git a/pkg/crc/config/settings_test.go b/pkg/crc/config/settings_test.go
@@ -251,6 +251,9 @@ var configDefaultValuesTestArguments = []struct {
 	{
 		EnableClusterMonitoring, false,
 	},
+	{
+		ModifyHostsFile, true,
+	},
 	{
 		ConsentTelemetry, "",
 	},
@@ -331,6 +334,9 @@ var configProvidedValuesTestArguments = []struct {
 	{
 		EnableClusterMonitoring, true,
 	},
+	{
+		ModifyHostsFile, false,
+	},
 	{
 		ConsentTelemetry, "yes",
 	},
diff --git a/pkg/crc/machine/client.go b/pkg/crc/machine/client.go
@@ -64,6 +64,10 @@ func (client *client) networkMode() network.Mode {
 	return crcConfig.GetNetworkMode(client.config)
 }
 
+func (client *client) modifyHostsFile() bool {
+	return client.config.Get(crcConfig.ModifyHostsFile).AsBool()
+}
+
 func (client *client) monitoringEnabled() bool {
 	return client.config.Get(crcConfig.EnableClusterMonitoring).AsBool()
 }
diff --git a/pkg/crc/machine/start.go b/pkg/crc/machine/start.go
@@ -481,8 +481,9 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		SSHRunner: sshRunner,
 		IP:        instanceIP,
 		// TODO: should be more finegrained
-		BundleMetadata: *vm.bundle,
-		NetworkMode:    client.networkMode(),
+		BundleMetadata:  *vm.bundle,
+		NetworkMode:     client.networkMode(),
+		ModifyHostsFile: client.modifyHostsFile(),
 	}
 
 	// Run the DNS server inside the VM
@@ -506,7 +507,11 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 	logging.Info("Check DNS query from host...")
 	if err := dns.CheckCRCLocalDNSReachableFromHost(servicePostStartConfig); err != nil {
 		if !client.useVSock() {
-			return nil, errors.Wrap(err, "Failed to query DNS from host")
+			msg := "Failed to query DNS from host"
+			if !servicePostStartConfig.ModifyHostsFile {
+				msg += " (modify-hosts-file=false). Ensure your system DNS/hosts entries resolve the CRC domains."
+			}
+			return nil, errors.Wrap(err, msg)
 		}
 		logging.Warn(fmt.Sprintf("Failed to query DNS from host: %v", err))
 	}
@@ -694,7 +699,7 @@ func createHost(machineConfig config.MachineConfig, preset crcPreset.Preset) err
 		if err := cluster.GenerateUserPassword(constants.GetKubeAdminPasswordPath(), "kubeadmin"); err != nil {
 			return errors.Wrap(err, "Error generating new kubeadmin password")
 		}
-		if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0600); err != nil {
+		if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0o600); err != nil {
 			return errors.Wrap(err, "Error writing developer password")
 		}
 	}
@@ -748,7 +753,7 @@ func enableEmergencyLogin(sshRunner *crcssh.Runner) error {
 	for i := range b {
 		b[i] = charset[rand.Intn(len(charset))] //nolint
 	}
-	if err := os.WriteFile(constants.PasswdFilePath, b, 0600); err != nil {
+	if err := os.WriteFile(constants.PasswdFilePath, b, 0o600); err != nil {
 		return err
 	}
 	logging.Infof("Emergency login password for core user is stored to %s", constants.PasswdFilePath)
@@ -775,7 +780,7 @@ func updateSSHKeyPair(sshRunner *crcssh.Runner) error {
 	}
 
 	logging.Info("Updating authorized keys...")
-	err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0644)
+	err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0o644)
 	if err != nil {
 		return err
 	}
@@ -874,10 +879,10 @@ func startMicroshift(ctx context.Context, sshRunner *crcssh.Runner, ocConfig oc.
 	if _, _, err := sshRunner.RunPrivileged("Starting microshift service", "systemctl", "start", "microshift"); err != nil {
 		return err
 	}
-	if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0600); err != nil {
+	if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0o600); err != nil {
 		return err
 	}
-	if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0644); err != nil {
+	if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0o644); err != nil {
 		return err
 	}
 
@@ -895,5 +900,5 @@ func ensurePullSecretPresentInVM(sshRunner *crcssh.Runner, pullSec cluster.PullS
 	if err != nil {
 		return err
 	}
-	return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0600)
+	return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0o600)
 }
diff --git a/pkg/crc/services/dns/dns_darwin.go b/pkg/crc/services/dns/dns_darwin.go
@@ -33,8 +33,12 @@ type resolverFileValues struct {
 
 func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error {
 	// Update /etc/hosts file for host
-	if err := addOpenShiftHosts(serviceConfig); err != nil {
-		return err
+	if serviceConfig.ModifyHostsFile {
+		if err := addOpenShiftHosts(serviceConfig); err != nil {
+			return err
+		}
+	} else {
+		logging.Infof("Skipping hosts file modification")
 	}
 
 	if serviceConfig.NetworkMode == network.UserNetworkingMode {
diff --git a/pkg/crc/services/dns/dns_linux.go b/pkg/crc/services/dns/dns_linux.go
@@ -1,11 +1,18 @@
 package dns
 
 import (
+	"github.com/crc-org/crc/v2/pkg/crc/logging"
 	"github.com/crc-org/crc/v2/pkg/crc/services"
 )
 
 func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error {
 	// We might need to set the firewall here to forward
 	// Update /etc/hosts file for host
-	return addOpenShiftHosts(serviceConfig)
+	if serviceConfig.ModifyHostsFile {
+		return addOpenShiftHosts(serviceConfig)
+	} else {
+		logging.Infof("Skipping hosts file modification")
+	}
+
+	return nil
 }
diff --git a/pkg/crc/services/dns/dns_windows.go b/pkg/crc/services/dns/dns_windows.go
@@ -3,6 +3,7 @@ package dns
 import (
 	"fmt"
 
+	"github.com/crc-org/crc/v2/pkg/crc/logging"
 	"github.com/crc-org/crc/v2/pkg/crc/network"
 	"github.com/crc-org/crc/v2/pkg/crc/services"
 )
@@ -11,5 +12,12 @@ func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error {
 	if serviceConfig.NetworkMode != network.UserNetworkingMode {
 		return fmt.Errorf("only user-mode networking is supported on Windows")
 	}
-	return addOpenShiftHosts(serviceConfig)
+
+	if serviceConfig.ModifyHostsFile {
+		return addOpenShiftHosts(serviceConfig)
+	} else {
+		logging.Infof("Skipping hosts file modification")
+	}
+
+	return nil
 }
diff --git a/pkg/crc/services/services.go b/pkg/crc/services/services.go
@@ -7,9 +7,10 @@ import (
 )
 
 type ServicePostStartConfig struct {
-	Name           string
-	SSHRunner      *ssh.Runner
-	BundleMetadata bundle.CrcBundleInfo
-	IP             string
-	NetworkMode    network.Mode
+	Name            string
+	SSHRunner       *ssh.Runner
+	BundleMetadata  bundle.CrcBundleInfo
+	IP              string
+	NetworkMode     network.Mode
+	ModifyHostsFile bool
 }

Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,9 @@ var configDefaultValuesTestArguments = []struct {`
`251`	`251`	`{`
`252`	`252`	`EnableClusterMonitoring, false,`
`253`	`253`	`},`
	`254`	`+ {`
	`255`	`+ ModifyHostsFile, true,`
	`256`	`+ },`
`254`	`257`	`{`
`255`	`258`	`ConsentTelemetry, "",`
`256`	`259`	`},`
`@@ -331,6 +334,9 @@ var configProvidedValuesTestArguments = []struct {`
`331`	`334`	`{`
`332`	`335`	`EnableClusterMonitoring, true,`
`333`	`336`	`},`
	`337`	`+ {`
	`338`	`+ ModifyHostsFile, false,`
	`339`	`+ },`
`334`	`340`	`{`
`335`	`341`	`ConsentTelemetry, "yes",`
`336`	`342`	`},`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@ func (client *client) networkMode() network.Mode {`
`64`	`64`	`return crcConfig.GetNetworkMode(client.config)`
`65`	`65`	`}`
`66`	`66`
	`67`	`+func (client *client) modifyHostsFile() bool {`
	`68`	`+ return client.config.Get(crcConfig.ModifyHostsFile).AsBool()`
	`69`	`+}`
	`70`	`+`
`67`	`71`	`func (client *client) monitoringEnabled() bool {`
`68`	`72`	`return client.config.Get(crcConfig.EnableClusterMonitoring).AsBool()`
`69`	`73`	`}`
Original file line number	Diff line number	Diff line change
`@@ -481,8 +481,9 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)`
`481`	`481`	`SSHRunner: sshRunner,`
`482`	`482`	`IP: instanceIP,`
`483`	`483`	`// TODO: should be more finegrained`
`484`		`- BundleMetadata: *vm.bundle,`
`485`		`- NetworkMode: client.networkMode(),`
	`484`	`+ BundleMetadata: *vm.bundle,`
	`485`	`+ NetworkMode: client.networkMode(),`
	`486`	`+ ModifyHostsFile: client.modifyHostsFile(),`
`486`	`487`	`}`
`487`	`488`
`488`	`489`	`// Run the DNS server inside the VM`
`@@ -506,7 +507,11 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)`
`506`	`507`	`logging.Info("Check DNS query from host...")`
`507`	`508`	`if err := dns.CheckCRCLocalDNSReachableFromHost(servicePostStartConfig); err != nil {`
`508`	`509`	`if !client.useVSock() {`
`509`		`- return nil, errors.Wrap(err, "Failed to query DNS from host")`
	`510`	`+ msg := "Failed to query DNS from host"`
	`511`	`+ if !servicePostStartConfig.ModifyHostsFile {`
	`512`	`+ msg += " (modify-hosts-file=false). Ensure your system DNS/hosts entries resolve the CRC domains."`
	`513`	`+ }`
	`514`	`+ return nil, errors.Wrap(err, msg)`
`510`	`515`	`}`
`511`	`516`	`logging.Warn(fmt.Sprintf("Failed to query DNS from host: %v", err))`
`512`	`517`	`}`
`@@ -694,7 +699,7 @@ func createHost(machineConfig config.MachineConfig, preset crcPreset.Preset) err`
`694`	`699`	`if err := cluster.GenerateUserPassword(constants.GetKubeAdminPasswordPath(), "kubeadmin"); err != nil {`
`695`	`700`	`return errors.Wrap(err, "Error generating new kubeadmin password")`
`696`	`701`	`}`
`697`		`- if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0600); err != nil {`
	`702`	`+ if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0o600); err != nil {`
`698`	`703`	`return errors.Wrap(err, "Error writing developer password")`
`699`	`704`	`}`
`700`	`705`	`}`
`@@ -748,7 +753,7 @@ func enableEmergencyLogin(sshRunner *crcssh.Runner) error {`
`748`	`753`	`for i := range b {`
`749`	`754`	`b[i] = charset[rand.Intn(len(charset))] //nolint`
`750`	`755`	`}`
`751`		`- if err := os.WriteFile(constants.PasswdFilePath, b, 0600); err != nil {`
	`756`	`+ if err := os.WriteFile(constants.PasswdFilePath, b, 0o600); err != nil {`
`752`	`757`	`return err`
`753`	`758`	`}`
`754`	`759`	`logging.Infof("Emergency login password for core user is stored to %s", constants.PasswdFilePath)`
`@@ -775,7 +780,7 @@ func updateSSHKeyPair(sshRunner *crcssh.Runner) error {`
`775`	`780`	`}`
`776`	`781`
`777`	`782`	`logging.Info("Updating authorized keys...")`
`778`		`- err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0644)`
	`783`	`+ err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0o644)`
`779`	`784`	`if err != nil {`
`780`	`785`	`return err`
`781`	`786`	`}`
`@@ -874,10 +879,10 @@ func startMicroshift(ctx context.Context, sshRunner *crcssh.Runner, ocConfig oc.`
`874`	`879`	`if _, _, err := sshRunner.RunPrivileged("Starting microshift service", "systemctl", "start", "microshift"); err != nil {`
`875`	`880`	`return err`
`876`	`881`	`}`
`877`		`- if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0600); err != nil {`
	`882`	`+ if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0o600); err != nil {`
`878`	`883`	`return err`
`879`	`884`	`}`
`880`		`- if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0644); err != nil {`
	`885`	`+ if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0o644); err != nil {`
`881`	`886`	`return err`
`882`	`887`	`}`
`883`	`888`
`@@ -895,5 +900,5 @@ func ensurePullSecretPresentInVM(sshRunner *crcssh.Runner, pullSec cluster.PullS`
`895`	`900`	`if err != nil {`
`896`	`901`	`return err`
`897`	`902`	`}`
`898`		`- return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0600)`
	`903`	`+ return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0o600)`
`899`	`904`	`}`