How to resolve default-route-openshift-image-registry.apps-crc.testing for podman machine

[praveenkumar]

• podman socket is associated with podman-machine instance
• podman client we run on the host which able to resolve default-route-openshift-image-registry.apps-crc.testing and podman login works as expected but when it try to push the image from podman-machine instance then default-route-openshift-image-registry.apps-crc.testing is resolve able but it resolve to 127.0.0.1 and then on the podman-machine it doesn’t see any port 80 or 443 in used. Because gvisor-tap-vsock DNS code forwards the DNS request for default-route-openshift-image-registry.apps-crc.testing to the host DNS stack since it does not know about it. Then the host DNS stack tells it it is 127.0.0.1

✗ podman machine ssh
Connecting to vm podman-machine-default. To close connection, use `~.` or `exit`

Last login: Thu Oct 26 17:18:15 2023 from 192.168.127.1

[core@localhost ~]$ podman login --tls-verify=false -u kubeadmin -p sha256~ZXNKqd_ZD6H8QJunOilCXuekkObv0gqoWbhb68oruHc default-route-openshift-image-registry.apps-crc.testing
Error: authenticating creds for "default-route-openshift-image-registry.apps-crc.testing": pinging container registry default-route-openshift-image-registry.apps-crc.testing: Get "http://default-route-openshift-image-registry.apps-crc.testing/v2/": dial tcp 127.0.0.1:80: connect: connection refused

[core@localhost ~]$ dig +short default-route-openshift-image-registry.apps-crc.testing
127.0.0.1

Question is how we should able to solve it for the users who are building the image using podman-machine instance and try to push it to openshift internal registry which expose by CRC. Some of the options we discussed on the slack internally but we want to open this discussion to broader audience to figure out best way.

• https://github.com/containers/gvisor-tap-vsock/commit/db793a53210ad35bfbb2a1bfbbdb23c026946d10 is an option to achieve this (add a default-route-openshift-image-registry.apps-crc.testing DNS entry to podman-machine internal DNS but podman's gvproxy doesn't exposes api in the host. We also need to update https://github.com/containers/gvisor-tap-vsock/blob/6271c40a27bce7900cd68d39e6b86974b2e66076/cmd/gvproxy/main.go#L290-L298 to have this api as part of listener. After that CRC daemon can update the entry if podman machine is running or PD can add if it see CRC is running.

• Another option to add default-route-openshift-image-registry.apps-crc.testing to 192.168.127.254 as part of gvproxy same way it is added for gateway.containers.internal and this way it is always part of gvproxy even crc is running or not.

• crc daemon watching for podman-machine instances, and adding the necessary DNS entries but it means if podman-machine is run after crc then again user need to perform manual step.

Workaround

Currently the work around for this situation is add 192.168.127.254 for default-route-openshift-image-registry.apps-crc.testing for podman machine instance.

$ podman machine ssh -- 'echo "192.168.127.254 default-route-openshift-image-registry.apps-crc.testing" | sudo tee -a  /etc/hosts'  

observed by some of other folks https://github.com/crc-org/crc/issues/3246

[cfergeau]

Another option, but I don't know if it's doable would be to improve gvisor-tap-vsock DNS resolution code: if a DNS request is resolved by the host and it returns 127.0.0.1, then change it to 192.168.127.254 which is the host IP from the virtual networking stack perspective.

[cfergeau]

Currently the work around for this situation is to add 192.168.127.254 for default-route-openshift-image-registry.apps-crc.testing in /etc/hosts in the podman machine instance.

As a short term workaround, could "something" do this automatically when both crc and podman-machine are used? Maybe the crc extension?

[cfergeau]

Another option, but I don't know if it's doable would be to improve gvisor-tap-vsock DNS resolution code: if a DNS request is resolved by the host and it returns 127.0.0.1, then change it to 192.168.127.254 which is the host IP from the virtual networking stack perspective.

The relevant code in gvisor-tap-vsock is https://github.com/containers/gvisor-tap-vsock/blob/c25d478e99ce5f9518901a833752c98e49405919/pkg/services/dns/dns.go#L92-L111

[dgolovin]

@cfergeau @praveenkumar should we open issue for gvisor to fix it?

[praveenkumar]

I discussed with @cfergeau and we are thinking if it is possible for crc-extenstion to run the https://github.com/crc-org/crc/issues/3897#issuecomment-1814280133 workaround for time being until we figure out better option.

BTW @dgolovin did you try the work around?

[dgolovin]

@praveenkumar it works from podman machine, but how I do the same from host OS? I started CRC instance only and I want to push image to CRC internal registry.

[praveenkumar]

it works from podman machine, but how I do the same from host OS?

host OS already have dns mapping for internal registry so it should just works. Which platfrom are you trying?

[dgolovin]

@praveenkumar I am on latest macOS Sonoma

[dgolovin]

@praveenkumar I am on Mac M1 macOS Sonoma. I do see default-route-openshift-image-registry.apps-crc.testing in hosts file along with developer console and api hosts but I cannot login into it using developer or kubadmin users.

[dgolovin]

@praveenkumar correction. I cannot login from podman desktop registries settings, but I can using 'podman login' command.

[dgolovin]

@praveenkumar it works in latest release, so I can login using podman login command, but there seems to be an issue when I try to login form podman-desktop registries page. So DNS resolution works for me now on macOS.

[praveenkumar]

@praveenkumar it works in latest release, so I can login using podman login command, but there seems to be an issue when I try to login form podman-desktop registries page. So DNS resolution works for me now on macOS.

https://github.com/crc-org/crc/issues/3897#issue-1965318439 actually describe why it is not work for podman-desktop registry page but it also have following workaround and that should work

podman machine ssh -- 'echo "192.168.127.254 default-route-openshift-image-registry.apps-crc.testing" | sudo tee -a  /etc/hosts'

[dgolovin]

@praveenkumar I am not following here. Podman Desktop registry page does not use podman login it seems to work with registry through REST api directly and it does not work.

[praveenkumar]

@praveenkumar I am not following here. Podman Desktop registry page does not use podman login it seems to work with registry through REST api directly and it does not work.

@dgolovin yes it works with API so this is what I did to add this registry to podman desktop registry option.

• Start podman machine and openshift local using podman desktop
• Once both are running successfully add open terminal and add this workaround

  podman machine ssh -- 'echo "192.168.127.254 default-route-openshift-image-registry.apps-crc.testing" | sudo tee -a  /etc/hosts'

• Open the podman desktop registry option and click Add registry
• Use default-route-openshift-image-registry.apps-crc.testing as url
  • kubeadmin as username
  • Use output of oc whoami -t as password (make sure you are logged in cluster as kubeadmin)
• You will see a invalid Certificate which means it is not trusted you should go with yes

And it is now added to PD registry window.

Let me know if still have some confusion around it.

[marcelomrwin]

thank you @praveenkumar Your guidance was essential in overcoming this problem.

[dgolovin]

@praveenkumar sorry for a loooong wait. It does work after applying workaround and I can push to crc internal image registry, but only using `podman push' command. Podman Desktop push does not work, but it is not crc issue.

Thank you @praveenkumar!

[praveenkumar]

@cfergeau should we again relook it again and finalize what should we do?

[cfergeau]

@praveenkumar it works in latest release, so I can login using podman login command, but there seems to be an issue when I try to login form podman-desktop registries page. So DNS resolution works for me now on macOS.

#3897 (comment) actually describe why it is not work for podman-desktop registry page but it also have following workaround and that should work

podman machine ssh -- 'echo "192.168.127.254 default-route-openshift-image-registry.apps-crc.testing" | sudo tee -a  /etc/hosts'

gvisor-tap-vsock also provides a DNS server/API, but gvproxy does not expose this API by default :-/ If the API was exposed, we could use

podman machine ssh -- curl http://192.168.127.1/services/dns/add -X POST -d '{"Name":".apps-crc.testing.","DefaultIP":"192.168.127.254"}'

as an alternative workaround.

[brianmolinaspring]

@praveenkumar Hello guys, are you still using the alternative option? Could this be solved in another way, can you please tell me?

[praveenkumar]

@praveenkumar Hello guys, are you still using the alternative option? Could this be solved in another way, can you please tell me?

As of now we are trying to evaluate what would be the best option to solve this without user to use this workaround. We will soon have something to share.

[brianmolinaspring]

good morning, @praveenkumar , thanks for your response, I will be attentive