From 6b59ec8a3562452ba0720e74a1476eff4c05732b Mon Sep 17 00:00:00 2001 From: Thibault Gagnaux Date: Sat, 20 Sep 2025 19:15:01 +0200 Subject: [PATCH] Add config to disable hosts file modification This change introduces a new configuration setting 'modify-hosts-file' that allows users to disable CRC's automatic modification of the /etc/hosts file. The setting defaults to true to maintain backward compatibility with existing installations. --- pkg/crc/config/settings.go | 4 ++++ pkg/crc/config/settings_test.go | 6 ++++++ pkg/crc/machine/client.go | 4 ++++ pkg/crc/machine/start.go | 23 ++++++++++++++--------- pkg/crc/services/dns/dns_darwin.go | 8 ++++++-- pkg/crc/services/dns/dns_linux.go | 9 ++++++++- pkg/crc/services/dns/dns_windows.go | 10 +++++++++- pkg/crc/services/services.go | 11 ++++++----- 8 files changed, 57 insertions(+), 18 deletions(-) diff --git a/pkg/crc/config/settings.go b/pkg/crc/config/settings.go index b8c24c5242..fccdad84d7 100644 --- a/pkg/crc/config/settings.go +++ b/pkg/crc/config/settings.go @@ -28,6 +28,7 @@ const ( ProxyCAFile = "proxy-ca-file" ConsentTelemetry = "consent-telemetry" EnableClusterMonitoring = "enable-cluster-monitoring" + ModifyHostsFile = "modify-hosts-file" KubeAdminPassword = "kubeadmin-password" DeveloperPassword = "developer-password" Preset = "preset" @@ -129,6 +130,9 @@ func RegisterSettings(cfg *Config) { cfg.AddSetting(EnableClusterMonitoring, false, ValidateBool, SuccessfullyApplied, "Enable cluster monitoring Operator (true/false, default: false)") + cfg.AddSetting(ModifyHostsFile, true, ValidateBool, SuccessfullyApplied, + "Allow CRC to modify the system hosts file (true/false, default: true)") + // Telemeter Configuration cfg.AddSetting(ConsentTelemetry, "", validateYesNo, SuccessfullyApplied, "Consent to collection of anonymous usage data (yes/no)") diff --git a/pkg/crc/config/settings_test.go b/pkg/crc/config/settings_test.go index 870f0d32dd..ffa01b730d 100644 --- a/pkg/crc/config/settings_test.go 
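Review bot: The help string added for `ModifyHostsFile` in RegisterSettings does not say what the user takes on by setting it to false. Without the hosts entries, the cluster hostnames resolve through whatever the system resolver returns, so the text should say that correct records must be supplied by the user, e.g. `"Allow CRC to modify the system hosts file (true/false, default: true); when false, the cluster hostnames must be resolvable by other means"`. Nothing visible in this patch removes entries written by an earlier start, so it may also be worth documenting that switching to false leaves existing entries in place; this needs confirming against the hosts-file code, which is outside the diff. RegisterSettings starts and ends outside the hunk.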
+++ b/pkg/crc/config/settings_test.go @@ -251,6 +251,9 @@ var configDefaultValuesTestArguments = []struct { { EnableClusterMonitoring, false, }, + { + ModifyHostsFile, true, + }, { ConsentTelemetry, "", }, @@ -331,6 +334,9 @@ var configProvidedValuesTestArguments = []struct { { EnableClusterMonitoring, true, }, + { + ModifyHostsFile, false, + }, { ConsentTelemetry, "yes", }, diff --git a/pkg/crc/machine/client.go b/pkg/crc/machine/client.go index 5c7ba59bb8..a7171210f2 100644 --- a/pkg/crc/machine/client.go +++ b/pkg/crc/machine/client.go @@ -64,6 +64,10 @@ func (client *client) networkMode() network.Mode { return crcConfig.GetNetworkMode(client.config) } +func (client *client) modifyHostsFile() bool { + return client.config.Get(crcConfig.ModifyHostsFile).AsBool() +} + func (client *client) monitoringEnabled() bool { return client.config.Get(crcConfig.EnableClusterMonitoring).AsBool() } diff --git a/pkg/crc/machine/start.go b/pkg/crc/machine/start.go index 58ee542a6b..f3a626ce14 100644 --- a/pkg/crc/machine/start.go +++ b/pkg/crc/machine/start.go @@ -481,8 +481,9 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig) SSHRunner: sshRunner, IP: instanceIP, // TODO: should be more finegrained - BundleMetadata: *vm.bundle, - NetworkMode: client.networkMode(), + BundleMetadata: *vm.bundle, + NetworkMode: client.networkMode(), + ModifyHostsFile: client.modifyHostsFile(), } // Run the DNS server inside the VM 
@@ -506,7 +507,11 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig) logging.Info("Check DNS query from host...") if err := dns.CheckCRCLocalDNSReachableFromHost(servicePostStartConfig); err != nil { if !client.useVSock() { - return nil, errors.Wrap(err, "Failed to query DNS from host") + msg := "Failed to query DNS from host" + if !servicePostStartConfig.ModifyHostsFile { + msg += " (modify-hosts-file=false). Ensure your system DNS/hosts entries resolve the CRC domains." + } + return nil, errors.Wrap(err, msg) } logging.Warn(fmt.Sprintf("Failed to query DNS from host: %v", err)) } @@ -694,7 +699,7 @@ func createHost(machineConfig config.MachineConfig, preset crcPreset.Preset) err if err := cluster.GenerateUserPassword(constants.GetKubeAdminPasswordPath(), "kubeadmin"); err != nil { return errors.Wrap(err, "Error generating new kubeadmin password") } - if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0600); err != nil { + if err = os.WriteFile(constants.GetDeveloperPasswordPath(), []byte(constants.DefaultDeveloperPassword), 0o600); err != nil { return errors.Wrap(err, "Error writing developer password") } } @@ -748,7 +753,7 @@ func enableEmergencyLogin(sshRunner *crcssh.Runner) error { for i := range b { b[i] = charset[rand.Intn(len(charset))] //nolint } - if err := os.WriteFile(constants.PasswdFilePath, b, 0600); err != nil { + if err := os.WriteFile(constants.PasswdFilePath, b, 0o600); err != nil { return err } logging.Infof("Emergency login password for core user is stored to %s", constants.PasswdFilePath) @@ -775,7 +780,7 @@ func updateSSHKeyPair(sshRunner *crcssh.Runner) error { } logging.Info("Updating authorized keys...") - err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0644) + err = sshRunner.CopyData(publicKey, "/home/core/.ssh/authorized_keys", 0o644) if err != nil { return err } 
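Review bot: In the `!client.useVSock()` branch of Start, the hint appended to `msg` ends in a full stop and is then passed to `errors.Wrap`, so (assuming the usual `message: cause` formatting) the user sees `...resolve the CRC domains.: <cause>`, and the vsock path that only logs a warning gets no hint at all. Keeping the wrap message as `"Failed to query DNS from host"` and emitting the hint once before the branch covers both paths: `if !servicePostStartConfig.ModifyHostsFile { logging.Warn("modify-hosts-file is false: make sure your system DNS or hosts entries resolve the CRC domains") }`. With the hosts entries no longer guaranteed, it is also worth confirming that `CheckCRCLocalDNSReachableFromHost` compares the answer with the instance IP rather than only checking that the name resolves; its body is not part of this diff. Start begins and ends outside the hunk.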
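Review bot: The emergency login password in enableEmergencyLogin is built from `rand.Intn(len(charset))` with a `//nolint` on a context line of the hunk at -748; if `rand` is math/rand, as the `Intn` name suggests, that package is documented as unsuitable for security-sensitive values. This commit only respells the file mode on the following write (`0600` to `0o600`, same value), so the generator is unchanged by it. A follow-up could draw each index from crypto/rand instead, for example `n, err := cryptorand.Int(cryptorand.Reader, big.NewInt(int64(len(charset))))` with crypto/rand imported under that alias. The function starts and ends outside the hunk, so its imports and the length of `b` are not visible here.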
@@ -874,10 +879,10 @@ func startMicroshift(ctx context.Context, sshRunner *crcssh.Runner, ocConfig oc. if _, _, err := sshRunner.RunPrivileged("Starting microshift service", "systemctl", "start", "microshift"); err != nil { return err } - if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0600); err != nil { + if err := sshRunner.CopyFileFromVM(fmt.Sprintf("/var/lib/microshift/resources/kubeadmin/api%s/kubeconfig", constants.ClusterDomain), constants.KubeconfigFilePath, 0o600); err != nil { return err } - if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0644); err != nil { + if err := sshRunner.CopyFile(constants.KubeconfigFilePath, "/opt/kubeconfig", 0o644); err != nil { return err } @@ -895,5 +900,5 @@ func ensurePullSecretPresentInVM(sshRunner *crcssh.Runner, pullSec cluster.PullS if err != nil { return err } - return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0600) + return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0o600) } diff --git a/pkg/crc/services/dns/dns_darwin.go b/pkg/crc/services/dns/dns_darwin.go index 4105af8101..44fcfd37b7 100644 --- a/pkg/crc/services/dns/dns_darwin.go +++ b/pkg/crc/services/dns/dns_darwin.go @@ -33,8 +33,12 @@ type resolverFileValues struct { func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error { // Update /etc/hosts file for host - if err := addOpenShiftHosts(serviceConfig); err != nil { - return err + if serviceConfig.ModifyHostsFile { + if err := addOpenShiftHosts(serviceConfig); err != nil { + return err + } + } else { + logging.Infof("Skipping hosts file modification") } if serviceConfig.NetworkMode == network.UserNetworkingMode { diff --git a/pkg/crc/services/dns/dns_linux.go b/pkg/crc/services/dns/dns_linux.go index 5773e482d2..d301aa715b 100644 --- a/pkg/crc/services/dns/dns_linux.go 
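Review bot: In the darwin `runPostStartForOS`, only the `addOpenShiftHosts` call is gated, and the function then continues into the `serviceConfig.NetworkMode == network.UserNetworkingMode` branch whose body lies outside the hunk. Given the `resolverFileValues` type named in the hunk header, that branch presumably still writes resolver configuration, so on macOS `modify-hosts-file=false` may not mean that CRC leaves system name resolution untouched. If that is intended, a comment such as `// modify-hosts-file gates only the hosts file; the resolver setup below still runs` and a matching sentence in the setting's help text would make the scope explicit. The existing `// Update /etc/hosts file for host` comment now sits above a conditional and could be reworded accordingly.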
+++ b/pkg/crc/services/dns/dns_linux.go @@ -1,11 +1,18 @@ package dns import ( + "github.com/crc-org/crc/v2/pkg/crc/logging" "github.com/crc-org/crc/v2/pkg/crc/services" ) func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error { // We might need to set the firewall here to forward // Update /etc/hosts file for host - return addOpenShiftHosts(serviceConfig) + if serviceConfig.ModifyHostsFile { + return addOpenShiftHosts(serviceConfig) + } else { + logging.Infof("Skipping hosts file modification") + } + + return nil } diff --git a/pkg/crc/services/dns/dns_windows.go b/pkg/crc/services/dns/dns_windows.go index e7cdfd779c..b75ebd3dda 100644 --- a/pkg/crc/services/dns/dns_windows.go +++ b/pkg/crc/services/dns/dns_windows.go @@ -3,6 +3,7 @@ package dns import ( "fmt" + "github.com/crc-org/crc/v2/pkg/crc/logging" "github.com/crc-org/crc/v2/pkg/crc/network" "github.com/crc-org/crc/v2/pkg/crc/services" ) @@ -11,5 +12,12 @@ func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error { if serviceConfig.NetworkMode != network.UserNetworkingMode { return fmt.Errorf("only user-mode networking is supported on Windows") } - return addOpenShiftHosts(serviceConfig) + + if serviceConfig.ModifyHostsFile { + return addOpenShiftHosts(serviceConfig) + } else { + logging.Infof("Skipping hosts file modification") + } + + return nil } diff --git a/pkg/crc/services/services.go b/pkg/crc/services/services.go index c50614326d..8451d379b8 100644 --- a/pkg/crc/services/services.go +++ b/pkg/crc/services/services.go @@ -7,9 +7,10 @@ import ( ) type ServicePostStartConfig struct { - Name string - SSHRunner *ssh.Runner - BundleMetadata bundle.CrcBundleInfo - IP string - NetworkMode network.Mode + Name string + SSHRunner *ssh.Runner + BundleMetadata bundle.CrcBundleInfo + IP string + NetworkMode network.Mode + ModifyHostsFile bool }
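Review bot: The new body of the linux `runPostStartForOS` puts the log call in an `else` after a branch that already returns, which linters commonly flag, and calls `logging.Infof` with no format arguments; the windows hunk at -11 has the same shape and the darwin hunk uses the same `Infof` call. A guard clause on the disabled case reads more directly and keeps the normal path unindented, as sketched below. The log line could also name the setting so that a user reading the output knows why the step was skipped.

```go
func runPostStartForOS(serviceConfig services.ServicePostStartConfig) error {
	// … unchanged: firewall / hosts-file comments …
	if !serviceConfig.ModifyHostsFile {
		logging.Info("Skipping hosts file modification (modify-hosts-file=false)")
		return nil
	}
	return addOpenShiftHosts(serviceConfig)
}
```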
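Review bot: The new `ModifyHostsFile bool` field in `ServicePostStartConfig` has a zero value of false, which is the opposite of the setting's default of true. Start sets it explicitly in this patch, but any other place that builds a `ServicePostStartConfig` literal (none are visible in this diff) would silently skip the hosts file update. Either name the field for the opt-out so the zero value keeps the old behaviour, e.g. `SkipHostsFileModification bool`, or add a field comment such as `// ModifyHostsFile must be set explicitly; the zero value skips the hosts file update.`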