Allow for port override/reassignment when port 80 (or 22) is used by a local service on Windows

[ba31]

Window OS already consuming the port 80 for system services . Is there any way to change or proxy the port for CRC to start without disabling HTTP services in windows ? If I temp disable HTTP service , CRC runs perfectly fine but can not leave the HTTP service disable or I need to build CRC inside the VM to get through this ?

General information

• OS: Windows
• Hypervisor: Hyper-V
• Did you run crc setup before starting it :Yes
• Running CRC on: Laptop

CRC version

CodeReady Containers version: 1.32.1+4d40571f
OpenShift version: 4.8.5 (bundle installed at C:\Program Files\CodeReady Containers\crc_hyperv_4.8.5.crcbundle)

CRC status

EBU CodeReady Containers version: 1.32.1+4d40571f
DEBU OpenShift version: 4.8.5 (bundle installed at C:\Program Files\CodeReady Containers\crc_hyperv_4.8.5.crcbundle)
DEBU Running 'crc status'
DEBU Checking file: C:\Users\crcuser\.crc\machines\crc\.crc-exist
DEBU Checking file: C:\Users\crcuser\.crc\machines\crc\.crc-exist
DEBU Running 'Hyper-V\Get-VM crc | Select-Object -ExpandProperty State'
CRC VM:          Stopped
OpenShift:       Stopped (v4.8.5)
Disk Usage:      0B of 0B (Inside the CRC VM)
Cache Usage:     14.13GB
Cache Directory: C:\Users\crcuser\.crc\cache

CRC config

- consent-telemetry                     : no

Steps to reproduce

1. Windows Machine enabled with HTTP Service and port 80 is consumed by the system process
2. execute crc start

Expected

crc start process to complete

Actual

PS C:\Users\crcuser> crc start
INFO Checking if running in a shell with administrator rights
INFO Checking Windows 10 release
INFO Checking Windows edition
INFO Checking if Hyper-V is installed and operational
INFO Checking if crc-users group exists
INFO Checking if current user is in Hyper-V Admins group
INFO Checking if Hyper-V service is enabled
INFO Checking if the Hyper-V virtual switch exists
INFO Found Virtual Switch to use: crc
INFO Checking if vsock is correctly configured
INFO Starting CodeReady Containers VM for OpenShift 4.8.5...
failed to expose port :80 -> 192.168.127.2:80: listen tcp :80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

[gbraad]

We have been considering to use a prefix or port override, but so far haven't been able to work on this.
Port 80 is used by IIS if enabled. Workaround would be to resign IIS to another port for now.

[gbraad]

The error comes from:

https://github.com/code-ready/crc/blob/2d638593ed3dadd008236f5a4e7c8fc03a682cf3/pkg/crc/machine/vsock.go#L29-L31

which means the port.local can be specified with either an offset/prefix value, such as: a config portOffset = 40000 which would result in 40080 as the http port. Or a specific config override for 80 => 40080 to achieve the same.

The current options are given as:

https://github.com/code-ready/crc/blob/2d638593ed3dadd008236f5a4e7c8fc03a682cf3/pkg/crc/machine/vsock.go#L45-L51

and used here:

https://github.com/code-ready/crc/blob/2d638593ed3dadd008236f5a4e7c8fc03a682cf3/pkg/crc/machine/vsock.go#L53-L72

[ba31]

If I change the port number in vsock.go , will it work ? or you have already have plan to release custom option ?

[gbraad]

You can try to build your own version, but we are discussing what to do to address this. We are not sure what will happen to the address that are being used when an alternative port is used; a possible rewrite is needed? In short, we need to test this.

[gbraad]

@anjannath would you be willing to have a look at this after your PTO? I'll catch up with you soon to explain what we talked about.

[gbraad]

On Windows port 443 (and 80) might be claimed by the Worldwide Web Publishing service (IIS) or Work Folders. We either need to document this as a known issue (and solution to disable), or implement alternative ports.

[anjannath]

@anjannath would you be willing to have a look at this after your PTO? I'll catch up with you soon to explain what we talked about.

@gbraad apologies, i completely missed the comment, yes I'd like to take a look this, for now we can point users here and this serves as a known issue, and we can work on implementing an solution to this like suggested like binding to an alternative IP:PORT

[gbraad]

Perhaps document this also ?

[Malmasoud0]

hello guys, has anyone figured this out yet? thanks a lot

[brian316]

We have been considering to use a prefix or port override, but so far haven't been able to work on this. Port 80 is used by IIS if enabled. Workaround would be to resign IIS to another port for now.

disable IIS or stop the service to open up the port. Also recommend a program called TCPView to see which ports are bound

[Malmasoud0]

Thanks guys. I resolved it by issuing the following command in Powershelll which does you say stop iis services:
netsh http add iplisten ipaddress=::

[radaviko]

Are there any updates to the modification to crc/pkg/crc/machine/vsock.go file and Sprint 208 release that was mentioned above, please?. In our case it's not IIS but a different process.

C:\Program Files\Red Hat OpenShift Local>crc.exe start --log-level debug
DEBU CRC version: 2.7.1+8b30b973
DEBU OpenShift version: 4.11.0
DEBU Podman version: 4.1.1
DEBU Running 'crc start'

It fails with error when I attempt to start the instance

DEBU Running '(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").EditionID'
failed to expose port :80 -> 192.168.127.2:80: listen tcp :80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

Windows OS already consuming the port 80 for system services. Is there any way to change or proxy the port for CRC to start without using port 80?

C:\Program Files\Red Hat OpenShift Local>netstat -ano | findstr 80
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4800

Please advise of a resolution as port 80/443 is used by Windows and I cannot start the CRC instance.

[dobraalkan]

1. Go to "Start" --> "Control Panel"
2. Click on "Windows Firewall"
3. Inside Windows Firewall, click on "Allow a program or feature through Windows Firewall"
4. Now inside of Allow Programs, Click on the "Change Settings" button. Once you click on the Change Settings button, the "Allow another program..." button gets enabled.
5. When you click on the "Allow another program..." button, a new dialog box will appear.
6. Click "Browse" button and find "crc.exe" and "Add" button.
7. Click OK, and restart your machine.

[EBoiSha]

Same question as as radaviko. In my case, Windows 10 ntoskrnl.exe is running and using port 80. Reading about what this component is about I think it's a bad idea to deactivate it. Let me try to disable IIS

[anjannath]

@EBoiSha Newer CRC versions automatically uses a different port if port 80 or 443 are already in use, this was added in #3332

If this is not working for you (CRC not automatically using a different port when 80 or 443 is in use) please create another issue with details of your setup and how to reproduce

[gbraad]

Note:

is used by Windows

means IIS is enabled. if the solution in #3332 is not sufficient, consider changing the ports using the Internet Information Services (IIS) Manager tool.