From “Connection Refused” to “Active”: My Journey Running RKE2 on SLES 15 ARM with an M-Series Mac


Building a Kubernetes home lab on the Apple M4 chip offers incredible performance, but it can be a significant configuration challenge. This week, I successfully set up Rancher Manager on RKE2 using SLES 15 SP4 on VirtualBox 7.

The process was a battle against SSL handshakes, disappearing network interfaces, and restrictive Mac security policies. Below is the ultimate guide to replicating this setup, including the lvh.me “DNS hack” that makes it all possible on a locked-down corporate machine.

The Environment

Hardware & Virtualization Host

  • Host Device: Apple Mac with M4 Processor (Apple Silicon/ARM64).

  • Host OS: macOS (Corporate/Locked-down environment).

  • Virtualization Software: VirtualBox 7.x (Developer Preview/Beta for Apple Silicon).

  • Networking Strategy:

    • Loopback DNS: lvh.me (wildcard DNS pointing to 127.0.0.1).

    • Port Forwarding: VirtualBox NAT engine (Mac:8443 → VM:443).

    • This allowed me to connect to my Rancher Manager from a browser on my Mac.

Virtual Machines (Guest OS)

Both VM 1 (Manager) and VM 2 (Worker) share the following base configuration:

  • Operating System: SUSE Linux Enterprise Server (SLES) 15 SP4.

  • Kernel Architecture: aarch64 (ARM 64-bit).

  • Network Manager: wicked (Manual ifcfg-eth1 configuration).

  • IP Scheme (Host-Only):

    • Manager (VM 1): 192.168.56.x

    • Worker (VM 2): 192.168.56.x (Configured via ifcfg-eth1).


Kubernetes & Rancher Prime Stack

The environment is running the latest stable releases of the Rancher “Primordial” stack:

Component             Version            Role
--------------------  -----------------  ----------------------------------------
Rancher Server        v2.13.1            Management UI & API
RKE2 (Server)         v1.28+             Kubernetes Distribution (Server)
Rancher Agent         v2.13.1            Node Registration & Management
Helm                  v3.x               Package Manager for Rancher installation
CAPI (Provisioning)   108.0.0+up0.9.0    Cluster API for lifecycle management
Rancher Turtles       108.0.1+up0.25.1   CAPI Extension for Rancher
Webhook               108.0.1+up0.9.1    Rancher Admission Webhook

The Secret Weapon: Why lvh.me?

On a locked-down Mac, you often cannot edit /etc/hosts due to System Integrity Protection (SIP) or corporate MDM. This makes it impossible to map a custom domain like rancher.local to your VM’s IP.

The Solution: lvh.me.

lvh.me is a wildcard DNS service where any subdomain (e.g., rancher.lvh.me) automatically resolves to 127.0.0.1.

  • The Logic: Your Mac browser asks the internet for rancher.lvh.me. The internet says “That’s at 127.0.0.1 (your own machine).”

  • The Bridge: By using VirtualBox Port Forwarding, we “catch” that traffic on your Mac’s localhost and tunnel it into the SLES VM. This bypasses the need for admin rights to modify system networking.


Step-by-Step Instructions: End-to-End Setup

Phase 1: VirtualBox & SLES Settings

For the M4 Mac, standard x86 VM settings will fail. Use these exact specifications:

  1. Processor: Assign at least 2 vCPUs.

  2. Network Adapter 1 (NAT): Required for internet access to pull RKE2 binaries.

  3. Network Adapter 2 (Host-Only): This is your private bridge. Under Advanced, set Promiscuous Mode to Allow All.

  4. SLES Tip: During installation, select the “Public Cloud” module to ensure all RKE2 dependencies are available.

Phase 2: SLES Network Stabilization

SLES uses the Wicked manager. You must make your interfaces persistent, or the worker node will lose its connection to the manager.

  1. Create/Edit the config: sudo vi /etc/sysconfig/network/ifcfg-eth1

  2. Add: BOOTPROTO='static', STARTMODE='auto', and IPADDR='192.168.56.3' (for Manager) or .4 (for Worker). Your IP value may differ.

  3. Apply: sudo wicked ifreload all && sudo wicked ifup eth1.

Phase 3: Install RKE2 & Rancher (VM 1)

  1. Install RKE2 Server: curl -sfL https://get.rke2.io | sudo sh -

  2. Enable the service: sudo systemctl enable --now rke2-server

  3. The Alias Fix: RKE2 installs its kubectl outside the default PATH and its kubeconfig is only readable by root, so add alias kubectl='sudo KUBECONFIG=/etc/rancher/rke2/rke2.yaml /var/lib/rancher/rke2/bin/kubectl' to your .bashrc.

Phase 4: The Locked-Down Mac DNS Hack

Since you can’t edit /etc/hosts, go to VirtualBox > VM 1 Settings > Network > Adapter 1 (NAT) > Port Forwarding:

  • Name: Rancher-UI | Protocol: TCP | Host IP: 127.0.0.1 | Host Port: 8443 | Guest Port: 443

  • Access: Open your browser to https://rancher.lvh.me:8443.
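The same NAT rule and an end-to-end check, as an added shell example that is not part of the original post. It assumes the VM is registered in VirtualBox as "VM1" and that VBoxManage and curl are on the Mac's PATH; pinning the host side to 127.0.0.1 keeps the forwarded port reachable only from the Mac itself, whereas an empty host IP makes VirtualBox listen on every host interface.

```shell
#!/bin/sh
# Added example: VirtualBox NAT port forwarding for the Rancher UI, driven from
# the Mac's terminal instead of the GUI. VM_NAME is an assumption.
VM_NAME="${VM_NAME:-VM1}"

# Build a VBoxManage --natpf rule: name,proto,hostip,hostport,guestip,guestport.
# The host IP is pinned to 127.0.0.1 so only the Mac itself can reach the port;
# an empty host IP would make VirtualBox listen on all host interfaces.
natpf_rule() {
  name=$1; host_port=$2; guest_port=$3
  printf '%s,tcp,127.0.0.1,%s,,%s' "$name" "$host_port" "$guest_port"
}

# Reject a rule that is not bound to loopback (returns 1 for "Rancher-UI,tcp,,8443,,443").
rule_is_loopback_only() {
  case "$1" in
    *,tcp,127.0.0.1,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply the rule on NAT adapter 1 (the post's "Adapter 1 (NAT)") and show what
# VirtualBox actually stored. modifyvm needs the VM powered off; use
# "VBoxManage controlvm" with the same natpf1 arguments for a running VM.
add_rancher_forward() {
  rule=$(natpf_rule Rancher-UI 8443 443)
  rule_is_loopback_only "$rule" || { echo "refusing non-loopback rule: $rule" >&2; return 1; }
  VBoxManage modifyvm "$VM_NAME" --natpf1 delete Rancher-UI 2>/dev/null || true
  VBoxManage modifyvm "$VM_NAME" --natpf1 "$rule"
  VBoxManage showvminfo "$VM_NAME" --machinereadable | grep '^Forwarding'
}

# End-to-end check: lvh.me resolves to 127.0.0.1, the forward answers, and
# Rancher's /ping endpoint replies "pong". -k is needed because Rancher's
# default certificate is self-signed; -w appends the HTTP status.
check_rancher_path() {
  curl -sk --max-time 10 -w ' HTTP %{http_code}\n' https://rancher.lvh.me:8443/ping
}

# Usage: sh rancher-forward.sh apply
if [ "${1:-}" = "apply" ]; then
  add_rancher_forward && check_rancher_path
fi
```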

Phase 5: Join the Worker Node (VM 2)

  1. Copy the registration command from the Rancher UI.

  2. The SSL Checksum: On VM 1, find the CA hash: sha256sum /var/lib/rancher/rke2/server/tls/server-ca.crt.

  3. The Fix: Run the Rancher command on VM 2, but manually ensure the CATTLE_CA_CHECKSUM environment variable is set to the value from Step 2. This prevents the “unknown authority” crash.
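An added example for the checksum step, not from the original post: on VM 2 it downloads the CA bundle Rancher serves at /cacerts, compares its sha256 against the hash obtained in Step 2, and only on a match prints the CATTLE_CA_CHECKSUM export for the registration command. The Rancher URL https://192.168.56.3 is an assumption; on a mismatch the script stops instead of registering the worker against a CA that was never verified.

```shell
#!/bin/sh
# Added example: verify the Rancher CA on VM 2 before exporting CATTLE_CA_CHECKSUM.
# RANCHER_URL is an assumption; use the URL from the Rancher registration command.
RANCHER_URL="${RANCHER_URL:-https://192.168.56.3}"

# sha256 of a PEM file as a bare hex string (sha256sum on SLES, shasum on macOS).
ca_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a PEM file against an expected checksum. Case-insensitive, so a hash
# pasted in upper case still matches; returns 1 on any mismatch.
verify_ca_checksum() {
  actual=$(ca_sha256 "$1")
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected" ]
}

# Download the CA bundle Rancher serves to agents. -k is unavoidable here (the CA
# is what we are fetching), which is exactly why the checksum comparison matters.
fetch_rancher_ca() {
  curl -sfk --max-time 10 "$RANCHER_URL/cacerts" -o "$1"
}

# Usage: eval "$(sh check_ca.sh <hash from sha256sum on VM 1>)"
# Prints the export line on success; prints nothing to stdout and exits 1 otherwise.
if [ -n "${1:-}" ]; then
  tmp=$(mktemp)
  fetch_rancher_ca "$tmp" || { echo "could not fetch $RANCHER_URL/cacerts" >&2; exit 1; }
  if verify_ca_checksum "$tmp" "$1"; then
    echo "export CATTLE_CA_CHECKSUM=$(ca_sha256 "$tmp")"
  else
    echo "CA mismatch: server sent $(ca_sha256 "$tmp"), expected $1" >&2
    rm -f "$tmp"; exit 1
  fi
  rm -f "$tmp"
fi
```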


Key Takeaways

  • lvh.me is your DNS “Get Out of Jail Free” card for corporate Macs without edit access to /etc/hosts. It’s graciously maintained by Levi Cook.

  • Wicked requires manual ifcfg files in SLES to stay stable.

  • M4 Performance is massive; once these network hurdles are cleared, your lab will run faster than most enterprise servers.

SLES 15 Post-Install Automation Script

This script automates the Wicked networking, creates the necessary directories, and sets up a permanent kubectl alias so you can manage the cluster without typing the full path every time.

#!/bin/bash
set -euo pipefail

# --- Configuration ---
ETH1_IP="192.168.56.102"   # Change this to your VM 2 IP
KUBECONFIG_PATH="/etc/rancher/rke2/rke2.yaml"
RKE2_BIN_PATH="/var/lib/rancher/rke2/bin"

echo "Starting SLES 15 Network & Path Optimization..."

# 1. Configure eth1 (Host-Only Adapter) as a persistent static interface for wicked
sudo tee /etc/sysconfig/network/ifcfg-eth1 > /dev/null <<EOF
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='$ETH1_IP'
NETMASK='255.255.255.0'
NAME='VirtualBox Host-Only eth1'
EOF

# 2. Restart Networking
sudo wicked ifreload all && sudo wicked ifup eth1

# 3. Set up persistent Bash Aliases. The alias text contains single quotes, so it
#    is appended with tee instead of being re-quoted inside a bash -c string;
#    the grep guard keeps re-runs from adding duplicate lines.
ALIAS_LINE="alias kubectl='sudo KUBECONFIG=$KUBECONFIG_PATH $RKE2_BIN_PATH/kubectl'"
grep -qxF "$ALIAS_LINE" ~/.bashrc 2>/dev/null || echo "$ALIAS_LINE" >> ~/.bashrc
sudo grep -qxF "$ALIAS_LINE" /root/.bashrc 2>/dev/null || echo "$ALIAS_LINE" | sudo tee -a /root/.bashrc > /dev/null

echo "Setup Complete! Run 'source ~/.bashrc' to begin."

Ted Jones is an architect on the Global Cloud Alliance team at SUSE focused on the Secure Container Platform domain.