rootless: allow kernel.dmesg_restrict=1

When kernel.dmesg_restrict=1 is set, the entrypoint bind-mounts /dev/null into /dev/kmsg . Signed-off-by: Akihiro Suda <[email protected]>
kubernetes-sigs · Mar 3, 2021 · ed9e560 · ed9e560
1 parent fd99e3c
commit ed9e560
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/images/base/files/usr/local/bin/entrypoint b/images/base/files/usr/local/bin/entrypoint
@@ -41,13 +41,6 @@ validate_userns() {
     exit 1
   fi
 
-  local dmesg_restrict
-  dmesg_restrict="$(cat /proc/sys/kernel/dmesg_restrict)"
-  if [[ "${dmesg_restrict}" != "0" ]]; then
-    # This ERROR can be probably demoted to WARNING after analysis of this issue: https://github.com/rootless-containers/usernetes/issues/204
-    echo "ERROR: UserNS: expected kernel.dmesg_restrict to be 0, got ${dmesg_restrict}" >&2
-    exit 1
-  fi
   if [[ ! -f "/sys/fs/cgroup/cgroup.controllers" ]]; then
     echo "ERROR: UserNS: cgroup v2 needs to be enabled" >&2
     exit 1
@@ -312,6 +305,13 @@ fix_kmsg() {
       echo 'WARN: /dev/kmsg does not exist, nor does /dev/console!' >&2
     fi
   fi
+
+  if [[ -n "${userns}" ]]; then
+    if ! head -n1 /dev/kmsg >/dev/null 2>&1; then
+      echo 'WARN: UserNS: /dev/kmsg is not readable, faking with /dev/null (hint: set sysctl value "kernel.dmesg_restrict" to 0)' >&2
+      mount --bind /dev/null /dev/kmsg
+    fi
+  fi
 }
 
 select_iptables() {

diff --git a/site/content/docs/user/rootless.md b/site/content/docs/user/rootless.md
@@ -6,7 +6,7 @@ menu:
     identifier: "rootless"
     weight: 3
 ---
-Starting with kind 0.11.0 and Docker 20.10, Rootless Docker can be used as the node provider of kind.
+Starting with kind 0.11.0 and Docker 20.10, [Rootless Docker](https://docs.docker.com/go/rootless/) can be used as the node provider of kind.
 
 Rootless Podman is not supported at the moment.
 
@@ -25,11 +25,6 @@ Also, depending on the host configuration, the following steps might be needed:
 Delegate=yes
 ```
 
-- Create `/etc/sysctl.d/99-rootless.conf` with the following content, and then run `sudo sysctl --system`:
-```
-kernel.dmesg_restrict=0
-```
-
 ## Restrictions
 
 The restrictions of Rootless Docker apply to kind clusters as well.
@@ -46,3 +41,6 @@ To create a kind cluster with Rootless Docker, just run:
 $ export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
 $ kind create cluster
 ```
+
+## Tips
+- To enable OOM watching, allow `dmesg` by running `sysctl -w kernel.dmesg_restrict=0`.