From ed9e560c86b8b6f835e7312d22e0df0b6ae756ee Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Wed, 3 Mar 2021 18:31:45 +0900
Subject: [PATCH] rootless: allow kernel.dmesg_restrict=1
When kernel.dmesg_restrict=1 is set, the entrypoint bind-mounts /dev/null into /dev/kmsg .
Signed-off-by: Akihiro Suda
---
 images/base/files/usr/local/bin/entrypoint | 14 +++++++-------
 site/content/docs/user/rootless.md | 10 ++++------
 2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/images/base/files/usr/local/bin/entrypoint b/images/base/files/usr/local/bin/entrypoint
index 3b60acd0a0..aed6fa3aa6 100755
--- a/images/base/files/usr/local/bin/entrypoint
+++ b/images/base/files/usr/local/bin/entrypoint
@@ -41,13 +41,6 @@ validate_userns() {
 exit 1
 fi
- local dmesg_restrict
- dmesg_restrict="$(cat /proc/sys/kernel/dmesg_restrict)"
- if [[ "${dmesg_restrict}" != "0" ]]; then
- # This ERROR can be probably demoted to WARNING after analysis of this issue: https://github.com/rootless-containers/usernetes/issues/204
- echo "ERROR: UserNS: expected kernel.dmesg_restrict to be 0, got ${dmesg_restrict}" >&2
- exit 1
- fi
 if [[ ! -f "/sys/fs/cgroup/cgroup.controllers" ]]; then
 echo "ERROR: UserNS: cgroup v2 needs to be enabled" >&2
 exit 1
@@ -312,6 +305,13 @@ fix_kmsg() {
 echo 'WARN: /dev/kmsg does not exist, nor does /dev/console!' >&2
 fi
 fi
+ if [[ -n "${userns}" ]]; then
+ if ! head -n1 /dev/kmsg >/dev/null 2>&1; then
+ echo 'WARN: UserNS: /dev/kmsg is not readable, faking with /dev/null (hint: set sysctl value "kernel.dmesg_restrict" to 0)' >&2
+ mount --bind /dev/null /dev/kmsg
+ fi
+ fi
 }
 select_iptables() {
diff --git a/site/content/docs/user/rootless.md b/site/content/docs/user/rootless.md
index 3ef0692945..142a1dbbec 100644
--- a/site/content/docs/user/rootless.md
+++ b/site/content/docs/user/rootless.md
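Review bot: The readability probe added to fix_kmsg, `head -n1 /dev/kmsg`, has to complete a read() rather than just an open(), while the permission denial that kernel.dmesg_restrict=1 produces for a process outside the initial user namespace is raised at open time; the read is more than the check needs, and if the earlier branch of this function (outside the hunk, whose warning mentions falling back to /dev/console) has pointed /dev/kmsg at the console, `head` would be reading from a terminal device and may block instead of failing. An open-only probe tests exactly the condition the warning text describes and cannot hang: `if ! true </dev/kmsg 2>/dev/null; then`. The bind mount that follows is also unchecked, so a failed `mount --bind` leaves the unreadable /dev/kmsg in place with no message; `mount --bind /dev/null /dev/kmsg || echo 'WARN: UserNS: failed to fake /dev/kmsg' >&2` makes that visible (if the script runs with errexit, this line is where a failed mount would abort node startup instead). Note that every read failure is attributed to dmesg_restrict in the warning, and that a /dev/null-backed /dev/kmsg means kubelet's OOM watcher sees no OOM kills at all — worth stating explicitly in the warning rather than only as a hint. fix_kmsg begins outside this hunk.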
@@ -6,7 +6,7 @@ menu:
 identifier: "rootless"
 weight: 3
 ---
-Starting with kind 0.11.0 and Docker 20.10, Rootless Docker can be used as the node provider of kind.
+Starting with kind 0.11.0 and Docker 20.10, [Rootless Docker](https://docs.docker.com/go/rootless/) can be used as the node provider of kind.
 Rootless Podman is not supported at the moment.
@@ -25,11 +25,6 @@ Also, depending on the host configuration, the following steps might be needed:
 Delegate=yes
 ```
-- Create `/etc/sysctl.d/99-rootless.conf` with the following content, and then run `sudo sysctl --system`:
-```
-kernel.dmesg_restrict=0
-```
-
 ## Restrictions
 The restrictions of Rootless Docker apply to kind clusters as well.
@@ -46,3 +41,6 @@ To create a kind cluster with Rootless Docker, just run:
 $ export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
 $ kind create cluster
 ```
+
+## Tips
+- To enable OOM watching, allow `dmesg` by running `sysctl -w kernel.dmesg_restrict=0`.