From e672c988e4bdabecedcc6970b18a5880056e6eb3 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Tue, 16 Mar 2021 15:13:58 +0900
Subject: [PATCH] rootless: allow kernel.dmesg_restrict=1

When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`, bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011

Signed-off-by: Akihiro Suda
---
 pkg/rootless/mounts.go | 12 ++++++++++++
 pkg/rootless/rootless.go | 4 ----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/pkg/rootless/mounts.go b/pkg/rootless/mounts.go
index 06175a013e..67fa1f3577 100644
--- a/pkg/rootless/mounts.go
+++ b/pkg/rootless/mounts.go
@@ -37,6 +37,18 @@ func setupMounts(stateDir string) error {
 }
 }
 
+ if devKmsg, err := os.Open("/dev/kmsg"); err == nil {
+ devKmsg.Close()
+ } else {
+ // kubelet requires /dev/kmsg to be readable
+ // https://github.com/rootless-containers/usernetes/issues/204
+ // https://github.com/rootless-containers/usernetes/pull/214
+ logrus.Debugf("`kernel.dmesg_restrict` seems to be set, bind-mounting /dev/null into /dev/kmsg")
+ if err := unix.Mount("/dev/null", "/dev/kmsg", "none", unix.MS_BIND, ""); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
 
diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go
index fac671e737..d81ed00b3b 100644
--- a/pkg/rootless/rootless.go
+++ b/pkg/rootless/rootless.go
@@ -85,10 +85,6 @@ func validateSysctl() error {
 // However, the current k3s implementation has a bug that requires net.ipv4.ip_forward=1
 // https://github.com/rancher/k3s/issues/2420#issuecomment-715051120
 "net.ipv4.ip_forward": "1",
-
- // Currently, kernel.dmesg_restrict needs to be 0 to allow OOM-related messages
- // https://github.com/rootless-containers/usernetes/issues/204
- "kernel.dmesg_restrict": "0",
 }
 for key, expectedValue := range expected {
 if actualValue, err := readSysctl(key); err == nil {
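Review bot: The `else` branch added to setupMounts runs on any `os.Open("/dev/kmsg")` failure, not only the permission error that `kernel.dmesg_restrict=1` produces, so a missing device node or any other fault is also logged as a sysctl guess and handled by mounting over the path. Narrowing the branch to `} else if os.IsPermission(err) {` keeps the workaround to the case the commit message describes; what the remaining open errors should do is left for the author to decide. Masking /dev/kmsg with /dev/null presumably leaves the kubelet with an empty kernel log (the comment removed from rootless.go ties this sysctl to OOM-related messages), yet that is announced only at debug level, and `logrus.Warn("/dev/kmsg is not readable, bind-mounting /dev/null over it; kernel messages will not be visible in this namespace")` would make the loss visible to operators. The `unix.Mount` error is returned bare, so a caller cannot tell which mount failed; wrapping it with the source and target paths would help. setupMounts begins above the hunk, so how its other mounts report errors is not visible here.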