rootless: allow kernel.dmesg_restrict=1

When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Akihiro Suda 2021-03-16 15:13:58 +09:00 committed by Brad Davidson
parent 6e8284e3d4
commit e672c988e4
2 changed files with 12 additions and 4 deletions


@ -37,6 +37,18 @@ func setupMounts(stateDir string) error {
} }
} }
if devKmsg, err := os.Open("/dev/kmsg"); err == nil {
devKmsg.Close()
} else {
// kubelet requires /dev/kmsg to be readable
// https://github.com/rootless-containers/usernetes/issues/204
// https://github.com/rootless-containers/usernetes/pull/214
logrus.Debugf("`kernel.dmesg_restrict` seems to be set, bind-mounting /dev/null into /dev/kmsg")
if err := unix.Mount("/dev/null", "/dev/kmsg", "none", unix.MS_BIND, ""); err != nil {
return err
}
}
return nil return nil
} }
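Review bot: The `else` branch after `os.Open("/dev/kmsg")` runs on any open error, yet the message blames `kernel.dmesg_restrict` without printing `err`, and it is logged only at Debug level. Once `/dev/null` is mounted over `/dev/kmsg`, kubelet presumably reads nothing from it, and the comment this commit removes from `validateSysctl` says the sysctl had to be 0 for OOM-related messages, so operators lose that signal without any visible notice. I would log the cause and the consequence at warning level, e.g. `logrus.Warnf("cannot open /dev/kmsg (%v), bind-mounting /dev/null into /dev/kmsg; kernel messages such as OOM kills will not reach kubelet", err)`. The bare `return err` from `unix.Mount` would also be easier to diagnose with context, e.g. `return fmt.Errorf("bind-mounting /dev/null into /dev/kmsg: %w", err)`, assuming `fmt` is or can be imported (the import block is not visible here). The body of `setupMounts` starts outside this hunk.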


@ -85,10 +85,6 @@ func validateSysctl() error {
// However, the current k3s implementation has a bug that requires net.ipv4.ip_forward=1 // However, the current k3s implementation has a bug that requires net.ipv4.ip_forward=1
// https://github.com/rancher/k3s/issues/2420#issuecomment-715051120 // https://github.com/rancher/k3s/issues/2420#issuecomment-715051120
"net.ipv4.ip_forward": "1", "net.ipv4.ip_forward": "1",
// Currently, kernel.dmesg_restrict needs to be 0 to allow OOM-related messages
// https://github.com/rootless-containers/usernetes/issues/204
"kernel.dmesg_restrict": "0",
} }
for key, expectedValue := range expected { for key, expectedValue := range expected {
if actualValue, err := readSysctl(key); err == nil { if actualValue, err := readSysctl(key); err == nil {