Open garlick opened 1 year ago
As a data point, the kernel dmesg logs are also restricted to root. Most things I would worry about are probably logged to rank 0 only for now, but perhaps not in the future if the execution system is redone.
It's a good point that the content is pretty open ended and developers should probably not have to worry about what they might be exposing when deciding whether or not to log stuff. They should be focused on what's useful.
If we really thought this was an issue (say on a development system) we could add configuration support for enabling guest access, similar to the kernel sysctl kernel.dmesg_restrict, but it's probably not worth it. You've convinced me. I'll close this. Thanks!
That's what I was thinking, a configuration setting that admins could set on the mgmt nodes would be pretty useful probably.
Oh well it'd be easy to add. I'll reopen this and retitle.
Problem: flux dmesg involves a lot of sudoing when diagnosing a system instance. A number of services were restricted to instance owner out of an abundance of caution. Possibly this one could be opened to guests for convenience?
If necessary, we could restrict access to "local only" to give rank 0 a modicum of protection for sites that run it on a node with restricted access.
Just a thought I wanted to open for discussion.