Created attachment 393840
Docker debug log

Docker fails to pull images on my system:

$ docker pull learn/tutorial
Pulling repository learn/tutorial
8dbd9e392a96: Error pulling image (latest) from learn/tutorial, ApplyLayer exit status 1 chmod /bin/mount: permission denied
FATA[0006] Error pulling image (latest) from learn/tutorial, ApplyLayer exit status 1 chmod /bin/mount: permission denied

I'll attach the debug log. It seems to fail after "Start untar layer" - normally it would display the time it took to untar.
Running as root makes no difference, the error is the same (user is part of the docker group).
Created attachment 393844
emerge --info
Are you using any extra security layers like AppArmor, SELinux, or grsecurity? The output of "docker -D info" would be helpful as well.
I'm using hardened with grsecurity, yes. Here's the output:

# docker -D info
Containers: 0
Images: 1
Storage Driver: devicemapper
 Pool Name: docker-254:3-134206-pool
 Pool Blocksize: 65.54 kB
 Data file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
 Data Space Used: 306.4 MB
 Data Space Total: 107.4 GB
 Metadata Space Used: 749.6 kB
 Metadata Space Total: 2.147 GB
 Library Version: 1.02.88 (2014-08-05)
Execution Driver: native-0.2
Kernel Version: 3.14.17-hardened-r1
Operating System: Gentoo/Linux
CPUs: 2
Total Memory: 1.954 GiB
Name: xxx
ID: Q7TY:4CLC:ZZZP:JIPZ:E67T:3KDE:MWZ7:XCGO:75QU:CP6M:BGTP:OJDA
Debug mode (server): true
Debug mode (client): true
Fds: 13
Goroutines: 14
EventsListeners: 0
Init SHA1: 5b9c3d453fb4047fa23077272130d4790e80c4da
Init Path: /usr/libexec/docker/dockerinit
Docker Root Dir: /var/lib/docker
Username: xxx
Registry: [https://index.docker.io/v1/]
@hardened we could use your help here. I cannot reproduce that on a non-hardened box.
Do you run selinux or grsec in non-learn mode? Does dmesg hit at the denial? Do you have TPE enabled?
dmesg reports:

grsec: From 127.0.0.6: denied chmod +s of /var/lib/docker/devicemapper/mnt/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/rootfs/bin/mount by /usr/bin/docker[docker:8250] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/docker[docker:11924] uid/euid:0/0 gid/egid:0/0

So it's indeed grsec interfering.
It's the chroot restrictions. The description of how to work around them (won't say fix, because the restrictions exist for a reason) is here: http://www.corsac.net/?rub=blog&post=1517
Thanks, maybe a note can be added to the ebuild when installing it on hardened. There were some further issues with missing kernel features (see bug #536546), but I got it to run now.

For pulling, I've temporarily disabled some grsecurity chroot features:

echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
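An added triage helper, not from this bug thread, Docker or grsecurity: it parses a grsec denial line of the shape quoted above into its fields, recognises the Docker ApplyLayer-in-chroot case, and names the single kernel.grsecurity chroot sysctl from the list above that the denial falls under, so an admin can see which restriction fired instead of switching off all five. Only the "chmod +s" wording is attested here; mapping other operations by the keyword in the denial message is an assumption.

```shell
#!/bin/sh
# Constructed sample input: the denial from this bug, layer id shortened,
# pids as they appear in the thread.
SAMPLE_LOG='grsec: From 127.0.0.6: denied chmod +s of /var/lib/docker/devicemapper/mnt/8dbd9e392a96/rootfs/bin/mount by /usr/bin/docker[docker:8250] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/docker[docker:11924] uid/euid:0/0 gid/egid:0/0'

# grsec_field LINE FIELD: print one field (action|path|exe|pid|parent_pid) of a
# "grsec: From <ip>: denied <action> of <path> by <exe>[<comm>:<pid>] ..., parent ..." line.
grsec_field() {
  case "$2" in
    action)     printf '%s\n' "$1" | sed -n 's|^grsec: From [^:]*: denied \(.*\) of /.*|\1|p' ;;
    path)       printf '%s\n' "$1" | sed -n 's|^grsec: .* denied .* of \(/[^ ]*\) by .*|\1|p' ;;
    exe)        printf '%s\n' "$1" | sed -n 's|.* by \([^[]*\)\[.*|\1|p' ;;
    pid)        printf '%s\n' "$1" | sed -n 's|.* by [^[]*\[[^:]*:\([0-9]*\)].*|\1|p' ;;
    parent_pid) printf '%s\n' "$1" | sed -n 's|.* parent [^[]*\[[^:]*:\([0-9]*\)].*|\1|p' ;;
  esac
}

# grsec_sysctl_for ACTION: map the denied operation to the chroot sysctl named in
# this thread. Keyword matching for anything but "chmod" is an assumption.
grsec_sysctl_for() {
  case "$1" in
    *chmod*)  echo chroot_deny_chmod ;;
    *mknod*)  echo chroot_deny_mknod ;;
    *mount*)  echo chroot_deny_mount ;;
    *chroot*) echo chroot_deny_chroot ;;
    *)        echo unknown ;;
  esac
}

# docker_layer_denial LINE: exit 0 when the denied path is inside a Docker layer
# rootfs and the acting binary is docker, i.e. the ApplyLayer case from this bug.
docker_layer_denial() {
  case "$(grsec_field "$1" path)" in /var/lib/docker/*/mnt/*/rootfs/*) ;; *) return 1 ;; esac
  case "$(grsec_field "$1" exe)" in */docker) return 0 ;; *) return 1 ;; esac
}

# triage LINE: one-line summary for a grsec denial; ignores unrelated lines.
triage() {
  case "$1" in *'grsec: '*'denied '*) ;; *) return 1 ;; esac
  if docker_layer_denial "$1"; then ctx="docker ApplyLayer chroot"; else ctx="other"; fi
  action=$(grsec_field "$1" action)
  printf '%s pid=%s parent=%s sysctl=kernel.grsecurity.%s context=%s\n' "$action" \
    "$(grsec_field "$1" pid)" "$(grsec_field "$1" parent_pid)" "$(grsec_sysctl_for "$action")" "$ctx"
}

# Stand-alone run over the sample; on a real host: dmesg | while IFS= read -r l; do triage "$l"; done
triage "$SAMPLE_LOG"
```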