apply layer permission denied #14363

Closed
NikolaMandic opened this issue Jul 2, 2015 · 5 comments

@NikolaMandic
Contributor

docker version
Client version: 1.6.1
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 97cd073
OS/Arch (client): linux/amd64
Server version: 1.6.1
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 97cd073
OS/Arch (server): linux/amd64

docker info:
Containers: 2
Images: 1
Storage Driver: devicemapper
Pool Name: docker-252:0-2507176-pool
Pool Blocksize: 65.54 kB
Backing Filesystem: extfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 308 MB
Data Space Total: 107.4 GB
Data Space Available: 107.1 GB
Metadata Space Used: 847.9 kB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.147 GB
Udev Sync Supported: true
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.88 (2014-08-05)
Execution Driver: native-0.2
Kernel Version: 3.15.5-pentoo
Operating System: Gentoo/Linux
CPUs: 4
Total Memory: 7.67 GiB
Name: pentoo
ID: CFAJ:2O5D:TBQS:YD5Z:KKFA:2M6E:QNIK:IWLH:GNMO:VSTD:CL6W:YL4E
Username: mn080202
Registry: [https://index.docker.io/v1/]
WARNING: No memory limit support
WARNING: No swap limit support

uname -a:
Linux pentoo 3.15.5-pentoo #1 SMP PREEMPT Sat Jan 3 23:42:16 UTC 2015 x86_64 Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz GenuineIntel GNU/Linux

Environment details (AWS, VirtualBox, physical, etc.):
physical

How reproducible:
always

Steps to Reproduce:

  1. install pentoo
  2. try to install docker
  3. profit!!!

Actual Results:
$ sudo docker run -it busybox bash
Unable to find image 'busybox:latest' locally
latest: Pulling from busybox
6ce2e90b0bc7: Extracting [===============> ] 360.4 kB/1.145 MB
6ce2e90b0bc7: Error downloading dependent layers
8c2e06607696: Error pulling image (latest) from busybox, ApplyLayer exit status 1 stdout: stderr: operation not permitted
cf2616975b4a: Download complete
FATA[0022] Error pulling image (latest) from busybox, ApplyLayer exit status 1 stdout: stderr: operation not permitted

Expected Results:
to work

Additional info:
happens after reinstalling, restarting, changing flags for package
it has selinux on and hardened kernel

@NikolaMandic changed the title from "apply layer" to "apply layer permission denied" on Jul 2, 2015
@NikolaMandic
Contributor Author

pentoo has chroot and mknod disabled by default; that is causing this error.
it is not really a docker issue, I was hoping somebody with internal knowledge might help with what's up with this
so enabling chroot and mknod makes it work

@thaJeztah
Member

@NikolaMandic what installation method did you use to install Docker? Perhaps the documentation for installing on Gentoo needs to be updated? https://docs.docker.com/installation/gentoolinux/

@NikolaMandic
Contributor Author

it has its own package installation software called emerge
so there is graphical manager for it called porthole that is analog to synaptic
so docker may have masked packages as dependencies
masked means marked so it cannot be installed for warning people of something
to install you need to explicitly say I want to circumvent those blocks
since gentoo is "tinkerers distro" you can pick flags how to install or compile from source
here is one way to do it with one choice of the flags
ACCEPT_KEYWORDS='~amd64' ACCEPT_LICENCE='' ACCEPT_PACKAGE='' USE="btrfs contrib device-mapper doc lxc overlay vim-syntax" emerge --getbinpkg --nospinner --verbose =app-emulation/docker-1.6.1
after that I installed aufs from sources (others give error on modded kernel it seems)
then disable mknod and chroot restriction as you would do on other linuxes
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_unix
and there you go it works now

some other people had similar issues on some other distro
apply layer function in registry uses chmod and mknod(debug output show some device stuff) it seems
and I was hoping for somebody to tell me more about internals here that could cause this error so that's why posting here
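
The comment above turns off two grsecurity chroot restrictions by hand. As an added example (not part of the thread and not Docker's own tooling), this script reports which `chroot_*` sysctls are enabled before anything is changed, so only the two named in the thread need to be relaxed. The directory comes from the `echo` commands above; `grsec_lock`, which freezes these sysctls until reboot, is assumed from grsecurity itself and is not mentioned on this page.

```shell
#!/bin/sh
# Added example: audit grsecurity chroot restrictions before relaxing any.
# The sample directory used for testing is constructed, not real host state.

# Sysctls this thread reports turning off to make layer extraction work.
THREAD_KNOBS="chroot_deny_mknod chroot_deny_unix"

# Print "<name>=<value>" for every chroot_* sysctl under directory $1.
list_chroot_knobs() {
    for f in "$1"/chroot_*; do
        [ -r "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Print the thread's sysctls that are still enabled (value 1), one per line.
blocking_knobs() {
    for k in $THREAD_KNOBS; do
        [ -r "$1/$k" ] || continue
        [ "$(cat "$1/$k")" = "1" ] && echo "$k"
    done
    return 0
}

# Succeed if grsec_lock is set (assumption: values are then read-only).
is_locked() {
    [ -r "$1/grsec_lock" ] && [ "$(cat "$1/grsec_lock")" = "1" ]
}

# Exit codes: 0 nothing blocking, 1 a restriction is on, 2 no grsecurity dir.
audit() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    [ -d "$dir" ] || { echo "no grsecurity sysctl directory at $dir"; return 2; }
    list_chroot_knobs "$dir"
    on=$(blocking_knobs "$dir")
    if [ -z "$on" ]; then
        echo "result: none of the thread's restrictions are enabled"
        return 0
    fi
    echo "result: enabled, may break layer extraction:" $on
    is_locked "$dir" && echo "note: grsec_lock=1, change requires reboot"
    return 1
}

# GRSEC_DIR is a hypothetical override so the audit can run on a copy.
audit "${GRSEC_DIR:-/proc/sys/kernel/grsecurity}" || true
```

Every other `chroot_*` line the script prints as `=1` is a restriction that stays in force after the two sysctls from the thread are set to 0.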

@thaJeztah
Member

perhaps @stevvooe can give some more insight there

@NikolaMandic
Contributor Author

well it works now so no need to trouble anyone anymore thanks anyways
