No Internet Access for Docker containers on Debian

I installed Docker on Debian 11 but the created container does not have internet access. For example, an nginx container cannot bind to port 80 and logs show permission denied.

I checked AppArmor logs in dmesg and I saw this.

[ 1334.886165] audit: type=1400 audit(1695623693.319:93): apparmor="DENIED" operation="create" namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>" profile="docker-default" pid=5079 comm="nginx" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 1334.886170] audit: type=1400 audit(1695623693.319:94): apparmor="DENIED" operation="create" namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>" profile="docker-default" pid=5079 comm="nginx" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 1334.886193] audit: type=1400 audit(1695623693.319:95): apparmor="DENIED" operation="create" namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>" profile="docker-default" pid=5079 comm="nginx" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 1334.886196] audit: type=1400 audit(1695623693.319:96): apparmor="DENIED" operation="create" namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>" profile="docker-default" pid=5079 comm="nginx" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 1334.887506] audit: type=1400 audit(1695623693.319:97): apparmor="DENIED" operation="create" namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>" profile="docker-default" pid=5079 comm="nginx" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"

Why is it that apparmor is denying network access? I just installed Docker by following the Docker documentation.

Are you trying to install Docker in an LXD container?

This is suspicious

namespace="root//lxd-bullseye_<var-snap-lxd-common-lxd>"

Ah, yes.

In an Ubuntu LXD container everything works well but not on Debian.

Why is apparmor denying access? I didn’t change the settings of docker daemon or apparmor profiles.

Running Docker in a container is not obvious. Apparmor can have different settings on different distributions. I don’t know why it denies running docker, but the log tells nothing about the port number, only about nginx. Have you tried it in a virtual machine? Did you intentionally use a container for Docker?

I have a VPS and it’s a container basically (LXD). Is it possible to replicate the same settings apparmor has on Ubuntu on Debian too?

Making Docker work in an LXD container is important for me. I know I can go for a VM but I want Docker to work in a container as well.

If I remove Apparmor completely, all works as usual. So I want to know if any settings should be changed.

I’ve run into this issue too on an Ubuntu 20.04 LTS LXD host and Debian bullseye LXD container with docker-ce 25.0.2 after upgrading everything (the host, the container, and docker). All docker containers were being denied any networking access. It took me a while to find out what’s going on.

I resolved it by uninstalling apparmor from the LXD container. It’s not an ideal solution, but at least I could keep apparmor on the Ubuntu LXD host. Based on that, it seems the issue lies with the apparmor profile that docker creates for its containers (AppArmor security profiles for Docker | Docker Docs). Alas, I don’t have the time to explore this in more detail.
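
Added example, not part of any post in this thread: a small Python triage script for audit lines like the ones quoted above. It groups AppArmor denials by namespace, profile, command, socket family and operation, and marks profiles loaded in a child policy namespace such as the LXD one. The sample lines are constructed in the thread's format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the dmesg lines quoted in the thread
# (timestamps, pids and audit serials are made up; the last line is not a denial).
NS = "root//lxd-bullseye_<var-snap-lxd-common-lxd>"

def _denial(serial, family):
    return (f'[ 10.00000{serial}] audit: type=1400 audit(1700000000.001:{serial}): '
            f'apparmor="DENIED" operation="create" namespace="{NS}" '
            f'profile="docker-default" pid=4242 comm="nginx" family="{family}" '
            f'sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"')

SAMPLE = "\n".join([
    _denial(1, "unix"),
    _denial(2, "unix"),
    _denial(3, "inet"),
    '[ 10.000004] audit: type=1400 audit(1700000000.001:4): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="docker-default" pid=4000',
])

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def summarize(text):
    """Count denials per (namespace, profile, comm, family, operation)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d is not None:
            counts[tuple(d.get(k, "") for k in
                         ("namespace", "profile", "comm", "family", "operation"))] += 1
    return counts

def in_child_namespace(namespace):
    """True when the namespace field names a policy namespace below root."""
    return "//" in namespace

if __name__ == "__main__":
    for (ns, profile, comm, family, op), n in summarize(SAMPLE).most_common():
        nested = "child namespace" if in_child_namespace(ns) else "host namespace"
        print(f"{n}x {profile} denied {op} of {family} socket for {comm} ({nested}: {ns})")
```

On a real system the input would be the saved output of dmesg or the kernel log instead of SAMPLE.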