AppArmor issue with Docker in LXD

Hi,

I know that this usually is supposed to work, but I’m having a bad time running Docker inside of LXD.

Running containers works fine, but any network connection just results in an apparmor error like this:

34954.470560] audit: type=1400 audit(1638871533.634:255559786): apparmor="DENIED" operation="create" namespace="root//lxd-loyal-bengal_<var-lib-lxd>" profile="docker-default" pid=2476443 comm="http" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

I’ve set security.nesting and the LXD container itself is not privileged.
Running a “privileged” docker container works fine (I guess then just the apparmor profile already applied by the host gets used).

I’ve already tried setting the LXD container to privileged and even setting the profile to unconfined, but I just can’t get this working.

I’m running a custom build of LXD on top of Debian Bullseye, so I have somewhat of a weird setup and might just have an issue in there, but I guess it doesn’t hurt to ask…

Any ideas where to even start looking? :confused:

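To make sense of audit lines like the one quoted above, it helps to pull the key=value fields apart and look at the namespace and profile in particular. The following is an added example written for this thread, not code from the original post or from the LXD or Docker projects: a small Python parser for kernel AppArmor (type=1400) audit records, plus a summary of DENIED entries keyed by policy namespace, profile, operation and socket type. The sample lines are constructed (the first mirrors the shape of the record in the post; the others are made up to exercise the filtering). The one interpretation it encodes is AppArmor's own naming convention: a namespace written as "root//child" means the denying profile was loaded in a child policy namespace (such as the per-container namespace LXD sets up) rather than in the host's root namespace, which is the first thing to check when a profile that works on a bare host starts denying inside a nested container.

```python
import re
from collections import Counter

# Constructed sample lines for offline testing. The first mirrors the shape of the
# audit record quoted in the thread; the other two are invented to exercise filtering.
SAMPLE_LINES = [
    '[34954.470560] audit: type=1400 audit(1638871533.634:255559786): '
    'apparmor="DENIED" operation="create" '
    'namespace="root//lxd-loyal-bengal_<var-lib-lxd>" profile="docker-default" '
    'pid=2476443 comm="http" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="create" denied_mask="create" addr=none',
    '[34954.470561] audit: type=1400 audit(1638871533.634:255559787): '
    'apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="docker-default" pid=2476440 comm="apparmor_parser"',
    '[34954.470562] eth0: Link is Up - 1Gbps/Full',
]

# One key=value pair; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line):
    """Parse one kernel AppArmor audit line into a dict of its key=value fields.

    Returns None for lines that are not AppArmor audit records.
    """
    if 'apparmor=' not in line:
        return None
    fields = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_nested_namespace(fields):
    """True when the policy namespace is a child of root, e.g. "root//lxd-<name>_<path>".

    That means the denying profile lives in a container's own AppArmor namespace,
    not on the host, so host-side profile edits will not change the outcome.
    """
    return '//' in fields.get('namespace', '')


def summarize_denials(lines):
    """Count DENIED records by (namespace, profile, operation, family/sock_type)."""
    counts = Counter()
    for line in lines:
        fields = parse_apparmor_audit(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        sock = '{}/{}'.format(fields.get('family', '-'), fields.get('sock_type', '-'))
        key = (fields.get('namespace', 'root'), fields.get('profile', '?'),
               fields.get('operation', '?'), sock)
        counts[key] += 1
    return counts


if __name__ == '__main__':
    # Typical use: pipe `dmesg` or `journalctl -k` output in, one record per line.
    for (ns, profile, op, sock), n in summarize_denials(SAMPLE_LINES).items():
        where = 'nested namespace' if '//' in ns else 'host namespace'
        print('{:>3}x {} denied {} on {} socket ({}: {})'.format(
            n, profile, op, sock, where, ns))
```

Run against the quoted record, the summary shows a single denial from the docker-default profile loaded in the lxd-loyal-bengal child namespace, for creating a unix stream socket; that combination (nested namespace, unix socket create, every container affected) is what distinguishes this from an ordinary per-container rule problem.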

Same issue on Ubuntu 20.04.4 with the latest snap of LXD.

I’ve run into this issue too on an Ubuntu 20.04 LTS LXD host and Debian bullseye LXD guest with docker-ce 25.0.2 after upgrading everything (the host, the container, and docker). All docker containers were being denied any networking access. It took me a while to find out what’s going on.

I resolved it by uninstalling apparmor from the LXD container. It’s not an ideal solution, but at least I could keep apparmor on the Ubuntu LXD host. Based on that, it seems the issue lies with the apparmor profile that docker creates for its containers (AppArmor security profiles for Docker), but there may be some more complicated interplay between the apparmor on the host and guest. Alas, I don’t have the time to explore this in more detail at the moment.

Is that issue (inability to get networking) related only to unprivileged (rootless) Docker containers?