I start a fresh images:debian/10-based LXD container, install Docker inside, set the required configuration (see below) and try to ping 8.8.8.8 from a Docker container. When the Docker container is run with --privileged the ping works. If not, the ping fails with: ping: can't create raw socket: Permission denied.
All networking otherwise works OK.
debian/10 - doesn’t work for containers (but does work in a VM)
debian/9 - works
ubuntu/20.10 - works
ubuntu/18.04 - works
Am I missing some configuration options for the LXD container?
The LXD container has the unmodified default profile, and runs on the lxdbr0 network.
Output of the pings from the inner Docker container:
# This works
$ lxc exec "$CONTAINER_ID" -- bash -c "docker run --rm --privileged busybox ping -c 4 8.8.8.8"
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
4c892f00285e: Pull complete
Digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
Status: Downloaded newer image for busybox:latest
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=116 time=8.929 ms
64 bytes from 8.8.8.8: seq=1 ttl=116 time=7.968 ms
64 bytes from 8.8.8.8: seq=2 ttl=116 time=8.482 ms
64 bytes from 8.8.8.8: seq=3 ttl=116 time=8.301 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 7.968/8.420/8.929 ms
# This fails
$ lxc exec "$CONTAINER_ID" -- bash -c "docker run --rm busybox ping -c 4 8.8.8.8"
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: can't create raw socket: Permission denied
I already have lxc config set "$CONTAINER_ID" security.nesting="true" security.privileged="true" in the script.
To be sure, I added -c security.nesting="true" to the first launch invocation as well, but still with the same result.
Here is my try, and it worked for me with the ubuntu:20.04 container image. I notice that it worked for you as well, but does not work on images:debian/10.
$ lxc launch ubuntu: mydocker -c security.nesting=true
Creating mydocker
Starting mydocker
$ lxc shell mydocker
root@mydocker:~# apt update
...
root@mydocker:~# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
OK
root@mydocker:~# apt-key fingerprint 0EBFCD88
...
root@mydocker:~# add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
root@mydocker:~# apt install docker-ce
...
root@mydocker:~# docker run --rm busybox ping -c 3 8.8.8.8
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
4c892f00285e: Pull complete
Digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
Status: Downloaded newer image for busybox:latest
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=115 time=82.381 ms
64 bytes from 8.8.8.8: seq=1 ttl=115 time=39.129 ms
64 bytes from 8.8.8.8: seq=2 ttl=115 time=80.403 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 39.129/67.304/82.381 ms
root@mydocker:~#
There should be a pencil at the end of the title. By clicking that pencil, you can edit the title.
I did this change myself. If you want to further change the title, go for it.
My understanding with the images:debian/10 container image is that the whole networking is messed up. ping is a bit special because it uses raw ICMP. An alternative test is to wget a file. You can see that name resolution does not work either.
I think it would help if you can edit the initial post and summarize which container images do not let Docker work.
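The reply above points out that ping needs a raw ICMP socket. As an added diagnostic (not from this thread, nor from the LXD or Docker projects), the script below, run inside the inner Docker container, reports whether the process actually holds CAP_NET_RAW (which Docker's default capability set includes and which a raw socket requires) and whether net.ipv4.ping_group_range would let an unprivileged ICMP datagram socket work instead; the script name and the sample masks in the comments are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run it inside the inner container, e.g.
#   docker run --rm -v "$PWD/rawsock_check.sh:/c.sh:ro" busybox sh /c.sh
# and compare the verdict with the --privileged run.

CAP_NET_RAW_BIT=13   # capability index of CAP_NET_RAW (linux/capability.h)

# cap_bit_set BIT HEXMASK: succeed when capability BIT is set in HEXMASK.
# Example (constructed): Docker's usual default CapEff 00000000a80425fb has bit 13 set;
# an all-zero mask does not.
cap_bit_set() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# effective_caps: CapEff of the current process, or 0 if /proc is unreadable.
effective_caps() {
    c=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null)
    echo "${c:-0}"
}

# ping_group_range_allows GID "MIN MAX": succeed when GID lies inside the range
# that net.ipv4.ping_group_range opens to unprivileged ICMP sockets.
# The kernel default "1 0" is an empty range, i.e. nobody.
ping_group_range_allows() {
    gid="$1"; shift
    set -- $1          # split "MIN MAX" on whitespace (/proc uses a tab)
    [ "$1" -le "$gid" ] && [ "$gid" -le "$2" ]
}

# raw_socket_verdict HEXMASK GID "MIN MAX": one-line explanation of what to expect.
raw_socket_verdict() {
    if cap_bit_set "$CAP_NET_RAW_BIT" "$1"; then
        echo "raw socket allowed: CAP_NET_RAW is in CapEff"
    elif ping_group_range_allows "$2" "$3"; then
        echo "raw socket denied, but ICMP datagram sockets allowed via ping_group_range"
    else
        echo "raw socket denied: no CAP_NET_RAW and gid $2 outside ping_group_range"
    fi
}

main() {
    caps=$(effective_caps)
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
    gid=$(id -g)
    echo "CapEff=$caps gid=$gid ping_group_range='$range'"
    raw_socket_verdict "$caps" "$gid" "$range"
}

main
```

If the verdict already says "raw socket allowed" but ping still fails, the restriction is not a missing capability, and the nested container's seccomp or AppArmor policy is the next thing to compare between the two runs.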