Hi,

Thanks for responding back to me. I was trying these solutions, when I realised that my /etc/apparmor.d/ directory already contains usr.bin.pasta. I believe this is because I downloaded the latest package from the launchpad. Using aa-status, it seems like ' /usr/bin/pasta.avx2 (1366) pasta' is running in enforce mode. So I suspect there is no point trying to do this over.

On Mon, May 12, 2025 at 11:36 AM Stefano Brivio <sbrivio@redhat.com> wrote:

Hi Ayon,

On Sat, 10 May 2025 21:26:29 -0230
Ayon T <sanroz.mozan13@gmail.com> wrote:

> Hi,
>
> I've been using pasta as a network driver for rootless docker and I've been
> running into a couple of issues for a while now. I hope this is where I can
> find some help troubleshooting.
>
> The issue is that when I use pasta as the network driver as opposed to
> slirp4netns, I'm unable to access the internet through rootless docker or
> use ping (or traceroute) through its containers. So if I run "docker pull
> <image-name>" I get a timeout error:
>
> > Using default tag: latest
> Error response from daemon: Get "https://registry-1.docker.io/v2/": dial
> tcp: lookup registry-1.docker.io on 10.0.2.3:53: read udp 169.254.2.1:58905
> ->10.0.2.3:53: i/o timeout
>
> I'm running pasta version 0.0~git20250217.a1e48a0-1 on Ubuntu 24.04.2 LTS
> with docker v27.3.1 build ce12230.

I suspect you might be hitting this:

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158

...which is fixed on Ubuntu 24.10 and later versions. As a workaround,
I guess you can create the AppArmor profile for pasta manually, from:

https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta

or set /proc/sys/kernel/unprivileged_userns_apparmor_policy to 0, see
also:

https://github.com/kubevirt/kubevirt/issues/12333

Let me know if you still hit the issue.

--
Stefano