Hi,
I've been using pasta as a network driver for rootless docker and I've been running into a couple of issues for a while now. I hope this is where I can find some help troubleshooting.
The issue is that when I use pasta as the network driver as opposed to slirp4netns, I'm unable to access the internet through rootless docker or use ping (or traceroute) through its containers. So if I run "docker pull <image-name>" I get a timeout error:
Using default tag: latest
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.0.2.3:53: read udp 169.254.2.1:58905 ->10.0.2.3:53: i/o timeout
I'm running pasta version 0.0~git20250217.a1e48a0-1 on Ubuntu 24.04.2 LTS with docker v27.3.1 build ce12230.
Please let me know what other details I could provide to troubleshoot this issue.
Thanks and regards,
Ayon Tarafdar
Hi Ayon,
On Sat, 10 May 2025 21:26:29 -0230 Ayon T wrote:
> Hi,
> I've been using pasta as a network driver for rootless docker and I've been running into a couple of issues for a while now. I hope this is where I can find some help troubleshooting.
> The issue is that when I use pasta as the network driver as opposed to slirp4netns, I'm unable to access the internet through rootless docker or use ping (or traceroute) through its containers. So if I run "docker pull <image-name>" I get a timeout error:
> Using default tag: latest
> Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.0.2.3:53: read udp 169.254.2.1:58905 ->10.0.2.3:53: i/o timeout
> I'm running pasta version 0.0~git20250217.a1e48a0-1 on Ubuntu 24.04.2 LTS with docker v27.3.1 build ce12230.
I suspect you might be hitting this:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158
...which is fixed on Ubuntu 24.10 and later versions. As a workaround, I guess you can create the AppArmor profile for pasta manually, from:
https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta
or set /proc/sys/kernel/unprivileged_userns_apparmor_policy to 0, see also:
https://github.com/kubevirt/kubevirt/issues/12333
Let me know if you still hit the issue.
-- Stefano
Hi,
Thanks for responding back to me. I was trying these solutions, when I
realised that my /etc/apparmor.d/ directory already contains usr.bin.pasta.
I believe this is because I downloaded the latest package from the
launchpad. Using aa-status, it seems like ' /usr/bin/pasta.avx2 (1366)
pasta' is running in enforce mode. So I suspect there is no point trying to
do this over.
On Mon, May 12, 2025 at 11:36 AM Stefano Brivio wrote:
> Hi Ayon,
> On Sat, 10 May 2025 21:26:29 -0230 Ayon T wrote:
> > Hi,
> > I've been using pasta as a network driver for rootless docker and I've been running into a couple of issues for a while now. I hope this is where I can find some help troubleshooting.
> > The issue is that when I use pasta as the network driver as opposed to slirp4netns, I'm unable to access the internet through rootless docker or use ping (or traceroute) through its containers. So if I run "docker pull <image-name>" I get a timeout error:
> > Using default tag: latest
> > Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.0.2.3:53: read udp 169.254.2.1:58905 ->10.0.2.3:53: i/o timeout
> > I'm running pasta version 0.0~git20250217.a1e48a0-1 on Ubuntu 24.04.2 LTS with docker v27.3.1 build ce12230.
> I suspect you might be hitting this:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158
> ...which is fixed on Ubuntu 24.10 and later versions. As a workaround, I guess you can create the AppArmor profile for pasta manually, from:
> https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta
> or set /proc/sys/kernel/unprivileged_userns_apparmor_policy to 0, see also:
> https://github.com/kubevirt/kubevirt/issues/12333
> Let me know if you still hit the issue.
> -- Stefano
On Mon, 12 May 2025 12:18:17 -0230 Ayon T wrote:
> Hi,
> Thanks for responding back to me. I was trying these solutions, when I realised that my /etc/apparmor.d/ directory already contains usr.bin.pasta. I believe this is because I downloaded the latest package from the launchpad.
...wait, so it's not 0.0~git20250217.a1e48a0-1 anymore? What version of passt are you using now?
And what version of rootlesskit are you running? Does it contain this fix:
https://github.com/rootless-containers/rootlesskit/pull/458
it's not directly related to your issue, but it changes the behaviour significantly.
I don't remember how you would pass pasta options through moby / rootlesskit, but ideally you should try running pasta with --debug and --log-file.
Another important bit of information would be if container connectivity works with an existing container (on 'docker run', not 'docker pull'), and, if it doesn't, whether pasta is running (check with 'ps ax') while the container is running.
-- Stefano
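The checks discussed in this thread (the sysctl value, the installed profile, whether pasta is running and under which AppArmor label) can be gathered with one read-only script. This is an added example, not part of the original messages or of the passt, rootlesskit or Docker projects; the function names and the ROOT variable are made up here, and it assumes the process name starts with "pasta" as in the aa-status output quoted above.

```shell
#!/bin/sh
# Added diagnostic sketch. ROOT (hypothetical variable) points the checks at a
# copied or constructed tree; when empty they read the live system. Read-only.

# Value of the sysctl named in the thread, or "absent" if the kernel lacks it.
userns_policy() {
    f="${1:-}/proc/sys/kernel/unprivileged_userns_apparmor_policy"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# "present" if the profile file named in the thread is installed.
pasta_profile() {
    if [ -f "${1:-}/etc/apparmor.d/usr.bin.pasta" ]; then
        echo present
    else
        echo missing
    fi
}

# One line per running pasta process: "<pid> <comm> <AppArmor label>".
# The label comes from /proc/<pid>/attr/current, e.g. "pasta (enforce)".
pasta_confinement() {
    for d in "${1:-}"/proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        case "$comm" in
            pasta*)
                label=$(cat "$d/attr/current" 2>/dev/null || echo unknown)
                echo "${d##*/} $comm $label" ;;
        esac
    done
}

# Reduce kernel log text on stdin to AppArmor denials that involve pasta,
# matching either the profile= or the comm= field of the audit record.
# Typical use: journalctl -k | pasta_denials
pasta_denials() {
    grep 'apparmor="DENIED"' | grep -E '(profile|comm)="[^"]*pasta' || true
}

report() {
    echo "unprivileged_userns_apparmor_policy: $(userns_policy "${1:-}")"
    echo "usr.bin.pasta profile: $(pasta_profile "${1:-}")"
    pasta_confinement "${1:-}"
}

report "${ROOT:-}"
```

Run it while a container is up: no pasta line in the output means pasta is not running at that moment, and a label of "unconfined" means the installed profile is not attached to the process.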
participants (2)
- Ayon T
- Stefano Brivio