[SOLVED] Can't Pull Container Images On LXC

[lomarkomar]

I can't pull container images from container registries, both quay.io and docker.io doesn't avaliable.

root@jenkins:~# buildah pull docker.io/python/python:3.13-slim
Trying to pull docker.io/python/python:3.13-slim...
Error: initializing source docker://python/python:3.13-slim: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 8.8.8.8:53: dial tcp 8.8.8.8:53: socket: permission denied

root@jenkins:~# cat /etc/resolv.conf
# --- BEGIN PVE ---
search skysec.internal
nameserver 8.8.8.8
# --- END PVE ---
options edns0 use-vc

root@jenkins:~# nslookup google.com
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:    google.com
Address: 142.251.140.78
Name:    google.com
Address: 2a00:1450:4017:805::200e

root@jenkins:~# nslookup registry-1.docker.io
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:    registry-1.docker.io
Address: 44.206.172.4
Name:    registry-1.docker.io
Address: 35.170.181.116
Name:    registry-1.docker.io
Address: 50.16.201.24
Name:    registry-1.docker.io
Address: 54.236.189.171
Name:    registry-1.docker.io
Address: 3.226.118.171
Name:    registry-1.docker.io
Address: 44.213.170.80
Name:    registry-1.docker.io
Address: 44.207.195.157
Name:    registry-1.docker.io
Address: 98.85.9.239
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc01:d6a5:fab3:4a8b:5ea
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc00:9104:7a5f:27b5:e18c
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc00:8c90:c2f3:c37c:a257
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc01:d94f:d347:f580:afc7
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc02:9ace:ab18:c47e:e0a5
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc01:feb3:7a51:d53c:da8b
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc00:b979:555:b50c:b1bf
Name:    registry-1.docker.io
Address: 2600:1f18:2148:bc02:8712:b9d1:fca2:d950

root@pve:~# cat /etc/pve/lxc/104.conf
arch: amd64
cores: 1
features: keyctl=1,nesting=1
hostname: jenkins.skysec.internal
memory: 1024
nameserver: 8.8.8.8
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=BC:24:11:30:00:E7,ip=192.168.1.51/24,type=veth
ostype: ubuntu
parent: jenkins
rootfs: local-lvm:vm-104-disk-0,size=8G
swap: 1024
unprivileged: 1

[jenkins]
arch: amd64
cores: 1
features: nesting=1
hostname: jenkins.skysec.internal
memory: 1024
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=BC:24:11:30:00:E7,ip=192.168.1.51/24,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-104-disk-0,size=8G
snaptime: 1755013204
swap: 1024
unprivileged: 1
lxc.apparmor.profile: unconfined

 

[Impact]

Try

buildah pull docker.io/python:3.13-slim

If that still doesn't work share how you installed docker and buildah.

 

[lomarkomar]

Try

buildah pull docker.io/python:3.13-slim

If that still doesn't work share how you installed docker and buildah.

I haven't installed docker, just podman and buildah installed.

The installation method I've used:

apt install podman buildah -y

 

[Impact]

What did running that command result in?

 

[lomarkomar]

What did running that command result in?

Error: initializing source docker://python:3.13-slim: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 8.8.8.8:53: dial tcp 8.8.8.8:53: socket: permission denied

 

[Impact]

Hmm. This woeks fine on my unprivileged debian 13 CT on PVE 9. I use the docker repos though. I will try to reproduce with a normal ubuntu CT later if I don't forget.
I assume PVE is up to date? What does pveversion say?

 

[lomarkomar]

Hmm. It worked fine on my unprivileged debian CT on PVE 9. I use the docker repos though. I will try to reproduce with a normal ubuntu CT later if I don't forget.

I don't know why, however I've switched to CentOS Steam 9 and It solved