Hadmut, AppArmor's stacking support was intended to allow supporting unmodified Ubuntu inside LXD containers. If you're feeling up for some experimentation, you could try to disable this feature by setting the kernel.unprivileged_userns_apparmor_policy sysctl to 0 early in a system boot, preferably before LXD starts. This should cause the attempts to set policy within LXDs to fail, and either the services will then refuse to start or they'll fall back to their old behaviour. (This reflects my lack of familiarity with LXD.)
I'll note that this is a wild guess; I'd feel more comfortable giving this advice on IRC than in a public bug tracker where it might do more harm than good. But I'm cautiously optimistic that this might give you a system you'd be happier using.

Thanks

https://bugs.launchpad.net/bugs/1654624

Title:
  dhcp apparmor profile complains about lxd client

Status in apparmor package in Ubuntu:
  Confirmed
Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  strange problem recently occurred:

  I'm having some ubuntu machines running in LXD (nothing unusual, just based on the regular ubuntu LXD images) on a ubuntu host. Worked well for some time.

  But now the host generates messages like

  Jan 6 19:17:05 monstrum kernel: [ 1063.263531] audit: type=1400 audit(1483726625.388:247): apparmor="DENIED" operation="file_perm" namespace="root//lxd-rackadmin_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=5125 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

  in /var/log/kern.log. For some reason the apparmor running on the host interferes with the containers.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: isc-dhcp-client 4.3.3-5ubuntu12.6
  ProcVersionSignature: Ubuntu 4.4.0-57.78-generic 4.4.35
  Uname: Linux 4.4.0-57-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.4
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Fri Jan 6 19:19:12 2017
  SourcePackage: isc-dhcp
  UpgradeStatus: Upgraded to xenial on 2016-04-06 (275 days ago)
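
Added example, not part of the original message or of AppArmor/LXD: a Python triage sketch that splits AppArmor denials in kern.log by policy namespace, so denials raised by policy loaded inside an LXD container (stacked under root//lxd-...) can be told apart from denials by the host's own profiles. It assumes the lxd-<container>_<...> namespace naming seen in the log line above and that host-level records carry no namespace field; the second sample line is constructed.

```python
import re
from collections import Counter

# Line 1 is the denial quoted in the bug report; line 2 is a constructed
# host-level denial (hypothetical profile and path) added for contrast.
SAMPLE_LOG = '''\
Jan 6 19:17:05 monstrum kernel: [ 1063.263531] audit: type=1400 audit(1483726625.388:247): apparmor="DENIED" operation="file_perm" namespace="root//lxd-rackadmin_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=5125 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0
Jan 6 19:18:10 monstrum kernel: [ 1128.000000] audit: type=1400 audit(1483726690.000:248): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=6000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def origin(fields):
    """Map the namespace field to 'host' or 'lxd:<container>'."""
    namespace = fields.get("namespace", "")
    # Stacked namespaces are joined with '//'; the last component is the
    # namespace whose policy produced the denial.
    leaf = namespace.split("//")[-1] if namespace else ""
    if leaf.startswith("lxd-"):
        # Assumed naming: lxd-<container>_<escaped-lxd-path>
        return "lxd:" + leaf[len("lxd-"):].rsplit("_<", 1)[0]
    if leaf in ("", "root"):
        return "host"
    return "ns:" + leaf  # some other policy namespace


def summarize(log_text):
    """Count denials per (origin, profile) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields:
            counts[(origin(fields), fields.get("profile", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (where, profile), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {where:20s} {profile}")
```
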