The title may sound confusing but I believe that it reflects what I am actually trying to achieve.
I have got an LXD container that I use as a built server. Within this LXD container, I run LXD to build a new LXD container. This built works fine as long I don’t attempt to install LXD within that container. When I try to install LXD within that container, I get the following error.
LXD is installed by the use of Snap (the Snap install is actually used on the host as well)
"error: cannot perform the following tasks:
Setup snap "core" (4486) security profiles (cannot setup apparmor for snap "core": cannot load apparmor profile "snap-update-ns.core": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
Setup snap "core" (4486) security profiles (cannot load apparmor profile "snap-update-ns.core": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
Note, the same built process works without errors when run directly on the host machine. The LXD container that builds the LXD container is run with security.nesting=true and security.privileged=true.
So there’s unfortunately not much you can do here.
This error is coming as the result of an AppArmor limitation. One can only create one AppArmor namespace at this time.
LXD itself creates one such namespace per container, the LXD you run inside that container then detects that it can’t create its own namespace and shares the one of its parent, so things work fine.
Where things then fail is when you attempt to install LXD inside that as snapd requires apparmor and just completely fails to install lxd.
Until this limitation is removed (@tyhicks on our team has that on his backlog), the two workarounds I can think of here are to either use the LXD deb package inside that nested nested container, or see if there’s a way to disable snapd’s apparmor handling so that you can run snapd inside the nested container without it failing.
The closet thing to an existing upstream AppArmor bug report that I’m aware of is Launchpad bug #1652101. There’s more to multi-level AppArmor stacking than what’s described in that bug’s description but that’s a good one to watch.