Merge pull request #10370 from ashahab-altiscale/9875-apparmor-regression

Fixes apparmor regression

daemon/execdriver/lxc/lxc_template.go

@@ -75,8 +75,8 @@ lxc.aa_profile = unconfined
 # In non-privileged mode, lxc will automatically mount /proc and /sys in readonly mode
 # for security. See: http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html
 lxc.mount.auto = proc sys
-	{{if .AppArmor}}
+	{{if .AppArmorProfile}}
-lxc.aa_profile = .AppArmorProfile
+lxc.aa_profile = {{.AppArmorProfile}}
 	{{end}}
 {{end}}
 

daemon/execdriver/lxc/lxc_template_unit_test.go

@@ -248,7 +248,8 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 	}
 	defer os.RemoveAll(root)
 	os.MkdirAll(path.Join(root, "containers", "1"), 0777)
-	driver, err := NewDriver(root, "", false)
+	driver, err := NewDriver(root, "", true)
+
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -271,9 +272,10 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 				Bridge:      "docker0",
 			},
 		},
-		ProcessConfig: processConfig,
+		ProcessConfig:   processConfig,
-		CapAdd:        []string{"net_admin", "syslog"},
+		CapAdd:          []string{"net_admin", "syslog"},
-		CapDrop:       []string{"kill", "mknod"},
+		CapDrop:         []string{"kill", "mknod"},
+		AppArmorProfile: "lxc-container-default-with-nesting",
 	}
 
 	p, err := driver.generateLXCConfig(command)
@@ -287,7 +289,7 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 	grepFile(t, p, "lxc.network.ipv4 = 10.10.10.10/24")
 	grepFile(t, p, "lxc.network.ipv4.gateway = 10.10.10.1")
 	grepFile(t, p, "lxc.network.flags = up")
-
+	grepFile(t, p, "lxc.aa_profile = lxc-container-default-with-nesting")
 	// hostname
 	grepFile(t, p, "lxc.utsname = testhost")
 	grepFile(t, p, "lxc.cgroup.cpuset.cpus = 0,1")