kubernetes-core & canonical-kubernetes need a different lxd profile. #59

Closed
mbruzek opened this issue Apr 5, 2017 · 2 comments

mbruzek commented Apr 5, 2017

The release candidate charms for the CDK now use snaps and we are getting some errors on not being able to apply apparmor profiles to the containers.

2017-04-04 14:23:57 INFO install - Setup snap "core" (1441) security profiles (cannot setup apparmor for snap "core": cannot load apparmor profile "snap.core.hook.configure": cannot load apparmor profile: exit status 243
2017-04-04 14:23:57 INFO install apparmor_parser output:
2017-04-04 14:23:57 INFO install apparmor_parser: Unable to replace "snap.core.hook.configure".  Permission denied; attempted to load a profile while confined?

It seems to be related to privileged containers not being able to apply apparmor profiles.

We found some success with comparing the current docker lxd profile to the profile that is set for the kubernetes-core spell. More investigation is needed here and we need to update the profiles for both spells once we figure out what will work.

Related to: conjure-up/conjure-up#802

@adam-stokes adam-stokes self-assigned this Apr 5, 2017
@adam-stokes

test out this diff

diff --git a/kubernetes-core/steps/lxd-profile.yaml b/kubernetes-core/steps/lxd-profile.yaml
index 2132757..5bc081d 100644
--- a/kubernetes-core/steps/lxd-profile.yaml
+++ b/kubernetes-core/steps/lxd-profile.yaml
@@ -5,6 +5,7 @@ config:
   raw.lxc: |
     lxc.aa_profile=unconfined
     lxc.mount.auto=proc:rw sys:rw
+    lxc.cap.drop=
   security.nesting: "true"
   security.privileged: "true"
 description: ""
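Review bot: The added `lxc.cap.drop=` line under `raw.lxc` has an empty value, which in LXC clears the capability drop list, so combined with `lxc.aa_profile=unconfined` and `security.privileged: "true"` in the same profile the container keeps every capability with no AppArmor confinement. Add a comment above the line recording that it is there so snapd can load its AppArmor profiles, and test whether a narrower setting is enough before this goes into the spell. The diff also touches only kubernetes-core/steps/lxd-profile.yaml, while the issue title names canonical-kubernetes as well, so the second profile needs the same review.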

Lemme know the results and I'll update the spell

@adam-stokes

fc6e672
