YOU LIED TO ME???

There's gotta be a generic solution to this. Other people dind a lot too, even on Ubuntor.

could we maybe check in IsEnabled to see if the place apparmor_parser tries to write is readable by us?

s/readable/writable/

will not work

Elaborate!

@tianon I want to say it all started by a1a9baf

apparmor should not run within a container, weird stuff happens

Sure @vieux, blame me for trying to make the world a better place. :)

yes, this is really @tianon 's fault from the start

So if apparmor shouldn't be run in a container, why not set "container" universally? (yes, let's rehash that debate)

I think this is a workaround at best, and kind of an ugly one.

i thought the consensus was if you need to depend on container=whatever just use -e to add it

So everyone doing dind now has to add "container=..." for some docker-specific switch?

everyone

btw I agree with you @tianon but I have no other idea

LGTM

I can live with this solution, at least for now. :)

(especially since if it's in hack/dind, it's in the "canonical location" for information about dind)

LGTM