From 6729ad423292e7935b77ca208cedd0cd6058f909 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Tue, 3 Dec 2019 13:25:55 +0000
Subject: [PATCH] Use unconfined apparmor profiles on Debian Buster.
This seems related to systemd >= 240 and this issue https://discuss.linuxcontainers.org/t/apparmor-denied-operation-mount/2424/13
Change-Id: Icc7c0f7fa08ad6e21b574b236e71c7e08558ec8c
---
 inventory/group_vars/all_containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/group_vars/all_containers.yml b/inventory/group_vars/all_containers.yml
index c7a3a82e20..0cabae3132 100644
--- a/inventory/group_vars/all_containers.yml
+++ b/inventory/group_vars/all_containers.yml
@@ -16,7 +16,7 @@
 # This is the default LXC AppArmor profile
 # Groups which need the unbound profile have a specific override
 lxc_container_config_list:
- "lxc.aa_profile=lxc-openstack"
+ - "{{ (hostvars[physical_host]['ansible_distribution'] == 'Debian' and hostvars[physical_host]['ansible_distribution_major_version'] == '10' ) | ternary('lxc.aa_profile=unconfined', 'lxc.aa_profile=lxc-openstack') }}"
 # Needed by playbooks/common-tasks/os-lxc-container-setup.yml
 lxc_container_log_path: "/var/log/lxc"
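Review bot: The new `lxc_container_config_list` entry turns AppArmor confinement off for every container on a Debian 10 host, yet the two comment lines above it still present `lxc-openstack` as the default and nothing in the file records the reason or that it is meant as a workaround. With `lxc.aa_profile=unconfined` AppArmor no longer mediates what root inside a container can do on the host, so this should be documented and treated as temporary, for example `# Debian 10 (systemd >= 240): lxc-openstack denies mounts the containers need, so run unconfined until the profile is fixed`. Extending the `lxc-openstack` profile with the rule that is being denied would keep the rest of the confinement in place and looks like the better long-term fix. The test on `ansible_distribution_major_version == '10'` is also narrower than the systemd version named in the commit message, so later releases will presumably hit the same denial, and the expression has no fallback if facts for `physical_host` were not gathered.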