Cannot create Octavia Amphora instance, AppArmor denied mkfs, ldconfig, collect2

Bug #1914564 reported by Przemyslaw Hausman
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Nova Compute Charm | New | Undecided | Unassigned | |

Bug Description

Fresh OpenStack Ussuri on Ubuntu Focal deployment.
nova-compute version 21.1.0, charm revision 323.

Creating a Load Balancer fails with ERROR. /var/log/syslog on the compute node shows DENIED entries:

```
Feb 4 08:04:24 comp-002 kernel: [ 3783.092969] audit: type=1400 audit(1612425864.197:113): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/mkfs" pid=211130 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.092977] audit: type=1400 audit(1612425864.197:114): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/mkfs" pid=211130 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.252979] audit: type=1400 audit(1612425864.357:115): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/ldconfig" pid=211134 comm="nova-rootwrap" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.257532] audit: type=1400 audit(1612425864.361:116): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/lib/gcc/x86_64-linux-gnu/9/collect2" pid=211136 comm="gcc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.423984] audit: type=1400 audit(1612425864.525:117): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/ldconfig" pid=211139 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.428376] audit: type=1400 audit(1612425864.529:118): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/lib/gcc/x86_64-linux-gnu/9/collect2" pid=211141 comm="gcc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
```

It looks like AppArmor did not take into account the /etc/apparmor.d/usr.bin.nova-compute rules file. Here's why.

AppArmor on the compute node is active since Thu 2021-02-04 07:02:12 UTC:

```
ubuntu@comp-002:~$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2021-02-04 07:02:12 UTC; 1h 7min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 1383 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 629145)
     Memory: 0B
     CGroup: /system.slice/apparmor.service

Feb 04 07:02:12 ubuntu systemd[1]: Starting Load AppArmor profiles...
Feb 04 07:02:12 ubuntu apparmor.systemd[1383]: Restarting AppArmor
Feb 04 07:02:12 ubuntu apparmor.systemd[1383]: Reloading AppArmor profiles
Feb 04 07:02:12 ubuntu apparmor.systemd[1395]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Feb 04 07:02:12 ubuntu systemd[1]: Finished Load AppArmor profiles.
```

The usr.bin.nova-compute rules file is "younger" than apparmor.service; note the last modify date/time, 2021-02-04 07:35:59:

```
ubuntu@comp-002:~$ stat /etc/apparmor.d/usr.bin.nova-compute
  File: /etc/apparmor.d/usr.bin.nova-compute
  Size: 3404 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 42731391 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2021-02-04 07:35:59.979320142 +0000
Modify: 2021-02-04 07:35:59.015303088 +0000
Change: 2021-02-04 07:35:59.015303088 +0000
 Birth: -
```

WORKAROUND:

Restart apparmor service on each compute node:

```
juju run --application nova-compute sudo systemctl restart apparmor.service
```
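As an added example (not part of this report, nor of the nova-compute charm), the following Python script does the triage described above from a defender's side: it parses AppArmor audit records out of syslog-style lines, groups the DENIED exec attempts by profile and target binary, and checks the condition the report identifies, namely that the profile file's modify time is later than the time apparmor.service became active. The syslog, stat and systemctl excerpts are embedded from the report (plus one constructed non-AppArmor line to show filtering); the function and constant names are this example's own, and the systemctl parser assumes the unit reports its time in UTC as it does here.

```python
"""Triage helpers for AppArmor DENIED records (added example, not from
the bug report or the charm). Parses audit records from syslog lines,
groups denials by profile/target, and flags a profile file that was
modified after apparmor.service last loaded profiles."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# key="value" or key=value pairs inside an audit record
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<ms>:<serial>)
_AUDIT_ID_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
# "Modify: 2021-02-04 07:35:59.015303088 +0000" as printed by stat(1)
_STAT_MODIFY_RE = re.compile(
    r'^\s*Modify:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ ([+-]\d{4})', re.M)
# "Active: active (exited) since Thu 2021-02-04 07:02:12 UTC;" from systemctl
_ACTIVE_SINCE_RE = re.compile(
    r'Active: active \(\w+\) since \w{3} (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+);')


def parse_apparmor_line(line):
    """Return the audit fields of an AppArmor record as a dict, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (q or b) for k, q, b in _KV_RE.findall(line)}
    m = _AUDIT_ID_RE.search(line)
    if m:
        fields["timestamp"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        fields["serial"] = int(m.group(2))
    return fields


def summarize_denials(lines):
    """Group DENIED records by (profile, operation, target) and collect the
    comm= values that triggered each one, so one missing rule that is hit
    through several helper processes shows up as one entry."""
    summary = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in lines:
        rec = parse_apparmor_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        key = (rec.get("profile"), rec.get("operation"), rec.get("name"))
        summary[key]["count"] += 1
        summary[key]["comms"].add(rec.get("comm"))
    return dict(summary)


def stat_modify_time(stat_output):
    """Modify time from `stat` output, as a timezone-aware datetime."""
    m = _STAT_MODIFY_RE.search(stat_output)
    if not m:
        raise ValueError("no Modify: line in stat output")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S %z")


def service_active_since(systemctl_output):
    """Start time of an active unit from `systemctl status` output.
    Assumption: the unit reports UTC (as in the report); other zones are rejected."""
    m = _ACTIVE_SINCE_RE.search(systemctl_output)
    if not m:
        raise ValueError("unit not active or 'Active:' line not found")
    if m.group(2) != "UTC":
        raise ValueError(f"unhandled time zone {m.group(2)}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def profile_is_stale(stat_output, systemctl_output):
    """True when the profile file was modified after apparmor.service last
    loaded profiles, so the kernel may still enforce the older policy."""
    return stat_modify_time(stat_output) > service_active_since(systemctl_output)


# Sample input: the first syslog line is constructed noise; the audit lines
# and the stat/systemctl excerpts are copied from the report.
SAMPLE_SYSLOG = """\
Feb 4 08:04:23 comp-002 systemd[1]: Started Session 7 of user ubuntu.
Feb 4 08:04:24 comp-002 kernel: [ 3783.092969] audit: type=1400 audit(1612425864.197:113): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/mkfs" pid=211130 comm="nova-compute" requested_mask="x" denied_mask="x" fsuid=64060 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.252979] audit: type=1400 audit(1612425864.357:115): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/ldconfig" pid=211134 comm="nova-rootwrap" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.257532] audit: type=1400 audit(1612425864.361:116): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/lib/gcc/x86_64-linux-gnu/9/collect2" pid=211136 comm="gcc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 4 08:04:24 comp-002 kernel: [ 3783.423984] audit: type=1400 audit(1612425864.525:117): apparmor="DENIED" operation="exec" profile="/usr/bin/nova-compute" name="/usr/sbin/ldconfig" pid=211139 comm="privsep-helper" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""
STAT_OUTPUT = """\
  File: /etc/apparmor.d/usr.bin.nova-compute
Modify: 2021-02-04 07:35:59.015303088 +0000
Change: 2021-02-04 07:35:59.015303088 +0000
"""
SYSTEMCTL_OUTPUT = """\
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2021-02-04 07:02:12 UTC; 1h 7min ago
"""

if __name__ == "__main__":
    for (profile, op, target), info in summarize_denials(SAMPLE_SYSLOG.splitlines()).items():
        print(f"{profile}: {op} {target} x{info['count']} via {sorted(info['comms'])}")
    print("profile newer than last AppArmor load:",
          profile_is_stale(STAT_OUTPUT, SYSTEMCTL_OUTPUT))
```

On a live node the same functions can be fed the output of `stat /etc/apparmor.d/usr.bin.nova-compute` and `systemctl status apparmor` together with the AppArmor lines from /var/log/syslog. The grouping makes it visible that one target (ldconfig) is reached through two different helper processes, which is one missing rule rather than two, and the timestamp comparison reproduces the report's diagnosis that the file on disk is newer than the loaded policy.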
