I found that after working around this issue (with seccomp rules) there are yet more AppArmor denials during namespace setup.
All in all, systemd services with sandboxing settings (i.e. settings that require the use of various namespaces) hit more and more denials in LXD containers. So, after discussing with LXD folks, the plan is to enable security.nesting: true by default for unprivileged containers [1].
[1] https://github.com/canonical/lxd/issues/13631