Comment 6 for bug 1612412

traceroute and host also failed "Failed name lookup - disconnected path" [1]

flag "attach_disconnected" is way to resolve disconnected paths.[2]
patch example for bin.ping profile [3]

right now profile "unconfined" is used for neutron_agent [4]
and default profile "lxc-openstack" for containers already contains flag "attach_disconnected" [5]

I think this profile can be used for neutron_agent.
As next step I will check how it will work without 'lxc.cgroup.devices.allow=a *:* rmw' and bind mount of /lib/modules.

[1]
root@aio1-neutron-agents-container-26994ece:~# traceroute www.google.com
traceroute: error while loading shared libraries: libc.so.6: cannot stat shared object: Permission denied
root@aio1-neutron-agents-container-26994ece:~# ping 8.8.8.8
ping: error while loading shared libraries: libcap.so.2: cannot stat shared object: Permission denied

[2]
http://wiki.apparmor.net/index.php/ReleaseNotes_2_5
path name lookup and mediation of
Two new profile flags have been introduced to aid in mediation of disconnected paths. AppArmor's default behavior is to reject new accesses to disconnected paths reporting back the pathname without a leadeding / Unfortunately this can break some applications, if a profile must allow for mediation of disconnected paths then the profile flag attach_disconnected can be used. This prepend a leading / to the reported name, however this may not result in the original name of the file as AppArmor can only attach the file to root, not to its original location.
 /some/profile (attach_disconnected) {
   ...
 }

[3]
$ diff /etc/apparmor.d/bin.ping /etc/apparmor.d/bin.ping.old
13c13
< /{usr/,}bin/ping flags=(complain,attach_disconnected) {
---
> /{usr/,}bin/ping flags=(complain) {

[4] https://github.com/openstack/openstack-ansible/blob/master/playbooks/os-neutron-install.yml#L27

[5] https://github.com/openstack/openstack-ansible-lxc_hosts/blob/master/templates/lxc-openstack.apparmor.j2#L4