Comment 7 for bug 1654624

Seth Arnold (seth-arnold) wrote :

Hadmut, AppArmor's stacking support was intended to allow supporting unmodified Ubuntu inside LXD containers. If you're feeling up for some experimentation, you could try to disable this feature by setting the kernel.unprivileged_userns_apparmor_policy sysctl to 0 early in a system boot, preferably before LXD starts. This should cause the attempts to set policy within LXDs to fail, and either the services will then refuse to start or they'll fall back to their old behaviour. (This reflects my lack of familiarity with LXD.)

I'll note that this is a wild guess; I'd feel more comfortable giving this advice on IRC than in a public bug tracker where it might do more harm than good. But I'm cautiously optimistic that this might give you a system you'd be happier using.

Thanks