LXD is the direction that the LXC project is moving towards, and it has several nice features that are helpful for autopkgtest: fast container creation with intelligent caching, support for local images (with autopkgtest modifications), and seamless support for remote containers.
We need the latter for moving armhf testing into Scalingstack, as we don't have native armhf support there. We can create a big semi-permanent arm64 instance and then create armhf lxd containers in that, and talk to them from the autopkgtest controller node in ProdStack using the arm64 instance as a remote. This cannot be done with either the ssh runner (that would need some rather complicated setup script) or the lxc runner (I tried wrapping ssh around it, but the extra level of shell processing/quoting breaks stuff).
Some tests need to mount /proc (like pbuilder) or do bind mounts (like nested LXC), so we need to relax the restrictions. As lxd containers are unprivileged, the extra AppArmor profile is merely a fallback security layer; users should not be able to do any harm to the host from an unprivileged container.
Create profile without AppArmor:
lxc profile create autopkgtest
lxc profile show default | sed '/^name:/ s/default/autopkgtest/' | lxc profile edit autopkgtest
lxc profile set autopkgtest raw.lxc lxc.aa_profile=unconfined
Start containers with:
lxc launch images:ubuntu/xenial/amd64 x1 --profile autopkgtest
In that container, bind mounts, mounting /proc, etc. work.
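As an added example (not from the original notes), a POSIX sh helper that derives the autopkgtest profile YAML from `lxc profile show default` output the way the sed pipeline above does, and refuses to apply the unconfined AppArmor setting when the profile would also set security.privileged, since the reasoning above only holds for unprivileged containers. The sample profile YAML is constructed, and the function names and the exact `lxc profile show` layout are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original notes. Builds the autopkgtest
# profile from the default profile YAML and guards the AppArmor relaxation.

# Constructed sample of `lxc profile show default` output (assumed layout).
SAMPLE_DEFAULT='name: default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic'

# Constructed sample of a profile that would make containers privileged.
SAMPLE_PRIVILEGED='name: priv
config:
  security.privileged: "true"
devices: {}'

# make_profile <default-yaml> <new-name>: rename the profile and add the
# raw.lxc key that unconfines AppArmor inside the container. Also handles an
# empty "config: {}" map, which a plain text append would leave invalid.
make_profile() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^name:/   { print "name: " name; next }
        /^config:/ { print "config:"
                     print "  raw.lxc: lxc.aa_profile=unconfined"; next }
        { print }'
}

# check_unprivileged <yaml>: succeed only if the profile does not enable
# security.privileged. Dropping the AppArmor profile is acceptable as a
# fallback layer for unprivileged containers; it is not for privileged ones.
check_unprivileged() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]+security\.privileged:[[:space:]]*"?true"?'; then
        return 1
    fi
    return 0
}

# apply_profile <new-name>: assumed usage on a host with lxd installed.
apply_profile() {
    yaml=$(make_profile "$(lxc profile show default)" "$1") || return 1
    check_unprivileged "$yaml" || { echo "refusing: profile is privileged" >&2; return 1; }
    lxc profile create "$1" && printf '%s\n' "$yaml" | lxc profile edit "$1"
}
```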