Comment 11 for bug 1648143

Okay, that looks like the kernel is working for you and you are now past the original

[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"

The new unlink denials will need the rule
  /var/lib/openntpd/run/ntpd.sock w,

added to the ntpd profile in /etc/apparmor.d/usr.sbin.ntpd