We looked into running snapd in lxc containers that use a config like:
    raw.lxc: |
      lxc.apparmor.profile=unconfined
In this configuration the container itself will not have “CAP_MAC_ADMIN” which means that nothing inside the container can manipulate the apparmor confinement. This is a problem for snapd which relies on apparmor. After some unsuccessful attempts to run snapd without apparmor inside such an environment I think we need to error with a clean message.
The following PR: https://github.com/snapcore/snapd/pull/5715 implements this new approach.
This will avoid the very confusing errors that people currently get when trying to run snaps inside such an environment.
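A pre-flight check of the kind the post argues for, as an added example that is not part of the post or of the linked snapd PR: it parses the CapEff mask from /proc/self/status-style text and returns a clean error when CAP_MAC_ADMIN (capability number 33) is absent from the effective set. The status samples and the function names are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// capMacAdmin is the Linux capability number of CAP_MAC_ADMIN
// (linux/capability.h); without it a process cannot load or change
// AppArmor profiles, which is exactly the unconfined-LXC situation.
const capMacAdmin = 33

// effectiveCaps extracts the CapEff bitmask from the text of
// /proc/self/status. The caller passes the contents as a string so
// the check can be exercised with a constructed sample.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		return strconv.ParseUint(hex, 16, 64)
	}
	return 0, errors.New("CapEff line not found in status text")
}

// checkMacAdmin returns a clean, explanatory error when the process
// lacks CAP_MAC_ADMIN instead of letting later AppArmor calls fail.
func checkMacAdmin(status string) error {
	caps, err := effectiveCaps(status)
	if err != nil {
		return err
	}
	if caps&(1<<capMacAdmin) == 0 {
		return errors.New("cannot manage AppArmor confinement: " +
			"CAP_MAC_ADMIN is not in the effective capability set " +
			"(running in an unconfined container?)")
	}
	return nil
}

// Constructed samples, not real captures: bits 0..37 all set, and the
// same mask with bit 33 (CAP_MAC_ADMIN) cleared.
const fullCaps = "Name:\tsnapd\nCapEff:\t0000003fffffffff\n"
const noMacAdmin = "Name:\tsnapd\nCapEff:\t0000003dffffffff\n"

func main() {
	for _, s := range []string{fullCaps, noMacAdmin} {
		if err := checkMacAdmin(s); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println("ok: CAP_MAC_ADMIN available")
		}
	}
}
```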