
ECS Agent AppArmor Support (aka Ubuntu 22 support) #4052

Closed
wants to merge 1 commit into from

Conversation

sparrc (Contributor) commented Dec 7, 2023

Summary

This is a followup to #3941. That PR was reverted because an issue was discovered that affects customers who are running Ubuntu on the EC2 launch type. This issue was not discovered pre-launch because our team was not testing Ubuntu on the EC2 launch type, we only tested Ubuntu on the EXTERNAL launch type in our automated regression testing.

Since then we have added support for testing Ubuntu on the EC2 launch type to our automated regression testing framework, and have fixed the AppArmor DENY that was causing the issue on Ubuntu on EC2 (network netlink permission)

This change will introduce the ecs-agent-default apparmor profile which adds support for ubuntu22 platforms, as with Ubuntu 22, Ubuntu defaults both to docker 20.10.x+ and CgroupsV2. Creating ECS's cgroups requires extra DBUS permissions in CgroupsV2. This ecs-default apparmor profile will provide the required permissions.

Implementation details

The changes are in ecs-init:

  • engine.go is updated with PreStartAppArmor, which checks if the host supports apparmor and calls loadDefaultProfile if it does
  • app-armor.go is added to load the ecs-default profile: it checks if the profile is already loaded. If not, it will create and write the file and load the profile using apparmor_parser.
  • docker_config.go is updated to set hostConfig.SecurityOpt if the host supports apparmor
  • Removed ecs-init/config/development.go as it is no longer used by our team; it was interfering with our ecs-init development process for debugging and running ecs-init.

Testing

New tests cover the changes: yes

  • unit tests added as part of this PR
  • full functional test suite has been run on Ubuntu 18, 20, 22 on both the EXTERNAL and EC2 launch types.

Description for the changelog

Enhancement: Add AppArmor support

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
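The host-side sequence the PR description lays out (check that AppArmor is enabled, skip if the profile is already in the kernel, otherwise write the profile and load it with apparmor_parser, then pin the agent container to it through HostConfig.SecurityOpt) as an added Go example. This is not ecs-init's code: the function names, the sysfs paths used for the checks, and the profile rules (a netlink rule and a D-Bus rule standing in for the permissions the description mentions) are assumptions for illustration, and the profile body is not the one the project ships.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ProfileName is the profile name the PR description uses for the agent container.
const ProfileName = "ecs-agent-default"

// Kernel and distro paths this example reads (assumed; standard on Ubuntu).
// The pure functions below take file contents as input so they can be
// exercised without root or a live AppArmor host.
const (
	enabledPath  = "/sys/module/apparmor/parameters/enabled"
	profilesPath = "/sys/kernel/security/apparmor/profiles"
	profileDir   = "/etc/apparmor.d"
)

// IsEnabled interprets /sys/module/apparmor/parameters/enabled: the kernel
// reports "Y" when the AppArmor LSM is active and "N" otherwise.
func IsEnabled(enabledContents string) bool {
	return strings.TrimSpace(enabledContents) == "Y"
}

// IsProfileLoaded scans the kernel's loaded-profile listing, one
// "<name> (<mode>)" entry per line, for an exact name match. Exact matching
// matters: "ecs-agent-default-old (complain)" or a child profile
// "ecs-agent-default//hat (enforce)" must not be mistaken for the profile.
func IsProfileLoaded(profiles io.Reader, name string) bool {
	sc := bufio.NewScanner(profiles)
	for sc.Scan() {
		loaded, _, _ := strings.Cut(sc.Text(), " (")
		if strings.TrimSpace(loaded) == name {
			return true
		}
	}
	return false
}

// RenderProfile builds an illustrative profile body. The rules are assumptions
// chosen to mirror what the PR description mentions (netlink access, D-Bus
// access for cgroups v2); they are not the profile ecs-init ships.
func RenderProfile(name string) string {
	var b strings.Builder
	b.WriteString("#include <tunables/global>\n\n")
	fmt.Fprintf(&b, "profile %s flags=(attach_disconnected,mediate_deleted) {\n", name)
	b.WriteString("  #include <abstractions/base>\n")
	b.WriteString("  network inet,\n")
	b.WriteString("  network inet6,\n")
	// The description reports a netlink DENY on the EC2 launch type.
	b.WriteString("  network netlink raw,\n")
	// Ubuntu 22 defaults to cgroups v2, where cgroups are created via systemd
	// over the system bus; a production profile would scope this by path/interface.
	b.WriteString("  dbus bus=system,\n")
	b.WriteString("  capability,\n")
	b.WriteString("  file,\n")
	b.WriteString("  umount,\n")
	b.WriteString("  signal,\n")
	b.WriteString("  ptrace,\n")
	b.WriteString("}\n")
	return b.String()
}

// SecurityOpt returns the HostConfig.SecurityOpt entry that makes Docker start
// the container under the named profile; "apparmor=<name>" is Docker's syntax.
func SecurityOpt(name string) []string {
	return []string{"apparmor=" + name}
}

// EnsureProfile runs the sequence on a real host (needs root and
// apparmor_parser on PATH): bail out if AppArmor is off, skip the load if the
// profile is already in the kernel, otherwise write and load it. For
// apparmor_parser, -r replaces a same-named profile and -K skips the cache.
func EnsureProfile(name string) error {
	enabled, err := os.ReadFile(enabledPath)
	if err != nil || !IsEnabled(string(enabled)) {
		return fmt.Errorf("apparmor is not enabled on this host")
	}
	f, err := os.Open(profilesPath)
	if err != nil {
		return err
	}
	loaded := IsProfileLoaded(f, name)
	f.Close()
	if loaded {
		return nil
	}
	path := filepath.Join(profileDir, name)
	if err := os.WriteFile(path, []byte(RenderProfile(name)), 0o644); err != nil {
		return err
	}
	if out, err := exec.Command("apparmor_parser", "-Kr", path).CombinedOutput(); err != nil {
		return fmt.Errorf("apparmor_parser: %v: %s", err, out)
	}
	return nil
}

func main() {
	if err := EnsureProfile(ProfileName); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("SecurityOpt:", SecurityOpt(ProfileName))
}
```

The check in IsProfileLoaded is deliberately an exact match on the name before the " (mode)" suffix; a prefix match would wrongly treat a stale or differently named profile as already loaded and skip the apparmor_parser load, leaving the container running under the wrong rules.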

@sparrc sparrc requested a review from a team as a code owner December 7, 2023 20:39
@sparrc sparrc force-pushed the apparmor-support-v2 branch 4 times, most recently from e5fd83a to c202c49 on December 11, 2023 21:03
@sparrc sparrc force-pushed the apparmor-support-v2 branch from c202c49 to edbb72b on December 18, 2023 23:20
@sparrc sparrc changed the title [wip] Add AppArmor Support Add AppArmor Support Dec 18, 2023
@sparrc sparrc changed the title Add AppArmor Support ECS AppArmor Support (aka Ubuntu 22 support) Dec 18, 2023
@sparrc sparrc changed the title ECS AppArmor Support (aka Ubuntu 22 support) ECS Agent AppArmor Support (aka Ubuntu 22 support) Dec 18, 2023
sparrc (Contributor, Author) commented Dec 18, 2023

closing in favor of #4062

@sparrc sparrc closed this Dec 18, 2023