ECS AppArmor Support (aka Ubuntu 22 support)

[SreeeS]

Summary

This change will introduce ecs-default apparmor profile which adds support for ubuntu22 platforms as with Ubuntu 22, Ubuntu defaults both to docker 20.10.x+ and CgroupsV2. Creating ECS’s cgroups require extra DBUSpermissions in CgroupsV2. This ecs-default apparmor profile will provide the required permissions.

Implementation details

The changs are in ecs-init:

• engine.go is updated with PreStartAppArmor which checks if the host is apparmor supported and loadDefaultProfile if supported
• app-armor.go is added to load the ecs-default profile:
  • checks of the profile is already loaded. If not it will create and write to the file and load the profile using apparmor_parser.
• docker_config.go is updated to hostConfig.SecurityOpt if the host is apparmor supported
• Removed ecs-init/config/development.go as it is no longer used by our team, it is interfering with our ecs-int development process for debugging and running ecs-init.

Testing

• Added unit tests for engine.go and apparmor.go changes
• Run complete functional test suite to make sure there is no availability risk
• bot/test - tests run as part of git hub PR workflow
  New tests cover the changes: yes

Description for the changelog

Add apparmor support

Does this PR include breaking model changes? If so, Have you added transformation functions?

This PR is intended to support apparmor supported hosts. This PR can potentially break customers using a custom profile and the ecs-default profile permissions are insufficient (has been tested for availability risk). Given that currently we are not supporting apparmor, this change should not break existing customer.

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.