Juju: Using AppArmor with Charms

Registered by Robbie Williamson

Complete and publish https://juju.ubuntu.com/AppArmor. (currently in draft)

Blueprint information

Status:
Complete
Approver:
Antonio Rosales
Priority:
Medium
Drafter:
None
Direction:
Needs approval
Assignee:
Clint Byrum
Definition:
Approved
Series goal:
Accepted for precise
Implementation:
Implemented
Milestone target:
ubuntu-12.04
Started by
Robbie Williamson
Completed by
Robbie Williamson

Whiteboard

Status: lightweight "first steps" work items identified.
NOTE: jdstrand> may still get to the aa-complain/aa-enable rewrite, but an alternative would be to seed apparmor-utils on the server CD and/or make apparmor-utils a Recommends of a package supporting charm development

Work Items:
[clint-fewbar] document how to generate profiles from complain-mode logs in charms: DONE
[clint-fewbar] write helper scripts so charms can install/include AppArmor profiles easily: DONE
[clint-fewbar] write an example profile embedded in a charm: DONE
[jdstrand] rewrite aa-complain, aa-enable, etc. in Python and make sure they are installed in base installs: POSTPONED

aa-logprof / aa-genprof (the apparmor-utils tools that build a profile from complain-mode log entries)

aa-complain, aa-enforce (written "aa-enable" above), etc. should be rewritten in Python and shipped in the same package as aa-status, so they are present on base installs
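What the three DONE work items and the aa-complain note above amount to in practice, as an added example that is not code from the blueprint, juju or charm-tools: a profile a charm could carry, a helper that installs it, and a loader that uses apparmor_parser from the base apparmor package instead of aa-complain/aa-enforce, so it works on a unit where apparmor-utils is absent. The service /usr/sbin/exampled, its paths, and the files/apparmor/ layout inside the charm are assumptions.

```shell
#!/bin/sh
# Added example, not code from the blueprint or from juju/charm-tools:
# helpers a charm hook could use to ship an AppArmor profile and load it in
# complain or enforce mode with apparmor_parser alone (package "apparmor"),
# so the charm works even when apparmor-utils (aa-complain, aa-enforce) is
# not installed. The profile, service name and paths are hypothetical.

# Where profiles live; overridable so the helpers can be exercised in a scratch dir.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"

# Constructed example profile, the kind a charm would carry as
# files/apparmor/usr.sbin.exampled and install from its install hook.
write_example_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  network inet stream,

  /usr/sbin/exampled mr,
  /etc/exampled/** r,
  /var/lib/exampled/** rwk,
  /var/log/exampled/*.log w,
  /run/exampled.pid rw,
}
EOF
}

# install_profile <src>: copy a profile file into $APPARMOR_D and print its path.
install_profile() {
    dst="$APPARMOR_D/$(basename "$1")"
    mkdir -p "$APPARMOR_D"
    cp "$1" "$dst" && chmod 0644 "$dst"
    printf '%s\n' "$dst"
}

# load_profile <path> <complain|enforce>: load or replace the profile in the
# kernel. -r replaces a profile that is already loaded; -C forces complain
# mode without editing the file (aa-complain instead rewrites the profile
# header to flags=(complain) and then reloads it).
load_profile() {
    case "$2" in
        complain) apparmor_parser -r -C "$1" ;;
        enforce)  apparmor_parser -r "$1" ;;
        *) echo "load_profile: unknown mode '$2'" >&2; return 2 ;;
    esac
}

# profile_mode <name> [profiles-file]: mode the kernel reports for a loaded
# profile, read from securityfs, where each line is "<name> (<mode>)".
# Prints nothing if the profile is not loaded.
profile_mode() {
    profiles="${2:-/sys/kernel/security/apparmor/profiles}"
    awk -v n="$1" '$1 == n { gsub(/[()]/, "", $2); print $2 }' "$profiles"
}

# charm_install_profiles [charm-dir] [mode]: what an install or
# config-changed hook would do. Use complain while developing the profile,
# then switch to enforce once the complain log has been folded back in.
charm_install_profiles() {
    dir="${1:-${CHARM_DIR:-.}}"; mode="${2:-enforce}"
    for src in "$dir"/files/apparmor/*; do
        [ -f "$src" ] || continue
        load_profile "$(install_profile "$src")" "$mode"
    done
}
```

On a unit this would be sourced from the hook and called as `charm_install_profiles "$CHARM_DIR" complain` during profile development, checked with `profile_mode /usr/sbin/exampled`, and switched to `enforce` once the profile is complete. Forcing complain mode with `-C` keeps the shipped profile file unchanged, which matters for a charm that wants to upgrade the profile later without merging edits made by aa-complain on the unit.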

update charm-tools to generate AppArmor profile templates (?)
  - can we get this from the packages (like the metadata description)?

already part of charm review

augment juju debug logs to include AppArmor complaints (?)
  - helps generate profiles for charms
  - deploy the charm in learning (complain) mode

autodiscovery of complaints... put the profiles on all AMIs in EC2 in complain mode... mine the resulting logs
(anonymized somehow?)
this might even be useful outside the context of charms
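The log-mining idea above (deploy in complain mode, collect the complaints, derive rules from them), as an added example that is not from the blueprint or from juju: it pulls apparmor="ALLOWED" audit events, which is what complain mode logs for each access the profile would have denied, out of a kernel log and prints candidate file rules for one profile. The log lines are constructed and the profile /usr/sbin/exampled is hypothetical.

```shell
#!/bin/sh
# Added example (not from the blueprint or from juju): mine complain-mode
# AppArmor audit events out of a kernel log and turn the file accesses into
# candidate profile rules. Complain mode logs apparmor="ALLOWED" for each
# access the profile would have denied; enforce mode logs apparmor="DENIED".

# Constructed sample of kern.log lines for the hypothetical profile
# /usr/sbin/exampled; not real captured data.
sample_log() {
    cat <<'EOF'
Apr 21 10:00:01 host kernel: [  42.001] type=1400 audit(1335000001.100:20): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/exampled" name="/var/lib/exampled/state.db" pid=1234 comm="exampled" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Apr 21 10:00:01 host kernel: [  42.002] type=1400 audit(1335000001.200:21): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/exampled" name="/etc/exampled/main.conf" pid=1234 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 21 10:00:02 host kernel: [  42.003] type=1400 audit(1335000002.100:22): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/exampled" name="/etc/exampled/main.conf" pid=1234 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 21 10:00:03 host kernel: [  42.004] type=1400 audit(1335000003.100:23): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/exampled" pid=1234 comm="exampled" capability=10 capname="net_bind_service"
Apr 21 10:00:04 host kernel: [  42.005] type=1400 audit(1335000004.100:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/other" name="/etc/shadow" pid=2345 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# complain_events <logfile>: one tab-separated record per complain-mode
# event: profile, operation, name (empty for non-file ops), requested_mask.
# Each key="value" token is split at its first "=" so values may contain "=".
complain_events() {
    grep 'apparmor="ALLOWED"' "$1" | awk '{
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            f[k] = v
        }
        print f["profile"] "\t" f["operation"] "\t" f["name"] "\t" f["requested_mask"]
    }'
}

# suggest_rules <profile> <logfile>: candidate file rules for one profile,
# de-duplicated, in profile syntax. This is the crude version of what
# aa-logprof does interactively: it does not generalize paths into globs or
# map them onto abstractions, and capability/network events (no name=
# field) still have to be turned into rules by hand.
suggest_rules() {
    complain_events "$2" | awk -F'\t' -v p="$1" '
        $1 == p && $3 != "" { print "  " $3 " " $4 "," }' | sort -u
}
```

Run as `sample_log > /tmp/kern.log; suggest_rules /usr/sbin/exampled /tmp/kern.log` it prints `/etc/exampled/main.conf r,` and `/var/lib/exampled/state.db rw,`, the two file rules the sample complaints call for; the capability event is listed by `complain_events` but not turned into a rule, and the DENIED line from the other profile is ignored. A per-unit run of this in a hook, shipped back through the juju debug log, is the "augment debug logs" item above; doing it across many units is the mining idea, and it is the path names that would need anonymizing.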

What about strengthening the container itself, as we move to containers everywhere? (separate conversation)
The security team is working on getting AppArmor profile stacking working for LXC containers.

Two problems:
 - profiles for services within the containers
 - containers themselves
