fix: bake in AppArmor unconfined + schema validation for Docker-in-LXC

setup-guacamole-lxc.sh

@@ -42,14 +42,14 @@ echo "============================================"
 
 # --- Check if template exists ---
 if ! pveam list local | grep -q "debian-12-standard"; then
-    echo "[1/8] Downloading Debian 12 template..."
+    echo "[1/9] Downloading Debian 12 template..."
     pveam download local debian-12-standard_12.12-1_amd64.tar.zst
 else
-    echo "[1/8] Debian 12 template already available"
+    echo "[1/9] Debian 12 template already available"
 fi
 
-# --- Create the container ---
+# --- Create the container (don't start yet - need AppArmor fix first) ---
-echo "[2/8] Creating LXC container ${CT_ID}..."
+echo "[2/9] Creating LXC container ${CT_ID}..."
 pct create "${CT_ID}" "${CT_TEMPLATE}" \
     --hostname "${CT_NAME}" \
     --memory "${CT_MEMORY}" \
@@ -59,16 +59,23 @@ pct create "${CT_ID}" "${CT_TEMPLATE}" \
     --net0 "name=eth0,bridge=${BRIDGE},ip=${CT_IP},gw=${CT_GW},firewall=0" \
     --nameserver "10.0.0.224" \
     --onboot 1 \
-    --start 1 \
     --unprivileged 1 \
     --features "nesting=1,keyctl=1" \
     --startup "order=3,up=15"
 
-echo "[3/8] Waiting for container to start..."
+# --- Apply AppArmor fix for Docker-in-LXC ---
+echo "[3/9] Applying AppArmor fix for Docker compatibility..."
+CT_CONF="/etc/pve/lxc/${CT_ID}.conf"
+if ! grep -q "lxc.apparmor.profile" "${CT_CONF}" 2>/dev/null; then
+    echo "lxc.apparmor.profile: unconfined" >> "${CT_CONF}"
+fi
+pct start "${CT_ID}"
+
+echo "[4/9] Waiting for container to start..."
 sleep 5
 
 # --- Install Docker inside the container ---
-echo "[4/8] Installing Docker..."
+echo "[5/9] Installing Docker..."
 pct exec "${CT_ID}" -- bash -c '
     apt-get update -qq
     apt-get install -y -qq ca-certificates curl gnupg
@@ -83,7 +90,7 @@ pct exec "${CT_ID}" -- bash -c '
 '
 
 # --- Create Docker Compose config ---
-echo "[5/8] Creating Guacamole Docker Compose configuration..."
+echo "[6/9] Creating Guacamole Docker Compose configuration..."
 pct exec "${CT_ID}" -- bash -c "
     mkdir -p /opt/guacamole
     cat > /opt/guacamole/docker-compose.yml << DCEOF
@@ -137,26 +144,35 @@ DCEOF
 "
 
 # --- Generate the database init script ---
-echo "[6/8] Generating database initialisation schema..."
+echo "[7/9] Generating database initialisation schema..."
 pct exec "${CT_ID}" -- bash -c '
     mkdir -p /opt/guacamole/initdb
     docker pull guacamole/guacamole:latest -q
-    docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > /opt/guacamole/initdb/001-init.sql
+    docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql \
-    echo "Database schema extracted successfully"
+        > /opt/guacamole/initdb/001-init.sql 2>/dev/null
+
+    # Validate the schema was generated properly
+    SCHEMA_SIZE=$(wc -c < /opt/guacamole/initdb/001-init.sql)
+    if [ "${SCHEMA_SIZE}" -lt 1000 ]; then
+        echo "ERROR: Schema generation failed (${SCHEMA_SIZE} bytes)"
+        echo "Check that AppArmor fix was applied correctly"
+        exit 1
+    fi
+    echo "Schema generated successfully (${SCHEMA_SIZE} bytes)"
 '
 
 # --- Start the stack ---
-echo "[7/8] Starting Guacamole stack..."
+echo "[8/9] Starting Guacamole stack..."
 pct exec "${CT_ID}" -- bash -c '
     cd /opt/guacamole
     docker compose up -d
     echo "Waiting for services to initialise..."
-    sleep 15
+    sleep 20
     docker compose ps
 '
 
 # --- Create systemd service for auto-start ---
-echo "[8/8] Creating systemd service for auto-start..."
+echo "[9/9] Creating systemd service for auto-start..."
 pct exec "${CT_ID}" -- bash -c '
     cat > /etc/systemd/system/guacamole.service << "SVCEOF"
 [Unit]