For Ubuntu, installing the NSX-T CNI plug-in will copy the AppArmor profile file ncp-apparmor to /etc/apparmor.d and load it. Before the install, the AppArmor service must be running and the directory /etc/apparmor.d must exist. Otherwise, the install will fail. You can check whether the AppArmor module is enabled with the following command:

    sudo cat /sys/module/apparmor/parameters/enabled

You can check whether the AppArmor service is started with the following command:

    sudo /etc/init.d/apparmor status

If the AppArmor service is not running when you install the NSX-T CNI plug-in, the install will display the following message when it finishes:

    subprocess installed post-installation script returned error exit status 1

The message indicates that all the installation steps completed except the loading of the AppArmor profile.

The ncp-apparmor profile file provides an AppArmor profile for NSX node agent called node-agent-apparmor, which differs from the docker-default profile in the following ways:

• The deny mount rule is removed.

• The mount rule is added.

• Some network, capability, file, and umount options are added.

You can replace the node-agent-apparmor profile with a different profile. However, the profile name node-agent-apparmor is referenced in the file nsx-node-agent-ds.yml, which is used in the installation of NSX node agent. If you use a different profile, you must specify the profile name in nsx-node-agent-ds.yml, under the section spec:template:metadata:annotations, in the following entry:

    container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>