support nesting #219

Open
tych0 opened this issue Nov 16, 2021 · 1 comment


tych0 commented Nov 16, 2021

diff --git a/container.go b/container.go
index 99840cc..037e319 100644
--- a/container.go
+++ b/container.go
@@ -163,11 +163,7 @@ func NewContainer(sc types.StackerConfig, storage types.Storage, name string) (*
 	// it. of course, we can't check for it by catting the value in
 	// securityfs, because that's restricted :). so we fork and try to
 	// change to the profile in question instead.
-	//
-	// note that this is not strictly correct: lxc will try to use a
-	// non-cgns profile if cgns isn't supported by the kernel, but most
-	// kernels these days support it so we ignore this case.
-	lxcDefaultProfile := "lxc-container-default-cgns"
+	lxcDefaultProfile := "lxc-container-default-with-mounting"
 	err = runInternalGoSubcommand(sc, []string{"check-aa-profile", lxcDefaultProfile})
 	if err != nil {
 		log.Infof("couldn't find AppArmor profile %s", lxcDefaultProfile)
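
Review bot: the assignment `lxcDefaultProfile := "lxc-container-default-with-mounting"` changes the profile for every call to NewContainer, not only for nested builds, and the deleted comment was the only text explaining how the profile name is chosen. Judging by its name the new profile allows mounting, which is a looser confinement than the cgns default. I would keep `lxc-container-default-cgns` as the default, select the with-mounting profile only when nesting is actually needed, and add a comment that says why and keeps the cgns/kernel caveat.
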
diff --git a/test/basic.bats b/test/basic.bats
index 65f5044..0c5f94b 100644
--- a/test/basic.bats
+++ b/test/basic.bats
@@ -151,3 +151,27 @@ EOF
     umoci unpack --image oci:centos dest
     [ -f dest/rootfs/foo ]
 }
+
+@test "nested stacker works" {
+    cat > stacker.yaml <<EOF
+centos:
+    from:
+        type: oci
+        url: $CENTOS_OCI
+    import:
+        - ../../stacker
+    binds: ../centos -> /centos
+    run: |
+        cat > stacker.yaml <<EOF
+        centos:
+            from:
+                type: oci
+                url: /centos:latest
+            run: |
+                echo hello world
+        EOF
+        /stacker/stacker build
+        echo $output | grep hello world
+EOF
+        stacker build
+}
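
Review bot: the last line of the inner `run:` script, `echo $output | grep hello world`, cannot verify anything. The outer heredoc is unquoted (`<<EOF`), so `$output` is expanded by the bats shell while stacker.yaml is being written, and `grep hello world` searches for `hello` in a file named `world` instead of reading the pipe. The test then ends on `stacker build` with no assertion after it. Suggest quoting the pattern (`grep "hello world"`), escaping `$output` or replacing it with output captured from `/stacker/stacker build` inside the script, and asserting on the result of the outer build.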

hangs for me. there are other reports of continued EACCES issues when we nest even when we don't have a hang.

it would be nice to fix nesting support and add a test case for it.


tych0 commented Nov 16, 2021

FWIW, there are some errors in the patch above. this one reproduces the EPERM:

diff --git a/container.go b/container.go
index 99840cc..037e319 100644
--- a/container.go
+++ b/container.go
@@ -163,11 +163,7 @@ func NewContainer(sc types.StackerConfig, storage types.Storage, name string) (*
 	// it. of course, we can't check for it by catting the value in
 	// securityfs, because that's restricted :). so we fork and try to
 	// change to the profile in question instead.
-	//
-	// note that this is not strictly correct: lxc will try to use a
-	// non-cgns profile if cgns isn't supported by the kernel, but most
-	// kernels these days support it so we ignore this case.
-	lxcDefaultProfile := "lxc-container-default-cgns"
+	lxcDefaultProfile := "lxc-container-default-with-mounting"
 	err = runInternalGoSubcommand(sc, []string{"check-aa-profile", lxcDefaultProfile})
 	if err != nil {
 		log.Infof("couldn't find AppArmor profile %s", lxcDefaultProfile)
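
Review bot: the error branch after `check-aa-profile` still only logs at Info level that the profile was not found, and with the name changed a host that ships only `lxc-container-default-cgns` now lands in that branch. The rest of the branch is not visible in this hunk, so please confirm what confinement the container ends up with there, and consider probing the cgns profile as a second candidate before giving up on the AppArmor profile.
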
diff --git a/test/basic.bats b/test/basic.bats
index 65f5044..334da72 100644
--- a/test/basic.bats
+++ b/test/basic.bats
@@ -151,3 +151,27 @@ EOF
     umoci unpack --image oci:centos dest
     [ -f dest/rootfs/foo ]
 }
+
+@test "nested stacker works" {
+    cat > stacker.yaml <<EOF
+centos:
+    from:
+        type: oci
+        url: $CENTOS_OCI
+    import:
+        - ../stacker
+    binds: ../test/centos -> /centos
+    run: |
+        cat > stacker.yaml <<EOF
+        centos:
+            from:
+                type: oci
+                url: /centos:latest
+            run: |
+                echo hello world
+        EOF
+        /stacker/stacker build
+        echo $output | grep hello world
+EOF
+        stacker build
+}
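
Review bot: `- ../stacker` under `import:` and `binds: ../test/centos -> /centos` are relative paths that resolve only when the test runs from one particular working directory, and they already differ from the previous version of this patch. Suggest building both from a variable provided by the test setup, the way `url: $CENTOS_OCI` does, so the test cannot fail on path lookup before it reaches the nesting behaviour it is meant to cover.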
