From 6da53a898f6b192701078d977c313ad1e4dad0a5 Mon Sep 17 00:00:00 2001
From: Stavros Kois
Date: Mon, 6 Apr 2026 16:56:29 +0300
Subject: [PATCH 1/2] zerobyte: disable apparmor when mount fuse is enabled
---
 ix-dev/community/zerobyte/app.yaml | 2 +-
 ix-dev/community/zerobyte/templates/docker-compose.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ix-dev/community/zerobyte/app.yaml b/ix-dev/community/zerobyte/app.yaml
index a2120cfedb3..c77336dc299 100644
--- a/ix-dev/community/zerobyte/app.yaml
+++ b/ix-dev/community/zerobyte/app.yaml
@@ -32,4 +32,4 @@ sources:
 - https://github.com/nicotsx/zerobyte
 title: Zerobyte
 train: community
-version: 1.1.16
+version: 1.1.17
diff --git a/ix-dev/community/zerobyte/templates/docker-compose.yaml b/ix-dev/community/zerobyte/templates/docker-compose.yaml
index 17749ca0738..2060fb526fe 100644
--- a/ix-dev/community/zerobyte/templates/docker-compose.yaml
+++ b/ix-dev/community/zerobyte/templates/docker-compose.yaml
@@ -12,6 +12,7 @@
 {% endif %}
 {% do c1.add_caps(["SYS_ADMIN"]) %}
 {% do c1.devices.add_device("/dev/fuse", "/dev/fuse") %}
+ {% do c1.add_security_opt("apparmor", "unconfined") %}
 {% endif %}
 {% do c1.healthcheck.set_test("wget", {"port": values.consts.internal_web_port, "path": "/api/healthcheck"}) %}
From 813907a77ef1f497196518850839eec230beb245 Mon Sep 17 00:00:00 2001
From: Stavros Kois
Date: Mon, 6 Apr 2026 17:07:57 +0300
Subject: [PATCH 2/2] update docs
---
 ix-dev/community/zerobyte/questions.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ix-dev/community/zerobyte/questions.yaml b/ix-dev/community/zerobyte/questions.yaml
index b5042ce027c..80b76129bb8 100644
--- a/ix-dev/community/zerobyte/questions.yaml
+++ b/ix-dev/community/zerobyte/questions.yaml
@@ -51,7 +51,7 @@ questions:
 - variable: mount_fuse
 label: Mount FUSE / Add SYS_ADMIN Capability
 description: |
- Mount the FUSE device inside the container and add the SYS_ADMIN capability.
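Review bot: In templates/docker-compose.yaml the added `c1.add_security_opt("apparmor", "unconfined")` removes AppArmor confinement altogether for a container that already gets `SYS_ADMIN` and `/dev/fuse`, and neither the template nor the commit message records why that is needed. Docker's default AppArmor profile denies mount operations, which is presumably the reason; a comment beside the line would keep the next maintainer from widening or copying it blindly, e.g. `{# docker-default AppArmor profile denies mount, so FUSE mounts fail even with SYS_ADMIN; unconfined only while mount_fuse is enabled #}`. The opening `{% if %}` lies outside the hunk, so that the option is gated on the FUSE toggle alone is inferred from the `{% endif %}` that follows. It is worth confirming that the toggle defaults to off and that the remaining hardening on `c1` (seccomp, no-new-privileges) is left in place when it is on.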
+ Mount the FUSE device inside the container, adds the SYS_ADMIN capability and sets apparmor to unconfined.
This is required for mounting remote backends like SMB, NFS, rclone, etc.
WARNING: This will give the container very high privileges on the host system,
including the potential to interact with or damage ZFS pools and datasets.
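Review bot: The `label` two lines above the changed description still reads `Mount FUSE / Add SYS_ADMIN Capability`, so the one-line summary an operator sees does not mention that AppArmor confinement is removed as well; something like `label: Mount FUSE / Add SYS_ADMIN / Disable AppArmor` would match what the toggle now does. The new sentence also mixes verb forms (`Mount …, adds … and sets …`); `Mounts the FUSE device inside the container, adds the SYS_ADMIN capability and sets the AppArmor profile to unconfined.` reads consistently. The description block continues past the end of the hunk.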
@@ -239,7 +239,8 @@ questions:
 "null": true
 - variable: priority
 label: Priority (Optional)
- description: Indicates in which order Compose connects the service's containers to its networks.
+ description: Indicates in which order Compose connects the service's containers
+ to its networks.
 schema:
 type: int
 "null": true