Update readme for apparmor

Change-Id: I4afe123e8543441a9fee805dea1426ddd19a9416

README.md

@@ -64,6 +64,21 @@ Please refer to the [Ceph Network Reference](http://docs.ceph.com/docs/master/ra
 
 **NOTE**: Existing deployments using ceph-*-network configuration options will continue to function; these options are preferred over any network space binding provided if set.
 
+AppArmor Profiles
+=================
+
+AppArmor is not enforced for Ceph by default.  An AppArmor profile can be generated by the charm.  However, great care must be taken.
+
+Changing the value of the ```aa-profile-mode``` option is disruptive to a running Ceph cluster as all ceph-osd processes must be restarted as part of changing the AppArmor profile enforcement mode.
+
+The generated AppArmor profile currently has a narrow supported use case, and it should always be verified in pre-production against the specific configurations and topologies intended for production.
+
+The AppArmor profile(s) which are generated by the charm should NOT yet be used in the following scenarios:
+  - When there are separate journal devices.
+  - On any version of Ceph prior to Luminous.
+  - On any version of Ubuntu other than 16.04.
+  - With Bluestore enabled.
+
 
 Contact Information
 ===================

config.yaml

@@ -299,4 +299,5 @@ options:
       .
       NOTE: changing the value of this option is disruptive to a running Ceph
       cluster as all ceph-osd processes must be restarted as part of changing
-      the apparmor profile enforcement mode.
+      the apparmor profile enforcement mode.  Always test in pre-production
+      before enabling AppArmor on a live cluster.