certain kernel namespaces are compiled in. Libvirt currently requires
the 'mount', 'ipc', 'pid', and 'uts' namespaces to be available. If
separate network interfaces are desired, then the 'net' namespace is
-required. In the near future, the 'user' namespace will optionally be
-supported.
-</p>
-
-<p>
-<strong>NOTE: In the absence of support for the 'user' namespace,
-processes inside containers cannot be securely isolated from host
-process without the use of a mandatory access control technology
-such as SELinux or AppArmor.</strong>
+required. If the guest configuration declares a
+<a href="formatdomain.html#elementsOSContainer">UID or GID mapping</a>,
+the 'user' namespace will be enabled to apply these. <strong>A suitably
+configured UID/GID mapping is a pre-requisite to making containers
+secure, in the absence of sVirt confinement.</strong>
</p>
<h2><a name="init">Default container setup</a></h2>
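Review bot: the new link target `formatdomain.html#elementsOSContainer` only resolves if the anchor typo fix (`eleemntsOSContainer` to `elementsOSContainer`) in the other hunk lands in the same change; please make sure both are committed together or the link will 404 on the rendered docs. Also, the replaced text drops the explicit statement that without the 'user' namespace container processes are not securely isolated from the host; the new wording says a UID/GID mapping is a pre-requisite "in the absence of sVirt confinement" but never says what happens when no mapping is declared. Suggest adding one sentence, e.g. "Without a UID/GID mapping the 'user' namespace is not used and the container root user is the host root user", so the security implication of omitting the mapping stays as clear as it was in the old NOTE. Minor: "pre-requisite" is normally written "prerequisite".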
<span class="since">Since 1.0.4</span></dd>
</dl>
- <h4><a name="eleemntsOSContainer">Container boot</a></h4>
+ <h4><a name="elementsOSContainer">Container boot</a></h4>
<p>
When booting a domain using container based virtualization, instead
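Review bot: renaming the anchor from `eleemntsOSContainer` to `elementsOSContainer` is the right fix, but it silently breaks any existing inbound link or bookmark to the old misspelled fragment; please grep the docs tree for `eleemntsOSContainer` and update every reference (the drvlxc.html hunk in this same patch already uses the corrected name, so it depends on this rename being applied).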