Added documentation on unprivileged LXC containers

Co-developed-by: Jake Chacko <chackoj1204@gmail.com>
Co-developed-by: Rahik Sikder <sikder.rahik@gmail.com>
Signed-off-by: Jake Chacko <chackoj1204@gmail.com>

diff --git a/doc/lxc.sgml.in b/doc/lxc.sgml.in
index f4c5848ff3129052fccb8d2f5a9c243564711af1..4505db806c2d7ccbcc086fbb12237455be9dd105 100644 (file)
--- a/doc/lxc.sgml.in
+++ b/doc/lxc.sgml.in
@@ -206,6 +206,21 @@ rootfs
       </para>
     </refsect2>
 
+    <refsect2>
+      <title>Unprivileged containers</title>
+      <para>
+        Unprivileged LXC containers run without root host-level privileges in a 
+        user namespace, mapping container UID 0 to a non-root host ID, which 
+        strictly limits the accessible devices and filesystems of the 
+        container. In order to mount a rootfs in an unprivileged container, the 
+        mapped host user must have execute permissions for all directories 
+        along the path to and including the rootfs. Additionally, all files and 
+        directories under the rootfs must be owned by the correct user ID and 
+        group ID. The correct user ID and group ID are the host IDs mapped to 
+        the container root(UID 0) in lxc.idmap.
+      </para>
+    </refsect2>
+
     <refsect2>
       <title>Creating / Destroying containers</title>
       <para>