From: Jake Chacko <chackoj1204@gmail.com>
Date: Tue, 2 Dec 2025 02:47:53 +0000 (-0600)
Subject: Added documentation on unprivileged LXC containers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f085a8cbd16ea20279220858887a9df9c4a9fc33;p=thirdparty%2Flxc.git

Added documentation on unprivileged LXC containers

Co-developed-by: Jake Chacko <chackoj1204@gmail.com>
Co-developed-by: Rahik Sikder <sikder.rahik@gmail.com>
Signed-off-by: Jake Chacko <chackoj1204@gmail.com>
---

diff --git a/doc/lxc.sgml.in b/doc/lxc.sgml.in
index f4c5848ff..4505db806 100644
--- a/doc/lxc.sgml.in
+++ b/doc/lxc.sgml.in
@@ -206,6 +206,21 @@ rootfs
       </para>
     </refsect2>
 
+    <refsect2>
+      <title>Unprivileged containers</title>
+      <para>
+        Unprivileged LXC containers run without root host-level privileges in a 
+        user namespace, mapping container UID 0 to a non-root host ID, which 
+        strictly limits the accessible devices and filesystems of the 
+        container. In order to mount a rootfs in an unprivileged container, the 
+        mapped host user must have execute permissions for all directories 
+        along the path to and including the rootfs. Additionally, all files and 
+        directories under the rootfs must be owned by the correct user ID and 
+        group ID. The correct user ID and group ID are the host IDs mapped to 
+        the container root(UID 0) in lxc.idmap.
+      </para>
+    </refsect2>
+
     <refsect2>
       <title>Creating / Destroying containers</title>
       <para>