From 8982c0fd5e1db818803e8c9cdee588a8a13d8fd2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>
Date: Tue, 15 Jul 2014 21:32:46 -0400
Subject: [PATCH] doc: Mention that veth.pair is ignored for unpriv
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

veth.pair is ignore for unprivileged containers as allowing an
unprivileged user to set a specific device name would allow them to
trigger actions in tools like NetworkManager or other uevent based
handlers that may react based on specific names or prefixes being used.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
---
 doc/lxc.container.conf.sgml.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 2050d7c46..4f8e4e9ec 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -259,7 +259,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 	      by <command>lxc</command>, but if you wish to handle
 	      this name yourself, you can tell <command>lxc</command>
 	      to set a specific name with
-	      the <option>lxc.network.veth.pair</option> option.
+	      the <option>lxc.network.veth.pair</option> option (except for
+	      unprivileged containers where this option is ignored for security
+	      reasons).
 	    </para>
 
 	    <para>
-- 
2.47.2