From f085a8cbd16ea20279220858887a9df9c4a9fc33 Mon Sep 17 00:00:00 2001 From: Jake Chacko Date: Mon, 1 Dec 2025 20:47:53 -0600 Subject: [PATCH] Added documentation on unprivileged LXC containers Co-developed-by: Jake Chacko Co-developed-by: Rahik Sikder Signed-off-by: Jake Chacko --- doc/lxc.sgml.in | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/lxc.sgml.in b/doc/lxc.sgml.in index f4c5848ff..4505db806 100644 --- a/doc/lxc.sgml.in +++ b/doc/lxc.sgml.in @@ -206,6 +206,21 @@ rootfs + + Unprivileged containers + + Unprivileged LXC containers run without root host-level privileges in a + user namespace, mapping container UID 0 to a non-root host ID, which + strictly limits the accessible devices and filesystems of the + container. In order to mount a rootfs in an unprivileged container, the + mapped host user must have execute permissions for all directories + along the path to and including the rootfs. Additionally, all files and + directories under the rootfs must be owned by the correct user ID and + group ID. The correct user ID and group ID are the host IDs mapped to + the container root(UID 0) in lxc.idmap. + + + Creating / Destroying containers -- 2.47.3
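Review bot: The last two sentences of the added paragraph say all files under the rootfs must be owned by the host IDs mapped to container root (UID 0), but that only holds for files root owns inside the container. A file owned by any other container user or group needs the host ID that lxc.idmap maps that container ID to. For example, with a constructed map of "u 0 100000 65536", container UID 33 must be host UID 100033, not 100000. Suggest wording such as "each file and directory under the rootfs must be owned by the host UID and GID that lxc.idmap maps its container owner to". Smaller points in the same paragraph: "root(UID 0)" is missing a space, "root host-level privileges" reads more clearly as "host root privileges", and "execute permissions" on directories could be stated as search (x) permission so readers do not assume read access is required. In the trailers, "Co-developed-by: Jake Chacko" repeats the patch author, and Rahik Sikder is listed as Co-developed-by without a matching Signed-off-by.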