man: Document the interaction between --systemd and --privileged

Users need to know about this side effect. Fixes: 5a2405a ("Don't mount /dev/tty* inside privileged...") Fixes: f4c81b0 ("Only prevent VTs to be mounted inside ...") Signed-off-by: Martin Roukala (né Peres) <[email protected]>
containers · Jan 16, 2023 · 8db2b4b · 8db2b4b
1 parent 70057c8
commit 8db2b4b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/docs/source/markdown/options/privileged.md b/docs/source/markdown/options/privileged.md
@@ -9,7 +9,9 @@ Give extended privileges to this container. The default is **false**.
 By default, Podman containers are unprivileged (**=false**) and cannot, for
 example, modify parts of the operating system. This is because by default a
 container is only allowed limited access to devices. A "privileged" container
-is given the same access to devices as the user launching the container.
+is given the same access to devices as the user launching the container, with
+the exception of virtual consoles (_/dev/tty\d+_) when running in systemd
+mode (**--systemd=always**).
 
 A privileged container turns off the security features that isolate the
 container from the host. Dropped Capabilities, limited devices, read-only mount

diff --git a/docs/source/markdown/options/systemd.md b/docs/source/markdown/options/systemd.md
@@ -24,6 +24,7 @@ Running the container in systemd mode causes the following changes:
 * Podman sets the default stop signal to **SIGRTMIN+3**.
 * Podman sets **container_uuid** environment variable in the container to the
 first 32 characters of the container id.
+* Podman will not mount virtual consoles (_/dev/tty\d+_) when running with **--privileged**.
 
 This allows systemd to run in a confined container without any modifications.