From 994a6364d2dfcf5fa11ec26e81752fbe842428aa Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 16 Nov 2017 18:05:42 +0100 Subject: [PATCH] man: document how nspawn's --bind= and --private-users interact Fixes: #5900 --- man/systemd-nspawn.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 98ce1529de..1ef6567e48 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -806,7 +806,13 @@ are allowed, controlling whether to create a recursive or a regular bind mount. Defaults to "rbind". Backslash escapes are interpreted, so \: may be used to embed colons in either path. This option may be specified multiple times for creating multiple independent bind - mount points. The option creates read-only bind mounts. + mount points. The option creates read-only bind mounts. + + Note that when this option is used in combination with , the resulting + mount points will be owned by the nobody user. That's because the mount and its files and + directories continue to be owned by the relevant host users and groups, which do not exist in the container, + and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to + make them read-only, using .
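Review bot: in the added paragraph, the two option references are missing from the text as it appears here ("when this option is used in combination with ," and "make them read-only, using ."), so the sentences are incomplete; the DocBook `<option>` elements were most likely dropped when the diff was rendered, but it is worth confirming that the committed XML does name the options the subject line implies, i.e. `--private-users=` for the first and the read-only variant of `--bind=` for the second, since the recommendation is unusable without them. Also consider replacing "wildcard UID 65534 (nobody)" with the kernel's own term, the overflow UID (the `kernel.overflowuid` sysctl), and noting that the "nobody" name is only what most distributions map 65534 to in `/etc/passwd`; that makes the ownership explanation precise and avoids implying a special-purpose wildcard mechanism. The rest of the hunk (the unchanged context and the single-line replacement) looks fine.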