author: Christian Brauner <brauner@kernel.org> 2022-01-27 10:39:47 +0100
committer: Luca Boccassi <luca.boccassi@gmail.com> 2022-01-27 10:15:56 +0000
commit: 7e7a9f9c8b7b237047a5e0837da72efc21022b5a
tree: 7860895e936a4af6b91b7881277776102133ad6f /NEWS
parent: a21440f6d6518feefc09492df74389ef630b16c9
NEWS: mention temporary limitations for running containers in systemd-homed directories
Diffstat (limited to 'NEWS')
 NEWS | 13 +++++++++++++
 1 file changed, 13 insertions(+), 0 deletions(-)
diff --git a/NEWS b/NEWS
index 33bdbfe0a4..606b4714c1 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,19 @@ CHANGES WITH 251:
* Services with Restart=always and a failing ExecCondition= will no longer
be restarted, to bring ExecCondition= in line with Condition*= settings.
+ * In v250 systemd-homed started making use of UID mapped mounts for the
+ home areas if the kernel and used file system support it. Files are
+ now internally owned by the "nobody" user (i.e. the user typically
+ used for indicating "this ownership is not mapped"), and dynamically
+ mapped to the UID used locally on the system via the UID mapping
+ mount logic of recent kernels.
+ In the current implementation systemd-homed only maps a limited
+ number of UIDs and GIDs making it impossible to run unprivileged
+ containers that want to map a full POSIX compliant UID and GID range
+ with their rootfs located within the systemd-homed managed home area.
+ This will be fixed in subsequent releases. See
+ https://github.com/systemd/systemd/pull/22239 for a proposal.
+
CHANGES WITH 250:
* Support for encrypted and authenticated credentials has been added.
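Review bot: the terminology in this entry drifts from the kernel's own name for the mechanism and from the entry's second paragraph: the lines `In v250 systemd-homed started making use of UID mapped mounts for the` and `mount logic of recent kernels.` speak of "UID mapped mounts" and "UID mapping mount logic", while the following paragraph correctly says that both UIDs and GIDs are mapped; use "ID-mapped mounts" throughout. The limitation paragraph should also state which UID/GID range systemd-homed actually maps instead of "a limited number of UIDs and GIDs", so an administrator can tell from the release notes whether their container configuration is affected, and the "nobody" sentence could say plainly that this is what an unmapped view of the home area (the backing file system inspected without the mount) will show, since that is the user-visible consequence of the change. Minor wording: "if the kernel and used file system support it" reads better as "if the kernel and the file system in use support it".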