From a11ee6f721c6437072f06b620806777e553c696e Mon Sep 17 00:00:00 2001
From: Ruth Fuchss <ruth.fuchss@canonical.com>
Date: Wed, 7 Feb 2024 17:50:02 +0100
Subject: [PATCH] doc: additional options recommended for running Docker

Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com>
---
 doc/.wordlist.txt           | 2 +-
 doc/faq.md                  | 5 ++++-
 doc/syscall-interception.md | 6 ++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/doc/.wordlist.txt b/doc/.wordlist.txt
index 5349045b2298..22d2c8d1ba69 100644
--- a/doc/.wordlist.txt
+++ b/doc/.wordlist.txt
@@ -168,7 +168,7 @@ OpenSUSE
 OSD
 overcommit
 overcommitting
-overlayfs
+OverlayFS
 OVMF
 OVN
 OVS
diff --git a/doc/faq.md b/doc/faq.md
index 8e723b4dc043..59466e35056b 100644
--- a/doc/faq.md
+++ b/doc/faq.md
@@ -57,10 +57,13 @@ But that's also the cause of most of the security issues with such privileged co
 ```{youtube} https://www.youtube.com/watch?v=_fCSSEyiGro
 ```
 
-To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` property of the container to `true`:
+To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` option of the container to `true`:
 
     lxc config set <container> security.nesting true
 
+If you plan to use the OverlayFS storage driver in Docker, you should also set the {config:option}`instance-security:security.syscalls.intercept.mknod` and {config:option}`instance-security:security.syscalls.intercept.setxattr` options to `true`.
+See [`mknod` / `mknodat`](syscall-mknod) and [`setxattr`](syscall-setxattr) for more information.
+
 Note that LXD containers cannot load kernel modules, so depending on your Docker configuration, you might need to have extra kernel modules loaded by the host.
 You can do so by setting a comma-separated list of kernel modules that your container needs:
 
diff --git a/doc/syscall-interception.md b/doc/syscall-interception.md
index 352dbfaf8a1b..2a7c3aa189ba 100644
--- a/doc/syscall-interception.md
+++ b/doc/syscall-interception.md
@@ -13,6 +13,7 @@ per-container basis through container configuration options.
 
 ## Available system calls
 
+(syscall-mknod)=
 ### `mknod` / `mknodat`
 
 The `mknod` and `mknodat` system calls can be used to create a variety of special files.
@@ -28,7 +29,7 @@ inside an unprivileged containers.
 
 The devices which are currently allowed are:
 
-- overlayfs whiteout (char 0:0)
+- OverlayFS whiteout (char 0:0)
 - `/dev/console` (char 5:1)
 - `/dev/full` (char 1:7)
 - `/dev/null` (char 1:3)
@@ -102,13 +103,14 @@ considered to be flawed and can significantly impact overall system
 stability. This is why under normal conditions, only the real root user
 (or global `CAP_SYS_NICE`) would allow its use.
 
+(syscall-setxattr)=
 ### `setxattr`
 
 The `setxattr` system call is used to set extended attributes on files.
 
 The attributes which are handled by this currently are:
 
-- `trusted.overlay.opaque` (overlayfs directory whiteout)
+- `trusted.overlay.opaque` (OverlayFS directory whiteout)
 
 Note that because the mediation must happen on a number of character
 strings, there is no easy way at present to only intercept the few