document CAP_SYS_ADMIN required for systemd PrivateNetwork

Signed-off-by: James Cassell <code@james.cassell.me>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

1 files changed, 1 insertions, 1 deletions

diff --git a/rootless.md b/rootless.md
index e6f17a370..f94815606 100644
--- a/rootless.md
+++ b/rootless.md
@@ -17,7 +17,7 @@ can easily fail
   * As of Fedora 31 defaults to cgroup V2, which has full support of rootless cgroup management.  Note this requires the --cgroup-manager within rootless containers to use systemd, which new containers will get by default.
 * Some system unit configuration options do not work in the rootless container
   * systemd fails to apply several options and failures are silently ignored (e.g. CPUShares, MemoryLimit). Should work on cgroup V2.
-  * Use of certain options will cause service startup failures (e.g. PrivateNetwork).
+  * Use of certain options will cause service startup failures (e.g. PrivateNetwork).  The systemd services requiring `PrivateNetwork` can be made to work by passing `--cap-add SYS_ADMIN`, but the security implications should be carefully evaluated.  In most cases, it's better to create an override.conf drop-in that sets `PrivateNetwork=no`.  This also applies to containers run by root.
 * Can not share container images with CRI-O or other rootfull users
 * Difficult to use additional stores for sharing content
 * Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html))