author: Luke Shumaker <lukeshu@lukeshu.com> 2017-05-20 20:13:09 -0400
committer: Luke Shumaker <lukeshu@lukeshu.com> 2017-05-20 21:57:25 -0400
commit: 47f6145c47fb9588cc562beb4cb9300f41e5c719 (patch)
tree: b342047dc6ed51c62e4e13f7826efa60ce073ba2
parent: 050b78e0e024570fdfe27b869fafbca27a22f289 (diff)
systemd-nspawn: Improve documentation.
The `--help` text lies about what the `-U` flag does, and under-documents the `--private-users` values. Fix that. The man page is a bit vague about the `--keep-unit` option. Don't entirely fix it, but at least clarify the mechanics a bit.
-rw-r--r-- src/systemd-nspawn/nspawn.c | 8
-rw-r--r-- src/systemd-nspawn/systemd-nspawn.xml | 7
2 files changed, 11 insertions, 4 deletions
diff --git a/src/systemd-nspawn/nspawn.c b/src/systemd-nspawn/nspawn.c
index 25376d0b28..5f5e21c0f4 100644
--- a/src/systemd-nspawn/nspawn.c
+++ b/src/systemd-nspawn/nspawn.c
@@ -217,9 +217,13 @@ static void help(void) {
" --uuid=UUID Set a specific machine UUID for the container\n"
" -S --slice=SLICE Place the container in the specified slice\n"
" --property=NAME=VALUE Set scope unit property\n"
- " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
- " --private-users[=UIDBASE[:NUIDS]]\n"
+ " --private-users[=yes] Run within user namespace, detect UID/GID range\n"
+ " --private-users=UIDBASE[:NUIDS]\n"
" Similar, but with user configured UID/GID range\n"
+ " --private-users=pick Similar, but autoselect an unused UID/GID range,\n"
+ " implies --private-users-chown"
+ " -U If the kernel supports the user namespaces feature,\n"
+ " equivalent to --private-users=pick; otherwise ignored\n"
" --private-users-chown Adjust OS tree ownership to private UID/GID range\n"
" --private-network Disable network in container\n"
" --network-interface=INTERFACE\n"
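Review bot: the added line `" implies --private-users-chown"` has no trailing `\n`, so C adjacent-literal concatenation will glue it to the following `" -U ..."` entry and `--help` will print the two on a single line; change it to `" implies --private-users-chown\n"` so the `-U` entry starts on its own line like the rest of the table.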
diff --git a/src/systemd-nspawn/systemd-nspawn.xml b/src/systemd-nspawn/systemd-nspawn.xml
index c449edee89..0019f948b1 100644
--- a/src/systemd-nspawn/systemd-nspawn.xml
+++ b/src/systemd-nspawn/systemd-nspawn.xml
@@ -881,8 +881,11 @@
<command>systemd-nspawn</command> is invoked from within a
service unit, and the service unit's sole purpose is to run a
single <command>systemd-nspawn</command> container. This
- option is not available if run from a user
- session.</para></listitem>
+ option is not available if run from a user session. If using
+ the cgroup v2 unified hierarchy, this assumes that
+ <command>systemd-nspawn</command> has the control group all to
+ itself; that it is the only process in the
+ group.</para></listitem>
</varlistentry>
<varlistentry>
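Review bot: the added sentence states the cgroup v2 assumption but not what happens when it does not hold, so a reader still cannot tell whether `--keep-unit` fails, misbehaves, or silently affects other processes in the group; the commit message itself calls this a partial fix, so at minimum say that the behaviour is undefined or refer to the section that covers it. Also, "all to itself; that it is the only process in the group" reads awkwardly with the semicolon; "all to itself, i.e. that it is the only process in the group" is clearer.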