Diffstat (limited to 'man')
-rw-r--r--man/machinectl.xml34
-rw-r--r--man/systemd-nspawn.xml7
2 files changed, 24 insertions, 17 deletions
diff --git a/man/machinectl.xml b/man/machinectl.xml
index 38cf919a78..7a159aecdc 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -518,19 +518,14 @@
<varlistentry>
<term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
- <listitem><para>Bind mounts a directory from the host into the
- specified container. The first directory argument is the
- source directory on the host, the second directory argument
- is the destination directory in the container. When the
- latter is omitted, the destination path in the container is
- the same as the source path on the host. When combined with
- the <option>--read-only</option> switch, a ready-only bind
- mount is created. When combined with the
- <option>--mkdir</option> switch, the destination path is first
- created before the mount is applied. Note that this option is
- currently only supported for
- <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- containers.</para></listitem>
+ <listitem><para>Bind mounts a directory from the host into the specified container. The first directory
+ argument is the source directory on the host, the second directory argument is the destination directory in the
+ container. When the latter is omitted, the destination path in the container is the same as the source path on
+ the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When
+ combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is
+ applied. Note that this option is currently only supported for
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
+ and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>
</varlistentry>
<varlistentry>
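Review bot: the reflowed paragraph carries over the typo "ready-only" (line reading "a ready-only bind mount is created"); since the text is being rewritten anyway, change it to "a read-only bind mount is created". The newly added restriction "and only if user namespacing (<option>--private-users</option>) is not used" is the substantive part of this hunk and is worth stating more explicitly: `--private-users` is a systemd-nspawn switch, not a machinectl one, so consider phrasing it as "containers that were started without <option>--private-users</option>", so readers do not look for the option in machinectl itself.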
@@ -540,9 +535,12 @@
system into a running container. Takes a container name,
followed by the source path on the host and the destination
path in the container. If the destination path is omitted, the
- same as the source path is used.</para></listitem>
- </varlistentry>
+ same as the source path is used.</para>
+ <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
+ group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
+ user and group (UID/GID 0).</para></listitem>
+ </varlistentry>
<varlistentry>
<term><command>copy-from</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
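Review bot: the new paragraph says that without a shared user/group namespace "all files and directories in the copy will be owned by the root user and group (UID/GID 0)", but it does not say in which namespace UID/GID 0 is meant. Given the systemd-nspawn.xml change in the same commit (on-disk ownership reflects the shifted range), a reader needs to know whether the copied files end up as host root on disk or as the container's shifted root; spell that out, e.g. "owned by the container's root user and group (UID/GID 0 as seen from inside the container)" if that is the behaviour. It is also worth saying that ownership is dropped rather than translated, since this is the case where a privileged host user copies files into an untrusted container and vice versa.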
@@ -551,7 +549,11 @@
into the host system. Takes a container name, followed by the
source path in the container the destination path on the host.
If the destination path is omitted, the same as the source path
- is used.</para></listitem>
+ is used.</para>
+
+ <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
+ group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
+ user and group (UID/GID 0).</para></listitem>
</varlistentry>
</variablelist></refsect2>
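Review bot: this hunk duplicates the ownership paragraph added to copy-to verbatim, and the two insertions are formatted differently (an empty line precedes the new <para> here, but not in the copy-to hunk); pick one layout for both. The same namespace ambiguity applies as in the copy-to text. The pre-existing context line "source path in the container the destination path on the host" is missing an "and" before "the destination path"; since the paragraph is being touched, it would be cheap to fix it in the same commit.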
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 17c14e9f22..96f8c3a61f 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -474,7 +474,12 @@
<para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or
<filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere,
- except in the file ownership of the files and directories of the container.</para></listitem>
+ except in the file ownership of the files and directories of the container.</para>
+
+ <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's
+ files and directories are owned by the container's effective user and group IDs. This means that copying files
+ from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID
+ shift applied.</para></listitem>
</varlistentry>
<varlistentry>
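Review bot: "Note that when user namespacing is used file ownership on disk reflects this" needs a comma after "is used", and "the container's effective user and group IDs" is ambiguous: as written it could mean the IDs the container sees, whereas the point of the paragraph is that the on-disk IDs are the host-side shifted values (base UID plus in-container UID). Suggest "owned by the shifted user and group IDs allocated to the container, as seen from the host". The last sentence, "copying files from and to the container image requires correction of the numeric UID/GID values", should also say who performs that correction; the machinectl.xml hunks in this commit state that copy-to/copy-from do not translate ownership and instead fall back to UID/GID 0, so a cross-reference to <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> here would keep the two pages consistent.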