From 22f8c13bf7917bb82795d37d756759c20489e059 Mon Sep 17 00:00:00 2001 From: Stepan Koltsov Date: Thu, 18 Sep 2025 20:34:07 +0100 Subject: [PATCH] Document limitations of docker-in-gvisor --- g3doc/user_guide/tutorials/docker-in-gvisor.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/g3doc/user_guide/tutorials/docker-in-gvisor.md b/g3doc/user_guide/tutorials/docker-in-gvisor.md index e9b52c0f67..fa8e5918fe 100644 --- a/g3doc/user_guide/tutorials/docker-in-gvisor.md +++ b/g3doc/user_guide/tutorials/docker-in-gvisor.md @@ -6,6 +6,16 @@ applications. In gVisor, all basic docker commands should function as expected. The host network driver and the bridge network driver are tested and supported. +### Limitations + +- `dockerd` inside gVisor needs to be executed with flags + `--iptables=false --ip6tables=false` and additional network setup is needed, check + [images/basic/docker/start-dockerd.sh](https://github.com/google/gvisor/blob/master/images/basic/docker/start-dockerd.sh) + for the reference +- because iptables disabled, `docker run --expose=` does not expose the port; + if a nested container needs to expose ports, inside gVisor use `docker run --network=host` +- docker 28 may not work + ### NOTE on runsc setup To run docker within gvisor, runsc must be enabled to allow raw sockets. This is
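Review bot: The second bullet's wording and claim need tightening, and the third bullet is too vague to act on. "because iptables disabled" should read "because iptables is disabled"; more importantly, `--expose` never publishes a port on any Docker setup, it only records the port in the container metadata, whereas `-p`/`--publish` is the flag whose NAT rules require iptables, so the bullet should name `-p`/`--publish` as what stops working. Since the suggested workaround is `docker run --network=host`, the doc should also say what that means here: the nested container shares the gVisor sandbox's network namespace rather than getting its own, which is the trade-off readers are accepting. "docker 28 may not work" should state what fails (or link the tracking issue) and which versions were actually tested, otherwise users cannot tell whether a failure they see is the known one. Minor: "for the reference" should be "for reference", and "- `dockerd` inside gVisor needs to be executed with flags `--iptables=false --ip6tables=false`" would be clearer as "must be started with ...".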