From cdc8586282fbe227aa429dece15a32b4a037ef66 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 19:56:08 +0000
Subject: [PATCH 1/3] Initial plan


From d1fae96a0cb8c59e6b0cc38d6be87ce82f4e0b83 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 19:59:07 +0000
Subject: [PATCH 2/3] Document VETH pair limitation with containers

Add documentation noting that at least one side of a VETH pair must
remain in the host namespace. Both ends cannot be assigned to different
containers.

Updates:
- container.md: Added IMPORTANT note in Container Host Interface section
- infix-if-veth.yang: Added note in module description
- infix-if-container.yang: Added note in host identity description

Fixes: #947
Related: #941

Co-authored-by: troglobit <183517+troglobit@users.noreply.github.com>
---
 doc/container.md                             | 6 ++++++
 src/confd/yang/confd/infix-if-container.yang | 6 +++++-
 src/confd/yang/confd/infix-if-veth.yang      | 6 +++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/container.md b/doc/container.md
index 59aca114b..eb6de6233 100644
--- a/doc/container.md
+++ b/doc/container.md
@@ -668,6 +668,12 @@ set:
 
 For an example of both, see the next section.
 
+> [!IMPORTANT]
+> **VETH Pair Limitation:** When using VETH pairs with containers, at least
+> one side of the pair must remain in the host namespace. It is currently
+> not possible to create VETH pairs where both ends are assigned to different
+> containers. One end must always be accessible from the host.
+
 [^3]: Something which the container bridge network type does behind the
     scenes with one end of an automatically created VETH pair.
 
diff --git a/src/confd/yang/confd/infix-if-container.yang b/src/confd/yang/confd/infix-if-container.yang
index f496aa4ff..25cac63b6 100644
--- a/src/confd/yang/confd/infix-if-container.yang
+++ b/src/confd/yang/confd/infix-if-container.yang
@@ -59,7 +59,11 @@ submodule infix-if-container {
 
   identity host {
     base container-network;
-    description "Host device, e.g., one end of a VETH pair or other host interface.";
+    description "Host device, e.g., one end of a VETH pair or other host interface.
+                 
+                 Note: When using VETH pairs, at least one side must remain in the
+                 host namespace. Both ends of a VETH pair cannot be assigned to
+                 different containers.";
   }
 
   /*
diff --git a/src/confd/yang/confd/infix-if-veth.yang b/src/confd/yang/confd/infix-if-veth.yang
index bd29d4343..7feb9c00d 100644
--- a/src/confd/yang/confd/infix-if-veth.yang
+++ b/src/confd/yang/confd/infix-if-veth.yang
@@ -13,7 +13,11 @@ submodule infix-if-veth {
 
   organization "KernelKit";
   contact      "kernelkit@googlegroups.com";
-  description  "Linux virtual Ethernet pair extension for ietf-interfaces.";
+  description  "Linux virtual Ethernet pair extension for ietf-interfaces.
+                
+                Note: When using VETH pairs with containers, at least one side
+                of the pair must remain in the host namespace. Both ends of a
+                VETH pair cannot be assigned to different containers.";
 
   revision 2023-06-05 {
     description "Initial revision.";

From 915a5393c138e453247005f9eee77718040fa851 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 20:00:43 +0000
Subject: [PATCH 3/3] Fix trailing whitespace in YANG descriptions

Co-authored-by: troglobit <183517+troglobit@users.noreply.github.com>
---
 src/confd/yang/confd/infix-if-container.yang | 2 +-
 src/confd/yang/confd/infix-if-veth.yang      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/confd/yang/confd/infix-if-container.yang b/src/confd/yang/confd/infix-if-container.yang
index 25cac63b6..2a2e1bd98 100644
--- a/src/confd/yang/confd/infix-if-container.yang
+++ b/src/confd/yang/confd/infix-if-container.yang
@@ -60,7 +60,7 @@ submodule infix-if-container {
   identity host {
     base container-network;
     description "Host device, e.g., one end of a VETH pair or other host interface.
-                 
+
                  Note: When using VETH pairs, at least one side must remain in the
                  host namespace. Both ends of a VETH pair cannot be assigned to
                  different containers.";
diff --git a/src/confd/yang/confd/infix-if-veth.yang b/src/confd/yang/confd/infix-if-veth.yang
index 7feb9c00d..d997ba360 100644
--- a/src/confd/yang/confd/infix-if-veth.yang
+++ b/src/confd/yang/confd/infix-if-veth.yang
@@ -14,7 +14,7 @@ submodule infix-if-veth {
   organization "KernelKit";
   contact      "kernelkit@googlegroups.com";
   description  "Linux virtual Ethernet pair extension for ietf-interfaces.
-                
+
                 Note: When using VETH pairs with containers, at least one side
                 of the pair must remain in the host namespace. Both ends of a
                 VETH pair cannot be assigned to different containers.";