diff --git a/website/source/docs/agent/index.html.md b/website/source/docs/agent/index.html.md
index 5e927f489..dad7f9c67 100644
--- a/website/source/docs/agent/index.html.md
+++ b/website/source/docs/agent/index.html.md
@@ -133,3 +133,10 @@ When a server _leaves_, it specifies its intent to do so, and the cluster marks
 node as having _left_. If the server has _left_, replication to it will stop and it
 is removed from the consensus peer set. If the server has _failed_, replication
 will attempt to make progress to recover from a software or network failure.
+
+## Permissions
+
+Nomad servers should be run with the lowest possible permissions. Nomad clients
+must be run as root due to the OS isolation mechanisms that require root
+privileges. In all cases, it is recommended you create a `nomad` user with the
+minimal set of required privileges.
diff --git a/website/source/docs/job-specification/service.html.md b/website/source/docs/job-specification/service.html.md
index 748dd66c1..eddd4f16d 100644
--- a/website/source/docs/job-specification/service.html.md
+++ b/website/source/docs/job-specification/service.html.md
@@ -103,6 +103,11 @@ does not automatically enable service discovery.
 
 ### `check` Parameters
 
+Note that health checks run inside the task. If your task is a Docker container,
+the script will run inside the Docker container. If your task is running in a
+chroot, it will run in the chroot. Please keep this in mind when authoring check
+scripts.
+
 - `args` `(array<string>: [])` - Specifies additional arguments to the
   `command`. This only applies to script-based health checks.