Add warning that using --no-pivot is not secure

It is only intended for compatibility with the old
rootfs ISO, and not needed with the new tmpfs ISO.

pkg/provision/buildroot.go

@@ -110,6 +110,7 @@ Type=notify
 
 `
 	if noPivot {
+		log.Warn("Using fundamentally insecure --no-pivot option")
 		engineConfigTmpl += `
 # DOCKER_RAMDISK disables pivot_root in Docker, using MS_MOVE instead.
 Environment=DOCKER_RAMDISK=yes