+ - nspawn: investigate whether we can support the same as LXC's
+ lxc.network.type=phys mode, and pass through entire network
+ interfaces to the container
+ - nspawn: maybe add a way to drop additional caps, in addition to add additional caps
+ - nspawn: maybe explicitly reset loginuid?