+* systemctl (and possibly related tools): support a new switch that
+ allows enumerating units in local containers recursively. "systemctl
+ list-units -R" or so should not only lists on the host, but also the
+ services in all containers in a pretty way, to give an overview of
+ the entire system. Also, maybe add "systemctl list-machines" which
+ works like "machinectl list" but includes information about the
+ health status of each registered machine. For that we should
+ probably implement something that encodes the system health status
+ in a single enum state, i.e. something like a system-wide state
+ starting → running → failed → stopping, that is based on the current
+ job queue and a check for failed services. Maybe then change
+ "systemctl status" without args to output this state along with a
+ selection of other data, such as the uptime or so.
+
+* generalize ConditionXYZ= logic and make it available in networkd's
+ .network, .netdev, .network files, too. This is particularly useful
+ to match on containers with ConditionVirtualization to
+ conditionalize network setups for containers
+
+* doc: remove documentation for .include, drop-in snippets are the
+ better replacement.
+
+* Add a seccomp-based filter for socket() calls to limit services to
+ specific address families (for example: AF_UNIX), inspired by
+ Android's sandboxing
+
+* implement Distribute= in socket units to allow running multiple
+ service instances processing the listening socket, and open this up
+ for ReusePort=
+
+* add a timelimit to generator invocation
+
+* socket units: support creating sockets in different namespace,
+ opening it up for JoinsNamespaceOf=. This would require to fork off
+ a tiny process that joins the namespace and creates/binds the socket
+ and passes this back to PID1 via SCM_RIGHTS. This also could be used
+ to allow Chown/chgrp on sockets without requiring NSS in PID 1.
+
+* New service property: maximum CPU and wallclock runtime for a service
+