Features:
+* man: document in ExecStart= explicitly that we don't take shell command lines, only executable names with arguments
+
* shutdown: don't read-only mount anything when running in container
* nspawn: --read-only is not applied recursively to submounts
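Review bot: the new entry under "Features:" names the ExecStart= setting but not the man page that should carry the clarification. Naming it (ExecStart= is documented in systemd.service(5)) would make the item actionable. The entry also states only the restriction ("we don't take shell command lines"); consider noting that the documentation should tell readers what to do when they expect shell syntax to work there.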
- resource control in systemd
- inhibiting
- testing with Harald's awesome test kit
+ - restart
* allow port=0 in .socket units
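Review bot: the added "- restart" item is too terse to act on next to its siblings ("resource control in systemd", "inhibiting", "testing with Harald's awesome test kit"). It does not say which aspect of restarting is meant, for example the Restart= service setting or restarting units with systemctl. Suggest spelling out the topic in the entry itself.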