remove tmpfiles
nspawn,machined: change default container image location from /var/lib/container to /var/lib/machines Given that this is also the place to store raw disk images which are very much bootable with qemu/kvm it sounds like a misnomer to call the directory "container". Hence, let's change this sooner rather than later, and use the generic name, in particular since we otherwise try to use the generic "machine" preferably over the more specific "container" or "vm".
build-sys: configure the list of system users, files and directories Choose which system users defined in sysusers.d/systemd.conf and files or directories in tmpfiles.d/systemd.conf, should be provided depending on comile-time configuration.
tmpfiles.d: Create /var/lib/containers Create /var/lib/containers so that it exists with an appropriate mode. We want 0700 by default so that users on the host aren't able to call suid root binaries in the container. This becomes a security issue if a user can enter a container as root, create a suid root binary, and call that from the host. (This assumes that containers are caged by mandatory access control or are started as user).
tmpfiles: don't do automatic cleanup in $XDG_RUNTIME_DIR Now that logind will clean up all IPC resources of a user we should really consider $XDG_RUNTIME_DIR as just another kind of IPC with the same life-cycle logic as the other IPC resources. This should be safe now to do since every user gets his own $XDG_RUNTIME_DIR tmpfs instance with a fixed size limit, so that flooding of it will more effectively be averted.
tmpfiles: remove line for automatic clean-ups for /var/cache/man/ Management of /var/cache/man should move to the distribution package owning the directory (for example, man-db). As man pages are a non-essential part of the system and unnecessary for minimal setups, there's no point in having systemd ship these lines. Distribution packages should make sure the appropriate package for their distribution adopts this line. Ideally, the line is adopted by the upstream package. For Fedora I have filed this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1110274