History log of /systemd/tmpfiles.d/var.conf
Revision Date Author Comments
822cd601357f6f45d0176ae38fe9f86077462f06 22-Oct-2015 Lennart Poettering <lennart@poettering.net>

tmpfiles.d: change all subvolumes to use quota

Let's make sure the subvolumes we create fit into a sensible definition of a quota tree.

770b5ce4fc31a336a41e81381c229da725ef0cfa 15-Jun-2015 Lennart Poettering <lennart@poettering.net>

tmpfiles: automatically remove old machine snapshots at boot

Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last reference to it does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet to systemd-nspawn.conf

fed2b07ebc9e8694b5b326923356028f464381ce 21-Apr-2015 Lennart Poettering <lennart@poettering.net>

tmpfiles: make /home and /var btrfs subvolumes by default when booted up with them missing

This way the root subvolume can be left read-only easily, and variable and user data writable with explicit quota set.

5f129649b97bdff2bffefcd9c773157843ede6f6 15-Jan-2015 Lennart Poettering <lennart@poettering.net>

nspawn,machined: change default container image location from /var/lib/container to /var/lib/machines

Given that this is also the place to store raw disk images which are very much bootable with qemu/kvm it sounds like a misnomer to call the directory "container". Hence, let's change this sooner rather than later, and use the generic name, in particular since we otherwise try to use the generic "machine" preferably over the more specific "container" or "vm".

814f000872fc2d254250831607bdca9b27e5705e 28-Dec-2014 Lennart Poettering <lennart@poettering.net>

tmpfiles.d: upgrade a couple of directories we create at boot to subvolumes

In particular we upgrade /var/lib/container, /var/tmp and /tmp to subvolumes.

f148ae14892c78da5f7a33e7319c322eac1513a9 25-Nov-2014 Martin Pitt <martin.pitt@ubuntu.com>

tmpfiles.d: Fix directory name

The .service uses "/var/lib/container", not "containers".

797e7a51cdfb23fa1b90b0a0ea2d5c1c83a739e1 21-Nov-2014 Martin Pitt <martin.pitt@ubuntu.com>

tmpfiles.d: Create /var/lib/containers

Create /var/lib/containers so that it exists with an appropriate mode. We want 0700 by default so that users on the host aren't able to call suid root binaries in the container. This becomes a security issue if a user can enter a container as root, create a suid root binary, and call that from the host. (This assumes that containers are caged by mandatory access control or are started as user).

7613d0aec98d86c449aad7932116a2e7d67f8507 17-Jun-2014 Lennart Poettering <lennart@poettering.net>

tmpfiles: remove line for automatic clean-ups for /var/cache/man/

Management of /var/cache/man should move to the distribution package owning the directory (for example, man-db). As man pages are a non-essential part of the system and unnecessary for minimal setups, there's no point in having systemd ship these lines. Distribution packages should make sure the appropriate package for their distribution adopts this line. Ideally, the line is adopted by the upstream package. For Fedora I have filed this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1110274

1ebab2103d8f82822318e708363c0cc2b930289e 11-Jun-2014 Lennart Poettering <lennart@poettering.net>

tmpfiles: if /var is mounted from tmpfs, we should adjust its access mode

9339db7187c61eb7ae7e6ffcddb2b2f2686954eb 11-Jun-2014 Lennart Poettering <lennart@poettering.net>

tmpfiles: always recreate the most basic directory structure in /var

Let's allow booting up with /var empty. Only create the most basic directories to get to a working directory structure and symlink set in /var.