@pid_eins I have been experimenting with this to see if I can recreate Fedora's toolbx using nspawn.

One hurdle I came across is that mstack containers are limited to managed or no user namespacing.

Is this a hard limitation, or something that may be lifted in a future release?

https://github.com/systemd/systemd/blob/fb4bfe651b7dda85b0545d340eac21c7988fe383/src/nspawn/nspawn.c#L6612-L6613