Features:
+* nspawn: move "incoming mount" directory to /run/host, move "inaccessible"
+ nodes to /run/host, move notify socket (for sd_notify() between payload and
+ container manager)
+
* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it
and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET)