Great article, thanks!
Check out Nestybox (www.nestybox.com) too … we’ve developed a container runtime that enables Docker to deploy an unprivileged container (i.e., one that uses all Linux namespaces, including the user namespace) inside of which you can run system-level workloads such as Docker, Systemd, and soon K8s. This way you avoid using Docker privileged containers for this purpose.
It takes a different approach than rootless Docker: rather than running the Docker daemon on the host within a user-namespace, the Docker daemon on the host continues to run as root, but you can now use it to deploy unprivileged containers, each of which can run a Docker instance in total isolation from the rest of the system.