Jan 7, 2021
Great article, thanks. You may also want to look into the Sysbox runtime (https://github.com/nestybox/sysbox). It creates VM-like containers using pure OS-level virtualization. These containers are fully unprivileged (via the Linux user-namespace) and can run things like systemd, Docker, and even K8s inside (just as a VM would).