Docker in ctrtool
Basic functionality (pulling and starting containers) works in an unprivileged, non-rootless ctrtool container with an unrestricted capability bounding set in the user namespace, including overlayfs (on a 5.13 kernel). IPv4 networking works for outbound connections. Port publishing was not tested. IPv6 networking and Socketbox were not tested. Cgroups might not be working, even with delegation in ctrtool; the host system used only the cgroupv2 unified hierarchy. Resource-limiting features that rely on cgroups were not tested. iptables requires the "iptables-nft" variant.
--iptables=false was not tested. Userns-remap mode (nested user namespaces with respect to ctrtool) does not work, even though the correct number of UIDs/GIDs has been allocated on the ctrtool side. Docker "Rootless" mode was not tested.
-H fd:// with ctrtool mini-init's fd_share_mode and a socket outside the mount namespace was not tested; a bind mount plus nosymfollow might be safer. Seccomp is enabled, but not AppArmor. Use of the exposed Unix socket with docker-compose on the host was not tested. The "docker" used was the one from Autoserver's container module #2. Scripts to replicate this setup will be released sometime around the end of September or in October.
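The conditions the notes above single out (an nf_tables iptables, an unrestricted capability bounding set, cgroup v2 controller delegation) can be verified from inside the container before dockerd is started. This is an added example, not part of ctrtool, Docker or the original notes; the function names are my own and the sample values in the comments are constructed.

```sh
#!/bin/sh
# Preflight checks for Docker inside a ctrtool container (added example).
# Pure functions take captured text as arguments so they can be run against
# constructed input; check_live reads the real files from inside the container.

# `iptables -V` prints e.g. "iptables v1.8.7 (nf_tables)" or "... (legacy)".
# Only the nf_tables variant is known to work in this setup.
iptables_is_nft() {
    case "$1" in
        *'(nf_tables)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: hex CapBnd value from /proc/self/status, $2: CAP_LAST_CAP (40 on 5.13).
# "Unrestricted" means every capability bit 0..CAP_LAST_CAP is set.
capbnd_is_unrestricted() {
    [ -n "$1" ] || return 1
    full=$(( (1 << ($2 + 1)) - 1 ))
    [ "$(( 0x$1 ))" -eq "$full" ]
}

# $1: contents of cgroup.controllers at the container's cgroup root;
# remaining args: controllers needed for resource limits (e.g. cpu memory pids).
cgroup_has_controllers() {
    avail=" $1 "
    shift
    for c in "$@"; do
        case "$avail" in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

check_live() {
    v=$(iptables -V 2>/dev/null) && iptables_is_nft "$v" \
        && echo "ok   iptables is nf_tables" || echo "FAIL iptables: ${v:-not found}"
    bnd=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
    capbnd_is_unrestricted "$bnd" "$(cat /proc/sys/kernel/cap_last_cap)" \
        && echo "ok   CapBnd unrestricted ($bnd)" || echo "FAIL CapBnd restricted ($bnd)"
    ctl=$(cat /sys/fs/cgroup/cgroup.controllers 2>/dev/null)
    cgroup_has_controllers "$ctl" cpu memory pids \
        && echo "ok   cgroup v2 delegates cpu memory pids" \
        || echo "FAIL cgroup controllers delegated: '${ctl:-none}'"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run with `--live` inside the ctrtool container; a FAIL on the cgroup line is consistent with the cgroup caveat noted above, while a FAIL on CapBnd means the bounding set was restricted before the container was entered.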
We will eventually need to test Podman in ctrtool.