I've used Linux containers directly and indirectly for years, but I wanted to become more familiar with them. So I wrote some code. This used to be 500 lines of code, I swear, but I've revised it some since publishing; I've ended up with about 70 lines more. I wanted specifically to find a minimal set of restrictions to run untrusted code. This isn't how you should approach containers on anything