Great walkthrough. Useful additions, explain pivot_root vs chroot, mount propagation, and cgroup v2 under systemd. Cover user namespaces with subuid or subgid mapping, plus rootless networking. For filesystems, call out overlayfs copy up and whiteouts. Close with seccomp, no_new_privs, and a tiny test suite asserting isolation across pid, mount, net, uts, and user namespaces.

We’re experimenting with a backend infra builder, think Loveable but for your infra. In the prototype, you can: describe your app → get a recommended stack + Terraform, and managed infra. Would appreciate feedback (even the harsh stuff) https://reliable.luthersystemsapp.com