queer / boxxy

boxxy puts bad Linux applications in a box with only their files.


Could this be run inside Docker?

gaby opened this issue · comments

I've been wondering if it would be possible to run boxxy inside a Docker container as an extra layer.

I think it would be useful to force tools to write data inside a container to a tmpfs, etc.

You need to either have CAP_SYS_ADMIN inside the container, or run the Docker container with --security-opt seccomp=unconfined (or another seccomp profile). This is because boxxy uses Linux namespaces and nesting them with Docker is complicated. There may be a better way to do this; I'm just not sure. See also:
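A preflight check for the two conditions named in the reply above, as an added example that is not part of the thread or of boxxy's own code. It reads the standard `CapEff` and `Seccomp` fields from `/proc/self/status`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run inside the container before starting boxxy.
# CAP_SYS_ADMIN is capability number 21 in <linux/capability.h>.
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin STATUS_FILE
# Returns 0 if bit 21 is set in the effective capability mask (CapEff).
has_cap_sys_admin() {
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$capeff" ] || return 2
    # CapEff is a hex bitmask without the 0x prefix
    [ $(( (0x$capeff >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# seccomp_mode STATUS_FILE
# Prints 0 (disabled), 1 (strict) or 2 (filter, e.g. Docker's default profile).
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2 }' "$1"
}

# boxxy_preflight [STATUS_FILE]
# Returns 0 if either condition from the reply holds, 1 otherwise.
boxxy_preflight() {
    status=${1:-/proc/self/status}
    if has_cap_sys_admin "$status"; then
        echo "ok: CAP_SYS_ADMIN is in the effective set"
        return 0
    fi
    mode=$(seccomp_mode "$status")
    if [ "$mode" = "0" ]; then
        echo "ok: seccomp is disabled (seccomp=unconfined)"
        return 0
    fi
    # Mode 2 only says a filter is loaded; a custom profile may still
    # allow the namespace syscalls, which this check cannot see.
    echo "neither condition met: no CAP_SYS_ADMIN, seccomp mode ${mode:-unknown}"
    return 1
}

# Check the current process; never abort the calling script on a negative result.
boxxy_preflight "${1:-/proc/self/status}" || true
```

A negative result under seccomp mode 2 is a hint rather than proof, since the check cannot inspect which syscalls a custom profile permits.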