Writing a container in a few lines of Go code, as seen at DockerCon 2017 and on O'Reilly Safari
You need root permissions for this to work.
Also note that the Go code uses some syscall definitions that are only available when building with GOOS=linux.