Deploying nested structure of containers on bare metal

I am thinking of having a nested structure of containers on which someone could work, having access only to the first-level container and not to the host.
That structure would then have to be deployed to another host, on bare metal, so that the first-level container would become the host OS.
Is that doable in any way?
How would I proceed?

Most certainly, what you’re looking for is nested containers.

For extra security you might also want the first level to be VMs instead of containers:

This way your users will be a lot more isolated from the bare metal machine.