diff --git a/README.md b/README.md index 6bd4c50..fa8b410 100644 --- a/README.md +++ b/README.md 
@@ -543,11 +543,61 @@ Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`. You should be able to log in using the new username and password. (To exit lxc console, use Ctrl+A, Q) +### Alternatively: unprivileged LXC using LXD + +#### Security notes + +Note that with LXD, unprivileged containers run under root, which is not supposed to give them any extra privileges +(source: https://discuss.linuxcontainers.org/t/privileged-and-unprivileged-containers/12060/2), but this implies that: + +Containers can only be managed with LXD using root access. +Which means either `doas` for every command (including connecting to the container shell), +or adding your user to the `lxd` group which will have access to LXD daemon, +**which will effectively give your user passwordless sudo (since access to LXD daemon can trivially be used to gain root privileges), +so that any process running under your user can trivially gain root privileges on the host** +(which is for some reason not considered by LXD maintainers to be a problem). + +**DO NOT add your user to the `lxd` group, and DO NOT uncomment ` --group lxd` in `/etc/conf.d/lxd`** + +Instead the secure way of doing things would probably be to only use lxd as a root, +and connect to the container using ssh. + +#### Containers support + +As simple as +``` +apk add lxd lxd-client lxcfs dbus +rc-update add lxc +rc-update add lxd +rc-update add lxcfs +rc-update add dbus +doas reboot +``` + +Networking with routing should work automatically. + +#### Creating container + +``` +doas lxc launch images:alpine/edge -c security.nesting=true -c security.privileged=false test-alpine-container +doas lxc exec test-alpine-container -- /bin/ash +``` +Networking should work inside of container. 
+ ### Docker -(inside LXC) +#### (inside LXC) + +TODO once nesting in LXC works (reference: https://discuss.linuxcontainers.org/t/lxc-on-alpine-host-sys-fs-cgroup-is-not-mounted-into-unprivileged-alpine-guest/15026/1) + +#### (inside LXD) -TODO once nesting in LXC works +As simple as +``` +doas apk add docker +doas rc-update docker start +doas docker run hello-world +``` ## TODO
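Review bot: `doas rc-update docker start` in the "(inside LXD)" block is not valid OpenRC usage; `rc-update` only manages runlevels (`add`/`del`) and never starts a service, so this line fails and the following `doas docker run hello-world` runs without a daemon. Suggest `doas rc-update add docker` followed by `doas rc-service docker start`, which also matches the `rc-update add` form used earlier in the same hunk. Two smaller points in the same hunk: the "Containers support" block mixes unprivileged `apk add` / `rc-update add` lines with `doas reboot`, so either prefix every line with `doas` or state that the block is run from a root shell; and in "Security notes", "unprivileged containers run under root" reads as if the container itself were privileged, whereas it is the LXD daemon that runs as root while an unprivileged container's root is mapped to an unprivileged uid range on the host, and stating it that way makes the warning about the `lxd` group (which LXD's own documentation describes as root-equivalent) follow directly. Finally, `security.nesting=true` in the `lxc launch` command exists to support the later "Docker (inside LXD)" section; a short comment saying so, and that it should be omitted for containers that do not need nested containers, would help readers who copy the command.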