Very, very often you have to deal with the need to use a certain version of Python, for example, for torch, or for something specific.
Using conda or Docker with nvidia-container-toolkit and then setting up images like nvidia/cuda:13.0.1-runtime-ubuntu22.04 feels counterintuitive to me, even though I’ve done it many times.
And an additional packages have to be installed in the container.

It’s easier and more convenient to compile everything on the host system, but at the same time prevent contamination of the entire system with third-party libraries and executable files.

The following is an example of building multiple Python versions for the verpy group only, which is a bit more convenient than installing for just one user.

• ai - an arbitrary user from whom the compilation is performed.
• verpy - the group that will be allowed to use these versions.

apt install \
    build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev \
    wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev \
    liblzma-dev libgdbm-dev libnsl-dev libgdbm-compat-dev

mkdir /opt/openssl
mkdir /opt/python
groupadd --gid 42398 verpy
usermod -aG verpy ai

This example shows an installation over LXC, while for any more or less serious use this is completely unacceptable and requires using KVM with additional security measures.
And besides, installation on KVM will be much, much easier.
LXC does not provide adequate security because, for proper operation, it requires mounting the /sys and /proc partitions from the host, which are accessible to all LXC instances.
Furthermore, this example requires using a PRIVILEGED virtual machine.
However, LXC allows relatively easy setting up a testing infrastructure without the overhead associated with KVM.
So some aspects in this example will only be related to the setup in LXC.

On the HOST system

First, let’s make preparations on the host system.

nano /etc/modules

overlay
nf_nat
br_netfilter
xt_conntrack
rbd
fuse
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
iptable_nat

nano /etc/sysctl.d/35-lxc-kubernetes.conf

kernel.dmesg_restrict = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.bridge.bridge-nf-call-iptables = 1
# --conntrack-max-per-core Default: 32768 * N
net.netfilter.nf_conntrack_max=131072
# net.bridge.bridge-nf-call-arptables
# kernel.pid_max=100000
# user.max_user_namespaces=15000
vm.compact_memory = 1
vm.overcommit_memory = 1

Everyone knows about the limits on the number of connections from one IP (IP-based), but what if we want to limit the number of connections to a certain API per authorization token?
And it doesn’t matter how many different IPs will be used.

Part of the nginx config:

map $request_uri $client_token {
    "~*(?i)(token=)([a-f0-9]{32})" $2;      # regex return <32str>
    default                        "";      # Fallback to limit_req_zone:global
}

limit_req_zone  $binary_remote_addr   zone=global:32m       rate=100r/s;    # Rule_1
limit_req_zone  $client_token         zone=tokenlimit:32m   rate=5r/s;      # Rule_2
limit_req       zone=global           burst=25;

server {
        location / {
            index index.html;
            root /var/www/html;
        }
        location = /api {
            index index.html;
            root /var/www/api/html;
            limit_req   zone=tokenlimit   burst=5 nodelay;  # api location
            limit_req   zone=global;                        # Fallback
            limit_req_status              429;              # 503

Abstractly.
There is some software that needs X’s.
Download, install, launch - enjoy.
But here’s the problem: I don’t want to run software (absolutely everything that is not included in the standard debian repository.) like this on:

1. My HOST.
2. From my user.
3. Under my user’s Xorg.
4. Allow into my networks, including 127.0.0.0

In addition, a browser for regular web surfing and a browser for client banking are not the same browser, user, and sometimes even system.
We will not consider points 1, 2, 4 now; we will talk about X.

In debian, with standard system settings, LightDM is used as the default display manager.
You can enable listen tcp in it, but it runs Xorg processes as root.
In gdm3, on the contrary, by default, it launches Xorg from the user who logs into the environment, but the ability to enable listen tcp was broken.
More precisely, they left the ability to disable nolisten tcp,
but not enable listen tcp.

To do this, you need to edit the wrapper over X.

We have a laptop with intel wifi onboard which sometimes failed due to overheating, or due to long-term uptime, or channel load / pps, or whatever.

[2250886.567817] ieee80211 phy0: Hardware restart was requested
[2250886.602451] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250886.899471] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250887.042217] iwlwifi 0000:24:00.0: Microcode SW error detected.  Restarting 0x2000000.
[2250887.042225] iwlwifi 0000:24:00.0: Loaded firmware version: 18.168.6.1 6000g2a-6.ucode
[2250887.042348] iwlwifi 0000:24:00.0: Start IWL Error Log Dump:
[2250887.042349] iwlwifi 0000:24:00.0: Status: 0x0000004C, count: 6
[2250887.042482] iwlwifi 0000:24:00.0: Start IWL Event Log Dump: nothing in log
[2250887.042486] iwlwifi 0000:24:00.0: BUG_ON, Stop restarting
[2250887.128058] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128063] wlan0: failed to remove key (0, 01:11:88:ab:2c:99) from hardware (-5)
[2250887.128112] iwlwifi 0000:24:00.0: iwl_trans_wait_tx_queues_empty bad state = 0
[2250887.128132] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128133] wlan0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-5)
[2250887.228460] iwlwifi 0000:24:00.0: Request scan called when driver not ready.
[2250902.567848] iwlwifi 0000:24:00.0: Command REPLY_RXON failed: FW Error
[2250902.567857] iwlwifi 0000:24:00.0: Error clearing ASSOC_MSK on BSS (-5)
[2250902.587425] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250902.637530] iwlwifi 0000:24:00.0: Command COEX_PRIORITY_TABLE_CMD failed: FW Error
[2250902.637535] iwlwifi 0000:24:00.0: Could not complete ALIVE transition: -5
[2250902.649786] iwlwifi 0000:24:00.0: Failed to run INIT ucode: -5
[2250902.649819] iwlwifi 0000:24:00.0: Unable to initialize device.
[2250960.530138] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250960.665000] iwlwifi 0000:24:00.0: Unable to initialize device.

Basic or simple option just reboot system. But when (always) you have million open windows and million shell tabs with runned scripts over mounted partitions, it’s not a vary good option.