run chroot within docker
Option --cap-add=SYS_CHROOT should do the job.
It is possible to make a chroot inside a container... but, as mentioned in "debootstrap inside a docker container", you might need to run in privileged mode:
docker run --privileged
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container.
This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices.
There was a huge discussion about requesting Docker to support privileged operations.
So far, it is not happening.
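The answers above differ on whether a single capability (--cap-add=SYS_CHROOT) or full --privileged is needed. The added example below, which is not from any of the posts, decodes a process's effective capability mask to show which of the two a container actually holds. The function names and the sample masks are constructed for this example; the bit numbers come from linux/capability.h.

```shell
#!/bin/sh
# Added example: read CapEff and report whether chroot(2) is permitted, and
# whether the process also holds CAP_SYS_ADMIN (as it does under --privileged).

CAP_SYS_CHROOT=18   # bit number in linux/capability.h
CAP_SYS_ADMIN=21    # bit number in linux/capability.h

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# current_capeff -> prints the effective capability mask of the caller.
# awk inherits the shell's capabilities, so its own status is representative.
# A non-root process normally shows an all-zero mask here.
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# classify HEXMASK -> prints no-chroot, chroot-ok or over-privileged
classify() {
    if ! has_cap "$1" "$CAP_SYS_CHROOT"; then
        echo "no-chroot"          # chroot(2) would fail with EPERM
    elif has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "over-privileged"    # far more than chroot needs
    else
        echo "chroot-ok"          # chroot allowed without CAP_SYS_ADMIN
    fi
}

# Constructed sample masks (not captured from a real host):
SAMPLE_DEFAULT=00000000a80425fb      # Docker's default capability set as a mask
SAMPLE_NO_CHROOT=00000000a80025fb    # same set with bit 18 cleared
SAMPLE_PRIVILEGED=0000003fffffffff   # bits 0-37 all set

for m in "$SAMPLE_DEFAULT" "$SAMPLE_NO_CHROOT" "$SAMPLE_PRIVILEGED"; do
    echo "$m -> $(classify "$m")"
done

# Classify the running process when /proc is available.
if [ -r /proc/self/status ]; then
    mask=$(current_capeff)
    if [ -n "$mask" ]; then
        echo "this process ($mask) -> $(classify "$mask")"
    fi
fi
```

Run it as root inside the container: "chroot-ok" means the chroot capability is present without the rest of what --privileged grants.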