The CoreOS rkt container engine is designed for security and production deployment scenarios.
This video shows how to use rkt’s modular stage1 isolation mechanism to choose the process isolation model that makes the most sense for your application. By executing alternate stage1s, you can either expose more host resources to your application, or segment it away from your host further by running it inside of a rkt-managed virtual machine.