The CoreOS rkt container engine is designed for security and production deployment scenarios.
This video shows how to use rkt’s modular stage1 isolation mechanism to choose the process isolation model that makes the most sense for your application. By executing alternate stage1s, you can either expose more host resources to your application, or segment it away from your host further by running it inside of a rkt-managed virtual machine.
Alternate stage1 isolation is useful for unifying management for a variety of legacy or specially-privileged apps alongside, but effectively isolated from, your conventional container workloads. Developers can even implement custom stage1 binaries to provide exacting isolation for particular applications or hosts.
The fly stage1 documentation has details about the privileged isolation environment.
The kvm stage1 documentation specifies the design and use of the virtual machine-based isolator.
Getting started with CoreOS rkt? Check out these resources: