Ok, so I realize I just got into Docker, but there are some things about it that concern me from a complexity and security standpoint, and I think there are simpler, more secure alternatives available, even if they don't have a community behind them (yet).
First and most important, there's that privileged daemon. You have two options: either put one or more regular users in the docker group, thus giving them the equivalent of root access to the system, or let them run the docker command with sudo, giving them the equivalent of root access to the system and also a command they can try to trick into doing their bidding to boot.
Second, there's the use of an overlay filesystem to get around the fact that most Linux filesystems don't have any concept of snapshots, LVM snapshots aren't useful for anything beyond backup, and most people don't use LVM. But if you're going to build an OS from the ground up to support containers, the better approach is to do what SmartOS, FreeNAS, etc. do: use ZFS.
Since 3.8, Linux has had a feature called USER_NS. This lets unprivileged users create UID namespaces. So what, you ask? Well, in the new UID namespace, the user can then give themselves root privileges, after which they can create other namespaces, such as a mount namespace, then mount filesystems, etc. Hard to get right, security-wise, because there could be kernel bugs with privileged operations inside the container, but that's true of every single system call already, so the real issue is that USER_NS is relatively new, which means it probably has bugs hiding in it. On the other hand, though, if someone does manage to break out of the container somehow, they are an unprivileged user on the host.
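To make that USER_NS sequence concrete, here is an added C example (mine, not from the post): a forked child creates a user namespace, maps the caller's uid/gid to 0 inside it, then unshares a mount namespace and mounts a tmpfs, all without the docker group or sudo. It assumes a Linux kernel with unprivileged user namespaces enabled and reports NS_UNAVAILABLE when a kernel or sandbox policy denies a step; the names NS_OK, child_demo and run_userns_demo are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NS_OK = 0, NS_UNAVAILABLE = 1, NS_FAILED = 2 };

/* Write one line into a /proc/self mapping file; errno is left as set by the failing call. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY), n = fd < 0 ? -1 : (int)write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (int)strlen(text) ? 0 : -1;
}

/* EPERM/ENOSYS/EINVAL mean this kernel or sandbox disallows the step rather than a bug. */
static int uof(void) { return (errno == EPERM || errno == ENOSYS || errno == EINVAL) ? NS_UNAVAILABLE : NS_FAILED; }

/* Runs in a forked child so the caller's own namespaces stay untouched. */
static int child_demo(uid_t outside_uid, gid_t outside_gid)
{
    char map[64];
    if (unshare(CLONE_NEWUSER) < 0) return uof();
    /* Map the real uid/gid to 0 in the new namespace; setgroups must be
       denied first or the kernel rejects an unprivileged gid_map write. */
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outside_uid);
    if (write_file("/proc/self/uid_map", map) < 0) return uof();
    if (write_file("/proc/self/setgroups", "deny\n") < 0) return uof();
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outside_gid);
    if (write_file("/proc/self/gid_map", map) < 0) return uof();
    if (geteuid() != 0) return NS_FAILED;   /* "root", but only inside this namespace */
    /* CAP_SYS_ADMIN in the user namespace permits a private mount namespace;
       a tmpfs mounted there never becomes visible on the host. */
    if (unshare(CLONE_NEWNS) < 0) return uof();
    if (mount("tmpfs", "/tmp", "tmpfs", 0, "size=1m") < 0) return uof();
    return NS_OK;
}

int run_userns_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return NS_FAILED;
    if (pid == 0) _exit(child_demo(getuid(), getgid()));
    int status; if (waitpid(pid, &status, 0) < 0) return NS_FAILED;
    /* Death by signal (e.g. a seccomp SIGSYS) also counts as unavailable here. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : NS_UNAVAILABLE;
}
```

Run `ps -o uid,pid,cmd` from the host while the child is alive and the "root" process still shows the original uid, which is why a breakout from such a container lands as an unprivileged host user.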
It appears as though what I am thinking of may only barely be possible at this point. A bug in ZFS related to user namespaces was fixed only a few days ago. But I plan to experiment with some ideas, and I'll report back here on my progress.