> Had their developers known what they were actually writing, perhaps we'd have a lean and mean solution that did the right thing.
I am surprised nobody mentioned nix, nixos and guix.
Can you explain what those are and what they do?
What it doesn't do: handling CPU quota on a per-"stack" basis, no builtin security isolation. That said, both use container technology for that.
By solving the issue at a layer below (instead of adding one like docker does) it makes things much cleaner and more powerful, making puppet and the like obsolete. FWIW, describing containers/VMs/OSes in guix is much easier than using docker.
Have a look at https://github.com/NixOS/nixops too.