At a very basic level I don't see anything in any of the namespaces really being any different from any other process. The big differences are that it is now possible to allocate kinds of resources that no one has added rlimits for, and that if /etc/subuid is set up and your users have multiple uids, per-user limits go from mostly useless to totally useless.
To my knowledge there is not much in the control groups that is namespace or container specific. Although I seem to remember a network memory controller that had a connection with the network namespace.
Beyond that it all depends on how heavy a sandbox you want to run. Certainly with ptrace and a firm hand you can implement very fine control on processes.
When done well I think the lightest weight solutions will live in the kernel. Certainly the cpu controller seems to live up to that notion.
But honestly whatever works and whatever is easiest.
If there is any consensus of feeling on the matter it is that cgroups are ugly but they are the best general solution we have to the problem so far.
Beyond that it looks like most of the time resource consumption is not a problem for most people. With the result that technology to implement and enforce resource limits is frequently neglected.