Set rlimits in the containers.
The containers should have rlimits set to prevent runaway resource use, though some of these (e.g. address space) are tricky and require thought.
After discussion on IRC, sensible defaults that could be applied to everything as a first pass would be something like:
RLIMIT_STACK: 8192
RLIMIT_RSS: 0 (No effect as of Linux 2.6.x)
RLIMIT_CORE: 0
RLIMIT_NPROC: 512
RLIMIT_NOFILE: 1024 (512?, lower?)
RLIMIT_MEMLOCK: 64 (KiB)
RLIMIT_LOCKS: (check how much firefox/tor uses flock, set to something low)
RLIMIT_SIGPENDING: 64
RLIMIT_MSGQUEUE: 0 (assuming nothing uses this)
RLIMIT_NICE: 0
RLIMIT_RTPRIO: 0
RLIMIT_RTTIME: 0
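As an added example (not code from this issue or from the sandbox project), the following C routine applies the first-pass defaults above with setrlimit(2). It assumes Linux with glibc, converts RLIMIT_STACK and RLIMIT_MEMLOCK from KiB to bytes, clamps any default above the inherited hard limit (an unprivileged process may only lower hard limits), and leaves RLIMIT_LOCKS out because the issue leaves its value open.

```c
#define _GNU_SOURCE 1 /* glibc only exposes RLIMIT_LOCKS..RLIMIT_RTTIME with this */
#include <stdio.h>
#include <sys/resource.h>

/* Fallback to the Linux ABI numbers if the headers still hid these names. */
#ifndef RLIMIT_RTTIME
enum { RLIMIT_LOCKS = 10, RLIMIT_SIGPENDING = 11, RLIMIT_MSGQUEUE = 12,
       RLIMIT_NICE = 13, RLIMIT_RTPRIO = 14, RLIMIT_RTTIME = 15 };
#endif

struct limit_default { int resource; const char *name; rlim_t value; };

/* The issue's defaults in the units setrlimit(2) expects: RLIMIT_STACK and
 * RLIMIT_MEMLOCK are bytes (8192 KiB and 64 KiB), everything else is a count.
 * RLIMIT_LOCKS is omitted: the issue defers it until flock() use is measured. */
static const struct limit_default defaults[] = {
    { RLIMIT_STACK,      "RLIMIT_STACK",      8192 * 1024 },
    { RLIMIT_RSS,        "RLIMIT_RSS",        0 },   /* no effect since 2.6.x */
    { RLIMIT_CORE,       "RLIMIT_CORE",       0 },   /* never dump browser memory */
    { RLIMIT_NPROC,      "RLIMIT_NPROC",      512 },
    { RLIMIT_NOFILE,     "RLIMIT_NOFILE",     1024 },
    { RLIMIT_MEMLOCK,    "RLIMIT_MEMLOCK",    64 * 1024 },
    { RLIMIT_SIGPENDING, "RLIMIT_SIGPENDING", 64 },
    { RLIMIT_MSGQUEUE,   "RLIMIT_MSGQUEUE",   0 },
    { RLIMIT_NICE,       "RLIMIT_NICE",       0 },
    { RLIMIT_RTPRIO,     "RLIMIT_RTPRIO",     0 },
    { RLIMIT_RTTIME,     "RLIMIT_RTTIME",     0 },
};

/* Apply each default to the calling process (call this before exec'ing the
 * sandboxed program). Both soft and hard limits are set so the child cannot
 * raise them again; a default above the inherited hard limit is clamped to it,
 * since only a privileged process may raise a hard limit. Returns the number
 * of resources that could not be set. */
int apply_container_rlimits(void) {
    int failures = 0;
    for (size_t i = 0; i < sizeof defaults / sizeof defaults[0]; i++) {
        struct rlimit cur, want;
        if (getrlimit(defaults[i].resource, &cur) != 0) { failures++; continue; }
        want.rlim_max = defaults[i].value < cur.rlim_max ? defaults[i].value
                                                         : cur.rlim_max;
        want.rlim_cur = want.rlim_max;
        if (setrlimit(defaults[i].resource, &want) != 0) {
            perror(defaults[i].name); /* e.g. EPERM if the hard limit was raised */
            failures++;
        }
    }
    return failures;
}

/* Read back a soft limit so the caller can verify the configuration applied. */
rlim_t soft_limit(int resource) {
    struct rlimit r;
    return getrlimit(resource, &r) == 0 ? r.rlim_cur : RLIM_INFINITY;
}
```

Because the limits are inherited across fork() and execve(), applying them in the launcher just before exec is enough to cover every process the sandboxed browser spawns.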