How do you monitor, manage, and run untrusted third-party code in a hosted service?

Let's say I'm running a hosted service that wishes to allow plugins written by third-party clients.

Perhaps a gaming service provider that provides infrastructure but allows clients to develop their own game referees. Or, a coding competition site that allows coders to submit code to be run as their solution to some coding problem.

How would you harden/lock-down/sandbox this user code from doing potential harm to the server that intends to run it?

How would you monitor and restrict resource usage (CPU, memory mostly)?

This is a good start for Python but I'm wondering if anyone here has more specific experiences they can share regardless of language (Python, Lua, Ruby, etc.).

Solution

Lua has the best sandboxing and watchdogging that I've seen to date. My host language is Python. Thus, I've decided to go with Lunatic Python.

Math.Sin() gives incorrect value
How to run my python script when the sunOS is start booting
Express-session: not resetting cookie expiration on each request
Getting a stack overflow exception when normalizing a vector
Edit default summary function in R gives error for multiple variables
What was a For loop? Why isn't it needed in R?
How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
Why are there two assignment operators, `<-` and `->` in R?
lm()$assign: what is it?
How to get the value of list(...) in R and S functions
Design matrix for MLM from library(lme4) with fixed and random effects
how to generate elements not included in my sample
Create a matrix with gradually changing values without a for loop
Emacs ESS and S-plus ( S+ ) 8.1 compatability
How to lag date-index in a time-series in R?
Nonlinear regression in R / S
Calling R from S-Plus?