linux

How to make safe execution of user code (lambda, function as a service)?

Different users store data on the server. I also want to give users the opportunity to manage their own data a little according to their own logic. (for example: when uploading a new file or every N minutes, call a user script that, for example, will count the number of files and the total size and write it to some other file).

What programming language does not matter.

The main requirement is that it must be safe, including:

• The script cannot get root access or access to system files
  
• Script cannot access files of other users
  
• The script cannot load the machine too much (guzzle 100% of the CPU or run forever instead of 3-5 seconds), fork into a thousand processes, daemonize, etc.
  
• The script (I'm not sure here) should not be able to work with the network
  
• The solution must be lightweight. Probably, all the previous points can be satisfied if you run the script inside the docker container, but this, kmk, will eat up a lot of resources
  

So far, a combination of chroot / timeout / ulimit / unshare comes to mind - how good is this? (but I don’t like the idea that you have to store libc and other libs for the script with user data - is it somehow possible to do it beautifully? allow access only to /lib/, /usr/lib/ and /home/username/data).

How powerful is Docker's overhead compared to just running it in a chroot? And what if 100 lambda functions are executed at the same time (100 processes are not a problem even for a simple virtual machine, but 100 docker containers will probably require huge resources?).

Maybe there is some other option? And a lot of all sorts of providers (Amazon, Scaleway) - do they all reinvent their wheel or is there some kind of ready-made solution for this?