Silent failure when out of NUMA nodes
If we create two containers in NRM on a system with just one NUMA node (say, a laptop), the second container remains empty and the processes allegedly launched there run uncontained.
This is because NRM allocates the first and only NUMA node to the first container, and the cpuset.mems field of the second container is empty. It turns out that the Linux kernel refuses to attach processes to such a container, though the failure appears to be entirely silent (writing to the "tasks" field succeeds).
So to a casual user it looks like everything is fine: the second container is created, the tasks are running... Only those that were supposed to run within the second container don't run there, and there is no error indication to that effect.
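
A check that would surface this condition instead of letting it pass silently, as an added example (not NRM's code): it refuses to trust the write to "tasks" and instead verifies that cpuset.mems and cpuset.cpus are non-empty and that each expected pid is actually listed in "tasks". The function names, pids and the temporary directories standing in for cgroup v1 cpuset directories are assumptions constructed for the demonstration.

```python
import os
import tempfile


def read_field(cgroup_dir, name):
    """Return the stripped contents of a cgroup control file."""
    with open(os.path.join(cgroup_dir, name)) as f:
        return f.read().strip()


def check_container(cgroup_dir, expected_pids):
    """Return a list of problems found for one cpuset cgroup directory.

    Preflight: cpuset.mems and cpuset.cpus must be non-empty.
    Post-attach: every expected pid must be listed in "tasks".
    """
    problems = []
    for field in ("cpuset.mems", "cpuset.cpus"):
        if not read_field(cgroup_dir, field):
            problems.append(f"{field} is empty")
    attached = {int(p) for p in read_field(cgroup_dir, "tasks").split()}
    for pid in expected_pids:
        if pid not in attached:
            problems.append(f"pid {pid} not in tasks (running uncontained)")
    return problems


def make_fake_cgroup(root, name, mems, cpus, tasks):
    """Build a constructed stand-in for a cgroup v1 cpuset directory."""
    path = os.path.join(root, name)
    os.makedirs(path)
    for field, value in (("cpuset.mems", mems), ("cpuset.cpus", cpus),
                         ("tasks", "\n".join(map(str, tasks)))):
        with open(os.path.join(path, field), "w") as f:
            f.write(value + "\n")
    return path


def demo():
    """Reproduce the one-NUMA-node layout from the report with constructed data."""
    with tempfile.TemporaryDirectory() as root:
        first = make_fake_cgroup(root, "container1", "0", "0-3", [1001])
        # Second container: no NUMA node left, and pid 1002 never got attached.
        second = make_fake_cgroup(root, "container2", "", "4-7", [])
        return check_container(first, [1001]), check_container(second, [1002])


if __name__ == "__main__":
    print(demo())
```

On a real system, check_container would be pointed at the container's directory under the cpuset hierarchy after the launch, and a non-empty result treated as a failed launch.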