This setting defines the ulimit settings passed to the vserver when it is started.
This contains the set of capabilities available to the vserver. For example, if you want a vserver to be able to run ping, put the CAP_NET_RAW capability there.
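The two settings above, as an added example that is not a file from the Linux-VServer project: a fragment of the old-style, shell-sourced /etc/vservers/<name>.conf. The variable names ULIMIT and S_CAPS and the ulimit option letters are assumptions about that format, so compare them against the configuration your util-vserver version actually reads.

```shell
# Added example (not from the vserver project): /etc/vservers/<name>.conf
# fragment. ULIMIT and S_CAPS are assumed variable names for this format.

# Hard limits applied with ulimit before the vserver's init is started:
# at most 1000 processes and 2 GiB of virtual memory per process.
ULIMIT="-H -u 1000 -v 2097152"

# Capabilities handed to the security context. Grant only what the guest
# needs: CAP_NET_RAW lets ping open raw sockets, and nothing else is added.
S_CAPS="CAP_NET_RAW"
```

Keeping S_CAPS to the minimum the guest's workload requires is the practical least-privilege control here: every capability listed is available to root inside the vserver.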
When starting a vserver, the /var/run directory was not cleared. In some situations, the various startup scripts were failing because a stale PID file was left there from a previous run.
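The failure mode above (a startup script refusing to run because a PID file from an earlier run is still present) can be avoided by validating PID files instead of trusting them. The script below is an added example, not code from the vserver project; it assumes a Linux /proc and a directory of *.pid files, and the PID value 9999999 used in the usage comment is a constructed one above the kernel's default pid_max.

```shell
#!/bin/sh
# Added example (not vserver code): treat a PID file as stale unless the
# recorded process is actually alive, then sweep stale files from a directory.

# pidfile_is_stale FILE -> exit status 0 (true) when FILE records no live process
pidfile_is_stale() {
    pidfile=$1
    [ -f "$pidfile" ] || return 0            # no file: nothing live is recorded
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) return 0 ;;             # empty or non-numeric content: stale
    esac
    # Alive if the kernel knows the PID (kill -0) or /proc lists it; the
    # /proc check covers processes kill -0 cannot signal (EPERM), which are
    # still running and must not be treated as stale.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 1
    fi
    return 0
}

# clear_stale_pidfiles DIR -> removes every DIR/*.pid without a live process,
# leaves live ones alone, and prints the number of files removed.
clear_stale_pidfiles() {
    dir=$1
    removed=0
    for f in "$dir"/*.pid; do
        [ -e "$f" ] || continue              # glob matched nothing
        if pidfile_is_stale "$f"; then
            rm -f "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Usage (constructed): a file holding the constructed PID 9999999 is stale,
# while one holding this shell's own PID ($$) is live and is kept.
#   clear_stale_pidfiles /var/run
```

Running a sweep like this before a guest's init scripts start removes the bogus file without deleting files that belong to processes still running, which is the distinction a blanket rm of /var/run loses.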
The private flag is a little unusual. Once a security context has this flag set, it is not possible to join it; even root in the root server, with all capabilities, is not allowed to. This makes the virtual server fairly private. Security context 1 can still see which processes are executing in the vserver, but cannot interfere with them.
Since ext3 is now part of 2.4.16, it has been modified to support the IMMUTABLE_LINKAGE feature.