Using control groups to protect core services

What I'd like to do is guarantee certain minimum resources to core/critical services like sshd, maybe prioritize root user processes over non-root, etc. Most docs and examples have the opposite approach and explain how to compartmentalize applications.

I've just had enough of the 'a bug in my code has run amok with the mem/cpu, now I can't log in to kill it - please reboot' type incidents.

Can anyone point me to config examples or tutorials that cover this?