CIR vs PIR is the committed vs peak rates. Basically, it is up to you to define a 1-rate or 2-rate policer. When defining an output policy for a veth, I would expect that you will mainly use CIR only. PIR is useful if you want to mark packets differently. It seems more useful for packets being sent by the server into the network, where you would "color" (or mark) the packets differently based upon how much traffic was being generated. The QoS config guide has references to the appropriate RFCs that discuss coloring. This would be done in an input policy on a veth or in an output policy on an eth.
To limit the bandwidth into a VM, I think that CIR, specifying bps, is the best way to go. You can do this in a policy that is applied as an input eth (if you want to limit all traffic into the server) or as an output veth (if you want to limit what an individual VM sees).
Hope that helps!
Tim
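
The 1-rate vs 2-rate distinction in the reply above, as an added example that is not part of the original post and not the switch's own implementation: a token-bucket simulation of a CIR-only policer next to a two-rate policer that colors packets. It assumes the two-rate case follows the color-blind marker in RFC 2698; the class name, bucket sizes and traffic pattern are constructed for illustration.

```python
# Added example: CIR-only policer vs. two-rate (CIR + PIR) color marker.
# Assumption: two-rate mode follows the color-blind algorithm of RFC 2698.
# Time is in whole milliseconds, rates in bits/s, bucket sizes in bytes.

class Policer:  # hypothetical name, not a vendor API
    def __init__(self, cir_bps, cbs, pir_bps=None, pbs=None):
        self.cir, self.cbs, self.tc = cir_bps, cbs, cbs   # committed bucket starts full
        self.two_rate = pir_bps is not None
        if self.two_rate:
            self.pir, self.pbs, self.tp = pir_bps, pbs, pbs  # peak bucket starts full
        self.last_ms = 0

    def _refill(self, now_ms):
        dt = now_ms - self.last_ms
        self.last_ms = now_ms
        # bits/s * ms / 8000 = bytes earned since the last packet
        self.tc = min(self.cbs, self.tc + dt * self.cir // 8000)
        if self.two_rate:
            self.tp = min(self.pbs, self.tp + dt * self.pir // 8000)

    def color(self, now_ms, size):
        self._refill(now_ms)
        if self.two_rate:
            if self.tp < size:        # above PIR: violate
                return "red"
            self.tp -= size
            if self.tc < size:        # between CIR and PIR: exceed
                return "yellow"
            self.tc -= size
            return "green"            # within CIR: conform
        if self.tc < size:            # CIR only: anything over the rate violates
            return "red"
        self.tc -= size
        return "green"

def run(policer, packets):
    counts = {"green": 0, "yellow": 0, "red": 0}
    for now_ms, size in packets:
        counts[policer.color(now_ms, size)] += 1
    return counts

# Constructed traffic: one 1500-byte packet per ms for 1 s (12 Mbit/s offered).
PACKETS = [(ms, 1500) for ms in range(1000)]

def demo():
    one_rate = run(Policer(4_000_000, 15_000), PACKETS)
    two_rate = run(Policer(4_000_000, 15_000, 8_000_000, 15_000), PACKETS)
    return one_rate, two_rate

if __name__ == "__main__":
    print(demo())
```

With CIR only, everything above 4 Mbit/s lands in a single "violate" class, which is all a bandwidth cap toward a VM needs; adding PIR splits the excess into yellow and red so that each can be marked or dropped differently.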