
Deep Dive into Linux Virtualization: CPU VT, chroot, cgroups, Namespaces and LXC

This article provides a comprehensive technical overview of Linux virtualization technologies, covering hardware-assisted CPU VT, chroot system call, cgroup resource control, namespace isolation, and their integration in container solutions like LXC and Docker, with code snippets and architecture diagrams.

dbaplus Community

Current mainstream virtualization technologies include hardware-assisted solutions such as Intel VT, paravirtualization such as Xen, full virtualization with KVM, and OS-level isolation such as LXC, Docker, and other container runtimes. This presentation focuses on the upper-layer virtualization mechanisms and their Linux implementations.

1. CPU VT Technology

Intel VT (Virtualization Technology) enables a CPU to appear as multiple logical CPUs, allowing several operating systems to run concurrently on a single machine. Intel provides virtualization for CPU, memory, I/O, GPU, and network resources. For further details see the Intel VT documentation.

2. chroot Analysis

The chroot system call changes the root directory of a process, improving security by isolating the filesystem view. Benefits include:

Increased system security by limiting user privileges.

Separate directory hierarchy for development or rescue environments.

Ability to change the root directory for booting or recovery.

Many container technologies rely on chroot for filesystem isolation.
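The following is an added example, not code from the article, showing how a container-style runtime would actually enter a chroot jail: the directory is checked, the working directory is moved inside before the root changes, and privileges are dropped afterwards, because chroot() alone does not confine a root process. The jail path /srv/jail, the uid/gid 65534 and the presence of /bin/sh inside the jail are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Enter NEWROOT as a chroot jail and drop to UID/GID. Returns 0 or -errno. */
int enter_jail(const char *newroot, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(newroot, &st) < 0)        /* missing path: -ENOENT */
        return -errno;
    if (!S_ISDIR(st.st_mode))          /* e.g. a device node: -ENOTDIR */
        return -ENOTDIR;
    /* chdir before chroot so the working directory is inside the jail;
       a cwd left outside the new root is a classic way jails leak. */
    if (chdir(newroot) < 0)
        return -errno;
    if (chroot(".") < 0)               /* needs CAP_SYS_CHROOT, else -EPERM */
        return -errno;
    if (chdir("/") < 0)
        return -errno;
    /* chroot() is not a security boundary for a process that keeps root,
       which can simply chroot() again; the jail holds once privileges are gone. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: jail at /srv/jail, run as uid/gid 65534 (nobody). */
    const char *root = argc > 1 ? argv[1] : "/srv/jail";
    int rc = enter_jail(root, 65534, 65534);
    if (rc < 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", root, strerror(-rc));
        return 1;
    }
    /* /bin/sh must exist inside the jail, since that is now the only view. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Mount namespaces (section 6) are what modern runtimes layer on top of this, since a chroot still shares the host's mount table.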

3. chroot Implementation

The kernel implementation resolves the target path with user_path_at and then installs it as the process's root with set_fs_root; the original presentation walks through the source for this flow.

4. cgroup Analysis

Control Groups (cgroups) were introduced by Google engineers in 2006 and integrated into the Linux kernel. They allow limiting, accounting, and isolating resources such as CPU, memory, and I/O for groups of processes.

Typical usage steps:

Create a directory under the cgroup hierarchy.

Write allowed CPU list to cpuset.cpus, e.g., echo 0-1 > cpuset.cpus.

Add a task PID to the cgroup: echo [pid] >> tasks.
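The three steps above, as an added example (not from the article) written against a cgroup v1 cpuset hierarchy: make the group directory, restrict its CPU list, then move a PID into it. The mount point /sys/fs/cgroup/cpuset, the group name "demo" and the existence of memory node 0 are assumptions; control files are opened without O_CREAT so that running against a plain directory fails instead of silently creating regular files.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write VALUE into DIR/FILE. No O_CREAT: cgroupfs creates the control files
   itself when the group directory is made, so a missing file means DIR is
   not a cgroup directory (or the subsystem is not mounted). 0 or -errno. */
static int cg_write(const char *dir, const char *file, const char *value)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = write(fd, value, strlen(value)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* The three steps from the text: mkdir the group under ROOT, restrict its
   CPUs, then move PID into it. Returns 0 or -errno. */
int cpuset_confine(const char *root, const char *name, const char *cpus, pid_t pid)
{
    char dir[4096], pidstr[32]; int rc;
    snprintf(dir, sizeof dir, "%s/%s", root, name);
    if (mkdir(dir, 0755) < 0 && errno != EEXIST)        /* step 1 */
        return -errno;
    if ((rc = cg_write(dir, "cpuset.cpus", cpus)) < 0)   /* step 2 */
        return rc;
    /* A cpuset rejects tasks until cpuset.mems is set too; memory node 0
       is assumed to exist on the host. */
    if ((rc = cg_write(dir, "cpuset.mems", "0")) < 0)
        return rc;
    snprintf(pidstr, sizeof pidstr, "%d", (int)pid);
    return cg_write(dir, "tasks", pidstr);               /* step 3 */
}

int main(void)
{
    /* Assumed cgroup v1 cpuset mount point; needs root. */
    int rc = cpuset_confine("/sys/fs/cgroup/cpuset", "demo", "0-1", getpid());
    if (rc < 0) {
        fprintf(stderr, "cpuset_confine: %s\n", strerror(-rc));
        return 1;
    }
    return 0;
}
```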

The architecture consists of several key structures:

cgroupfs_root : the mount point directory.

css_set : per‑process cgroup information, linking tasks to cgroups.

hierarchy : tree‑like organization of cgroups.

cgroup : a directory representing a resource‑control group.

cg_cgroup_link : many‑to‑many relationship between cgroups and css_sets.

cgroup_subsys and cgroup_subsys_state : subsystem registration and state.

File‑system operations (e.g., writing to cgroup.procs) ultimately invoke cgroup_attach_task, which migrates tasks into the appropriate cgroup hierarchy.

5. cgroup File System

cgroups expose a virtual file system. Creating a cgroup is performed via mkdir, which allocates a cgroup_subsys_state for each subsystem. The cgroup structure holds pointers to its subsystems, enabling later attach/detach operations.

6. Namespace Analysis

Namespaces provide isolation of system resources. Linux defines six namespace types (PID, mount, network, IPC, UTS, user). Each process has an nsproxy pointer linking it to its namespaces. New namespaces are created via the clone system call, which follows the kernel path

do_fork → copy_process → copy_namespaces → create_new_namespaces

and PIDs are then allocated within the newly created PID namespace.
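An added example (not from the article) of the user-space side of that path: clone() with CLONE_NEWPID and CLONE_NEWUTS starts a child that sees itself as PID 1 in a fresh PID namespace, and a helper compares two processes' namespaces through /proc/<pid>/ns/<type>, which is how a defender checks whether a process is actually isolated from the host. The hostname "isolated" and the one-second sleep are constructed for the demo; creating namespaces needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Compare the TYPE namespace ("pid", "uts", "mnt", ...) of processes A and B
   via /proc/<pid>/ns/<type>, whose link target looks like "pid:[4026531836]".
   Returns 1 if they share it, 0 if not, -errno on error. */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    char pa[64], pb[64], la[128], lb[128];
    snprintf(pa, sizeof pa, "/proc/%d/ns/%s", (int)a, type);
    snprintf(pb, sizeof pb, "/proc/%d/ns/%s", (int)b, type);
    ssize_t na = readlink(pa, la, sizeof la - 1);
    if (na < 0) return -errno;
    ssize_t nb = readlink(pb, lb, sizeof lb - 1);
    if (nb < 0) return -errno;
    la[na] = lb[nb] = '\0';
    return strcmp(la, lb) == 0;
}

static int child(void *arg)
{
    (void)arg;
    sethostname("isolated", 8);   /* changes only the new UTS namespace */
    printf("child: getpid() = %d inside the new PID namespace\n", (int)getpid());
    sleep(1);                     /* stay alive so the parent can inspect /proc */
    return 0;
}

int main(void)
{
    static char stack[1 << 16];   /* stack grows down: pass its top to clone() */
    int flags = CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;  /* needs CAP_SYS_ADMIN */
    pid_t pid = clone(child, stack + sizeof stack, flags, NULL);
    if (pid < 0) { perror("clone"); return 1; }
    printf("parent: child is pid %d here; shares our pid ns: %d, uts ns: %d\n",
           (int)pid, same_namespace(getpid(), pid, "pid"),
           same_namespace(getpid(), pid, "uts"));
    waitpid(pid, NULL, 0);
    return 0;
}
```

The child prints PID 1 while the parent sees the real host PID, and both comparisons return 0 because the child lives in different pid and uts namespaces.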

7. LXC Introduction

LXC (Linux Containers) combines cgroups, namespaces, chroot, virtual Ethernet (veth), and user‑space scripts to provide a full container environment. Early Docker versions (<0.9.0) used LXC as the backend; later Docker introduced libcontainer for its own management.

8. Other Virtualization Solutions

Beyond lightweight containers, Linux offers full virtualization via KVM (Kernel‑based Virtual Machine), which leverages Intel VT or AMD‑V hardware extensions to run multiple isolated virtual machines, each with its own virtual hardware (disk, NIC, GPU, etc.).

Q&A Highlights

Q1: Performance impact of various virtualization methods. A: Hardware virtualization (VT) offers the best performance; KVM is production‑ready; Docker incurs minimal overhead but may suffer network latency (≈30% loss) when using VXLAN.

Q2: QEMU’s virtualization technique. A: QEMU is an emulator that can use KVM for hardware acceleration.

Q3: Is KVM the standard for OpenStack? A: OpenStack commonly uses KVM for large clusters, though smaller deployments may use alternative hypervisors.
