
How Docker Achieves Container Isolation with Namespaces and Cgroups

This article explains how Docker uses Linux kernel features—Namespaces for process isolation and Control Groups (cgroups) for resource limiting—to build a secure, lightweight container runtime, detailing their mechanisms, key structures, and practical configuration examples.

mikechen

Docker Isolation Overview

Docker relies on two core Linux kernel mechanisms—Namespaces and Control Groups (cgroups)—to provide strong isolation for containers while sharing the host kernel.

Linux Namespaces

Namespaces create separate execution environments for a group of processes. Docker invokes the clone() system call with flags such as CLONE_NEWUTS, CLONE_NEWNET, and CLONE_NEWPID to allocate a distinct set of namespaces for each container.

// Simplified pseudo-code: the child runs fn() inside fresh UTS, network and PID namespaces
// (creating these namespaces requires CAP_SYS_ADMIN; SIGCHLD lets the parent wait() on the child)
clone(fn, child_stack, CLONE_NEWUTS | CLONE_NEWNET | CLONE_NEWPID | SIGCHLD, arg);

Each namespace type has a corresponding kernel structure, for example:

struct pid_namespace – isolates the process ID space.

struct net – isolates network devices, ports, and protocol stacks.

struct uts_namespace – isolates the hostname and domain name.

Typical namespace types and the resources they isolate include:

pid : process ID space (container processes start at PID 1).

net : network interfaces, IP addresses, routing tables.

mnt : filesystem mount points (each container gets its own / root).

uts : hostname and domain name.

Control Groups (cgroups)

Cgroups are another kernel feature that lets Docker limit the resources a group of processes (a container) can consume. Resources that can be constrained include CPU, memory, disk I/O, network bandwidth, and the number of child processes.

CPU : limit core count, scheduling weight.

Memory : set maximum usage, trigger OOM kill.

Disk I/O : throttle read/write rates.

Network bandwidth : cap send/receive rates (often combined with tc).

Process count : cap the number of processes to prevent fork bombs.

Cgroups are organized as a hierarchical tree; each hierarchy can attach one or more subsystems (also called controllers) such as cpu, memory, blkio, net_cls, and net_prio. The implementation consists of a directory structure under /sys/fs/cgroup with control files that accept configuration values.

/sys/fs/cgroup/memory/docker/<container-id>/memory.limit_in_bytes

Setting the value in this file limits the container's memory usage. The same pattern applies to other resources, making cgroups a flexible, file‑system‑based resource‑control mechanism.
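As an added example (not code from the original article), the following Python helper reads the memory limit a container is actually running under: it resolves the memory.limit_in_bytes file named above on cgroup v1 hosts, or the memory.max file of the unified cgroup v2 hierarchy, from the process's /proc/<pid>/cgroup entry. The container id, paths and file contents below are constructed sample data, and the file reader is injected so the logic runs offline.

```python
"""Resolve the memory limit a container actually runs under (cgroup v1 or v2)."""
from typing import Callable, Optional

# cgroup v1 reports a huge sentinel (e.g. 9223372036854771712) when no limit is set.
V1_UNLIMITED = 9223372036854771712

def memory_limit_file(proc_cgroup: str, root: str = "/sys/fs/cgroup") -> Optional[str]:
    """Map the text of /proc/<pid>/cgroup to the memory-limit control file path."""
    for line in proc_cgroup.splitlines():
        parts = line.split(":", 2)          # "hierarchy-id:controllers:path"
        if len(parts) != 3:
            continue
        hier_id, controllers, path = parts
        path = path.rstrip("/")
        if hier_id == "0" and controllers == "":        # cgroup v2 unified hierarchy
            return f"{root}{path}/memory.max"
        if "memory" in controllers.split(","):          # cgroup v1 memory controller
            return f"{root}/memory{path}/memory.limit_in_bytes"
    return None

def parse_limit(raw: str) -> Optional[int]:
    """Return the limit in bytes, or None when the cgroup imposes no limit."""
    value = raw.strip()
    if value == "max":                      # cgroup v2 spelling of "no limit"
        return None
    limit = int(value)
    return None if limit >= V1_UNLIMITED else limit

def effective_memory_limit(proc_cgroup: str, read_file: Callable[[str], str],
                           root: str = "/sys/fs/cgroup") -> Optional[int]:
    """Bytes the container may use, or None when unlimited / no memory cgroup found."""
    path = memory_limit_file(proc_cgroup, root)
    return None if path is None else parse_limit(read_file(path))

# Constructed sample data standing in for /proc/self/cgroup and the control files.
SAMPLE_V1_PROC_CGROUP = "12:memory:/docker/abc123\n11:cpu,cpuacct:/docker/abc123\n"
SAMPLE_V2_PROC_CGROUP = "0::/system.slice/docker-abc123.scope\n"
SAMPLE_FILES = {
    "/sys/fs/cgroup/memory/docker/abc123/memory.limit_in_bytes": "536870912\n",
    "/sys/fs/cgroup/system.slice/docker-abc123.scope/memory.max": "max\n",
}

if __name__ == "__main__":
    print(effective_memory_limit(SAMPLE_V1_PROC_CGROUP, SAMPLE_FILES.__getitem__))  # 536870912
    print(effective_memory_limit(SAMPLE_V2_PROC_CGROUP, SAMPLE_FILES.__getitem__))  # None
    with open("/proc/self/cgroup") as f:    # live check on a real host
        print(effective_memory_limit(f.read(), lambda p: open(p).read()))
```

A result of None inside a container means no memory ceiling is enforced, which is worth flagging when a workload was supposed to be started with a limit.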

[Figures: Docker isolation diagram; Namespace implementation; cgroups resource limits; cgroups hierarchy]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Docker, Namespaces, container isolation