How Docker Enforces CPU Isolation and What the Limits Really Mean
Docker uses Linux cgroups to isolate CPU resources for containers, allowing users to set a maximum number of CPU cores with the --cpus flag, which acts as an upper bound rather than binding the container to specific physical CPUs.
Docker’s CPU isolation mechanism
Docker relies on Linux cgroups (control groups) to limit, account for, and isolate the CPU resources of a container. When a container starts, Docker creates a cgroup for the container’s process group and attaches it to the kernel’s CPU subsystem.
Steps Docker follows to achieve CPU isolation
Cgroup resource allocation: Docker adds the container’s processes to a newly created cgroup so the kernel can manage its CPU usage.
Setting CPU limits: Users specify the allowed CPU cores with the --cpus option (e.g., --cpus=2). The kernel enforces this limit via the cgroup CPU subsystem.
CPU scheduling: The kernel’s scheduler ensures the container runs only within the allocated CPU quota, preventing it from monopolizing the host’s CPU.
Impact on other processes
Processes that are not part of the Docker‑assigned cgroup remain in the default cgroup and can use any CPU resources that are not consumed by the container. Therefore, limiting a container’s CPU does not deprive other host processes of CPU time.
Is the CPU assignment fixed?
The --cpus flag defines an upper limit on the number of CPU cores a container may use; it does not bind the container to specific physical CPUs. The Linux scheduler dynamically selects which cores the container’s threads run on, based on system load and availability.
Example command
docker run --cpus=2 --name my_container my_image
In this example, the container my_container can use at most two CPU cores, but the exact cores are chosen dynamically by the kernel.
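To confirm that a limit is a quota rather than a pinning to specific cores, read it back from the container's cgroup. The script below is an added example, not part of the original article; it assumes you pass the container's cgroup directory as the argument, since that path depends on the host's cgroup version and driver, and the script file name is hypothetical.

```shell
#!/bin/sh
# Added example: inspect the CPU quota behind `docker run --cpus=N`.
# Pass the container's cgroup directory; its location under /sys/fs/cgroup
# depends on the host's cgroup version and driver (assumption: you know it).

# Print the limit in cores, or "unlimited". Reads cgroup v2 cpu.max
# ("<quota> <period>", quota "max" = no limit) or the cgroup v1 pair
# cpu.cfs_quota_us / cpu.cfs_period_us (quota -1 = no limit).
cpu_limit() {
    dir=$1
    if [ -r "$dir/cpu.max" ]; then
        read -r quota period < "$dir/cpu.max"
    elif [ -r "$dir/cpu.cfs_quota_us" ]; then
        quota=$(cat "$dir/cpu.cfs_quota_us")
        period=$(cat "$dir/cpu.cfs_period_us")
    else
        echo "unknown"
        return 1
    fi
    case $quota in
        max|-1) echo "unlimited" ;;
        *) awk -v q="$quota" -v p="$period" 'BEGIN { printf "%.2f\n", q / p }' ;;
    esac
}

# Percentage of enforcement periods in which the cgroup hit its quota and was
# throttled (nr_periods and nr_throttled in cpu.stat, present in v1 and v2).
throttled_pct() {
    awk '$1 == "nr_periods"   { p = $2 }
         $1 == "nr_throttled" { t = $2 }
         END { if (p > 0) printf "%.1f\n", 100 * t / p; else print "0.0" }' \
        "$1/cpu.stat"
}

# Usage: sh cpu_quota.sh <cgroup-dir>   (hypothetical script name)
# With --cpus=2 and the default 100000 us period, expect a limit of 2.00.
if [ -n "${1:-}" ]; then
    echo "CPU limit (cores): $(cpu_limit "$1")"
    echo "Throttled periods: $(throttled_pct "$1")%"
fi
```

A result of "unlimited" identifies a container that can consume all host CPU, while a high throttled percentage shows the quota actively being enforced.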
Key takeaways
CPU isolation limits the quantity of CPU a container may consume, not the specific CPUs.
Other host processes continue to have access to all CPUs not already consumed by the container.
The limit prevents a single container from exhausting the host’s CPU resources, which is the core purpose of Docker’s CPU isolation.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
