How Docker Uses cgroups to Isolate CPU Resources
Docker leverages Linux cgroups to limit and schedule CPU usage per container, allowing you to set an upper bound on cores with the --cpus flag while keeping the actual cores dynamically allocated and leaving other system processes free to use the remaining CPUs.
Docker’s CPU isolation mechanism
Docker relies on Linux cgroups (control groups) to isolate CPU resources for each container. The cgroup CPU subsystem lets Docker restrict, account for, and schedule CPU time for a group of processes belonging to a container.
Steps Docker follows to enforce CPU limits
Cgroups resource allocation: When a container starts, Docker creates a cgroup for it and adds the container’s process group to that cgroup, enabling the kernel to manage its CPU usage.
Setting the CPU limit: Users specify the allowed amount of CPU with the --cpus flag (e.g., --cpus=2). Docker translates this into cgroup settings that cap the container’s CPU consumption.
CPU scheduling: The cgroup CPU scheduler ensures the container runs only within its allocated CPU quota, preventing it from monopolizing the host’s CPU resources.
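The steps above can be checked from the cgroup files themselves. The following is an added example, not code from the original article or from Docker: it assumes a cgroup v2 host, where the kernel exposes the ceiling in cpu.max and throttling counters in cpu.stat, and assumes Docker's default 100000 µs enforcement period. The sample file contents and the 0.25 threshold are constructed for illustration.

```python
# Added example: how --cpus maps to cgroup v2 CPU bandwidth files, and how to audit them.
DEFAULT_PERIOD_US = 100_000  # assumption: Docker's default 100 ms enforcement period

def cpus_to_cpu_max(cpus, period_us=DEFAULT_PERIOD_US):
    """Return the cpu.max line ("QUOTA PERIOD", microseconds) matching --cpus=<cpus>."""
    if cpus <= 0:
        raise ValueError("cpus must be positive")
    return f"{round(cpus * period_us)} {period_us}"

def parse_cpu_max(text):
    """Return the CPU ceiling in cores, or None when the quota is 'max' (unlimited)."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)

def parse_cpu_stat(text):
    """Parse the 'key value' lines of cpu.stat into a dict of integers."""
    return {k: int(v) for k, v in (ln.split() for ln in text.splitlines() if ln.strip())}

def throttle_ratio(stat):
    """Fraction of enforcement periods in which the cgroup exhausted its quota."""
    periods = stat.get("nr_periods", 0)
    return stat.get("nr_throttled", 0) / periods if periods else 0.0

def audit(cpu_max_text, cpu_stat_text, threshold=0.25):
    """Return (ceiling, throttle ratio, findings); threshold is an arbitrary example value."""
    limit = parse_cpu_max(cpu_max_text)
    ratio = throttle_ratio(parse_cpu_stat(cpu_stat_text))
    findings = []
    if limit is None:
        findings.append("no CPU ceiling: this cgroup may use all host CPU time")
    elif ratio > threshold:
        findings.append(f"throttled in {ratio:.0%} of periods at a {limit:g}-CPU ceiling")
    return limit, ratio, findings

# Constructed sample file contents (not captured from a real host).
SAMPLE_CPU_MAX = "200000 100000\n"
SAMPLE_CPU_STAT = (
    "usage_usec 81234567\nuser_usec 60000000\nsystem_usec 21234567\n"
    "nr_periods 400\nnr_throttled 120\nthrottled_usec 3500000\n"
)

if __name__ == "__main__":
    print(cpus_to_cpu_max(2))
    print(audit(SAMPLE_CPU_MAX, SAMPLE_CPU_STAT))
    print(audit("max 100000\n", "usage_usec 10\n"))
```

A quota of "max" means the container was started without a CPU ceiling, which is the case to look for when auditing hosts for resource-exhaustion exposure.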
Impact on other processes
Processes that are not part of the Docker‑created cgroup remain in the default cgroup and can use any CPU cores that are not consumed by the container’s quota. Therefore, Docker’s CPU limits do not block other system processes from accessing the remaining CPU capacity.
Can a container have dedicated CPUs?
Yes. By using --cpus, you can restrict a container to a specific number of CPU cores. For example:
docker run --cpus=2 --name my_container my_image
This command limits the container to at most two CPU cores, but it does not bind the container to any particular cores.
Limit vs. fixed core binding
Upper‑limit restriction: The --cpus flag defines the maximum number of CPU cores the container may use. It is a ceiling, not a reservation of specific cores.
Dynamic scheduling: The Linux kernel dynamically schedules the container’s processes on any available cores within the defined limit. The actual cores used can change over time based on system load and resource availability.
Key takeaways
CPU isolation in Docker is a quantitative limit, not a permanent binding of cores.
Other processes can still access CPUs that are not consumed by the container’s quota.
The --cpus flag provides a flexible upper bound, allowing the scheduler to allocate cores dynamically for better overall system utilization.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
