How Docker Uses Linux Cgroups to Enforce Resource Limits
This article explains how Docker relies on Linux Control Groups (cgroups) to provide resource isolation, limiting, priority management, and hierarchical process control, ensuring containers run efficiently without one process monopolizing CPU, memory, or I/O resources.
Docker is an essential skill for cloud‑native development and a core component of cloud computing. Its resource‑limiting capabilities are primarily implemented through Linux Control Groups (cgroups).
Cgroups, also known as Linux Control Groups, provide a mechanism for managing and controlling resources for a group of processes.
Key functions of cgroups:
Resource isolation: Organize processes into containers to ensure one container's tasks do not excessively consume system resources.
Resource limiting: Precisely control CPU, memory, disk I/O, network bandwidth, etc., preventing abuse.
Priority management: Set priorities for containers or tasks so critical tasks receive sufficient resources.
Process management: Provide a hierarchical organization of processes for easier monitoring.
Docker containers are essentially processes; when multiple containers run, a single container consuming excessive CPU or memory can degrade others. Linux cgroups can restrict such resource usage.
The cgroup architecture consists of three components: subsystems, control groups, and hierarchy.
Subsystems are kernel components representing a class of resource controllers (e.g., memory, CPU).
Control groups (cgroups) associate a set of processes with a set of subsystems and their parameters.
Hierarchy arranges control groups in a tree structure, allowing child groups to inherit properties from parent groups.
For example, a control group c1 may limit CPU to one core; another group c2 can inherit this limit and additionally restrict memory to 2 GB, avoiding redundant definitions.
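The c1/c2 example above can be checked with a small audit script. This is an added example, not code from the original article. It assumes the cgroup v2 interface files cpu.max and memory.max, where a child's own files still read "max" for limits set only on a parent, so the effective limit has to be computed by walking the ancestors. The tree is a constructed sample written to a temporary directory instead of /sys/fs/cgroup, and c3 is a hypothetical unlimited group added for contrast.

```python
import tempfile
from pathlib import Path

def own_limits(cg):
    """(cpu_cores, memory_bytes) written on this cgroup itself; None = no limit here."""
    cpu = mem = None
    f = cg / "cpu.max"                       # cgroup v2 format: "<quota|max> <period>"
    if f.is_file():
        quota, period = f.read_text().split()
        if quota != "max":
            cpu = int(quota) / int(period)   # CPU time per period, in cores
    f = cg / "memory.max"                    # cgroup v2 format: "<bytes|max>"
    if f.is_file() and f.read_text().strip() != "max":
        mem = int(f.read_text())
    return cpu, mem

def _tighter(a, b):
    """Smaller of two limits, treating None as unlimited."""
    return b if a is None else a if b is None else min(a, b)

def effective_limits(root, rel):
    """Tightest limit on the path root -> rel; ancestors bind their descendants."""
    node, cpu, mem = Path(root), None, None
    for part in ("",) + Path(rel).parts:     # "" visits the root itself first
        node = node / part
        c, m = own_limits(node)
        cpu, mem = _tighter(cpu, c), _tighter(mem, m)
    return {"cpu_cores": cpu, "memory_bytes": mem}

def build_sample_tree(base):
    """Constructed sample: c1 = one core, its child c2 = 2 GB memory, c3 = no limits."""
    base = Path(base)
    files = {
        "c1/cpu.max": "100000 100000", "c1/memory.max": "max",
        "c1/c2/cpu.max": "max 100000", "c1/c2/memory.max": str(2 * 1024**3),
        "c3/cpu.max": "max 100000", "c3/memory.max": "max",
    }
    for rel, text in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(text + "\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for cg in ("c1", "c1/c2", "c3"):
            print(cg, "own:", own_limits(root / cg), "effective:", effective_limits(root, cg))
```

A group whose effective limits are both None, like c3 here, is the case the article warns about: nothing stops its processes from taking CPU or memory from every other group.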
Mike Chen's Internet Architecture
Over ten years of BAT architecture experience, shared generously!
