How Docker Works: Inside Namespaces, Cgroups, and UnionFS
This guide explains Docker’s core architecture: how containers use Linux namespaces for isolation, cgroups for resource control, and a union file system for layered image storage, how containers differ from traditional VMs, and what a command‑line example looks like.
Docker is a lightweight container technology that packages an application together with all of its dependencies (libraries, system tools, runtime) into a single executable unit, the container, which runs consistently across environments.
Compared with traditional virtual machines, Docker containers share the host kernel, consume fewer resources, and start faster. The shared kernel is also the isolation boundary: a kernel vulnerability reachable from inside a container can affect the host and every other container on it, which is why containers are treated as a weaker security boundary than VMs.
Docker core principles
Docker’s core implementation is built on three Linux kernel facilities: namespaces, cgroups, and a union file system (Docker’s default storage driver on current Linux hosts is overlay2, built on the kernel’s OverlayFS).
Linux namespaces
Namespaces provide isolation: each container gets its own view of process IDs (pid), network interfaces and routing (net), mount points (mnt), hostname (uts), System V IPC (ipc), and optionally user and group IDs (user) and the cgroup hierarchy (cgroup), so containers cannot see or interfere with each other’s or the host’s processes, sockets, or mounts. One caveat matters for security: by default Docker does not create a user namespace, so uid 0 inside a container is uid 0 on the host. Remapping root to an unprivileged host uid requires the daemon’s userns-remap setting or rootless mode.
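The following script is an added example, not code from the article: it shows how to check which namespaces a container process actually shares with the host by comparing the inode numbers behind its /proc/&lt;pid&gt;/ns/* links, reading the NSpid line of /proc/&lt;pid&gt;/status (host PID versus PID inside the container), and inspecting /proc/&lt;pid&gt;/uid_map to see whether container root is host root. The sample link targets, status excerpt, and uid maps are constructed to look like a default Docker container; only `read_live_ns()` touches a real /proc, and it is optional.

```python
"""Inspect which Linux namespaces a process shares with the host (added example)."""
import os
import re

NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_ns_link(link: str) -> int:
    """Turn a /proc/<pid>/ns/<type> link target such as 'pid:[4026531836]' into its inode number."""
    m = re.fullmatch(r"[a-z_]+:\[(\d+)\]", link)
    if not m:
        raise ValueError(f"unexpected namespace link: {link!r}")
    return int(m.group(1))


def differing_namespaces(host_ns: dict, target_ns: dict) -> list:
    """Namespace types whose inode differs between host and target, i.e. the isolated ones."""
    return sorted(t for t in host_ns if parse_ns_link(host_ns[t]) != parse_ns_link(target_ns[t]))


def parse_nspid(status_text: str) -> list:
    """Read the NSpid line of /proc/<pid>/status: PIDs from the outermost to the innermost namespace."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    raise ValueError("no NSpid line in status text")


def uid_map_is_identity(uid_map_text: str) -> bool:
    """True when /proc/<pid>/uid_map maps uid 0 inside to uid 0 outside (no user-namespace remapping)."""
    for line in uid_map_text.splitlines():
        inside, outside, _count = (int(x) for x in line.split())
        if inside == 0:
            return outside == 0
    return False  # uid 0 is not mapped at all


def read_live_ns(pid="self") -> dict:
    """Read the real namespace links for a PID (Linux only; from the host, use the PID that
    `docker inspect -f '{{.State.Pid}}' <container>` prints)."""
    return {t: os.readlink(f"/proc/{pid}/ns/{t}") for t in NAMESPACES}


# Constructed sample: link targets as `readlink /proc/$PID/ns/*` would show them for the host's
# init and for a default Docker container. The inode numbers are illustrative. The user namespace
# is identical on purpose: Docker does not create one unless userns-remap or rootless mode is used.
HOST_NS = {
    "cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531841]",
    "net": "net:[4026531840]", "pid": "pid:[4026531836]", "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
CONTAINER_NS = {
    "cgroup": "cgroup:[4026532456]", "ipc": "ipc:[4026532457]", "mnt": "mnt:[4026532455]",
    "net": "net:[4026532460]", "pid": "pid:[4026532458]", "user": "user:[4026531837]",
    "uts": "uts:[4026532459]",
}
# Constructed /proc/<pid>/status excerpt for the container's first process as seen from the host:
# host PID 23481 is PID 1 inside the container's PID namespace.
CONTAINER_STATUS = "Name:\tsh\nPid:\t23481\nNSpid:\t23481\t1\nNSpgid:\t23481\t1\n"
DEFAULT_UID_MAP = "         0          0 4294967295\n"   # identity map: container root == host root
REMAPPED_UID_MAP = "         0     100000      65536\n"  # what dockerd --userns-remap produces


def report(host_ns=HOST_NS, target_ns=CONTAINER_NS, status=CONTAINER_STATUS, uid_map=DEFAULT_UID_MAP) -> dict:
    isolated = differing_namespaces(host_ns, target_ns)
    return {
        "isolated": isolated,
        "shared": sorted(set(host_ns) - set(isolated)),
        "pid_host_to_container": parse_nspid(status),
        "root_is_host_root": uid_map_is_identity(uid_map),
    }


if __name__ == "__main__":
    print(report())
```

On a real host, pass the PID from `docker inspect -f '{{.State.Pid}}'` to `read_live_ns()` and compare it with `read_live_ns("1")`; reading another process’s ns links requires the same privileges as ptrace, so run it as root. A "shared" list that contains "user" with an identity uid_map is the default Docker posture described above.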
Cgroups (control groups)
Cgroups limit, account for, and isolate the resource usage of groups of processes. The controllers commonly listed for the cgroup v1 hierarchy are:
cpu: controls CPU time allocation.
cpuacct: accounts CPU usage.
memory: limits memory and swap usage.
blkio: controls block device I/O.
net_cls and net_prio: classify and prioritize network traffic.
devices: controls access to device files.
freezer: suspends and resumes the processes in a cgroup.
Current distributions expose cgroup v2 instead, a single unified hierarchy under /sys/fs/cgroup: CPU accounting moves into the cpu controller’s cpu.stat file, blkio becomes io, net_cls/net_prio and the devices controller are replaced by BPF programs attached to the cgroup, and the freezer becomes the cgroup.freeze file. Docker supports both, so the file names you inspect to verify a limit depend on which version the host runs.
When a container is started with resource limits, e.g.: docker run -it --memory="256m" alpine sh the Docker daemon (through containerd and runc) creates a cgroup for the container and writes the limits into it. Here 256m becomes a hard limit of 268435456 bytes (memory.max on cgroup v2, memory.limit_in_bytes on v1), and when the group’s usage cannot be reclaimed below that line the kernel OOM-kills a process in it. Note that --memory alone does not forbid swap: unless --memory-swap is also set, the container may use as much swap again as its memory limit.
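The following is an added example, not code from the article or from Docker: a small checker that reads the cgroup v2 files a container sees at /sys/fs/cgroup and reports the limits it actually received, so you can confirm that `--memory="256m"` really landed as 268435456 bytes and see what `--cpus` turned into. The helper that converts the flag value assumes Docker’s binary units (k/m/g = KiB/MiB/GiB). The sample file contents are constructed to match what `docker run --memory=256m --cpus=0.5` produces on a cgroup v2 host; the container id in the sample cgroup path is a placeholder.

```python
"""Verify the cgroup v2 limits applied to a container (added example)."""
import os
from typing import Optional


def parse_memory_max(text: str) -> Optional[int]:
    """memory.max / memory.swap.max: the literal 'max' means unlimited, otherwise a byte count."""
    text = text.strip()
    return None if text == "max" else int(text)


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max holds '<quota> <period>' in microseconds; quota 'max' means unlimited.
    Returns the number of CPUs the group may consume per period, or None if unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_proc_cgroup(text: str) -> str:
    """On cgroup v2, /proc/<pid>/cgroup has a single line '0::<path>'; return <path>."""
    for line in text.splitlines():
        hierarchy, controllers, path = line.split(":", 2)
        if hierarchy == "0" and controllers == "":
            return path
    raise ValueError("not a cgroup v2 /proc/<pid>/cgroup")


def docker_memory_flag_to_bytes(flag: str) -> int:
    """Convert a `docker run --memory` value such as '256m' into the byte count written to memory.max.
    Assumes Docker's binary units: k = KiB, m = MiB, g = GiB."""
    units = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    flag = flag.strip().lower()
    if flag[-1] in units:
        return int(flag[:-1]) * units[flag[-1]]
    return int(flag)


def summarize(memory_max: str, memory_swap_max: str, cpu_max: str, proc_cgroup: str) -> dict:
    mem = parse_memory_max(memory_max)
    return {
        "cgroup_path": parse_proc_cgroup(proc_cgroup),
        "memory_limit_bytes": mem,
        "swap_limit_bytes": parse_memory_max(memory_swap_max),
        "cpus": parse_cpu_max(cpu_max),
        "oom_kill_possible": mem is not None,  # a hard memory limit means the kernel may OOM-kill us
    }


def live_summary(root: str = "/sys/fs/cgroup") -> dict:
    """Read the real files from inside a container on a cgroup v2 host (Linux only)."""
    def read(name: str) -> str:
        with open(os.path.join(root, name)) as f:
            return f.read()
    with open("/proc/self/cgroup") as f:
        proc_cgroup = f.read()
    return summarize(read("memory.max"), read("memory.swap.max"), read("cpu.max"), proc_cgroup)


# Constructed sample contents for `docker run --memory=256m --cpus=0.5 alpine` on a cgroup v2 host.
SAMPLE_MEMORY_MAX = "268435456\n"
SAMPLE_SWAP_MAX = "268435456\n"       # --memory-swap unset: swap allowance equals the memory limit
SAMPLE_CPU_MAX = "50000 100000\n"     # --cpus=0.5 -> 50 ms of quota per 100 ms period
SAMPLE_PROC_CGROUP = "0::/system.slice/docker-" + "0" * 64 + ".scope\n"  # placeholder container id


def check_expected(flag: str, memory_max_text: str) -> bool:
    """True when the memory.max a container sees equals the --memory flag it was started with."""
    return parse_memory_max(memory_max_text) == docker_memory_flag_to_bytes(flag)


if __name__ == "__main__":
    print(summarize(SAMPLE_MEMORY_MAX, SAMPLE_SWAP_MAX, SAMPLE_CPU_MAX, SAMPLE_PROC_CGROUP))
    print("256m applied correctly:", check_expected("256m", SAMPLE_MEMORY_MAX))
```

Copying this script into a container and running `live_summary()` is the practical check; on a cgroup v1 host the equivalent files are memory/memory.limit_in_bytes and cpu/cpu.cfs_quota_us and cpu/cpu.cfs_period_us under /sys/fs/cgroup, and the script would need those paths instead.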
UnionFS (union file system)
A union file system stacks several file systems into one merged view, which is the basis of Docker image layering. An image consists of read‑only layers, each produced by a Dockerfile step and containing only the files that step added, changed, or deleted relative to the layer below; when a container starts, Docker mounts them together and adds a thin writable layer on top. Reads resolve from the top down: the highest layer that holds a path wins. Writes are copy‑on‑write: modifying a file from a lower layer first copies it into the writable layer, and deleting it records a whiteout entry there rather than touching the layer below.
This keeps images incremental and lets many containers share the same read‑only layers, but it also means a file deleted in a later build step (for example a credential removed with RUN rm) is still present in the earlier layer and ships with the image.
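The following is an added example, not Docker’s code: a minimal in-memory model of union-layered storage that shows the three behaviours described above, top-down lookup, copy-on-write into the container layer, and deletion by whiteout, and uses them to demonstrate why a secret removed in a later Dockerfile step is still shipped in the image. The layer contents and the Dockerfile steps are constructed; the `WHITEOUT` string stands in for the character-device whiteout entry OverlayFS uses.

```python
"""A minimal model of union-layered image storage (added example; not Docker's implementation)."""
from typing import Dict, List, Optional

WHITEOUT = "<whiteout>"  # marker standing in for an overlayfs whiteout entry (a 0/0 character device)


class UnionView:
    """Read-only image layers stacked bottom to top, plus the writable layer Docker adds at run time."""

    def __init__(self, image_layers: List[Dict[str, object]]):
        self.image_layers = image_layers               # lowest layer first
        self.container_layer: Dict[str, object] = {}   # the writable layer, empty at `docker run`

    def _stack(self) -> List[Dict[str, object]]:
        return self.image_layers + [self.container_layer]

    def read(self, path: str) -> Optional[bytes]:
        """Lookup walks the stack from the top; the first layer with an entry wins,
        and a whiteout hides anything beneath it."""
        for layer in reversed(self._stack()):
            if path in layer:
                entry = layer[path]
                return None if entry == WHITEOUT else entry
        return None

    def listdir(self) -> List[str]:
        """Paths visible in the merged view (whiteouts and the files they hide are excluded)."""
        every_path = {p for layer in self._stack() for p in layer}
        return sorted(p for p in every_path if self.read(p) is not None)

    def write(self, path: str, data: bytes) -> None:
        """Copy-on-write: the new content lands in the writable layer; lower layers are untouched."""
        self.container_layer[path] = data

    def delete(self, path: str) -> None:
        """Deleting a lower-layer file records a whiteout in the top layer; the bytes stay below.
        A file that exists only in the writable layer is simply dropped."""
        if path in self.container_layer and self.container_layer[path] != WHITEOUT:
            del self.container_layer[path]
            if not any(path in layer for layer in self.image_layers):
                return
        self.container_layer[path] = WHITEOUT


def build_image(steps: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Simulate `docker build`: each step that changes files becomes one read-only layer
    holding only that step's additions, modifications, or whiteouts."""
    return [dict(step) for step in steps]


def secret_in_any_layer(layers: List[Dict[str, object]], path: str) -> bool:
    """What an attacker with the image tarball (`docker save`) can recover: any layer holding the bytes."""
    return any(isinstance(layer.get(path), bytes) for layer in layers)


# Constructed Dockerfile equivalent:
#   COPY app.py /app/app.py
#   COPY id_rsa /root/.ssh/id_rsa        -> layer 1 (adds both files)
#   RUN rm /root/.ssh/id_rsa             -> layer 2 (a whiteout only; the key bytes stay in layer 1)
IMAGE = build_image([
    {"/app/app.py": b"print('hi')\n", "/root/.ssh/id_rsa": b"constructed-private-key-bytes"},
    {"/root/.ssh/id_rsa": WHITEOUT},
])


def demo() -> dict:
    view = UnionView(IMAGE)
    visible_before = view.listdir()
    view.write("/app/app.py", b"print('patched')\n")   # copy-on-write into the container layer
    view.delete("/app/app.py")                          # whiteout; layer 1 still has the original
    return {
        "key_visible_in_container": view.read("/root/.ssh/id_rsa") is not None,
        "key_recoverable_from_image": secret_in_any_layer(IMAGE, "/root/.ssh/id_rsa"),
        "visible_before_edits": visible_before,
        "lower_layer_app_unchanged": IMAGE[0]["/app/app.py"] == b"print('hi')\n",
        "app_visible_after_delete": view.read("/app/app.py") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The same thing can be seen on a real image with `docker history <image>` (one row per layer) and `docker save <image> -o image.tar`, whose per-layer tarballs still contain the removed file. The fix is to never put the secret into a layer in the first place, for example with a multi-stage build that copies only the final artifacts into the runtime image.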
In summary, Docker combines Linux namespaces for isolation, cgroups for resource control, and a union file system for layered image storage; these three kernel facilities are the foundation of its container runtime.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Mike Chen's Internet Architecture