How Does Docker Achieve CPU Isolation with cgroups?

Docker uses Linux cgroups to limit and schedule CPU resources for containers, allowing you to set a maximum number of CPU cores per container while keeping the actual cores dynamically allocated, so other processes can still use the remaining CPUs.

Liangxu Linux

Docker CPU Isolation Overview

Docker relies on Linux cgroups (control groups) to isolate CPU resources for each container. A cgroup can limit, account for, and isolate the CPU usage of a group of processes, enabling Docker to enforce per‑container CPU quotas.

Implementation Steps

Cgroup Resource Allocation – When a container starts, Docker creates a cgroup for it and adds the container’s process group to this cgroup, allowing the kernel to manage its CPU usage.

Setting CPU Limits – Users specify the allowed CPU cores with the --cpus flag (e.g., --cpus=2). Docker translates this into cgroup CPU subsystem settings, establishing an upper bound on CPU consumption.

CPU Scheduling – The kernel’s CPU scheduler enforces the cgroup limits, ensuring the container cannot exceed its allocated CPU quota, preventing it from monopolizing host CPU resources.

Impact on Other Processes

Processes that are not part of the Docker container remain in the default cgroup and can use any CPU cores not currently consumed by the container. Thus, Docker’s CPU limits do not deprive other system processes of CPU time.

Fixed vs. Dynamic CPU Assignment

The --cpus option defines a maximum number of CPU cores a container may use; it does not bind the container to specific physical cores. The kernel dynamically schedules the container’s threads across any available cores within the limit, adapting to system load.

Example Command

docker run --cpus=2 --name my_container my_image

This command starts my_container with a CPU quota of two cores. The container’s processes can be scheduled on any of the host’s cores, but their combined CPU usage never exceeds the equivalent of two cores, leaving the remaining capacity free for other workloads.
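
To confirm that a limit such as --cpus=2 is actually in force, read the quota the kernel enforces from the container's cgroup files. The Python sketch below is an added example, not code from the original article or from Docker; it assumes the caller supplies the container's cgroup directory (its location depends on the host's cgroup version and driver), and the sample files it builds are constructed (200000/100000 µs is how Docker expresses --cpus=2).

```python
import tempfile
from pathlib import Path
from typing import Optional


def cpu_limit(cgroup_dir: Path) -> Optional[float]:
    """Return the CPU cap in cores for a cgroup directory, or None if uncapped."""
    v2 = cgroup_dir / "cpu.max"
    if v2.exists():
        # cgroup v2: "<quota|max> <period>", both in microseconds
        quota, period = v2.read_text().split()
        return None if quota == "max" else int(quota) / int(period)
    # cgroup v1: separate files; a quota of -1 means no cap
    quota = int((cgroup_dir / "cpu.cfs_quota_us").read_text())
    period = int((cgroup_dir / "cpu.cfs_period_us").read_text())
    return None if quota <= 0 else quota / period


def throttle_ratio(cgroup_dir: Path) -> float:
    """Fraction of enforcement periods in which the kernel throttled the group."""
    stats = {}
    for line in (cgroup_dir / "cpu.stat").read_text().splitlines():
        key, value = line.split()
        stats[key] = int(value)
    periods = stats.get("nr_periods", 0)
    return stats.get("nr_throttled", 0) / periods if periods else 0.0


def audit(cgroup_dir: Path) -> str:
    """One-line finding: uncapped containers are the ones that can starve a host."""
    limit = cpu_limit(cgroup_dir)
    if limit is None:
        return "UNCAPPED: container can consume every host core"
    ratio = throttle_ratio(cgroup_dir)
    return f"capped at {limit:g} CPUs, throttled in {ratio:.0%} of periods"


def make_sample(cpu_max: str, cpu_stat: str) -> Path:
    """Build a constructed cgroup v2 directory so the example runs offline."""
    d = Path(tempfile.mkdtemp())
    (d / "cpu.max").write_text(cpu_max)
    (d / "cpu.stat").write_text(cpu_stat)
    return d


if __name__ == "__main__":
    # Constructed values: a --cpus=2 container and one started without a limit
    print(audit(make_sample("200000 100000\n", "nr_periods 40\nnr_throttled 10\n")))
    print(audit(make_sample("max 100000\n", "nr_periods 0\nnr_throttled 0\n")))
```

A high throttle ratio on a capped container means the workload keeps hitting its quota; an UNCAPPED result means the container was started without --cpus and nothing bounds its CPU use.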

Key Takeaways

The CPU limit restricts the quantity of CPU resources a container may consume.

No single CPU core is permanently bound to a specific container.

Other system processes can still utilize any CPU cores not fully consumed by the container.

The dynamic scheduling provided by cgroups ensures efficient resource sharing while preventing any container from monopolizing the host.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
