How Linux Cgroups and Namespaces Power Modern Containerization
This article traces the evolution of operating‑system level virtualization from the early UNIX chroot to modern Docker containers, explaining the roles of chroot, control groups, various Linux namespaces, their implementation details, and how Docker leverages these mechanisms for isolation and resource management.
Operating System Virtualization (Container Technology) Evolution
1979 UNIX V7 introduced chroot, considered the first OS‑level virtualization prototype, isolating the file system for a process.
2006 Google engineers published Process Containers for Linux, aiming to give groups of processes VM‑like resource limits and accounting.
2007 Process Containers was renamed Control Groups (cgroups) to avoid the overloaded word "container"; the code was merged into the mainline kernel in version 2.6.24, released in January 2008.
2008 LXC 0.1.0 combined cgroups and namespaces (with chroot‑style root changes and, in later releases, SELinux/AppArmor and seccomp policies) into a user‑space tool for lightweight OS virtualization.
2013 Docker was announced, initially based on LXC, and its source was open‑sourced on GitHub.
Chroot
chroot() changes the root directory of the calling process: every path lookup that starts with "/" is resolved inside the new root, so the process can no longer name files outside it. The working directory is not changed and open file descriptors are kept, which is why the safe sequence is chdir() into the new root, chroot(), chdir("/"), then drop privileges; a process that keeps CAP_SYS_CHROOT can simply chroot() again and walk back out.
Prototype:
Call permission : requires the CAP_SYS_CHROOT capability (root has it by default).
Parameter : path – path of the directory that becomes the new root.
Return : 0 on success, -1 on failure with errno set (EPERM without the capability, ENOENT or ENOTDIR for a bad path).
#include <unistd.h>
int chroot(const char *path);
Typical uses: build and debugging environments, system rescue, and file‑system confinement of a service that has already dropped root. On its own it is not a security boundary: it isolates path lookups only, not the process, network or resource views, which is what the mechanisms below add.
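As an added example that is not code from the original article: a hypothetical enter_chroot() helper that chdir()s into the new root first (chroot() does not move the working directory, and a cwd left outside the jail is the classic way out), calls chroot("."), chdir("/"), and then drops to an unprivileged uid/gid so the process can no longer chroot() again. The function name, the uid/gid arguments and the command‑line usage in main() are this example's own choices; it needs CAP_SYS_CHROOT (normally root) and fails with EPERM otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter newroot and give up the ability to leave it (example helper, not a
 * kernel or libc API). Returns 0, or -1 with errno set. */
int enter_chroot(const char *newroot, uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* staying root inside the jail defeats the point */
        errno = EINVAL;
        return -1;
    }
    if (chdir(newroot) == -1)       /* cwd must be inside the jail before chroot() */
        return -1;
    if (chroot(".") == -1)          /* needs CAP_SYS_CHROOT; EPERM otherwise */
        return -1;
    if (chdir("/") == -1)           /* make the new root the cwd, not a stale dir */
        return -1;
    if (setgroups(0, NULL) == -1)   /* supplementary groups first, while still root */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0) {           /* the drop must be irreversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <newroot> <uid> <gid> <program> [args...]\n", argv[0]);
        return 2;
    }
    if (enter_chroot(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) == -1) {
        perror("enter_chroot");
        return 1;
    }
    execv(argv[4], &argv[4]);       /* program path is now relative to the new root */
    perror("execv");
    return 1;
}
```

Run as root, for example enter_chroot /srv/jail 65534 65534 /bin/sh, the shell that starts cannot see anything outside /srv/jail and, as uid 65534, cannot call chroot() to get out; run without CAP_SYS_CHROOT the helper reports EPERM instead of silently continuing outside the jail.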
Cgroups
Cgroups (control groups) let the kernel account for and limit the resources used by a group of processes or kernel threads: quotas (a memory ceiling, a CPU share), priority, accounting, and control actions such as freezing the whole group. Docker's --memory, --cpus and --pids-limit flags are all cgroup settings.
Key components:
libcgroup : user‑space library and tools (cgcreate, cgexec, lssubsys) for manipulating cgroups.
Task : a process or thread; the unit that is attached to a cgroup.
Subsystem (controller) : one per resource type (cpu, memory, pids, …); each exposes its own control files.
Control group (cgroup) : a set of tasks plus the settings of one or more subsystems; a task belongs to exactly one cgroup per hierarchy.
Cgroup filesystem : the VFS interface (cgroupfs) through which cgroups are created as directories and configured by writing to files.
Two layouts exist. cgroup v1 mounts one hierarchy per subsystem under /sys/fs/cgroup/<subsystem>/ and is what the listings below show; cgroup v2, the default on current systemd‑based distributions, mounts a single unified hierarchy at /sys/fs/cgroup with different file names (memory.max instead of memory.limit_in_bytes, cgroup.procs but no tasks file).
Cgroup Subsystems
Examples include cpuset, cpu, cpuacct, memory, hugetlb, devices, blkio, net_cls, net_prio, freezer, perf_event, pids and rdma (the old ns subsystem that once tied namespaces to cgroups no longer exists).
Each subsystem provides a configuration entry in the cgroup filesystem.
$ sudo yum install libcgroup-tools
$ lssubsys -a
cpuset
cpu,cpuacct
blkio
memory
devices
freezer
net_cls,net_prio
perf_event
hugetlb
pids
rdma
Cgroup Filesystem
The filesystem exposes files such as cgroup.clone_children, cgroup.procs, memory.limit_in_bytes, etc., to control and monitor resources.
$ ll /sys/fs/cgroup/memory/
# shows files like cgroup.clone_children, memory.limit_in_bytes, tasks, …
Cgroup Hierarchy
Cgroups form a tree per hierarchy: creating a child cgroup is a mkdir, and the kernel populates the new directory with the subsystem's control files. A child starts from the subsystem's defaults (for cpuset, cgroup.clone_children=1 makes it copy the parent's settings), and a parent's limits always bound its children, so a child can never be allowed more than its parent.
$ mkdir /sys/fs/cgroup/memory/cgrp1/
$ ls /sys/fs/cgroup/memory/cgrp1/
cgroup.clone_children memory.kmem.limit_in_bytes tasks
…
Namespaces
Linux namespaces wrap a global resource so that the processes inside a namespace see their own private instance of it. The types are UTS, PID, IPC, Mount, Network, User and Cgroup, plus Time since Linux 5.6; a new one is created with clone() or unshare() using the matching CLONE_NEW* flag and joined with setns(). Docker creates a fresh set of them for every container.
UTS namespace
Isolates the hostname and NIS domain name, which is why a container can call itself anything without affecting the host.
PID namespace
Gives the container its own process‑ID space in which the first process is PID 1 and plays the init role: orphans are reparented to it, and if it exits the kernel kills every other process in the namespace. The same processes remain visible from the parent namespace under different PIDs, which is how the host can still manage them.
IPC namespace
Isolates System V IPC objects (shared memory segments, semaphores, message queues) and POSIX message queues.
Mount namespace
Isolates the mount‑point table, so a container can have its own root filesystem; container runtimes switch into it with pivot_root() inside a new mount namespace rather than with a plain chroot().
Network namespace
Isolates network devices, IP stacks, routing tables, firewall rules, sockets and port numbers; a veth pair normally links the container's namespace to a bridge in the host's.
User namespace
Maps a range of UIDs and GIDs inside the namespace to a range outside it, so UID 0 inside can correspond to an unprivileged UID on the host, and capabilities gained inside apply only to resources owned by the namespace. This is also what lets unprivileged users create the other namespace types. Docker leaves it off unless userns-remap is configured, so root in a default container is still UID 0 on the host, constrained only by the capability bounding set, seccomp and LSM policy.
Cgroup namespace
Virtualises the view of the cgroup hierarchy so that a process sees its own cgroup as the root, hiding the host's layout from /proc/self/cgroup.
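An added example, not from the original article, that creates fresh user, PID and UTS namespaces with clone() and reports what the child sees: it is PID 1, and it can rename its host without touching the parent's hostname. The function and struct names are this example's own; CLONE_NEWUSER is placed first so an unprivileged user can run it on a kernel that allows unprivileged user namespaces, and the call returns -1 (EPERM or EINVAL) where that is disabled or a seccomp policy, such as Docker's default profile, blocks those clone flags.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports back to the parent over a pipe (example struct). */
struct ns_report {
    pid_t pid_inside;      /* getpid() as seen inside the new PID namespace */
    char hostname[64];     /* hostname as seen inside the new UTS namespace */
};

static char child_stack[1024 * 1024];   /* clone() needs a caller-supplied stack */

static int child_fn(void *arg)
{
    int *pipefd = arg;
    struct ns_report r;
    memset(&r, 0, sizeof r);
    close(pipefd[0]);
    /* The new user namespace owns the new UTS namespace and grants full
     * capabilities over it, so even an unprivileged caller may rename the host
     * here; the parent's hostname is untouched. */
    if (sethostname("sandbox", 7) == 0)
        gethostname(r.hostname, sizeof r.hostname - 1);
    r.pid_inside = getpid();            /* 1: first process in the new PID namespace */
    if (write(pipefd[1], &r, sizeof r) != (ssize_t)sizeof r)
        return 1;
    close(pipefd[1]);
    return 0;
}

/* Spawn a child in fresh user, PID and UTS namespaces and return the PID it
 * sees for itself (1 on success). Returns -1 with errno set when the kernel
 * refuses the clone flags (EPERM/EINVAL) or the child never reported (EIO). */
int demo_pid_namespace(struct ns_report *out)
{
    int pipefd[2];
    if (pipe(pipefd) == -1)
        return -1;
    /* CLONE_NEWUSER first, so the PID and UTS namespaces are owned by the new
     * user namespace; that is what makes this possible without root. */
    pid_t child = clone(child_fn, child_stack + sizeof child_stack,
                        CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, pipefd);
    if (child == -1) {
        int saved = errno;
        close(pipefd[0]);
        close(pipefd[1]);
        errno = saved;
        return -1;
    }
    close(pipefd[1]);
    struct ns_report r;
    memset(&r, 0, sizeof r);
    ssize_t n = read(pipefd[0], &r, sizeof r);
    close(pipefd[0]);
    waitpid(child, NULL, 0);
    if (n != (ssize_t)sizeof r) {
        errno = EIO;
        return -1;
    }
    if (out)
        *out = r;
    return r.pid_inside;
}

int main(void)
{
    struct ns_report r;
    int pid = demo_pid_namespace(&r);
    if (pid == -1) {
        perror("clone(CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWUTS)");
        return 1;
    }
    char host[64] = "";
    gethostname(host, sizeof host - 1);
    printf("child: PID %d, hostname \"%s\"; parent: PID %d, hostname \"%s\"\n",
           pid, r.hostname, (int)getpid(), host);
    return 0;
}
```

The child is the same process the parent sees under a normal PID, which is the point of the PID namespace description above: the view differs, the process does not. Adding CLONE_NEWNS and CLONE_NEWNET to the flags would give it private mount and network tables in the same way, which is essentially what a container runtime does before it pivots into the image's root filesystem.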
Docker’s Use of Cgroups and Namespaces
Example commands to inspect a Docker container’s cgroup and namespace configuration.
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS NAMES
cfca1212d140 centos:7.9 "bash" … Up 2 hours vim-ide
$ docker inspect --format '{{.State.Pid}}' cfca1212d140
2240
$ cat /sys/fs/cgroup/memory/docker/.../memory.limit_in_bytes
9223372036854771712
That value is how cgroup v1 spells "no limit" (LONG_MAX rounded down to the page size), so this container runs without a memory cap; a docker run --memory value would appear here in bytes. The path depends on the cgroup driver: with cgroupfs it is /sys/fs/cgroup/memory/docker/<container id>/, with the systemd driver /sys/fs/cgroup/memory/system.slice/docker-<container id>.scope/, and on a cgroup v2 host the file is memory.max under /sys/fs/cgroup/system.slice/docker-<container id>.scope/ and reads "max" when unlimited. The host PID from docker inspect is the handle for the rest: the container's namespaces appear as symbolic links under /proc/2240/ns/ and its cgroup membership in /proc/2240/cgroup.
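Added example, written for this edit rather than taken from the article or from Docker, serving both the Cgroup Hierarchy section (creating a child cgroup by mkdir and writing its control files) and the limit read above: parse_memory_limit() interprets a memory.limit_in_bytes or memory.max value, recognising the v1 "unlimited" sentinel and the v2 max keyword, and cgroup_create_limited() creates a capped child cgroup and moves a PID into it. The function names and the 64 KiB rounding floor used to detect the sentinel are this example's own assumptions; the create path needs write access to the hierarchy (normally root) and returns -1 with errno set otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* cgroup v1 prints "no limit" as LONG_MAX rounded down to the page size: with
 * 4 KiB pages that is 9223372036854771712. Larger page sizes give a slightly
 * smaller number, so (assumption of this example) anything at or above LONG_MAX
 * rounded down to 64 KiB counts as "no limit". cgroup v2 prints "max" instead. */
#define CGROUP_V1_UNLIMITED_FLOOR (UINT64_C(0x7fffffffffffffff) & ~UINT64_C(0xffff))

enum limit_kind { LIMIT_INVALID = -1, LIMIT_NONE = 0, LIMIT_SET = 1 };

/* Interpret one line of memory.limit_in_bytes (v1) or memory.max (v2). */
enum limit_kind parse_memory_limit(const char *line, uint64_t *bytes)
{
    char buf[64];
    size_t len = strcspn(line, "\r\n");
    if (len == 0 || len >= sizeof buf)
        return LIMIT_INVALID;
    memcpy(buf, line, len);
    buf[len] = '\0';
    if (strcmp(buf, "max") == 0)                    /* v2 spelling of "no limit" */
        return LIMIT_NONE;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0' || buf[0] == '-')
        return LIMIT_INVALID;                       /* strtoull would accept "-1" */
    if (v >= CGROUP_V1_UNLIMITED_FLOOR)             /* v1 sentinel */
        return LIMIT_NONE;
    if (bytes)
        *bytes = (uint64_t)v;
    return LIMIT_SET;
}

/* Read and interpret a limit file; LIMIT_INVALID if it cannot be read. */
enum limit_kind read_memory_limit(const char *path, uint64_t *bytes)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return LIMIT_INVALID;
    char line[64];
    enum limit_kind k = fgets(line, sizeof line, f) ? parse_memory_limit(line, bytes)
                                                    : LIMIT_INVALID;
    fclose(f);
    return k;
}

/* Write one value to a control file under dir. Returns 0, or -1 with errno set. */
static int cgroup_write(const char *dir, const char *file, const char *value)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, file) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return -1;
    size_t len = strlen(value);
    ssize_t n = write(fd, value, len);              /* the kernel validates the value */
    int saved = (n == -1) ? errno : EIO;
    close(fd);
    if (n != (ssize_t)len) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Create parent/name (the kernel populates its control files on mkdir), cap its
 * memory at limit_bytes and move pid into it. Tries the v1 file name first and
 * falls back to v2; on v2 the parent must have "memory" enabled in its
 * cgroup.subtree_control. Needs write access to the hierarchy (normally root). */
int cgroup_create_limited(const char *parent, const char *name,
                          uint64_t limit_bytes, pid_t pid)
{
    char dir[PATH_MAX], value[32];
    if (snprintf(dir, sizeof dir, "%s/%s", parent, name) >= (int)sizeof dir) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(dir, 0755) == -1 && errno != EEXIST)
        return -1;
    snprintf(value, sizeof value, "%" PRIu64, limit_bytes);
    if (cgroup_write(dir, "memory.limit_in_bytes", value) == -1 &&
        (errno != ENOENT || cgroup_write(dir, "memory.max", value) == -1))
        return -1;
    snprintf(value, sizeof value, "%ld", (long)pid);
    return cgroup_write(dir, "cgroup.procs", value);
}
```

Calling read_memory_limit() on the file shown above returns LIMIT_NONE for 9223372036854771712, and the same for a v2 memory.max that reads max; a cgroup_create_limited("/sys/fs/cgroup/memory", "cgrp1", 512 << 20, getpid()) call as root reproduces the mkdir from the Cgroup Hierarchy section and then caps the calling process at 512 MiB, with the kernel refusing the write if the parent's limit is lower.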