BestHub
Sign in
Operations 5 min read

How Linux Namespaces and Cgroups Enable Resource Isolation and Limits

This article explains how Linux namespaces provide resource isolation while cgroups enforce resource limits, detailing their types, system calls, configuration steps, and practical Go code examples to demonstrate CPU share control in container-like environments.

Efficient Ops
Efficient Ops
Efficient Ops
How Linux Namespaces and Cgroups Enable Resource Isolation and Limits

Namespace

Namespaces are a Linux feature that provides resource isolation, allowing a process to have its own view of system resources such as network, file systems, and process IDs.

mnt – file system

pid – processes

net – network

ipc – inter‑process communication

uts – hostname

user – user IDs

Three system calls are used to work with namespaces:

clone – creates a new process and a new namespace, attaching the child to the new namespace

unshare – creates a new namespace and attaches the current process to it without creating a new process

setns – attaches a process to an existing namespace

The shell command

sudo unshare --fork --pid --mount-proc bash

creates a new PID namespace and runs a bash shell inside it. Inside this namespace only the processes created by the shell are visible.

Cgroups

Cgroups (control groups) allow the kernel to limit, prioritize, and account for resource usage of groups of processes. They are typically mounted at

/sys/fs/cgroup

.

The

cpu.shares

parameter determines the relative CPU time allocated to a cgroup. The default value is 1024. Setting

cpulimited

to 512 and leaving

lesscpulimited

at the default creates a 1:2 CPU share ratio.

<code>sudo cgset -r cpu.shares=512 cpulimited</code>

Example Go program that generates high CPU load:

<code>func IsPrime(value int) bool {
    for i := 2; i <= int(math.Floor(float64(value)/2)); i++ {
        if value%2 == 0 {
            return false
        }
    }
    return true
}

func main() {
    for i := 0; i < 999999999; i++ {
        fmt.Printf("%v is prime: %v\n", i, IsPrime(i))
    }
}
</code>

Create two CPU cgroups:

<code>sudo cgcreate -g cpu:/cpulimited
sudo cgcreate -g cpu:/lesscpulimited</code>

Run the program in the limited cgroup:

<code>sudo cgexec -g cpu:cpulimited ./main &gt; /dev/null &amp;</code>

Both processes in

cpulimited

each consume about 50% of the CPU. Running the program in

lesscpulimited

shows roughly a 1:2 CPU usage ratio compared to the limited group.

Source: Zhihu article

LinuxCgroupsContainersResource IsolationNamespacesCPU Limits
Efficient Ops
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment