How Linux Namespaces and Cgroups Enable Resource Isolation and Limits
This article explains how Linux namespaces provide resource isolation while cgroups enforce resource limits. It details the six namespace types, the relevant system calls, and practical commands such as unshare and cgcreate, and demonstrates CPU share control with Go code and cgroup configuration examples.
Namespace
Linux namespaces are used for resource isolation, allowing a process to have exclusive access to resources such as ports or files. Since 2002, six namespace types have been implemented:
mnt – file system
pid – processes
net – network
ipc – inter‑process communication
uts – hostname
user – user IDs
Namespaces can be created via three system calls:
clone – creates a new process and a new namespace, attaching the process to it
unshare – creates a new namespace and attaches the current process without creating a new process
setns – attaches a process to an existing namespace
The shell command sudo unshare --fork --pid --mount-proc bash creates a new PID namespace and runs a bash shell inside it.
After running the command, only two processes are visible in this namespace:
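To check what an invocation like the unshare command above actually isolated, compare the namespace inodes the kernel exposes as symlinks under /proc/<pid>/ns: two processes share a namespace exactly when the inode numbers match. The Go program below is an added example, not code from the original article; the function names nsInode, readNamespaces and sharedNamespaces are assumptions chosen here.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

var nsTypes = []string{"mnt", "pid", "net", "ipc", "uts", "user"} // the six types above, as named in /proc/<pid>/ns

// nsInode extracts the inode from a link target such as "pid:[4026531836]".
func nsInode(target, typ string) (string, error) {
	inode := strings.TrimSuffix(strings.TrimPrefix(target, typ+":["), "]")
	if inode == "" || len(inode)+len(typ)+3 != len(target) { // prefix and suffix must both have matched
		return "", fmt.Errorf("unexpected %s link %q", typ, target)
	}
	return inode, nil
}

// readNamespaces maps namespace type to inode for one process under procRoot.
func readNamespaces(procRoot, pid string) (map[string]string, error) {
	ns := make(map[string]string)
	for _, t := range nsTypes {
		target, err := os.Readlink(procRoot + "/" + pid + "/ns/" + t)
		if err == nil {
			ns[t], err = nsInode(target, t)
		}
		if err != nil {
			return nil, err
		}
	}
	return ns, nil
}

// sharedNamespaces lists the types where both processes sit in the same namespace (no isolation).
func sharedNamespaces(a, b map[string]string) []string {
	shared := []string{}
	for _, t := range nsTypes {
		if a[t] != "" && a[t] == b[t] {
			shared = append(shared, t)
		}
	}
	return shared
}

func main() {
	self, err1 := readNamespaces("/proc", "self")
	pid1, err2 := readNamespaces("/proc", "1") // reading PID 1's links usually needs root
	fmt.Println("shared with PID 1:", sharedNamespaces(self, pid1), "errors:", err1, err2)
}
```

Run as root on the host, this lists all six types; run inside the shell started by the unshare command, pid and mnt should be missing from the list because --mount-proc also unshares the mount namespace.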
Cgroups
Cgroups (control groups) are used for resource limiting and are accessed through the virtual file system, typically mounted at /sys/fs/cgroup.
The kernel reads cgroup information to schedule resources for each process. The article demonstrates limiting CPU usage with a Go program that generates high CPU load:
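package main

import (
	"fmt"
	"math"
)

// IsPrime reports whether value is prime by trial division up to value/2.
func IsPrime(value int) bool {
	for i := 2; i <= int(math.Floor(float64(value)/2)); i++ {
		if value%i == 0 { // divide by the loop variable i, not the constant 2
			return false
		}
	}
	return value > 1 // 0 and 1 are not prime
}

// main tests a long run of integers purely to generate CPU load.
func main() {
	for i := 0; i < 999999999; i++ {
		fmt.Printf("%v is prime: %v\n", i, IsPrime(i))
	}
}
Two CPU cgroups are created: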
sudo cgcreate -g cpu:/cpulimited
sudo cgcreate -g cpu:/lesscpulimited
The cpu.shares parameter determines the proportion of CPU time allocated to each cgroup. The default value is 1024. Setting cpulimited to 512 gives a 1:2 share ratio compared to the default.
sudo cgset -r cpu.shares=512 cpulimited
Running a process in the cpulimited cgroup consumes 100% of the CPU. Starting another process in the same cgroup results in each using roughly 50% of the CPU.
When a process is started in the lesscpulimited cgroup, it receives about one‑third of the CPU compared to the two processes in cpulimited, confirming the 1:2 share relationship.
sudo cgexec -g cpu:lesscpulimited ./main > /dev/null &
Thus, the total CPU consumption of two cpulimited processes is roughly equal to that of a single lesscpulimited process, demonstrating the intended 1:2 CPU share ratio.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
