BestHub
Sign in
Fundamentals 5 min read

How Linux Namespaces and Cgroups Provide Isolation and Resource Limits

This article explains how Linux namespaces achieve resource isolation and how cgroups enforce resource limits, covering the six namespace types, the system calls used to create them, and practical examples of CPU share configuration with Go code and command‑line tools.

Efficient Ops
Efficient Ops
Efficient Ops
How Linux Namespaces and Cgroups Provide Isolation and Resource Limits

Namespace

Namespaces are a Linux feature that provides resource isolation, allowing a process to have its own view of system resources such as mount points, process IDs, network interfaces, IPC, hostname, and user IDs. Linux supports six namespaces: mnt, pid, net, ipc, uts, and user.

Namespaces can be created via three system calls:

clone – creates a new process and a new namespace, attaching the child to the new namespace.

unshare – creates a new namespace and attaches the current process to it without creating a new process.

setns – attaches an existing process to an existing namespace.

The shell command

sudo unshare --fork --pid --mount-proc bash

creates a new PID namespace and runs a bash shell inside it. Inside this namespace only the processes started there are visible.

Cgroups

Cgroups (control groups) are a kernel feature that limits and accounts for resource usage of processes. They are accessed through the virtual filesystem mounted at

/sys/fs/cgroup

.

The kernel reads the cgroup settings to schedule resources such as CPU time. The article demonstrates limiting CPU usage with a Go program that repeatedly checks for prime numbers.

<code>func IsPrime(value int) bool {
    for i := 2; i <= int(math.Floor(float64(value)/2)); i++ {
        if value%2 == 0 {
            return false
        }
    }
    return true
}
func main() {
    for i := 0; i < 999999999; i++ {
        fmt.Printf("%v is prime: %v\n", i, IsPrime(i))
    }
}
</code>

Two CPU cgroups are created:

<code>sudo cgcreate -g cpu:/cpulimited
sudo cgcreate -g cpu:/lesscpulimited
</code>

The

cpu.shares

parameter determines the proportion of CPU time allocated. Setting

cpu.shares=512

for

cpulimited

while leaving

lesscpulimited

at the default 1024 results in a 1:2 CPU share ratio.

<code>sudo cgset -r cpu.shares=512 cpulimited
</code>

Running the Go program in each cgroup with

sudo cgexec -g cpu:cpulimited ./main &gt; /dev/null &amp;

shows that the two processes in

cpulimited

together consume roughly the same CPU as one process in

lesscpulimited

, confirming the expected 1:2 relationship.

LinuxCgroupsCPU LimitingContainersResource IsolationNamespaces
Efficient Ops
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment