Operations 12 min read

Master Docker Resource Management: Namespaces, Cgroups, and Monitoring Hacks

This article explains how Docker uses Linux namespaces and cgroups to provide isolation, CPU/memory/I/O control, and monitoring, and includes practical scripts and tips for managing container resources effectively.

Efficient Ops

What problems does Docker solve?

It solves two major problems: high‑performance container‑level virtualization that provides isolation and control, and image storage & change management via DockerHub and AUFS (or other drivers).

How does Docker achieve isolation?

Docker uses Linux kernel namespaces. The supported namespace types are:

Mount (CLONE_NEWNS)

UTS (hostname) (CLONE_NEWUTS)

IPC (CLONE_NEWIPC)

PID (CLONE_NEWPID)

Network (CLONE_NEWNET)

User (CLONE_NEWUSER)

Namespaces are visible under /proc/${PID}/ns as the files ipc, mnt, net, pid, user and uts. The clone system call creates a new namespace for each CLONE_NEW* flag passed; any namespace whose flag is omitted is inherited from the parent.

Manipulating namespaces

Three system calls are used: clone, setns and unshare. Command-line tools such as ip netns and unshare simplify the work. The following script adds a network interface to a running container by creating a veth pair and moving one end into the container's network namespace:

#!/bin/bash
# Usage: network.sh <container> <ifname> <address/prefix>
# Creates a veth pair and moves one end into the container's network namespace.
PID=$(docker inspect -f '{{.State.Pid}}' "$1")
ID=$(docker inspect -f '{{.Id}}' "$1")
ETHNAME=$2
mkdir -p /var/run/netns
# Expose the container's net namespace to "ip netns" under its container ID
ln -s /proc/${PID}/ns/net /var/run/netns/${ID}
ip link add dev ${ETHNAME}.0 type veth peer name ${ETHNAME}.1
ip link set dev ${ETHNAME}.1 netns ${ID}
ip link set dev ${ETHNAME}.0 up
ip netns exec ${ID} ifconfig ${ETHNAME}.1 $3 up
# Remove the symlink only; the namespace itself lives on with the container
rm -f /var/run/netns/${ID}

Run with:

network.sh docker-test veth0 192.168.1.10/24

How does Docker control resources?

Beyond namespaces, Docker relies on cgroups for CPU, memory, swap, and I/O control.

CPU and memory

CPU shares (cpu.shares) set relative priority; cpuset.cpus pins containers to specific cores. Memory limits are set via memory.limit_in_bytes and memory.memsw.limit_in_bytes. Enabling swap accounting requires the kernel boot parameters cgroups_enable=memory swapaccount=1.

Disk I/O

cgroups provide weight-based scheduling or precise throttling via blkio.throttle.read_bps_device, blkio.throttle.write_bps_device, blkio.throttle.read_iops_device and blkio.throttle.write_iops_device. Each entry has the format "<major>:<minor> <limit>".

Disk capacity

When using the AUFS driver, capacity control is limited. Two alternatives are: mounting LVM volumes with the --volume flag, or using the btrfs driver with subvolume quotas, e.g.:

btrfs qgroup limit -e 100G /var/lib/docker/btrfs/subvolumes/<CONTAINER_ID>

Monitoring container resource usage

cgroups expose files such as cpuacct.usage, memory.usage_in_bytes, memory.memsw.usage_in_bytes, blkio.throttle.io_serviced and blkio.throttle.io_service_bytes. Network statistics are available under /sys/class/net/<ethname>/statistics/.
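As an added example (not from the original article), the following script reads those cgroup files for one container and flags it when memory use approaches its limit. It assumes cgroup v1 mounted at /sys/fs/cgroup and Docker's cgroupfs driver, which places each container under <controller>/docker/<container-id>; the container_usage, mem_pct and near_limit functions are names chosen here.

```bash
#!/bin/bash
# Added example: read a container's cgroup v1 counters and check memory headroom.
# Assumed layout (cgroupfs driver): /sys/fs/cgroup/<controller>/docker/<container-id>
CG_ROOT="${CG_ROOT:-/sys/fs/cgroup}"

# container_cgroup_dir <controller> <container-id>
container_cgroup_dir() {
  printf '%s/%s/docker/%s\n' "$CG_ROOT" "$1" "$2"
}

# read_counter <file>: the integer stored in a cgroup file, or 0 if it is unreadable
read_counter() {
  if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf '0'; fi
}

# blkio_total <file>: the device-independent "Total" line of io_service_bytes
# (per-device lines look like "8:0 Total 16384"; the summary line is "Total 16384")
blkio_total() {
  [ -r "$1" ] || { printf '0'; return; }
  awk '$1 == "Total" { t = $2 } END { print t + 0 }' "$1"
}

# container_usage <container-id>: one line of counters, ready for a metrics pipeline
container_usage() {
  id="$1"
  cpu=$(read_counter "$(container_cgroup_dir cpuacct "$id")/cpuacct.usage")
  mem=$(read_counter "$(container_cgroup_dir memory "$id")/memory.usage_in_bytes")
  memsw=$(read_counter "$(container_cgroup_dir memory "$id")/memory.memsw.usage_in_bytes")
  io=$(blkio_total "$(container_cgroup_dir blkio "$id")/blkio.throttle.io_service_bytes")
  printf 'cpu_ns=%s mem_bytes=%s memsw_bytes=%s io_bytes=%s\n' "$cpu" "$mem" "$memsw" "$io"
}

# mem_pct <container-id>: percent of memory.limit_in_bytes in use, or -1 when no limit
# is set (the kernel reports an "unlimited" sentinel just below 2^63 in that case)
mem_pct() {
  dir=$(container_cgroup_dir memory "$1")
  used=$(read_counter "$dir/memory.usage_in_bytes")
  limit=$(read_counter "$dir/memory.limit_in_bytes")
  awk -v u="$used" -v l="$limit" 'BEGIN {
    if (l <= 0 || l > 2^60) print -1; else printf "%d\n", (u * 100) / l }'
}

# near_limit <container-id> <threshold-pct>: succeeds when usage is at or above the
# threshold, so it can gate an alert; never fires for an unlimited container
near_limit() {
  p=$(mem_pct "$1")
  [ "$p" -ge 0 ] && [ "$p" -ge "$2" ]
}
```

Run `container_usage <id>` from cron or a collector to log the counters, and `near_limit <id> 90` to decide whether to alert.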

Related lightweight projects

Bocker

Dockerlite

Tags: Monitoring, Docker, resource management, Linux, Cgroups, Namespaces
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
