
Master Docker’s Core: Namespaces and Cgroups Explained

This article explains Docker’s fundamental technologies—how Linux namespaces provide process, network, and filesystem isolation while cgroups enforce resource limits such as CPU, memory, I/O, and process counts—offering a concise guide for building secure, efficient containerized applications.

Mike Chen's Internet Architecture

Docker Core Technologies

Docker is essential for large‑scale architectures and a cornerstone of cloud‑native computing. Its core lies in isolating and managing processes and resources.


Namespaces – Isolation

Namespaces provide isolated views of system resources such as processes, network, file‑system mounts, hostnames, and user IDs, making each container appear as an independent OS.

pid : isolates process IDs; each container has its own PID 1 and cannot see or signal host processes.

net : isolates network devices, ports and routing tables; each container gets its own interfaces and loopback.

ipc : isolates System V IPC and POSIX message queues (semaphores, shared memory), so containers cannot read each other's shared segments.

mnt : isolates mount points and the filesystem view; each container sees only its own root filesystem.

uts : isolates hostname and NIS domain name; each container can set its own hostname.

user : isolates user and group IDs by mapping them to a range of unprivileged host IDs, so root inside the container is not root on the host; this is the basis of userns-remap and rootless Docker.

Example (note that this flag removes PID isolation rather than adding it: the container joins the host's PID namespace, so it can list and signal every host process; use it only for debugging or monitoring tools that need that view):

docker run -it --pid=host ubuntu
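A quick way to verify which namespaces a running container actually shares with the host, added here as an example and not part of the original article: every process exposes its namespaces as symlinks under /proc/<pid>/ns, and two processes are in the same namespace exactly when those links resolve to the same inode. The script compares the container's init process against the host's PID 1. It assumes a Linux host with Docker installed and enough privilege (root or CAP_SYS_PTRACE) to read /proc/<pid>/ns/*; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit which Linux namespaces
# a container shares with the host. A container started with --pid=host or
# --net=host has the SAME namespace inode as PID 1 on the host; an isolated
# container has a different one. Assumes a Linux host with Docker and root
# (or CAP_SYS_PTRACE) to read /proc/<pid>/ns/*.

set -u

# Namespace types exposed under /proc/<pid>/ns on a current kernel.
NS_TYPES="pid net ipc mnt uts user cgroup"

# ns_id <pid> <type>: print the namespace identifier, e.g. "pid:[4026531836]".
ns_id() {
  readlink "/proc/$1/ns/$2"
}

# ns_shared <id_a> <id_b>: succeed if two identifiers name the same namespace
# (same inode), i.e. there is no isolation between the two processes.
ns_shared() {
  [ "$1" = "$2" ]
}

# classify_ns <type> <host_id> <container_id>: print "<type> SHARED" or
# "<type> isolated". Pure string comparison, so it can be exercised with
# constructed identifiers without Docker present.
classify_ns() {
  if ns_shared "$2" "$3"; then
    printf '%s SHARED\n' "$1"
  else
    printf '%s isolated\n' "$1"
  fi
}

# audit_container <name>: compare every namespace of the container's init
# process against the host's init (PID 1). Any line reading SHARED means that
# isolation layer is absent for this container.
audit_container() {
  pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
  for t in $NS_TYPES; do
    classify_ns "$t" "$(ns_id 1 "$t")" "$(ns_id "$pid" "$t")"
  done
}

# Usage: ./ns-audit.sh <container-name-or-id>   (requires Docker)
if [ "${1:-}" ]; then
  audit_container "$1"
fi
```

Run it against a container started with --pid=host and the pid line reports SHARED while the rest report isolated; against a default container every line is isolated. The same comparison is what a host-side detection rule can use to flag containers that were launched with host namespaces.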

Cgroups – Resource Management

Cgroups limit and monitor the resources a container can use, preventing contention and ensuring system stability.

cpu : cap CPU time (e.g., --cpus="1.0" allows the equivalent of one CPU's worth of time per scheduling period; it does not pin the container to one core, which is what --cpuset-cpus does).

cpuacct : account for CPU usage (a separate cgroup v1 controller; in cgroup v2 the figures live in the cpu controller's cpu.stat file).

memory : limit memory usage (--memory; the container is OOM-killed when it exceeds the limit).

blkio : limit block device I/O (renamed io in cgroup v2).

net_cls : tag packets with a class ID so tc can classify them (cgroup v1 only; cgroup v2 has no network controller, so bandwidth shaping is done with tc on the container's veth instead).

pids : limit the number of processes, which stops a fork bomb in one container from exhausting the host's PID table.

Examples (--cpus is a hard cap, while --cpu-shares is only a relative weight that matters under contention; the tc line is not a Docker flag but shapes traffic on the container's host-side veth interface, whose actual name you must look up, so vethXXXX is a placeholder):

docker run -it --cpus="1.0" ubuntu
docker run -it --cpu-shares=512 ubuntu
docker run -it --device-write-bps /dev/sda:5mb ubuntu
sudo tc qdisc add dev vethXXXX root tbf rate 1mbit burst 32kbit latency 400ms
docker run -it --pids-limit=100 ubuntu
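Flags on the command line are only a request; the limits that actually protect the host are the values written into the container's cgroup. The following script, added here as an example and not part of the original article, reads them back from the cgroup v2 filesystem. It assumes a Linux host on the unified cgroup v2 hierarchy (Docker's default on current distributions), Docker installed, and root to read /proc/<pid>/cgroup; the function names and the sample cgroup lines used in the comments are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): read back the cgroup limits
# Docker actually applied to a running container, straight from the cgroup v2
# filesystem, instead of trusting the flags you think you passed. Assumes a
# Linux host using cgroup v2 (the unified hierarchy), Docker installed, and
# root to read /proc/<pid>/cgroup.

set -u

# cgroup_path_from_line "<line from /proc/<pid>/cgroup>": on cgroup v2 the
# file holds a single line "0::/relative/path"; print the mount-rooted path.
# Fails on a cgroup v1 line (constructed example: "4:cpu,cpuacct:/docker/...").
cgroup_path_from_line() {
  case "$1" in
    0::*) printf '/sys/fs/cgroup%s\n' "${1#0::}" ;;
    *)    return 1 ;;
  esac
}

# cpu_max_to_cpus "<quota> <period>": cpu.max holds "quota period" in
# microseconds; --cpus=1.0 writes "100000 100000". A quota of "max" is no cap.
cpu_max_to_cpus() {
  set -- $1   # word-split the file contents into quota and period
  if [ "$1" = "max" ]; then
    printf 'unlimited\n'
  else
    awk -v q="$1" -v p="$2" 'BEGIN { printf "%.2f\n", q / p }'
  fi
}

# human_limit "<value>": memory.max and pids.max hold a number or "max".
human_limit() {
  if [ "$1" = "max" ]; then printf 'unlimited\n'; else printf '%s\n' "$1"; fi
}

# audit_limits <container>: resolve the container's cgroup directory and report
# the effective CPU, memory (bytes) and PID limits. "unlimited" on a container
# that is supposed to be constrained is the finding to look for.
audit_limits() {
  pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
  cg=$(cgroup_path_from_line "$(head -n1 "/proc/$pid/cgroup")") || {
    echo "not a cgroup v2 entry; on v1 look under /sys/fs/cgroup/<controller>/" >&2
    return 1
  }
  printf 'cpus:   %s\n' "$(cpu_max_to_cpus "$(cat "$cg/cpu.max")")"
  printf 'memory: %s\n' "$(human_limit "$(cat "$cg/memory.max")")"
  printf 'pids:   %s\n' "$(human_limit "$(cat "$cg/pids.max")")"
}

# Usage: ./cgroup-audit.sh <container-name-or-id>   (requires Docker)
if [ -n "${1:-}" ]; then
  audit_limits "$1"
fi
```

For a container started with --cpus="1.0" --pids-limit=100 and no --memory, the report reads cpus 1.00, memory unlimited, pids 100. Resolving the directory through /proc/<pid>/cgroup rather than hard-coding /sys/fs/cgroup/system.slice/docker-<id>.scope keeps the check correct whether Docker uses the systemd or the cgroupfs driver.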

These mechanisms together give Docker containers isolation and resource control, forming the foundation of containerization.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Mike Chen's Internet Architecture

Over ten years of BAT architecture experience, shared generously!
