Master Linux Namespaces and Cgroups: Isolate and Limit Resources Like a Pro
Learn how Linux namespaces provide resource isolation and how cgroups enforce resource limits, with step‑by‑step commands, code examples in Go, and practical demonstrations of CPU sharing using unshare, cgcreate, cgset, and cgexec to control process behavior.
Conclusion first: namespaces are used for resource isolation, cgroups are used for resource limitation.
Namespace
Namespaces provide resource isolation, meaning a process can have exclusive access to resources such as a specific port (e.g., running a web server on port 8080 without conflicts). Linux has supported namespaces for about 20 years and currently defines six types:
mnt – file system
pid – processes
net – network
ipc – inter‑process communication
uts – hostname
user – user IDs
Three system calls can create or attach namespaces:
clone – creates a new process and a new namespace, attaching the new process to it
unshare – creates a new namespace and attaches the current process
setns – attaches a process to an existing namespace
The shell also provides an unshare command that simplifies namespace creation.
sudo unshare --fork --pid --mount-proc bash
This command creates a new PID namespace and runs bash inside it. Checking the processes in this namespace shows only two processes.
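An added example (not from the original article): a small Go checker that compares the /proc/<pid>/ns links of two processes and reports which of the six namespace types they still share, which shows what a command such as the unshare invocation above actually isolates. The function names, the fail-closed handling of unreadable links and the default PIDs are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// The six namespace types listed in the article.
var nsTypes = []string{"mnt", "pid", "net", "ipc", "uts", "user"}

// parseNsLink splits a link target such as "pid:[4026531836]" into type and ID.
func parseNsLink(target string) (string, string, error) {
	typ, rest, ok := strings.Cut(target, ":[")
	if !ok || typ == "" || len(rest) < 2 || !strings.HasSuffix(rest, "]") {
		return "", "", fmt.Errorf("malformed namespace link %q", target)
	}
	return typ, strings.TrimSuffix(rest, "]"), nil
}

// sharedNamespaces lists the namespace types two processes have in common.
// A link that is missing or malformed on either side counts as shared (fail closed).
func sharedNamespaces(a, b map[string]string) []string {
	var shared []string
	for _, t := range nsTypes {
		ta, ida, errA := parseNsLink(a[t])
		tb, idb, errB := parseNsLink(b[t])
		if errA != nil || errB != nil || ta != t || tb != t || ida == idb {
			shared = append(shared, t)
		}
	}
	return shared
}

// readNs reads /proc/<pid>/ns/<type> for each type; unreadable links stay "".
func readNs(pid string) map[string]string {
	links := map[string]string{}
	for _, t := range nsTypes {
		links[t], _ = os.Readlink("/proc/" + pid + "/ns/" + t)
	}
	return links
}

func main() {
	a, b := "self", "1" // defaults; pass two PIDs as arguments to compare them
	if len(os.Args) == 3 {
		a, b = os.Args[1], os.Args[2]
	}
	fmt.Println("still shared:", sharedNamespaces(readNs(a), readNs(b)))
}
```

Run it on the host as root with the host PIDs of the original shell and of the bash started by unshare; --mount-proc also creates a new mount namespace, so net, ipc, uts and user should be reported as still shared. Without the privileges to read another process's ns links, every type is reported as shared.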
Cgroups
Cgroups (control groups) expose resource control information via a virtual file system, typically mounted at /sys/fs/cgroup.
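The kernel reads these files to schedule resources for each process. For example, to limit CPU usage, the article provides a Go program that stresses the CPU:
package main

import (
	"fmt"
	"math"
)

// IsPrime checks value by trial division against every i up to value/2.
// It is deliberately slow, which is what makes this program a CPU stressor.
func IsPrime(value int) bool {
	for i := 2; i <= int(math.Floor(float64(value)/2)); i++ {
		if value%i == 0 {
			return false
		}
	}
	return true
}

func main() {
	// Keep one core busy; output is redirected to /dev/null when run.
	for i := 0; i < 999999999; i++ {
		fmt.Printf("%v is prime: %v\n", i, IsPrime(i))
	}
}
Two CPU cgroups are created: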
sudo cgcreate -g cpu:/cpulimited
sudo cgcreate -g cpu:/lesscpulimited
The cpu.shares parameter determines the CPU share for each group; the default is 1024. Setting cpulimited to 512 while leaving lesscpulimited at the default creates a 1:2 CPU share ratio.
sudo cgset -r cpu.shares=512 cpulimited
Verification steps:
Start a process in cpulimited:
sudo cgexec -g cpu:cpulimited ./main > /dev/null &
The process occupies 100% of the CPU. Starting another process in the same cgroup shows each using about 50% of the CPU.
Starting a process in lesscpulimited results in roughly half the CPU usage compared to the two cpulimited processes, confirming the 1:2 share ratio.
Thus, the combined CPU usage of two processes in cpulimited roughly equals the CPU usage of one process in lesscpulimited, demonstrating the intended 1:2 resource allocation.
Source: https://zhuanlan.zhihu.com/p/55099839
MaGe Linux Operations