Understanding Docker: Containers, Namespaces, and Resource Limiting with Cgroups
This article provides a comprehensive introduction to Docker, explaining what containers are, how they differ from virtual machines, the role of Linux namespaces and cgroups, and includes step‑by‑step practices for limiting container resources using CPU quotas and task assignment.
Docker is introduced as a lightweight container technology that packages an application and its dependencies into a standard software unit, enabling fast and reliable execution across environments.
Key characteristics of containers: a container is a standard software unit that bundles application code with its dependencies, can be moved easily between environments, and, in Docker's case, runs on the Docker engine.
Compared with virtual machines, containers provide similar resource isolation but virtualize the operating system rather than hardware, offering higher portability and efficiency.
The article explains that a Docker container is essentially a bounded process; the container’s processes are regular processes on the host wrapped with Linux namespaces, which isolate PID, network, mount, and other resources.
Namespaces are detailed: Linux provides six namespaces (PID, Mount, UTS, IPC, Network, User). For example, PID namespace isolates process IDs, Network namespace provides separate network stacks, and Mount namespace gives distinct filesystem views.
Docker’s actual process model is illustrated, showing that container processes are host processes with namespace isolation, meaning they share the host kernel.
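Because a container process is an ordinary host process, the isolation described above can be inspected from the host. The following shell script is an added example (not code from the original article): on Linux, each `/proc/<pid>/ns/*` entry is a symlink whose target identifies the namespace the process lives in, so comparing a process's links against those of PID 1 shows exactly which namespaces were unshared for it. Function names and the `NAMESPACES` list are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. /proc/<pid>/ns/<kind> is a
# symlink whose target (e.g. "pid:[4026531836]") names the namespace the
# process belongs to. Processes that share a namespace show the same target.

# The six namespace kinds listed in the article.
NAMESPACES="pid mnt net uts ipc user"

# Print the namespace identifier of kind $2 for PID $1, or "unknown" when
# /proc does not expose it (non-Linux host, or no permission to read it).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || echo unknown
}

# List the namespace kinds in which PID $1 differs from PID $2 (default PID 1,
# the host's init). Kinds that cannot be read on either side are skipped.
differing_namespaces() {
    pid="$1"; ref="${2:-1}"
    for ns in $NAMESPACES; do
        a=$(ns_id "$pid" "$ns"); b=$(ns_id "$ref" "$ns")
        if [ "$a" != unknown ] && [ "$b" != unknown ] && [ "$a" != "$b" ]; then
            echo "$ns"
        fi
    done
}

# Exit status 0 when PID $1 is isolated from PID $2 (default 1) in any kind.
is_namespaced() {
    [ -n "$(differing_namespaces "$1" "${2:-1}")" ]
}

# Run directly: compare this shell with PID 1. On a plain host every kind
# matches; for a shell inside a Docker container (or a container's PID viewed
# from the host) pid, mnt, net, uts and ipc normally differ.
if is_namespaced $$; then
    echo "PID $$ is isolated from PID 1 in: $(differing_namespaces $$ | tr '\n' ' ')"
else
    echo "PID $$ shares all inspected namespaces with PID 1"
fi
```

To check a running container from the host, pass the PID that `docker inspect --format '{{.State.Pid}}' <container>` reports as the first argument. Newer kernels also expose `cgroup` and `time` namespaces under the same directory; add them to `NAMESPACES` if you want them compared as well.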
Advantages of Docker include agility and high performance due to reduced abstraction layers, while disadvantages stem from incomplete isolation compared to full virtualization.
Resource limitation is achieved using Linux Control Groups (cgroups), which can restrict CPU, memory, disk, and network bandwidth for a group of processes.
Practical steps are provided using the cgroup v1 layout: create a cgroup directory under `/sys/fs/cgroup/cpu`, modify `cpu.cfs_quota_us` (e.g., set it to 20000 to allow 20% of CPU time in a 100000-us `cpu.cfs_period_us` period), and assign a process to the cgroup by writing its PID to the `tasks` file (e.g., `echo 17242 > tasks`).
Running a Docker container with the same CPU limit can be done with `docker run -it --cpu-period=100000 --cpu-quota=20000 ubuntu /bin/bash`, after which the container's resource usage reflects the cgroup settings.
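The manual cgroup steps and the equivalent `docker run` flags, as an added example that is not part of the original article: the script wraps each step in a function so the quota arithmetic and the resulting file layout can be verified, and reads the limit back afterwards. `CGROUP_ROOT` defaults to a scratch directory so the steps can be dry-run without root; set it to `/sys/fs/cgroup/cpu` as root on a cgroup v1 host to apply the limit for real. The function names and the `demo` cgroup name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces the cgroup v1 CPU
# quota procedure as functions. CGROUP_ROOT defaults to a scratch directory;
# point it at /sys/fs/cgroup/cpu (as root, cgroup v1) to apply a real limit.
CGROUP_ROOT="${CGROUP_ROOT:-$(mktemp -d)}"

# Quota in microseconds for a CPU percentage over a period (default 100000 us).
# 20% of a 100000 us period is 20000 us, the value used in the article.
cpu_quota_for_percent() {
    pct="$1"; period="${2:-100000}"
    echo $(( period * pct / 100 ))
}

# Create the cgroup directory, write period and quota, and print the directory.
create_cpu_cgroup() {
    name="$1"; pct="$2"; period="${3:-100000}"
    dir="$CGROUP_ROOT/$name"
    mkdir -p "$dir"
    echo "$period" > "$dir/cpu.cfs_period_us"
    cpu_quota_for_percent "$pct" "$period" > "$dir/cpu.cfs_quota_us"
    echo "$dir"
}

# Move a PID into the cgroup by writing it to the tasks file. On a real
# cgroupfs the kernel rejects PIDs that do not exist, so the status matters.
# (">>" keeps the scratch-directory copy append-only; cgroupfs ignores
# truncation, so it behaves the same as the article's ">".)
assign_pid_to_cgroup() {
    name="$1"; pid="$2"
    echo "$pid" >> "$CGROUP_ROOT/$name/tasks"
}

# Read the limit back as a percentage so the setting can be verified later.
cgroup_cpu_percent() {
    dir="$CGROUP_ROOT/$1"
    quota=$(cat "$dir/cpu.cfs_quota_us"); period=$(cat "$dir/cpu.cfs_period_us")
    echo $(( quota * 100 / period ))
}

# The docker run flags that express the same limit (printed, not executed).
docker_cpu_flags() {
    pct="$1"; period="${2:-100000}"
    echo "--cpu-period=$period --cpu-quota=$(cpu_quota_for_percent "$pct" "$period")"
}

# Run directly: walk through the article's steps with this shell as the task.
dir=$(create_cpu_cgroup demo 20)
assign_pid_to_cgroup demo $$
echo "cgroup $dir limits PID $$ to $(cgroup_cpu_percent demo)% of one CPU"
echo "equivalent: docker run -it $(docker_cpu_flags 20) ubuntu /bin/bash"
```

On a cgroup v2 host the same limit lives in a single `cpu.max` file ("20000 100000") and processes are added through `cgroup.procs`, so the paths in this script apply only to the v1 hierarchy the article uses; `docker run --cpu-quota`/`--cpu-period` work on both.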
The article concludes that Docker’s essence is Linux container technology that uses namespaces for isolation and cgroups for resource control, enabling lightweight, portable, and controllable application deployment.
NetEase LeiHuo UX Big Data Technology
The NetEase LeiHuo UX Data Team creates practical data‑modeling solutions for gaming, offering comprehensive analysis and insights to enhance user experience and enable precise marketing for development and operations. This account shares industry trends and cutting‑edge data knowledge with students and data professionals, aiming to advance the ecosystem together with enthusiasts.