BestHub
Sign in
Cloud Native 5 min read

Understanding Docker’s Core Technologies: Namespaces and Cgroups Explained

This article explains how Docker achieves container isolation and resource management using Linux kernel features—Namespaces for process, network, and filesystem isolation, and Cgroups for CPU, memory, and I/O control—along with practical command examples and configuration details.

mikechen
mikechen
mikechen
Understanding Docker’s Core Technologies: Namespaces and Cgroups Explained

Docker is a fundamental skill for large‑scale architectures and a core component of cloud‑native computing. Its container technology relies on two Linux kernel mechanisms: Namespaces for isolation and Cgroups for resource management.

Namespaces

Namespaces create independent views of system resources so that each container runs with its own isolated process IDs, network interfaces, mount points, hostnames, and user IDs. The main namespace types used by Docker are: pid: isolates process IDs, giving each container its own PID 1. net: isolates network devices, ports, and routing, providing a separate virtual network interface for each container. ipc: isolates inter‑process communication resources such as semaphores and shared memory. mnt: isolates mount points and filesystem views, allowing containers to have distinct root filesystems. uts: isolates hostname and domain name, enabling each container to set its own hostname. user: isolates user and UID mappings, supporting rootless containers.

By combining these namespaces, Docker creates environments where processes behave as if they are running on separate operating systems, preventing interference between containers.

Cgroups

Cgroups (control groups) enforce resource limits and accounting for containers, ensuring that CPU, memory, disk I/O, and other resources are fairly allocated and do not exhaust the host. cpu: controls CPU usage (e.g., docker run -it --cpus="1.0" ubuntu limits the container to one CPU core). cpuacct: records CPU usage statistics. memory: limits memory consumption (e.g., docker run -it --memory="512m" ubuntu). blkio: controls block device I/O rates (e.g., docker run -it --device-write-bps=/dev/sda:5mb ubuntu). net_cls: tags network packets for traffic shaping. pids: limits the number of processes (e.g., docker run -it --pids-limit=100 ubuntu).

These subsystems work together to provide fine‑grained control over how much CPU time, memory, disk bandwidth, and process count a container may consume.

Practical Command Examples

docker run -it --cpus="1.0" ubuntu

Limits the container to one CPU core. docker run -it --memory="512m" ubuntu Sets a maximum memory usage of 512 MiB.

docker run -it --device-write-bps=/dev/sda:5mb ubuntu

Restricts disk write speed to 5 MiB/s on /dev/sda.

sudo tc qdisc add dev vethXXXX root tbf rate 1mbit burst 32kbit latency 400ms

Applies network bandwidth shaping of 1 Mbit/s with burst and latency parameters.

Visual Overview

Docker architecture diagram
Docker architecture diagram
Namespace isolation diagram
Namespace isolation diagram
Cgroup resource limits diagram
Cgroup resource limits diagram
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

DockercontainerizationcgroupsNamespaces
mikechen
Written by

mikechen

Over a decade of BAT architecture experience, shared generously!

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment