Understanding Docker’s Core Technologies: Namespaces, Cgroups, and UnionFS

Docker Core Technologies

Docker implements container isolation by leveraging three Linux kernel mechanisms: Namespaces , Cgroups , and UnionFS . These mechanisms work together to provide process, network, filesystem, and resource isolation while keeping the runtime lightweight.

Namespaces

Namespaces are kernel‑provided isolation primitives that partition global system resources into independent views for each container. The primary namespace types used by Docker are:

PID : isolates the process identifier space so that processes inside a container see their own PID tree starting at 1 and cannot see processes on the host.

NET : gives each container its own network stack, including interfaces, routing tables, and firewall rules.

MNT : provides a separate mount namespace, allowing containers to have distinct filesystem mount points.

UTS : isolates hostname and domain name, so a container can have its own hostname.

IPC : separates inter‑process communication resources such as System V semaphores and POSIX message queues.

USER : maps user and group IDs inside the container to different IDs on the host, enabling user‑namespace based privilege separation.

By creating a distinct set of namespaces for each container, Docker ensures that processes, network interfaces, and filesystem views are isolated from the host and from other containers.

Cgroups (Control Groups)

Cgroups manage and limit the resource consumption of a group of processes. Docker creates a cgroup hierarchy for each container and attaches the container’s processes to it. The main resource subsystems controlled by cgroups are:

CPU : allocation of CPU time, optionally using shares or quotas.

Memory : maximum memory usage and optional swap limits.

blkio : throttling of block‑device I/O bandwidth.

devices : whitelist/blacklist of device nodes that a container may access.

pids : limit on the number of processes that can be created.

Docker configures these limits based on the options supplied to docker run (e.g., --memory, --cpus). The cgroup controller enforces the limits, preventing a single container from exhausting host resources and ensuring fair scheduling among containers.

UnionFS (Union File System)

UnionFS merges multiple filesystem layers into a single unified view. Docker images are built as a stack of read‑only layers; when a container is started, Docker adds a thin writable layer on top using a copy‑on‑write (CoW) strategy.

Read‑only layers : each layer represents a set of filesystem changes (e.g., a RUN instruction in a Dockerfile). Layers are immutable and can be shared across containers, enabling image reuse and caching.

Writable layer : the container’s topmost layer records any modifications made at runtime. Files are only copied from lower read‑only layers into this writable layer when they are changed, which reduces disk I/O and storage consumption.

This layered approach allows Docker to distribute images efficiently (only the layers that differ need to be transferred) and to rebuild images quickly by reusing unchanged layers.