William Kwabena Akoto
Posted on May 30

# cgroups and Namespaces — The Linux Kernel's Building Blocks Behind Containers

#containers #cgroups #namespaces #linux

Every container you have ever run is, at its core, a process with a restricted view of the world and a capped share of the machine's resources. That restriction and that cap come from exactly two kernel features: namespaces and cgroups. Everything else is plumbing.

## The Problem They Solved

Long before Docker, system administrators wrestled with a deceptively simple question: how do you run multiple workloads on the same machine without them interfering with each other?

The classical answers were clunky. Separate physical machines were expensive. Full virtual machines were slow to boot and heavy on resources. chroot jails, introduced in Unix back in 1979, changed a process's view of the filesystem but nothing else. A chrooted process still shared the same process table, network stack, and user database as everything else on the host. The walls only went up in one direction.

What the industry needed was something built into the kernel itself: something lightweight enough to start in milliseconds and safe enough for multi-tenant workloads. Linux delivered that in two independent features merged roughly a year apart: namespaces (first type in 2002, full suite by 2013) and cgroups (2007).

## Namespaces — A Selective Blindfold

A namespace wraps a global system resource and gives each participating process its own isolated instance of it. The process believes it has exclusive ownership; the kernel is quietly managing multiple independent copies underneath.

There are eight namespace types, each isolating a different dimension of the system:

- Mount (CLONE_NEWNS) — The first and oldest. Isolates the filesystem mount table. A container can have its own /etc/hosts, its own /proc, and its own root filesystem, none of it visible to the host or other containers.
- PID (CLONE_NEWPID) — The first process in a new PID namespa
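As an added example (not code from the original article), the C program below creates a child with the two flags named above, CLONE_NEWPID and CLONE_NEWNS, and checks that the child sees itself as PID 1 while the parent still sees it under an ordinary host PID. It also passes CLONE_NEWUSER (the user namespace, not discussed above) so that it can run without root where the kernel permits unprivileged user namespaces; `run_pid_namespace_demo` and `child_fn` are the example's own names, and a refusal by the kernel or a seccomp policy is reported as a result rather than treated as a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* Child entry: the first process in the new PID namespace, so getpid() must be 1. */
static int child_fn(void *arg)
{
    (void)arg;
    printf("child: getpid()=%d\n", (int)getpid());
    return getpid() == 1 ? 0 : 1;
}

/* Returns 1 if the child ran in its own PID namespace and saw PID 1; 0 if the
 * kernel refused the namespaces (no CAP_SYS_ADMIN, unprivileged user namespaces
 * disabled, or a seccomp filter such as Docker's default); -1 otherwise. */
int run_pid_namespace_demo(void)
{
    char *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) return -1;
    /* CLONE_NEWUSER first: inside a fresh user namespace an unprivileged caller
     * holds the capabilities needed to create the PID and mount namespaces. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, NULL);
    if (pid == -1) {
        printf("clone refused: %s\n", strerror(errno));
        munmap(stack, STACK_SIZE);
        return 0;
    }
    int status = 0;
    waitpid(pid, &status, 0);
    munmap(stack, STACK_SIZE);
    /* The parent still sees the same child under an ordinary host PID. */
    printf("parent: child is pid %d here\n", (int)pid);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : -1;
}

int main(void) { return run_pid_namespace_demo() < 0; }
```

A "clone refused" result on a hardened host is itself informative: it means the policy that keeps container workloads from minting new namespaces is in force.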