in Concepts

Making of a container: Cgroups and Namespaces

Let me clear out one thing – Containers are not a thing. VMs are a thing FreeBSDs Jails and Solaris containers are primitive concepts, Containers are almost a clever trickery over Linux
kernel features.

Most of the container management tool out there including docker are made up from Linux kernel primitives C-groups and namespace;(yes they have a lot of tooling and patches that make the environment more consistent and stable).

C-groups and namespaces
Cgroups and namespace applied on process groups allow the container to have an isolated and accounted environment.


Namespaces provides the necessary isolation on subsystems. This allows the processes to run in their own bubble.
Some of the namespace are listed.

  • pid – Allows processes to see only processes inside the group
  • net – Namespace for the network.Everything from ip tables to routing rules.
  • uts – namespace hostname
  • ipc
  • mnt
  • user

Convenient utility to run process in new namespace UNSHARE(1)
unshare -p -f /bin/bash


Control groups allow for accounting and throttling of sub-systems like io, memory, cpu.

  • Memory cgroup – memory group
  • CPU cgroup
  • CPUset cgroup
  • BlockIo cgroups
  • Network io cgroup
  • Device cgroups

Control groups have a file based Api and can be accessed through /sys/fs/cgroup/. Though its is advised to use a higher level abstraction than directly writing to files.
# tree -L 1 -d /sys/fs/cgroup/

|– blkio
|– cpu -> cpu,cpuacct
|– cpuacct -> cpu,cpuacct
|– cpu,cpuacct
|– cpuset
|– devices
|– freezer
|– hugetlb
|– memory
|– net_cls -> net_cls,net_prio
|– net_cls,net_prio
|– net_prio -> net_cls,net_prio
|– perf_event
|– pids
|– systemd


Write a Comment