The Docker architecture has two main features that provide isolation and resource management in Docker.
- cgroup [control group]: cgroups are built into kernel space. Their primary responsibility is to provide resource usage isolation [CPU, memory, disk and network]. cgroups provide guaranteed resources to any application or set of applications. The resource allocation can be modified on the fly. cgroups also monitor the resource allocation.

      docker stats <container id>    # this command shows the resource usage

      CONTAINER      CPU %   MEM USAGE/LIMIT     MEM %   NET I/O
      a21ac26f720f   0.00%   5.345 MB/2.088 GB   0.26%   7.236 kB/1.055 kB

https://docs.docker.com/v1.9/engine/articles/runmetrics/
- Namespace: Namespaces provide an isolated view of the system. This basically provides process virtualization. A few of the kernel namespaces are listed below:
  - mnt [mount points, file system]
  - pid [process]
  - net [network]
  - ipc [inter process communication]
  - uts [hostname]
  - user [UIDs]
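
To check which of the namespaces listed above a container actually has to itself, compare the namespace identifiers the kernel exposes under /proc/<pid>/ns/ for a host process and for the container's main process: two processes are in the same namespace when the inode numbers match. The following is an added example, not code from the original page; the function names and the sample inode values are constructed for illustration.

```python
import os
import re

# Namespace types from the list above, as named under /proc/<pid>/ns/.
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")
_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_link(link):
    """Parse a /proc/<pid>/ns/<type> symlink target, e.g. 'net:[4026531992]'."""
    m = _LINK.match(link)
    if not m:
        raise ValueError("not a namespace link: %r" % link)
    return m.group(1), int(m.group(2))


def read_namespaces(pid):
    """Return {type: inode} for a live process (Linux only, may need root)."""
    result = {}
    for ns in NS_TYPES:
        kind, inode = parse_ns_link(os.readlink("/proc/%s/ns/%s" % (pid, ns)))
        result[kind] = inode
    return result


def shared_namespaces(host, container):
    """Namespace types in which the container is NOT isolated from the host."""
    return sorted(ns for ns in NS_TYPES
                  if ns in host and host[ns] == container.get(ns))


# Constructed sample values (not taken from a real system).
HOST = {"mnt": 4026531840, "pid": 4026531836, "net": 4026531992,
        "ipc": 4026531839, "uts": 4026531838, "user": 4026531837}
# Container with its own namespaces except user, which Docker only
# separates when user namespace remapping is enabled.
DEFAULT_CONTAINER = {"mnt": 4026532201, "pid": 4026532204, "net": 4026532207,
                     "ipc": 4026532203, "uts": 4026532202, "user": 4026531837}
# Same container, but started with the host's network namespace.
HOST_NET_CONTAINER = dict(DEFAULT_CONTAINER, net=HOST["net"])

if __name__ == "__main__":
    for name, c in (("default", DEFAULT_CONTAINER),
                    ("host-net", HOST_NET_CONTAINER)):
        print(name, "shares with host:", shared_namespaces(HOST, c))
```

On a live host, pass `read_namespaces(1)` and `read_namespaces(<container process PID>)` to `shared_namespaces` instead of the sample dictionaries.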