Docker Internals: Namespace and cgroup

Docker architect has two main features, which provides isolation and resource management in docker.

  • cgroup [control group]: cgroup is built into kernel space. It primary responsibility is provide the resource usage isolation [cpu,memory,disk and network]. cgroup provides the guaranteed resource to any application or set of application. This can modify the resource allocation on the fly.cgroup also monitor the resource allocation.

docker stats <container id> /*this command will show the resource usages*/

CONTAINER           CPU %               MEM USAGE/LIMIT     MEM %                 NET I/O
a21ac26f720f        0.00%               5.345 MB/2.088 GB           0.26%               7.236 kB/1.055 kB

  • Namespace: Namespace provide the isolation view. This basically provides the process virtualization. A few set of kernel name space is mentioned below
    • mnt [mount points, file system]
    • pid [process]
    • net [network]
    • ipc [inter process communication]
    • uts [hostname]
    • user[UIDS]