🐳 Docker Advanced

What are Linux namespaces and cgroups, and how do they enable containers?

Answer

Containers are not magic — they use two fundamental Linux kernel features.

Namespaces isolate what a process can see. Each namespace type provides a different view:

- pid: process isolation (a process in a container only sees its own processes; the container's first process appears as PID 1, the init)
- net: network isolation (each container has its own network stack, interfaces and IP)
- mnt: filesystem isolation (a separate mount namespace, so the container has its own root filesystem)
- uts: hostname isolation (the container has its own hostname and domain name)
- ipc: IPC isolation (separate message queues and semaphores)
- user: user ID isolation (container user IDs map to different host UIDs, which enables rootless containers)
- cgroup: resource-limit isolation (a separate view of the cgroup hierarchy)

cgroups (Control Groups) limit what resources a process can use:

- CPU (shares, quota, pinning to specific cores)
- memory (limit plus OOM handling)
- block I/O (throttle disk I/O)
- network I/O (tc for traffic control)
- number of processes (pids limit)

A container is fundamentally a process with:

- a set of namespaces (isolating what it sees)
- cgroup limits (restricting what it can use)
- a union filesystem (overlay2 for the layered image plus a writable layer)

Understanding this explains the flags: docker run --pid=host shares the host PID namespace (breaking PID isolation), and docker run --network=host shares the host network namespace.