What are Linux namespaces and cgroups, and how do they underpin containers?
Answer
Namespaces isolate what a process can see of the system. Linux has seven namespace types:

- pid: isolates process IDs, so a container sees its own PID 1
- net: isolates network interfaces, routing tables and ports
- mnt: isolates filesystem mount points
- uts: isolates the hostname and domain name
- ipc: isolates inter-process communication
- user: maps container UIDs to host UIDs
- cgroup: isolates the cgroup root

Control groups (cgroups) enforce resource limits: CPU, memory, disk I/O, and network bandwidth. A Docker container is essentially a process (or group of processes) with all seven namespaces applied plus cgroup limits, given a root filesystem image. Understanding namespaces and cgroups explains what containers actually are at the kernel level: not VMs, but isolated process trees running on the shared host kernel.