Docker DCA – Linux Namespaces and cgroups

If you’ve been using Docker you have likely come across Linux namespaces and cgroups, but what are they? This quick post will cover what you need to know for the Docker DCA objective around both.

Linux Namespaces

Namespaces are a feature of the Linux kernel that partitions the kernel resources so that one set of processes see one set of resources whilst, at the same time, another set of processes sees a different set of resources. The namespace refers to the group of processes and resources.

Each process running on a linux system is given a process ID, otherwise known as a PID. In turn, each PID is assigned to a namespace. Processes in the same namespace are able to access each other, whilst PIDs in other namespaces are unable to interact with those in a different namespace to themselves.

As you can see, it is namespaces that help make containers and container isolation possible. When you run a container, Docker creates a set of namespaces for the container. A container process running under one namespace is unable to access information outside its container (e.g. the host system or another running container on the same system).

Types of Namespace

Since kernel version 4.10, there are 7 kinds of namespaces. These are:

  • Mount (mnt)
  • Process ID (pid)
  • Network (net)
  • Interprocess Communication (ipc)
  • UTS
  • User ID (user)
  • Control group (cgroup) namespace
  • Time namespace

The Docker engine uses the following linux namespaces:

  • PID – this is used for process isolation.
  • NET – this is used for managing network interfaces.
  • IPC – this is used for managing access to IPC resources.
  • MNT – this is used for managing mount points.
  • UTS – this is used for isolating kernel and version identifiers.

Control Groups (cgroups)

Control groups or cgroups are a kernel feature of Linux that limits and isolates the resource usage (such as CPU, memory, disk I/O, network etc) of a group of processes. Docker can use cgroups to limit container access to the system resources. When running a container you can set limits in the container run command. For example:

sudo docker run -it -m 10m --memory-swap 10m nginx:latest /bin/sh

The ‘-m 10m –memory-swap 10m’ in the command above is there to apply limits to memory and memory swap for the container. These limits are enforced by using cgroups.

Related posts

Mastering the Linux ifconfig Command

Docker Exec Command With Practical Examples

Debugging with Git Bisect

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More