
Master Docker Resource Management: Namespaces, Cgroups, and Monitoring Hacks

This article explains how Docker uses Linux namespaces and cgroups to provide isolation, CPU/memory/I/O control, and monitoring, and includes practical scripts and tips for managing container resources effectively.

Efficient Ops

What problems does Docker solve?

It solves two problems: lightweight container-level virtualization that runs at near-native speed while giving each container isolation and resource control on a shared kernel, and image storage and change management through Docker Hub and a layered storage driver such as AUFS (or overlay2, btrfs and devicemapper).

How does Docker achieve isolation?

Docker uses Linux kernel namespaces to give each container its own view of the system. The namespace types Docker sets up are:

Mount (CLONE_NEWNS)

UTS (hostname) (CLONE_NEWUTS)

IPC (CLONE_NEWIPC)

PID (CLONE_NEWPID)

Network (CLONE_NEWNET)

User (CLONE_NEWUSER)

Every namespace a process belongs to is exposed as a symbolic link under /proc/${PID}/ns (ipc, mnt, net, pid, user, uts). The link target, e.g. net:[4026531992], carries the namespace's inode number, and two processes are in the same namespace exactly when those numbers match; comparing a container's links with those of the host's PID 1 is the quickest way to tell whether it was started with --net=host or --pid=host. The clone system call creates a new namespace for each CLONE_NEW* flag it receives; without the flag the child simply stays in the parent's namespace of that type. Newer kernels add cgroup (CLONE_NEWCGROUP) and time (CLONE_NEWTIME) namespaces to this list. One security caveat: Docker does not use the user namespace by default. Unless the daemon is configured with userns-remap, container processes stay in the host's user namespace, so uid 0 inside the container is uid 0 on the host, held in check only by the dropped capabilities, the seccomp profile and any LSM policy.
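The inode comparison above is easy to script. The helpers below are an added example, not code from the original article: they read the /proc/<pid>/ns links, compare a container's init process against the host's PID 1 and report which namespace types are shared. They assume a Linux /proc, the docker CLI, and enough privilege (root or CAP_SYS_PTRACE) to read another process's /proc/<pid>/ns; the container name and the inode numbers in the comments are placeholders.

```shell
#!/bin/sh
# Namespace audit helpers. Added example, not from the original article.
# Assumes Linux /proc and, for audit_container, the docker CLI and root (or
# CAP_SYS_PTRACE) so that /proc/<pid>/ns of other processes is readable.

# ns_link <pid> <type>: print the link target of /proc/<pid>/ns/<type>, e.g.
# "net:[4026531992]". Types: ipc mnt net pid user uts (cgroup on newer kernels).
ns_link() {
    readlink "/proc/$1/ns/$2"
}

# ns_inode <link-target>: extract the inode number ("4026531992") from a link
# target; prints nothing for a string that is not of the form type:[number].
ns_inode() {
    printf '%s\n' "$1" | sed -n 's/^[a-z_]*:\[\([0-9][0-9]*\)\]$/\1/p'
}

# same_ns <pid-a> <pid-b> <type>: succeed when both processes are in the same
# <type> namespace, i.e. when the inode numbers of their links are equal.
same_ns() {
    a=$(ns_inode "$(ns_link "$1" "$3" 2>/dev/null)")
    b=$(ns_inode "$(ns_link "$2" "$3" 2>/dev/null)")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# audit_container <container>: for each namespace type, report whether the
# container's init process is isolated from or shares the namespace of the
# host's PID 1. A shared net/pid/ipc namespace means the container was started
# with --net=host, --pid=host or --ipc=host; "user" is shared by every
# container unless the daemon runs with userns-remap.
audit_container() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    for t in ipc mnt net pid user uts; do
        if same_ns 1 "$pid" "$t"; then
            printf '%-5s shared with host  %s\n' "$t" "$(ns_link "$pid" "$t")"
        else
            printf '%-5s isolated          %s\n' "$t" "$(ns_link "$pid" "$t")"
        fi
    done
}

# Usage: ./ns_audit.sh <container-name-or-id>
if [ $# -gt 0 ]; then
    audit_container "$1"
fi
```

On a default daemon the user line comes back as shared for every container; that is expected and is exactly the userns-remap caveat above, not a misconfiguration of the container itself.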

Manipulating namespaces

Three system calls do the work: clone creates a child process in fresh namespaces, unshare moves the calling process into fresh ones, and setns joins an existing namespace through one of the /proc/${PID}/ns links. The command-line tools ip netns, unshare and nsenter wrap them. The script below uses ip netns to add a veth interface to a running container; it works because ip netns accepts any namespace file linked under /var/run/netns, so linking the container's /proc/${PID}/ns/net there makes the container's namespace addressable by name:

#!/bin/bash
# Usage: network.sh <container> <ifname> <addr/prefix>
# Creates a veth pair, moves one end into the container's network namespace
# and configures it there. Must run as root on the Docker host.
set -euo pipefail
[ $# -eq 3 ] || { echo "usage: $0 <container> <ifname> <addr/prefix>" >&2; exit 1; }
PID=$(docker inspect -f '{{.State.Pid}}' "$1")
ID=$(docker inspect -f '{{.Id}}' "$1")
ETHNAME=$2
# ip netns looks under /var/run/netns, so link the container's net namespace
# there under the container ID.
mkdir -p /var/run/netns
ln -sf /proc/${PID}/ns/net /var/run/netns/${ID}
# Create the pair; .0 stays on the host, .1 moves into the container.
ip link add dev ${ETHNAME}.0 type veth peer name ${ETHNAME}.1
ip link set dev ${ETHNAME}.1 netns ${ID}
ip link set dev ${ETHNAME}.0 up
# Configure the container end from inside its namespace.
ip netns exec ${ID} ip addr add "$3" dev ${ETHNAME}.1
ip netns exec ${ID} ip link set dev ${ETHNAME}.1 up
# Drop only the symlink; the namespace lives on with the container.
rm -f /var/run/netns/${ID}

Run with:

network.sh docker-test veth0 192.168.1.10/24

The host end (veth0.0) is left unattached, so bridge or route it as needed. Docker is unaware of this interface: it does not appear in docker inspect, it is not covered by the iptables rules Docker sets up for the container's own interface, and it disappears together with the namespace when the container stops.

How does Docker control resources?

Beyond namespaces, Docker relies on cgroups for CPU, memory, swap, and I/O control.

CPU and memory

cpu.shares sets a relative weight (default 1024) that only matters when cores are contended, and cpuset.cpus pins a container to specific cores; docker run exposes them as --cpu-shares and --cpuset-cpus. Memory is capped with memory.limit_in_bytes and memory plus swap with memory.memsw.limit_in_bytes (--memory and --memory-swap). The memsw files only appear when swap accounting is on, which needs the kernel boot parameters cgroup_enable=memory swapaccount=1. These are cgroup v1 names. On a cgroup v2 host, which is what current Docker uses on distributions that boot the unified hierarchy, the equivalents are cpu.weight (1 to 10000, default 100) and cpuset.cpus for CPU, and memory.max plus memory.swap.max for memory, where memory.swap.max limits swap alone rather than memory plus swap.

Disk I/O

For block I/O, cgroups offer either proportional scheduling by weight (blkio.weight, which only takes effect under the CFQ I/O scheduler) or hard throttling with blkio.throttle.read_bps_device, blkio.throttle.write_bps_device, blkio.throttle.read_iops_device and blkio.throttle.write_iops_device. Each file takes lines of the form "<major>:<minor> <limit>": major:minor identify the block device (ls -l /dev/sda shows them) and the limit is bytes or operations per second, so "8:0 1048576" written to read_bps_device caps reads from /dev/sda at 1 MiB/s, and a limit of 0 removes the cap. Docker exposes the four throttles as --device-read-bps, --device-write-bps, --device-read-iops and --device-write-iops. On cgroup v2 the same four limits go into a single io.max line per device, e.g. "8:0 rbps=1048576 wbps=max riops=max wiops=max".
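Because the CPU, memory and I/O knobs named in the two sections above are cgroup v1 files, a practitioner on a cgroup v2 host needs to know what they turn into. The shell functions below are an added example, not code from the original article; they reproduce the conversions runc applies when Docker runs on cgroup v2 (the cpu.shares to cpu.weight formula is runc's) so that a v1 setting can be checked against what actually lands in cpu.weight, memory.max, memory.swap.max and io.max. Only the documented interface-file formats are assumed, and nothing is written to a real cgroup.

```shell
#!/bin/sh
# Translate cgroup v1 knobs into their cgroup v2 (unified hierarchy)
# equivalents, following the conversions runc applies. Added example, not
# from the original article. Inputs are plain integers in bytes or
# per-second counts; -1 means "no limit" on v1.

# cpu.shares (v1: 2..262144, default 1024) -> cpu.weight (v2: 1..10000, default 100).
# This is runc's formula; 1024 maps to 39, not to 100.
shares_to_weight() {
    echo $(( 1 + (($1 - 2) * 9999) / 262142 ))
}

# memory.limit_in_bytes -> memory.max ("max" when unlimited).
mem_to_max() {
    if [ "$1" -lt 0 ]; then echo max; else echo "$1"; fi
}

# memory.memsw.limit_in_bytes (memory PLUS swap) -> memory.swap.max (swap ONLY).
# memsw_to_swap_max <mem> <memsw>: -1 becomes "max", otherwise swap = memsw - mem.
memsw_to_swap_max() {
    mem=$1; memsw=$2
    if [ "$memsw" -lt 0 ]; then
        echo max
    elif [ "$memsw" -lt "$mem" ]; then
        echo "memsw ($memsw) must be >= mem ($mem)" >&2; return 1
    else
        echo $(( memsw - mem ))
    fi
}

# The four blkio.throttle.*_device entries for one device -> one io.max line.
# io_max_line <maj:min> <rbps> <wbps> <riops> <wiops>; 0 or -1 means "no limit",
# which v1 expresses as writing 0 and v2 as the keyword max.
io_max_line() {
    dev=$1; shift
    out=$dev
    for key in rbps wbps riops wiops; do
        v=$1; shift
        if [ "$v" -le 0 ]; then v=max; fi
        out="$out $key=$v"
    done
    echo "$out"
}

# Demo: cpu.shares 512, 512 MiB memory, 1 GiB memory+swap and a 1 MiB/s read
# throttle on 8:0, rendered as the v2 files. Run as: ./cgv2.sh demo
if [ "${1:-}" = demo ]; then
    echo "cpu.weight      = $(shares_to_weight 512)"
    echo "memory.max      = $(mem_to_max 536870912)"
    echo "memory.swap.max = $(memsw_to_swap_max 536870912 1073741824)"
    echo "io.max          = $(io_max_line 8:0 1048576 0 0 0)"
fi
```

The memsw conversion is the one that bites in practice: a v1 configuration of 512 MiB memory and 1 GiB memory+swap must become memory.swap.max = 512 MiB, not 1 GiB, or the container gets twice the swap it had before.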

Disk capacity

With the AUFS driver there is no per-container size limit. Two workarounds: mount an LVM logical volume into the container with --volume, so the writable data lives on a filesystem of fixed size, or use the btrfs driver and put a quota on the container's subvolume, e.g.:

btrfs qgroup limit -e 100G /var/lib/docker/btrfs/subvolumes/<CONTAINER_ID>

(-e limits the subvolume's exclusive usage, and quotas must first be switched on with btrfs quota enable for the filesystem.) Current Docker defaults to overlay2, where docker run --storage-opt size=10G enforces a per-container limit only when the backing filesystem is XFS mounted with pquota.

Monitoring container resource usage

cgroups also expose per-container counters: cpuacct.usage (cumulative CPU time in nanoseconds), memory.usage_in_bytes and memory.memsw.usage_in_bytes, and blkio.throttle.io_serviced (operations) and blkio.throttle.io_service_bytes (bytes), the last two broken down per device and per Read/Write. On cgroup v2 the same data lives in cpu.stat (usage_usec, in microseconds), memory.current, memory.swap.current and io.stat. Network counters are not per-cgroup at all: read them inside the container's network namespace from /sys/class/net/<ethname>/statistics/ (rx_bytes, tx_bytes, rx_packets and so on), for example with ip netns exec or nsenter --net. docker stats is built on these same files.
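The following reader is an added example, not code from the original article, that turns those counter files into a usage report and works on either hierarchy. It assumes only the kernel's cgroup interface files; the cgroup directory paths in the comments are the usual Docker layouts, and make_sample_tree writes constructed sample files with invented numbers so the functions can be exercised without root or a running daemon.

```shell
#!/bin/sh
# Read a container's limits and usage from either cgroup hierarchy. Added
# example, not code from the original article; it assumes only the kernel's
# cgroup interface files. DIR is the container's cgroup directory: on v1 one
# directory per controller (/sys/fs/cgroup/memory/docker/<id>, ...), on v2 a
# single directory such as /sys/fs/cgroup/system.slice/docker-<id>.scope.
# Every function takes DIR so it also runs on the constructed tree below.

# cg_version <dir>: 2 for the unified hierarchy, 1 otherwise.
cg_version() {
    if [ -e "$1/cgroup.controllers" ] || [ -e "$1/memory.max" ]; then echo 2; else echo 1; fi
}

# cg_mem_limit <dir>: memory limit in bytes, or "max" when unlimited.
# v2 literally prints "max"; v1 prints 9223372036854771712 (19 digits).
cg_mem_limit() {
    if [ "$(cg_version "$1")" = 2 ]; then cat "$1/memory.max"; return; fi
    v=$(cat "$1/memory.limit_in_bytes")
    if [ ${#v} -gt 18 ]; then echo max; else echo "$v"; fi
}

# cg_mem_usage <dir>: bytes currently charged to the cgroup (page cache included).
cg_mem_usage() {
    if [ "$(cg_version "$1")" = 2 ]; then cat "$1/memory.current"; else cat "$1/memory.usage_in_bytes"; fi
}

# cg_cpu_ns <dir>: cumulative CPU time in nanoseconds. v1 cpuacct.usage is
# already in ns; v2 cpu.stat reports usage_usec in microseconds.
cg_cpu_ns() {
    if [ "$(cg_version "$1")" = 2 ]; then
        usec=$(awk '$1 == "usage_usec" { print $2 }' "$1/cpu.stat")
        echo $(( usec * 1000 ))
    else
        cat "$1/cpuacct.usage"
    fi
}

# cpu_percent <ns-before> <ns-after> <seconds>: utilisation over the interval
# as a percentage of one core (200 means two cores fully busy).
cpu_percent() {
    echo $(( ($2 - $1) * 100 / ($3 * 1000000000) ))
}

# cg_io_bytes <dir> read|write: bytes transferred, summed over all devices.
# v1: "MAJ:MIN Read N" lines in blkio.throttle.io_service_bytes (plus a Total line);
# v2: "MAJ:MIN rbytes=N wbytes=N ..." lines in io.stat.
cg_io_bytes() {
    if [ "$(cg_version "$1")" = 2 ]; then
        key=rbytes; [ "$2" = write ] && key=wbytes
        awk -v k="$key" '{ for (i = 2; i <= NF; i++) { split($i, kv, "="); if (kv[1] == k) s += kv[2] } } END { printf "%.0f\n", s }' "$1/io.stat"
    else
        op=Read; [ "$2" = write ] && op=Write
        awk -v o="$op" '$2 == o { s += $3 } END { printf "%.0f\n", s }' "$1/blkio.throttle.io_service_bytes"
    fi
}

# cpu_sample <dir> <seconds>: CPU percentage over a live interval.
cpu_sample() {
    before=$(cg_cpu_ns "$1"); sleep "$2"; after=$(cg_cpu_ns "$1")
    cpu_percent "$before" "$after" "$2"
}

# make_sample_tree <dir> 1|2: constructed sample files (invented numbers) in the
# layout of the chosen hierarchy, so the readers above can be tried without root.
make_sample_tree() {
    mkdir -p "$1"
    if [ "$2" = 2 ]; then
        echo "cpu io memory" > "$1/cgroup.controllers"
        echo max > "$1/memory.max"
        echo 104857600 > "$1/memory.current"
        printf 'usage_usec 2500000\nuser_usec 2000000\nsystem_usec 500000\n' > "$1/cpu.stat"
        printf '8:0 rbytes=1048576 wbytes=4096 rios=256 wios=1 dbytes=0 dios=0\n8:16 rbytes=1024 wbytes=0 rios=1 wios=0 dbytes=0 dios=0\n' > "$1/io.stat"
    else
        echo 536870912 > "$1/memory.limit_in_bytes"
        echo 104857600 > "$1/memory.usage_in_bytes"
        echo 2500000000 > "$1/cpuacct.usage"
        printf '8:0 Read 1048576\n8:0 Write 4096\n8:16 Read 1024\n8:16 Write 0\nTotal 1053696\n' > "$1/blkio.throttle.io_service_bytes"
    fi
}

# report <dir>: one-line summary of a cgroup directory.
report() {
    printf 'v%s mem %s/%s cpu %ss read %sB write %sB\n' "$(cg_version "$1")" \
        "$(cg_mem_usage "$1")" "$(cg_mem_limit "$1")" "$(( $(cg_cpu_ns "$1") / 1000000000 ))" \
        "$(cg_io_bytes "$1" read)" "$(cg_io_bytes "$1" write)"
}

# Usage: ./cgstat.sh demo          (constructed v1 and v2 trees)
#        ./cgstat.sh <cgroup-dir>  (a real container cgroup directory)
case "${1:-}" in
    demo) T=$(mktemp -d); make_sample_tree "$T/v1" 1; make_sample_tree "$T/v2" 2
          report "$T/v1"; report "$T/v2"; rm -rf "$T" ;;
    "")   ;;
    *)    report "$1" ;;
esac
```

Two things the report deliberately keeps visible: memory usage includes page cache on both hierarchies, so a container near its limit is not necessarily about to be OOM-killed, and the CPU figure is cumulative, which is why cpu_sample takes two readings and divides by the interval instead of reading the file once.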

Related lightweight projects

Bocker

Dockerlite

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Resource Management, Linux, cgroups, Namespaces

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
