Cloud Native

Understanding Docker’s Core: How Cgroups Enable Resource Isolation

This article explains Docker’s essential architecture, focusing on Linux Cgroups as the foundation for container resource isolation, detailing why Cgroups are needed, how they work, and practical examples of CPU, memory, and I/O limits using Docker commands.

Mike Chen's Internet Architecture

Docker Core Principle: Cgroups

Cgroups (control groups) are a Linux kernel mechanism for accounting, limiting and isolating the resources used by a group of processes.

Why Cgroups Are Needed

All containers on a host share the same OS kernel and the same system resources (CPU, memory, disk I/O, network bandwidth). Without Cgroups, a misbehaving or compromised container could consume those resources without bound, starving other containers and the host itself.

How Cgroups Work

Cgroups organize tasks into a hierarchical tree structure. Each node can have subsystems attached to control resources for all tasks under that node.

/sys/fs/cgroup/…
├── memory/docker/<container-id>/
├── cpu/docker/<container-id>/
├── blkio/docker/<container-id>/
└── …

Each subsystem directory contains files that record resource quotas and usage.

Key subsystems include:

cpu: CPU time allocation – e.g., cap the maximum CPU time a container may use.

cpuset: Restrict the CPU cores (and memory nodes) a container may run on.

memory: Cap a container's memory usage so it cannot exhaust host memory; a container that exceeds its cap is OOM-killed inside its own cgroup instead of destabilising the host.

blkio: Disk I/O bandwidth and IOPS control.

net_cls: Tag the container's packets with a class identifier so that tc or iptables rules can shape or filter its traffic.

devices: Control which device nodes a container may access.

Practical Examples

CPU limit

Set a relative CPU weight with cpu.shares, or an absolute quota with cpu.cfs_quota_us (expressed per cpu.cfs_period_us). These are cgroup v1 file names; on a cgroup v2 host the equivalents are cpu.weight and cpu.max. Example:

# Cap the container at one CPU's worth of time (quota equal to period)
docker run --cpus=1 …

Memory limit

Set the maximum memory with memory.limit_in_bytes (memory.max on cgroup v2). Example:

docker run --memory=256m …
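As an added example (not the article's own code), a small Python checker that reads the control files named above from a container's cgroup directory and reports which resources are still uncapped, which is the check a host reviewer wants after `docker run`. It runs against constructed sample directories; the `demo` fixture, the `build_sample` helper and the 2**62 "unlimited" threshold for cgroup v1 are assumptions of this example.

```python
import tempfile
from pathlib import Path

def _read(path: Path):
    """Contents of a cgroup control file, or None if the file is absent."""
    try:
        return path.read_text().strip()
    except FileNotFoundError:
        return None

def container_limits(cg: Path) -> dict:
    """Effective CPU and memory caps in one container's cgroup directory: the v1 files
    the article names (cpu.cfs_quota_us, cpu.cfs_period_us, memory.limit_in_bytes) and
    their cgroup v2 equivalents (cpu.max, memory.max). Absent/unlimited maps to None."""
    limits = {"cpus": None, "memory_bytes": None}
    cpu_max = _read(cg / "cpu.max")  # v2: "<quota> <period>", quota may be "max"
    if cpu_max is not None:
        quota, period = cpu_max.split()
        if quota != "max":
            limits["cpus"] = int(quota) / int(period)
    else:  # v1: --cpus=1 is quota 100000 over period 100000; quota -1 means unlimited
        quota, period = _read(cg / "cpu.cfs_quota_us"), _read(cg / "cpu.cfs_period_us")
        if quota and period and int(quota) > 0:
            limits["cpus"] = int(quota) / int(period)
    mem = _read(cg / "memory.max")
    if mem is None:
        mem = _read(cg / "memory.limit_in_bytes")
    # v1 encodes "no limit" as a huge page-rounded number; treat >= 2**62 as unlimited
    if mem is not None and mem != "max" and int(mem) < 2 ** 62:
        limits["memory_bytes"] = int(mem)
    return limits

def unbounded(limits: dict) -> list:
    """Resources the cgroup does not cap, i.e. what a host review should flag."""
    return [name for name, value in limits.items() if value is None]

def build_sample(root: Path, files: dict) -> Path:
    """Write a constructed cgroup directory (a fixture, not a real /sys/fs/cgroup)."""
    root.mkdir(parents=True, exist_ok=True)
    for name, value in files.items():
        (root / name).write_text(value + "\n")
    return root

def demo() -> dict:
    """Two constructed containers: one started with --cpus=1 --memory=256m, one unlimited."""
    base = Path(tempfile.mkdtemp())
    limited = build_sample(base / "limited", {"cpu.cfs_quota_us": "100000",
                           "cpu.cfs_period_us": "100000", "memory.limit_in_bytes": str(256 * 2 ** 20)})
    open_v2 = build_sample(base / "open", {"cpu.max": "max 100000", "memory.max": "max"})
    return {"limited": container_limits(limited), "open": container_limits(open_v2)}
```

On a real host, point `container_limits` at `/sys/fs/cgroup/<subsystem>/docker/<container-id>/` (v1) or the container's unified cgroup directory (v2) instead of the fixture.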

In summary, Docker relies on Linux Cgroups to enforce “who, how much, and how” of resource limits, making it the cornerstone technology for container isolation and elastic scaling.

[Figures: Docker Cgroups diagram; Cgroups hierarchy diagram; Subsystems illustration]

Tags: Docker, Linux, Container, Cgroups, Resource Isolation
Written by

Mike Chen's Internet Architecture

Over ten years of BAT architecture experience, shared generously!
