Difference between cgroups and namespaces
I recently started learning Docker and it seems that most of the heavy lifting is done by the Linux kernel, using namespaces and cgroups.
A few things which I am finding confusing are:
What is the difference between a namespace and a cgroup? What are the different use cases they address?
What has Docker implemented on top of these to gain popularity?
I would like to know the internals of these features and how they are implemented.
The proper links for those two notions have been fixed in PR 14307:
Under the hood, Docker is built on the following components:
- cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
- namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
- Cgroups = limits how much you can use;
- namespaces = limits what you can see (and therefore use)
Cgroups involve resource metering and limiting:
- block I/O
Namespaces provide processes with their own view of the system:
- user: userns is graduating from experimental in Docker 1.10 (per-daemon-instance remapping of container root to an unprivileged user is in progress: PR 12648; see its design)
Cgroups limit the resources which a process or set of processes can use; these resources could be CPU, memory, network I/O or access to the filesystem, while namespaces restrict the visibility of a group of processes to the rest of the system.
For further details, visit: How Linux Kernel Cgroups And Namespaces Made Modern Containers Possible
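Added example (not part of the original answers and not Docker's code): the kernel exposes both mechanisms per process under `/proc`, so the "how much you can use" versus "what you can see" split can be checked directly. The sample data, the container id `abc123` and the function names are constructed for illustration; `snapshot()` reads the same files live on a Linux host.

```python
import os
import re

# Constructed samples: /proc/<pid>/cgroup text and readlink /proc/<pid>/ns/*
# for a host shell and a container process ("abc123" is a made-up container id).
HOST = {
    "cgroup": "0::/user.slice/user-1000.slice/session-3.scope\n",
    "ns": {"pid": "pid:[4026531836]", "net": "net:[4026531840]",
           "mnt": "mnt:[4026531841]", "user": "user:[4026531837]"},
}
CONTAINER = {
    "cgroup": "12:memory:/docker/abc123\n5:cpu,cpuacct:/docker/abc123\n0::/\n",
    "ns": {"pid": "pid:[4026532501]", "net": "net:[4026532504]",
           "mnt": "mnt:[4026532499]", "user": "user:[4026531837]"},
}

def parse_cgroup(text):
    """Map controller -> cgroup path; lines are hierarchy-ID:controllers:path.
    cgroup v2 leaves the controller field empty; store it as 'unified'."""
    out = {}
    for line in filter(None, text.splitlines()):
        _, controllers, path = line.split(":", 2)
        for name in (controllers.split(",") if controllers else ["unified"]):
            out[name] = path
    return out

def parse_ns(link):
    """'net:[4026531840]' -> ('net', 4026531840); the number is the ns inode."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", link)
    if m is None:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group(1), int(m.group(2))

def compare(a, b):
    """Return (namespaces a and b do not share, controllers with different cgroups)."""
    ns_a = {k: parse_ns(v)[1] for k, v in a["ns"].items()}
    ns_b = {k: parse_ns(v)[1] for k, v in b["ns"].items()}
    isolated = sorted(k for k in ns_a.keys() | ns_b.keys() if ns_a.get(k) != ns_b.get(k))
    cg_a, cg_b = parse_cgroup(a["cgroup"]), parse_cgroup(b["cgroup"])
    limited = sorted(c for c in cg_a.keys() | cg_b.keys() if cg_a.get(c) != cg_b.get(c))
    return isolated, limited

def snapshot(pid="self"):
    """Read the same two views live from /proc (Linux only)."""
    with open(f"/proc/{pid}/cgroup") as f:
        cgroup = f.read()
    ns_dir = f"/proc/{pid}/ns"
    return {"cgroup": cgroup, "ns": {n: os.readlink(f"{ns_dir}/{n}") for n in os.listdir(ns_dir)}}
```

In the constructed container sample the `user` namespace inode matches the host's, so container root is host root; that is the gap user-namespace remapping closes.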