difference between cgroups and namespaces

I recently started learning docker and it seems that most of the heavy lifting is done by the linux kernel, using namespaces and cgroups.

A few things which i am finding confusing are :

  1. What is the difference between a namespace and a cgroup ? What are the different uses cases they address ?

  2. What has docker implemented on top this these to gain popularity ?

  3. I would like to know the internals of these features and how they are implemented.


The proper links for those two notions have been fixed in PR 14307:

Under the hood, Docker is built on the following components:

The cgroups and namespaces capabilities of the Linux kernel


  • cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
  • namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

In short:

  • Cgroups = limits how much you can use;
  • namespaces = limits what you can see (and therefore use)

See more at "Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic" by Jérôme Petazzoni.

Cgroups involve resource metering and limiting:

  • memory
  • CPU
  • block I/O
  • network

Namespaces provide processes with their own view of the system

Multiple namespaces:

cgroups limits the resources which a process or set of processes can use these resources could be CPU,Memory,Network I/O or access to filesystem while namespace restrict the visibility of group of processes to the rest of the system.

visit for further details How Linux Kernel Cgroups And Namespaces Made Modern Containers Possible

Need Your Help

Loss of precision - int -> float or double

java floating-point double precision

I have an exam question I am revising for and the question is for 4 marks.