#Linux #Containers #System Administration #DevOps

cgroups and namespaces explained

Namir Ahmed
Namir Ahmed
4 min read
Linux cgroups and namespaces visualization for an article by Atlanta based Software Engineer, Namir Ahmed.

Isolating Processes: The Linux Way

If you’ve been tinkering with containers like Docker or Kubernetes, you’ve likely heard of cgroups and namespaces. They’re fundamental to how these technologies work, providing the isolation and resource management that make containers feel like separate machines without the overhead.

Let’s break down what they are and why they matter.

Namespaces: Your Own Little World

Imagine you’re running multiple applications on the same server. You don’t want one app to accidentally mess with another’s files, network connections, or process IDs. That’s where namespaces come in. They create isolated views of system resources for a process and its children.

Think of it like giving each app its own personal set of house rules. It can’t see or interact with things outside its designated area. There are several types of namespaces, each isolating a different aspect of the system:

  • PID (Process ID) Namespace: Each PID namespace has its own set of PIDs, starting from 1. A process in one PID namespace won’t see processes in another.
  • Network (Net) Namespace: Gives processes their own network stack, including network interfaces, IP addresses, routing tables, and port numbers. This is crucial for containers to have their own IP addresses and ports.
  • Mount (Mnt) Namespace: Allows processes to have their own view of the filesystem. A process can mount and unmount filesystems without affecting others.
  • UTS (UNIX Timesharing System) Namespace: Isolates the hostname and domain name. This means you can set a different hostname for a container than the host system.
  • IPC (Interprocess Communication) Namespace: Isolates System V IPC objects and POSIX message queues.
  • User Namespace: Isolates user and group IDs. A process can have root privileges within its user namespace without having root privileges on the host system.

A Quick Example (Conceptual):

If you were to run a command like ps aux inside a network namespace, you’d only see processes associated with that namespace, not all processes on the host. Similarly, if you tried to access a file path that was only mounted within a specific mount namespace, you wouldn’t see it from outside.

Cgroups: Keeping Things in Check

While namespaces provide isolation, cgroups (Control Groups) provide resource control. They allow you to allocate, limit, and prioritize system resources like CPU, memory, disk I/O, and network bandwidth for a group of processes.

This is vital for preventing a single runaway process from consuming all available resources and crashing the system. Cgroups enable:

  • Resource Limiting: Setting hard limits on how much of a resource a group of processes can use (e.g., maximum 50% CPU, 1GB RAM).
  • Prioritization: Giving certain groups of processes higher priority for accessing resources.
  • Accounting: Monitoring resource usage for a group of processes.
  • Control: Freezing, thawing, and restarting processes within a group.

Cgroups are organized in a hierarchical way, allowing for more granular control. For instance, you might have a cgroup for all web server processes, and within that, sub-cgroups for different web applications.

Key Cgroup Controllers:

  • cpu: Controls CPU time allocation.
  • memory: Controls memory usage.
  • blkio: Controls block I/O device access.
  • net_cls / net_prio: Classifies network packets for accounting and traffic control.

**A Simple Snippet (Illustrative - actual management is more complex):

Imagine you want to limit a process to using only 25% of the CPU. You might create a cgroup and configure its cpu.shares or cpu.cfs_quota_us (depending on cgroup version) to enforce this limit.

Let’s say you create a directory /sys/fs/cgroup/cpu/my_app and in it, you set:

Terminal window
# Limit to 25% of CPU
echo 25000 > /sys/fs/cgroup/cpu/my_app/cpu.cfs_quota_us


# Assign a process to this cgroup (e.g., process ID 1234)
echo 1234 > /sys/fs/cgroup/cpu/my_app/tasks

This is a simplified view, as modern systems often use cgroup v2, which has a unified hierarchy and different configuration methods.

The Power Duo

Namespaces and cgroups work hand-in-hand. Namespaces provide the illusion of separate environments, and cgroups ensure that these environments don’t hog all the server’s resources. Together, they are the bedrock of containerization, allowing us to run isolated, resource-controlled applications efficiently on a single host.

Understanding these two concepts is key to grasping how containers function and how to manage them effectively in production environments.

Tags: Linux, Containers, System Administration, DevOps

Back to Blog
← Previous Article Probabilistic Data Structures: When to Use Them Next Article → Open Source Maintenance Realities

Contents

Need to Message Me?

Let's Talk!