Answer: Linux Namespaces provide isolation for users, process IDs, and networks in Docker containers.
Docker achieves process isolation and resource control using Linux cgroups (Control Groups) and Namespaces.
Namespaces ensure process isolation by creating separate environments for containers. Docker uses the following namespaces:
| Namespace | Description |
|---|---|
| PID Namespace | Isolates process IDs, preventing containers from seeing or interfering with other processes. |
| Network Namespace | Provides separate network stacks, ensuring each container has its own interfaces, IP addresses, and routing tables. |
| Mount Namespace | Isolates file system views, ensuring each container has its own root filesystem. |
| User Namespace | Separates user IDs, enabling containers to run as non-root users for security. |
| IPC Namespace | Isolates inter-process communication, preventing shared memory conflicts. |
| UTS Namespace | Allows containers to have independent hostnames and domain names. |
lsns
Control Groups (cgroups) limit and allocate system resources (CPU, memory, disk I/O, network bandwidth) for Docker containers.
| Cgroup Type | Function |
|---|---|
| CPU | Limits CPU usage for a container. |
| Memory | Restricts RAM usage to prevent a container from consuming all memory. |
| Block I/O (blkio) | Controls disk read/write speed. |
| Network | Manages network bandwidth. |
| Devices | Restricts access to hardware devices. |
cat /proc/self/cgroup