difference between cgroups and namespaces

3

136

I recently started learning docker and it seems that most of the heavy lifting is done by the Linux kernel, using namespaces and cgroups.

A few things which I am finding confusing are:

  1. What is the difference between a namespace and a cgroup? What are the different use cases they address?

  2. What has docker implemented on top of these to gain popularity?

  3. I would like to know the internals of these features and how they are implemented.

Hardtop answered 15/1, 2016 at 21:57 Comment(2)
See en.wikipedia.org/wiki/Cgroups and en.wikipedia.org/wiki/Cgroups#Namespace_isolation - Readjustment
"A cgroup is a collection of processes that are bound to a set of limits or parameters defined via the cgroup filesystem." see man7.org/linux/man-pages/man7/cgroups.7.html - Lys
175

The proper links for those two notions have been fixed in PR 14307:

Under the hood, Docker is built on the following components:

The cgroups and namespaces capabilities of the Linux kernel

With:

  • cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
  • namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

In short:

  • Cgroups = limits how much you can use;
  • namespaces = limits what you can see (and therefore use)

See more at "Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic" by Jérôme Petazzoni.

Cgroups involve resource metering and limiting:

  • memory
  • CPU
  • block I/O
  • network

Namespaces provide processes with their own view of the system

Multiple namespaces:

Cabstand answered 16/1, 2016 at 8:51 Comment(5)
Thanks. Is chroot based on some namespace? Can chroot be replaced by some namespace? - Macrobiotic
No, chroot is not based on a namespace: see itnext.io/…. More than three years later though, keep in mind the new Docker (19.03, still in beta) can be run as rootless: github.com/moby/moby/blob/…. And can expose resources on the host namespace: github.com/moby/moby/pull/38913 - Cabstand
Can chroot be replaced by some namespace? - Macrobiotic
@Macrobiotic Not natively. Maybe with pivot_root? (unix.stackexchange.com/a/456777/7490) See also github.com/vincentbernat/jchroot - Cabstand
twitter.com/b0rk/status/1225445956734390273 for container illustration - Cabstand
15

cgroups limit the resources which a process or set of processes can use; these resources could be CPU, memory, network I/O or access to the filesystem, while namespaces restrict the visibility of a group of processes to the rest of the system.

Visit "How Linux Kernel Cgroups And Namespaces Made Modern Containers Possible" for further details.

Antedate answered 26/10, 2017 at 7:5 Comment(0)
12

Cgroups (control groups) do resource management.
They determine how much of the host machine's resources are given to containers.

For example, we define resources in a docker-compose YAML file for creating services like:

resources:
  limits:
    cpus: "0.1"  # 100 millicores
    memory: 50M

Here, in this example, we are explicitly asking cgroups to allocate these resources to a particular container.


Namespaces: provide process isolation, complete isolation of containers, a separate file system.


There are 6 types of namespaces:

  1. mount ns - for the file system.
  2. UTS (Unique time sharing) ns - which checks for different hostnames of running containers
  3. IPC ns - interprocess communication
  4. Network ns - takes care of different IP allocation to different containers
  5. PID ns - process ID isolation
  6. user ns - different username (uid)

Gesellschaft answered 7/1, 2020 at 18:0 Comment(1)
Wasn't cgroup also a namespace? - Practitioner
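
An added illustration (not part of any answer above, and not Docker's own code) of the "how much you can use" versus "what you can see" split: namespace membership is read from the /proc/<pid>/ns/* links and cgroup membership from /proc/<pid>/cgroup, two separate kernel interfaces. The two process records below are constructed sample data, and the cgroup path uses a placeholder ID.

```python
# Constructed sample data (not captured from a real host). Each record mimics
# `readlink /proc/<pid>/ns/<type>` and `cat /proc/<pid>/cgroup` for one process.
HOST = {
    "ns": {"mnt": "mnt:[4026531840]", "uts": "uts:[4026531838]",
           "ipc": "ipc:[4026531839]", "net": "net:[4026531992]",
           "pid": "pid:[4026531836]", "user": "user:[4026531837]"},
    "cgroup": "0::/user.slice/user-1000.slice/session-3.scope\n",
}
CONTAINER = {
    "ns": {"mnt": "mnt:[4026532567]", "uts": "uts:[4026532568]",
           "ipc": "ipc:[4026532569]", "net": "net:[4026532572]",
           "pid": "pid:[4026532570]", "user": "user:[4026531837]"},
    "cgroup": "0::/system.slice/docker-EXAMPLEID.scope\n",  # placeholder ID
}

def parse_ns_link(link):
    """'net:[4026531992]' -> ('net', 4026531992). The number is the namespace
    inode: two processes with the same inode are in the same namespace."""
    kind, _, rest = link.partition(":[")
    return kind, int(rest.rstrip("]"))

def parse_cgroup(text):
    """Parse 'hierarchy-ID:controllers:path' lines into {controllers: path}.
    cgroup v2 lines have an empty controller field, keyed here as 'unified'."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, controllers, path = line.split(":", 2)
        out[controllers or "unified"] = path
    return out

def compare(a, b):
    """Return (shared namespace types, isolated namespace types, same_cgroup)."""
    shared, isolated = [], []
    for kind in sorted(a["ns"]):
        same = parse_ns_link(a["ns"][kind])[1] == parse_ns_link(b["ns"][kind])[1]
        (shared if same else isolated).append(kind)
    return shared, isolated, parse_cgroup(a["cgroup"]) == parse_cgroup(b["cgroup"])

if __name__ == "__main__":
    shared, isolated, same_cg = compare(HOST, CONTAINER)
    print("isolated view (namespaces differ):", isolated)
    print("shared view (same namespace):     ", shared)
    print("same cgroup (same limits apply):  ", same_cg)
```

In this constructed sample the user namespace is shared with the host, so UID 0 inside the container is UID 0 on the host; that is the kind of gap this comparison surfaces when reviewing a container's isolation.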
