Linux cgroups & namespaces – From Basics to FAANG-level Mastery
🧩 Table of Contents
What Problem Are We Solving?
Overview: Linux Process Isolation
🔐 Linux Namespaces (All 8 Types)
⚙️ Linux Control Groups (cgroups v1 vs v2)
cgroups + namespaces = Containers
Hands-on Demos & Examples
Advanced Use-Cases
FAANG-Level Interview Questions & Answers
Visual Summary & Cheat Table
🚩 1. What Problem Are We Solving?
Imagine a multi-user system or a container host:
How do you prevent one process from seeing others? 👉 Namespaces
How do you limit CPU/RAM per process/group? 👉 cgroups
How do you isolate processes like they're in separate machines? 👉 Combine both
📦 2. Overview: Linux Process Isolation
In default Linux:
All processes see the same process list, same filesystem, and compete for the same CPU/memory.
To isolate processes (e.g., in containers), Linux provides:
🧱 3. Linux Namespaces – Logical Isolation
✅ What are Namespaces?
Namespaces provide per-process views of global system resources. Each namespace isolates one aspect of the system.
🧠 Chronological Explanation (1–8 Types)
🌐 Namespace Example – Isolate hostname and PID
🔧 4. Linux Control Groups (cgroups) – Resource Management
✅ What are cgroups?
cgroups = control groups. They limit, account for, and isolate the resource usage (CPU, memory, disk I/O, etc.) of groups of processes.
⚖️ What Can You Control with cgroups?
📚 cgroups v1 vs cgroups v2
🔥 Kubernetes & systemd now prefer cgroups v2.
⚙️ Basic cgroup Setup (v1)
The setup above limits the process to 20% CPU usage.
🔗 5. Combining Namespaces + cgroups = Containers
Containers (like Docker) are not a new kernel feature.
They're just:
Example: How Docker Uses Both
docker run -m 128m --cpus="0.5" alpine
Sets memory/CPU limits via cgroups
Creates PID/net/UTS/mnt namespaces
Runs as root inside user namespace
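The cgroup setup section and the Docker example above describe the same mechanism from two sides: Docker's `-m 128m --cpus="0.5"` is translated into the same cgroup files you write by hand. The script below is an added example (not code from the article or from Docker) that does that translation and applies the limits to an existing PID, choosing the cgroup v1 layout (`cpu.cfs_quota_us`, `memory.limit_in_bytes`, `tasks`) or the v2 layout (`cpu.max`, `memory.max`, `cgroup.procs`) at runtime. The group name `mygroup`, the script name `cgroup_setup.sh`, and the sample values are assumptions; only the `apply` mode touches `/sys/fs/cgroup` and it needs root.

```shell
#!/bin/sh
# cgroup_setup.sh - added example, not from the original article or Docker.
# Usage: sudo sh cgroup_setup.sh apply <pid>
# Without arguments it only defines the helpers below.

# --- pure helpers (no root needed) --------------------------------------

# Docker's -m accepts 128m / 1g / 512k; cgroup files want plain bytes.
mem_to_bytes() {
    n=${1%[kKmMgG]}                      # strip the unit suffix, if any
    case "$1" in
        *k|*K) echo $((n * 1024)) ;;
        *m|*M) echo $((n * 1024 * 1024)) ;;
        *g|*G) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# CPU caps are "quota period" in microseconds over a 100 ms period:
#   --cpus=0.5 -> "50000 100000"  (half of one CPU)
#   20 %       -> "20000 100000"
cpus_to_cpu_max() {
    awk -v c="$1" 'BEGIN { printf "%d 100000\n", c * 100000 }'
}
cpu_percent_to_cpu_max() {
    echo "$(( $1 * 1000 )) 100000"
}

# cgroup v2 mounts one unified hierarchy with cgroup.controllers at its root.
cgroup_version() {
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then echo v2; else echo v1; fi
}

# --- privileged part ----------------------------------------------------

# apply_limits GROUP PID "QUOTA PERIOD" MEM_BYTES
apply_limits() {
    group=$1; pid=$2; cpu_max=$3; mem_bytes=$4
    if [ "$(cgroup_version)" = v2 ]; then
        d=/sys/fs/cgroup/$group
        mkdir -p "$d"
        echo "+cpu +memory" > /sys/fs/cgroup/cgroup.subtree_control
        echo "$cpu_max"   > "$d/cpu.max"
        echo "$mem_bytes" > "$d/memory.max"
        echo "$pid"       > "$d/cgroup.procs"     # v2: cgroup.procs, not tasks
    else
        set -- $cpu_max                           # split "quota period"
        mkdir -p "/sys/fs/cgroup/cpu/$group" "/sys/fs/cgroup/memory/$group"
        echo "$2" > "/sys/fs/cgroup/cpu/$group/cpu.cfs_period_us"
        echo "$1" > "/sys/fs/cgroup/cpu/$group/cpu.cfs_quota_us"
        echo "$mem_bytes" > "/sys/fs/cgroup/memory/$group/memory.limit_in_bytes"
        echo "$pid" > "/sys/fs/cgroup/cpu/$group/tasks"       # v1: one hierarchy
        echo "$pid" > "/sys/fs/cgroup/memory/$group/tasks"    # per controller
    fi
}

if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    cpu=$(cpus_to_cpu_max 0.5)          # same as docker --cpus="0.5"
    mem=$(mem_to_bytes 128m)            # same as docker -m 128m
    apply_limits mygroup "$2" "$cpu" "$mem"
    echo "pid $2 -> mygroup ($(cgroup_version)): cpu.max='$cpu' memory=$mem bytes"
fi
```

On a v1 host the CPU and memory controllers are separate hierarchies, so the PID has to be written into each one's `tasks` file; on v2 a single `cgroup.procs` write moves the whole process (all its threads) into the group.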
🧪 6. Hands-on: DIY "Container"
Inside:
hostname isolated
mount -t proc proc /proc
Now you’re in a mini container with isolated process tree, hostname, and resources!
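As an added example (not the article's own commands), the script below runs the DIY container steps end to end with `unshare(1)` from util-linux: it creates new UTS, PID, mount and network namespaces, re-executes itself inside them to set the hostname and mount a private `/proc`, and then checks the report the inner shell prints. The hostname `mini` and the script name `mini_container.sh` are assumptions; the `run` mode needs root (CAP_SYS_ADMIN).

```shell
#!/bin/sh
# mini_container.sh - added example, not from the original article.
# Usage: sudo sh mini_container.sh run
# Without arguments it only defines the helpers below.

# Map namespace names to unshare flags. --pid must be paired with --fork:
# the caller keeps its old PID namespace, and only the forked child becomes
# PID 1 of the new one.
unshare_flags() {
    flags=""
    for ns in "$@"; do
        case "$ns" in
            pid) flags="$flags --pid --fork" ;;
            uts|mount|net|ipc|user|cgroup|time) flags="$flags --$ns" ;;
            *) echo "unknown namespace: $ns" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "${flags# }"
}

# The article's "Inside:" steps, run as PID 1 of the new PID namespace.
inside_steps() {
    hostname mini                  # only changes the new UTS namespace
    mount -t proc proc /proc       # private procfs: ps shows only this tree
    echo "hostname=$(hostname)"
    echo "pid=$$"                  # 1 inside the new PID namespace
    echo "visible=$(ls /proc | grep -c '^[0-9]')"
}

# Isolation worked only if the inner shell was PID 1 and got the new name.
verify_report() {
    report=$1
    echo "$report" | grep -q '^pid=1$' || return 1
    echo "$report" | grep -q '^hostname=mini$' || return 1
    return 0
}

case "${1:-}" in
    run)
        [ "$(id -u)" -eq 0 ] || { echo "run needs root" >&2; exit 1; }
        # unshare sets mount propagation to private by default, so the
        # /proc mount made inside does not leak back into the host.
        report=$(unshare $(unshare_flags uts pid mount net) sh "$0" inside)
        echo "$report"
        if verify_report "$report"; then echo "isolation OK"; else echo "isolation FAILED"; fi
        ;;
    inside)
        inside_steps
        ;;
esac
```

The `visible=` line is the practical check: with a private `/proc` the count is the handful of processes in the new tree rather than everything on the host, and `hostname` on the host is unchanged after the run.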
🧠 7. Advanced Use-Cases
🎯 8. FAANG-Level Interview Q&A
❓Q1: How do cgroups and namespaces enable containers?
A: Namespaces isolate what a process sees (process list, filesystem, hostname); cgroups control how much it uses (CPU, memory). Together they make containers look and behave like VMs.
❓Q2: What happens when memory limit is exceeded in a cgroup?
A: The kernel invokes the OOM killer inside that cgroup and terminates the largest memory-consuming process in it.
❓Q3: How do you apply a cgroup to an existing process?
echo <pid> > /sys/fs/cgroup/memory/mygroup/tasks
❓Q4: Can two containers share the same namespace?
A: Yes. You can use --pid=container:<name> in Docker to share PID namespace.
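Whether two processes actually share a namespace (for example after `--pid=container:<name>`) can be verified from the host without Docker's help: every process exposes its namespaces as symlinks under `/proc/<pid>/ns/`, such as `pid:[4026531836]`, and two processes are in the same namespace exactly when the inode numbers in brackets match. The script below is an added example (not from the article or Docker); the container name `web` in the usage comment and the script name `ns_check.sh` are assumptions.

```shell
#!/bin/sh
# ns_check.sh - added example, not from the original article.
# Usage: sh ns_check.sh PID1 PID2
# For a container, get PID1 with: docker inspect -f '{{.State.Pid}}' web

# Extract the inode from a /proc/<pid>/ns/<type> link target
# ("pid:[4026531836]" -> 4026531836).
ns_inode() {
    inode=${1#*[[]}            # drop everything up to and including "["
    printf '%s\n' "${inode%]}" # drop the trailing "]"
}

# Inode of namespace $2 (pid, net, uts, mnt, ipc, user, cgroup) for PID $1.
ns_of() {
    ns_inode "$(readlink "/proc/$1/ns/$2")"
}

# Returns 0 if PID $1 and PID $2 are in the same $3 namespace, 1 otherwise.
same_ns() {
    [ "$(ns_of "$1" "$3")" = "$(ns_of "$2" "$3")" ]
}

# Report, per namespace type, whether two PIDs share it.
ns_diff() {
    for t in pid net uts mnt ipc user cgroup; do
        if same_ns "$1" "$2" "$t"; then
            echo "$t: shared"
        else
            echo "$t: separate"
        fi
    done
}

if [ $# -eq 2 ]; then
    ns_diff "$1" "$2"
fi
```

For a container started with `--pid=container:web`, the report shows `pid: shared` between the two containers' init processes while `mnt` and `uts` stay `separate`; the same comparison against PID 1 on the host shows which namespaces a container never left (with default Docker settings, `user` is usually one of them).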
❓Q5: Difference between namespace and chroot?
🗂️ 9. Summary & Cheat Sheet
✅ Final Thought
Containers are not magic.
They're built using Linux kernel primitives:
namespaces for isolation, and cgroups for limits.
Mastering these is critical for systems, DevOps, and SRE roles at top companies.
More references:
- https://www.linkedin.com/pulse/linux-technologies-fundamental-containers-hossein-abedinzadeh-x9fjf/
- https://amsekharkernel.blogspot.com/2016/11/what-is-linux-namespace-cgroups.html
- https://medium.com/@mrdevsecops/namespace-vs-cgroup-60c832c6b8c8
- https://thevirtualbuddha.com/2024/05/23/understanding-container-technology-the-magic-of-cgroups-and-namespaces/
- https://www.alibabacloud.com/blog/getting-started-with-kubernetes-%7C-further-analysis-of-linux-containers_596290