What is a container ?

A container is a basic tool, consisting of any device creating a partially or fully enclosed space that can be used to contain, store, and transport objects or materials. In commerce, it includes "any receptacle or enclosure for holding a product used in packaging and shipping". Things kept inside of a container are protected by being inside of its structure.

Container history

Humans have used containers for at least 100,000 years, and possibly for millions of years. The first containers were probably invented for storing food, allowing early humans to preserve more of their food for a longer time, to carry it more easily, and to protect it from other animals. The development of food storage containers was "of immense importance to the evolving human populations", and "was a totally innovative behavior" not seen in other primates.


Kernel features

  • Control Groups
  • Namespaces

Veryyyyy simple ?

Control Groups Features

Manage resources for a collection of processes

Resource limit Groups can be set to not exceed a memory limit, including file system cache
Prioritization some groups may get a larger share of CPU utilization or disk I/O throughput
Accounting Accounting – measures a group's resource usage, which may be used, for example, for billing purposes
Control freezing groups of processes, checkpointing and restarting 

cgroups history

cgroups-v1 cgroups-v2
Cgroups was originally written by Paul Menage et al. and mainlined into the Linux kernel in 2007. Afterwards this is called cgroups version 1. Then development and maintenance of cgroups was taken over by Tejun Heo. Tejun Heo redesigned and rewrote cgroups. This rewrite is now called version 2, the documentation of cgroups-v2 first appeared in Linux kernel 4.5 released on March 14, 2016.

Unlike v1, cgroups-v2 has only a single process hierarchy and discriminates between processes, not threads.

We'll see v1, because docker and lxc which this focuses on use v1.

Definition: cgroup

A cgroup associates a set of tasks with a set of parameters for one or more subsystems.

Definition: subsystem

A subsystem is a module that makes use of the task grouping facilities provided by cgroups to treat groups of tasks in particular ways. A subsystem is typically a "resource controller" that schedules a resource or applies per-cgroup limits, but it may be anything that wants to act on a group of processes, e.g. a virtualization subsystem.


cgroups Subsystems

cpuset individual CPU and memory nodes
freezer freeze, checkpoint, continue processes
memory memory usage
blkio proportional disk time
net_cls tag network packets for tc or netfilter
net_prio priority on each interface
devices open and mknod on device files
hugetlb huge page usage
cpuacct cpu usage accounting

Definition: hierarchy

A hierarchy is a set of cgroups arranged in a tree, such that every task in the system is in exactly one of the cgroups in the hierarchy, and a set of subsystems; each subsystem has system-specific state attached to each cgroup in the hierarchy.  Each hierarchy has an instance of the cgroup virtual filesystem associated with it.


At any one time there may be multiple active hierarchies of task cgroups. Each hierarchy is a partition of all tasks in the system.


(cgroup-v2 has only one hierarchy)



cgroup usage

  • Using the cgroup filesystem directly (examples in linux/Documentation/cgroup-v1/)
  • cgmanager
  • libcgroup
  • LXC, Docker, Playpen, systemd ...



  • mnt: mount points
  • pid: processes
  • net: network stack
  • ipc: System V IPC
  • uts: hostnames
  • user: uids

Title Text

  • Bullet One
  • Bullet Two
  • Bullet Three

Linux Containers

By James Pic

Linux Containers

  • 1,578