cgroups (control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes. Docker uses cgroups to enforce hardware resource constraints on containers, ensuring each container gets its fair share of CPU, memory, and disk I/O without affecting others.
cgroups, short for control groups, is a fundamental Linux kernel capability that provides fine-grained control over system resources such as CPU, memory, network classification, and block I/O. It organizes processes into hierarchical groups and allows administrators to set limits, prioritize access, and monitor usage for each group. Docker relies on cgroups as one of its core building blocks alongside namespaces: namespaces provide isolation (what a container can see), while cgroups provide resource control (what a container can use).
When you start a Docker container, the Docker daemon automatically creates a cgroup for that container under each enabled controller (subsystem). Through cgroups, Docker can enforce quotas, set limits, and guarantee that a container cannot consume more than its allocated resources. This prevents any single container from starving others or overwhelming the host system, which is essential for multi-tenant environments and production deployments.
CPU control: Using --cpus to cap how much CPU time a container may use (e.g., --cpus 1.5 allows the equivalent of 1.5 cores) or --cpu-shares to set a relative weight that only matters when containers compete for CPU. The underlying cgroup parameters are cpu.cfs_period_us and cpu.cfs_quota_us, which together define how much CPU time a container gets per scheduling period.
Memory control: Using --memory to set a hard RAM limit. If a container exceeds this limit, the kernel may invoke the Out-of-Memory (OOM) killer to terminate processes in that cgroup. Memory limits are enforced via the memory cgroup controller.
Block I/O control: Using --blkio-weight (range 10-1000) to set relative disk I/O priority, or --device-read-bps and --device-write-bps to set absolute throughput limits per device.
Network bandwidth: cgroups provide a net_cls classifier that tags a container's traffic, but Docker does not apply bandwidth limits through it; the tag is instead consumed by external shaping tools such as tc, and Docker leaves bandwidth limiting to such mechanisms.
Internally, when you run a container with resource constraints, Docker writes the corresponding values to cgroup files under /sys/fs/cgroup/. For example, CPU limits are written to cpu.cfs_period_us and cpu.cfs_quota_us, while memory limits are written to memory.limit_in_bytes. Those file names belong to cgroup v1; on a cgroup v2 (unified hierarchy) host the same limits live in cpu.max and memory.max. You can verify the settings by inspecting the cgroup files directly, or by running docker inspect and reading the HostConfig section, which records the limits that were requested. The cgroup hierarchy lets Docker manage resources at the container level, and any child processes spawned inside the container automatically inherit the same cgroup restrictions.
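To make the flag-to-file mapping above concrete, and to show the verification step the paragraph recommends, here is an added example (not Docker's or the kernel's own code) that translates --cpus into the CFS quota/period pair, reads the effective limits back from cgroup v1 or v2 files, and compares them with what docker inspect reports in HostConfig. The cgroup file contents and the HostConfig dict are constructed inline so it runs offline; on a real host you would read them from the container's directory under /sys/fs/cgroup/ and from docker inspect.

```python
"""Compare a container's cgroup limits with the HostConfig Docker reports (added example)."""
from typing import Dict, List, Optional, Tuple

CFS_PERIOD_US = 100_000  # Docker's default cpu.cfs_period_us

def cpus_to_cfs(cpus: float) -> Tuple[int, int]:
    """Translate `--cpus N` into the (cpu.cfs_quota_us, cpu.cfs_period_us) pair Docker writes."""
    return int(round(cpus * CFS_PERIOD_US)), CFS_PERIOD_US

def effective_cpus(files: Dict[str, str]) -> Optional[float]:
    """CPU ceiling in cores from cgroup v1 or v2 files; None means no quota."""
    if "cpu.max" in files:                          # v2: "<quota> <period>" or "max <period>"
        quota, period = files["cpu.max"].split()
        return None if quota == "max" else int(quota) / int(period)
    quota = int(files["cpu.cfs_quota_us"])          # v1: -1 means no quota
    period = int(files["cpu.cfs_period_us"])
    return None if quota < 0 else quota / period

def effective_memory(files: Dict[str, str]) -> Optional[int]:
    """Hard memory limit in bytes; None means unlimited."""
    if "memory.max" in files:                       # v2 stores the literal "max" when unset
        raw = files["memory.max"].strip()
        return None if raw == "max" else int(raw)
    raw = int(files["memory.limit_in_bytes"])       # v1 unset limit is a sentinel near 2**63
    return None if raw >= 2**62 else raw

def _same(a: Optional[float], b: Optional[float]) -> bool:
    return a == b if None in (a, b) else abs(a - b) < 1e-6

def check_limits(host_config: Dict[str, int], files: Dict[str, str]) -> List[str]:
    """Report mismatches between the limits Docker was asked for and what the kernel holds."""
    problems = []
    want_cpus = host_config.get("NanoCpus", 0) / 1e9 or None    # NanoCpus=0 means unlimited
    if not _same(effective_cpus(files), want_cpus):
        problems.append(f"cpu: kernel={effective_cpus(files)} docker={want_cpus}")
    want_mem = host_config.get("Memory", 0) or None             # Memory=0 means unlimited
    if not _same(effective_memory(files), want_mem):
        problems.append(f"memory: kernel={effective_memory(files)} docker={want_mem}")
    return problems

# Constructed samples: `docker run --cpus 1.5 --memory 512m` on a cgroup v2 host ...
HOSTCONFIG = {"NanoCpus": 1_500_000_000, "Memory": 536_870_912}
CGROUP_V2 = {"cpu.max": "150000 100000", "memory.max": "536870912"}
# ... and a v1 cgroup where no limit was ever applied, i.e. what a mismatch looks like
CGROUP_V1_UNLIMITED = {"cpu.cfs_quota_us": "-1", "cpu.cfs_period_us": "100000",
                       "memory.limit_in_bytes": "9223372036854771712"}

if __name__ == "__main__":
    print("v2 container:", check_limits(HOSTCONFIG, CGROUP_V2) or "limits match")
    print("v1 unlimited:", check_limits(HOSTCONFIG, CGROUP_V1_UNLIMITED))
```

A non-empty result from check_limits means the kernel is not enforcing what the daemon recorded, which is worth alerting on in a multi-tenant host.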
Understanding the distinction between namespaces and cgroups is crucial: namespaces provide isolation by giving each container its own view of the system (process IDs, network interfaces, mount points), while cgroups provide resource control by limiting how much of the system's resources each container can actually consume. Together, they form the foundation of Docker's container runtime environment, enabling lightweight virtualization with strong guarantees about resource usage and isolation.