difference between cgroups and namespaces

Question

I recently started learning docker and it seems that most of the heavy lifting is done by the Linux kernel, using namespaces and cgroups.

A few things which I am finding confusing are:

1. What is the difference between a namespace and a cgroup? What are the different use cases they address?

2. What has docker implemented on top this these to gain popularity ?

3. I would like to know the internals of these features and how they are implemented.

Answer 1

The proper links for those two notions have been fixed in PR 14307:

Under the hood, Docker is built on the following components:

The cgroups and namespaces capabilities of the Linux kernel

With:

• cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
• namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

In short:

• Cgroups = limits how much you can use;
• namespaces = limits what you can see (and therefore use)

See more at "Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic" by Jérôme Petazzoni.

Cgroups involve resource metering and limiting:

• memory
• CPU
• block I/O
• network

Namespaces provide processes with their own view of the system

Multiple namespaces:

• pid
• net
• mnt
• uts
• ipc
• user: userns it is graduating from experimental in docker 1.10
  (per-daemon-instance remapping of container root to an unprivileged user is in progress: PR 12648: see its design)