difference between cgroups and namespaces

The proper links for those two notions have been fixed in PR 14307:

Under the hood, Docker is built on the following components:

The cgroups and namespaces capabilities of the Linux kernel

With:

  • cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
  • namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

In short:

  • Cgroups = limits how much you can use;
  • namespaces = limits what you can see (and therefore use)

See more at “Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic” by Jérôme Petazzoni.

Cgroups involve resource metering and limiting:

  • memory
  • CPU
  • block I/O
  • network

Namespaces provide processes with their own view of the system

Multiple namespaces:

  • pid
  • net
  • mnt
  • uts
  • ipc
  • user: userns is graduating from experimental in Docker 1.10
    (per-daemon-instance remapping of container root to an unprivileged user is in progress: PR 12648: see its design)
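
The split described above can be checked per process through /proc. The following is an added example, not part of the original answer: it compares two processes' namespace inodes (what each can see) and cgroup membership (where each is metered and limited). The inode numbers, the `/docker/example-container` path and all function names are constructed for illustration.

```python
import os
import re

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # readlink target, e.g. "pid:[4026531836]"

def parse_ns_links(targets):
    """Map namespace type -> inode number from /proc/<pid>/ns/* link targets."""
    found = (NS_LINK.match(t.strip()) for t in targets)
    return {m.group(1): int(m.group(2)) for m in found if m}

def parse_cgroup(text):
    """Map controller -> cgroup path from /proc/<pid>/cgroup (ID:controllers:path)."""
    membership = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        # cgroup v2 uses a single entry with an empty controller list ("0::/path")
        for ctrl in (parts[1].split(",") if parts[1] else ["unified"]):
            membership[ctrl] = parts[2]
    return membership

def read_live(pid="self"):
    """Read both views for a real process on Linux (needs access to /proc/<pid>)."""
    ns_dir = f"/proc/{pid}/ns"
    targets = [os.readlink(os.path.join(ns_dir, n)) for n in os.listdir(ns_dir)]
    with open(f"/proc/{pid}/cgroup") as fh:
        return parse_ns_links(targets), parse_cgroup(fh.read())

def compare(ns_a, cg_a, ns_b, cg_b):
    """Report which namespaces and cgroups separate process B from process A."""
    common_ns = ns_a.keys() & ns_b.keys()
    common_cg = cg_a.keys() & cg_b.keys()
    return {
        "isolated_ns": sorted(k for k in common_ns if ns_a[k] != ns_b[k]),
        "shared_ns": sorted(k for k in common_ns if ns_a[k] == ns_b[k]),
        "separate_cgroups": sorted(k for k in common_cg if cg_a[k] != cg_b[k]),
    }

# Constructed sample data (not captured from a real host).
HOST_NS = ["pid:[4026531836]", "net:[4026531992]", "mnt:[4026531840]",
           "uts:[4026531838]", "ipc:[4026531839]", "user:[4026531837]"]
CONTAINER_NS = ["pid:[4026532201]", "net:[4026532204]", "mnt:[4026532198]",
                "uts:[4026532199]", "ipc:[4026532200]", "user:[4026531837]"]
HOST_CG = "4:memory:/\n3:cpu,cpuacct:/\n2:blkio:/\n1:net_cls:/\n"
CONTAINER_CG = HOST_CG.replace(":/\n", ":/docker/example-container\n")

def sample_report():
    return compare(parse_ns_links(HOST_NS), parse_cgroup(HOST_CG),
                   parse_ns_links(CONTAINER_NS), parse_cgroup(CONTAINER_CG))
```

In the sample, the `user` namespace is the only one shared with the host, which is what a container looks like when no user-namespace remapping is configured. On a Linux host, `read_live()` returns the same two mappings for a real PID.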
