Namespaces:
Docker relies on Linux kernel features to isolate containers from each other and from the host system. One of the most important of these features is the namespace.
Namespaces provide isolation — they make a container think it's running on its own system, even though it's actually sharing the host kernel with other containers and the host itself.
Here are the main types of namespaces Docker uses:
| Namespace | Description |
|---|---|
| pid | Isolates the process ID number space (each container has its own process tree). |
| net | Provides each container with its own network interfaces and routing table. |
| mnt | Gives each container its own filesystem mount points. |
| ipc | Isolates inter-process communication (e.g., shared memory) between containers. |
| uts | Allows containers to have their own hostname and domain name. |
| user | Isolates user and group ID mappings between the host and container. |
So when you run a container, Docker creates these namespaces for it. This is how containers stay isolated — they don’t share their process tree, network stack, filesystem, or even hostname with other containers or the host.
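The isolation described above is visible from the host: every process exposes its namespaces as symlinks under `/proc/<pid>/ns/`, and two processes share a namespace exactly when the inode numbers in those links match. The following script is an added example (not Docker's own code) that compares a container's main process against the host's PID 1 and reports which boundaries actually hold. The inode numbers in the sample data are constructed; on a real host you would read them with `read_namespaces(1)` and `read_namespaces(<pid>)`, where the container's PID comes from `docker inspect --format '{{.State.Pid}}' <container>`.

```python
"""Namespace-isolation check for a container process (added example, not Docker's code).

Docker gives each container its own pid, net, mnt, ipc and uts namespace (and,
when user-namespace remapping is enabled, a user namespace). Each one appears as
/proc/<pid>/ns/<type>, a symlink whose target reads "<type>:[<inode>]". Two
processes share a namespace exactly when the inode numbers match, so comparing a
container's process with PID 1 on the host shows which boundaries are in place.
"""
import os

NAMESPACE_TYPES = ("pid", "net", "mnt", "ipc", "uts", "user")


def read_namespaces(pid):
    """Return {type: link target} for a live process by reading /proc/<pid>/ns.

    Needs Linux and permission to inspect the target process; types that are
    missing or unreadable are skipped rather than raised.
    """
    result = {}
    for ns in NAMESPACE_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return result


def namespace_inode(link_target):
    """Extract the inode number from a link target such as 'net:[4026531840]'."""
    start = link_target.index("[") + 1
    end = link_target.index("]", start)
    return int(link_target[start:end])


def shared_namespaces(container_ns, host_ns):
    """Return the namespace types the container shares with the host, in
    NAMESPACE_TYPES order. Shared pid/net/mnt means that boundary is absent."""
    shared = []
    for ns in NAMESPACE_TYPES:
        if ns in container_ns and ns in host_ns:
            if namespace_inode(container_ns[ns]) == namespace_inode(host_ns[ns]):
                shared.append(ns)
    return shared


def isolation_report(container_ns, host_ns):
    """One human-readable line per namespace type: isolated, shared or not visible."""
    shared = shared_namespaces(container_ns, host_ns)
    lines = []
    for ns in NAMESPACE_TYPES:
        if ns not in container_ns:
            lines.append(f"{ns}: not visible")
        elif ns in shared:
            lines.append(f"{ns}: SHARED with host")
        else:
            lines.append(f"{ns}: isolated")
    return lines


# Constructed sample data (inode numbers are made up): the host's PID 1, and a
# container started with --network=host and without user-namespace remapping,
# so it shares the net and user namespaces but has its own pid/mnt/ipc/uts.
HOST_NS = {
    "pid": "pid:[4026531836]", "net": "net:[4026531840]", "mnt": "mnt:[4026531841]",
    "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]", "user": "user:[4026531837]",
}
CONTAINER_NS = {
    "pid": "pid:[4026532201]", "net": "net:[4026531840]", "mnt": "mnt:[4026532199]",
    "ipc": "ipc:[4026532200]", "uts": "uts:[4026532198]", "user": "user:[4026531837]",
}

if __name__ == "__main__":
    # On a real host replace the samples with read_namespaces(1) and
    # read_namespaces(<pid from: docker inspect --format '{{.State.Pid}}' NAME>).
    for line in isolation_report(CONTAINER_NS, HOST_NS):
        print(line)
```

A container that reports `net: SHARED with host` or `pid: SHARED with host` was started with `--network=host` or `--pid=host`; those are legitimate for some workloads, but they remove a boundary the text above assumes, so they are worth flagging in an audit.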
Cgroups:
Cgroups, short for control groups, are a feature in the Linux kernel that provide resource isolation and allocation for processes. Cgroups allow you to control and limit the resources (such as CPU, memory, disk I/O, and network bandwidth) that a group of processes can use.
When it comes to Docker containers, cgroups play an important role in resource management and isolation. Docker leverages cgroups to allocate and limit system resources for each container, preventing one container from monopolizing system resources and impacting the performance of other containers or the host system.
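The limits Docker sets through cgroups can be read back from the kernel, which is the simplest way to verify that a container really is bounded. The script below is an added example (not Docker's code) for hosts using cgroup v2: it locates a process's cgroup from `/proc/<pid>/cgroup` and parses `memory.max`, `cpu.max` and `pids.max` under the cgroup mount. The mount point `/sys/fs/cgroup` is an assumption, and the sample file contents are constructed to match a container started with `--memory=512m --cpus=0.5 --pids-limit=100` versus one started with no resource flags.

```python
"""Reading the cgroup v2 limits Docker applied to a container (added example, not Docker's code).

On a cgroup v2 host a container's process belongs to a cgroup whose path is shown in
/proc/<pid>/cgroup as "0::<path>" (for example "0::/docker/<container-id>"). The
limits live in /sys/fs/cgroup/<path>/: memory.max (bytes or "max"), cpu.max
("<quota> <period>" in microseconds, or "max <period>") and pids.max (a count or
"max"). "max" means unlimited, i.e. nothing stops that container from starving
its neighbours for that resource.
"""
import os

CGROUP_ROOT = "/sys/fs/cgroup"  # assumed cgroup v2 mount point; adjust if yours differs
LIMIT_FILES = ("memory.max", "cpu.max", "pids.max")


def parse_cgroup_path(proc_cgroup_text):
    """Return the cgroup v2 path from /proc/<pid>/cgroup, or None if there is no
    unified-hierarchy line (a cgroup v1-only host)."""
    for line in proc_cgroup_text.splitlines():
        if line.startswith("0::"):
            return line[3:]
    return None


def parse_memory_max(text):
    """memory.max: the byte limit as an int, or None for the unlimited value 'max'."""
    value = text.strip()
    return None if value == "max" else int(value)


def parse_cpu_max(text):
    """cpu.max: '<quota> <period>' -> number of CPUs as a float, None if unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_pids_max(text):
    """pids.max: the process-count limit as an int, or None for 'max'."""
    value = text.strip()
    return None if value == "max" else int(value)


PARSERS = {
    "memory.max": parse_memory_max,
    "cpu.max": parse_cpu_max,
    "pids.max": parse_pids_max,
}


def unbounded_resources(limits):
    """Given {'memory.max': text, ...}, list the controllers left unlimited,
    in the order memory, cpu, pids. An empty list means every limit is set."""
    unbounded = []
    for name in LIMIT_FILES:
        if name in limits and PARSERS[name](limits[name]) is None:
            unbounded.append(name.split(".")[0])
    return unbounded


def read_limits(pid, cgroup_root=CGROUP_ROOT):
    """Read the three limit files for a live process. Returns {} when the cgroup
    v2 hierarchy is not available (cgroup v1 host, restricted sandbox, no /proc)."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            path = parse_cgroup_path(f.read())
    except OSError:
        return {}
    if path is None:
        return {}
    limits = {}
    for name in LIMIT_FILES:
        try:
            with open(os.path.join(cgroup_root, path.lstrip("/"), name)) as f:
                limits[name] = f.read()
        except OSError:
            continue
    return limits


# Constructed samples: file contents for a container started with
# `docker run --memory=512m --cpus=0.5 --pids-limit=100 ...` and for one started
# with no resource flags at all.
LIMITED = {"memory.max": "536870912\n", "cpu.max": "50000 100000\n", "pids.max": "100\n"}
UNLIMITED = {"memory.max": "max\n", "cpu.max": "max 100000\n", "pids.max": "max\n"}

if __name__ == "__main__":
    for label, sample in (("limited", LIMITED), ("unlimited", UNLIMITED)):
        print(label, "-> unbounded:", unbounded_resources(sample) or "none")
    # For a running container: read_limits(<pid from docker inspect --format '{{.State.Pid}}' NAME>)
```

Running `unbounded_resources(read_limits(pid))` for each container on a host gives a quick list of the ones that were started without memory, CPU or PID limits, which is the condition the paragraph above warns about: a single container that can monopolize the host.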
Docker client:
This is the command-line tool you use to talk to the daemon; when you run something like:
docker run nginx
The client sends this request to the daemon, which then :
The client and daemon communicate over a REST API, carried over a UNIX socket or a network connection.