DevNet Associate DEVASC 200-901 Official Certification Guide by Adrian Iliesiu

mnt (mountpoints): This namespace is used for mapping access to
host operating system storage resources to the container process.
pid (processes): This namespace is used to create a new process ID
for an application.
net (networks): This namespace is responsible for network access
and mapping communication ports.
ipc (System V IPC): Inter-process communication controls how the
application can access shared memory locations between applications
within containers.
uts (hostname): This namespace controls host and domain names,
allowing unique values per process.
user (UIDs): This namespace is used to map unique user rights to
processes.

Figure 13-22 shows a Linux host using namespaces to
isolate three different containers.


Figure 13-22 Linux Namespace Isolation for
Containers
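
The isolation described above can be checked from the host: every process exposes one symlink per namespace under /proc/<pid>/ns/, and two processes are in the same namespace exactly when the inode numbers in those links match. The following is an added example, not code from the book; the function names and the sample inode values are constructed for illustration.

```python
import os
import re

# The six namespace types listed above, named as under /proc/<pid>/ns/.
NAMESPACES = ("mnt", "pid", "net", "ipc", "uts", "user")
_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_links(links):
    """Map namespace type -> inode number from targets like 'net:[4026531992]'."""
    found = {}
    for target in links:
        m = _LINK.match(target.strip())
        if m and m.group(1) in NAMESPACES:
            found[m.group(1)] = int(m.group(2))
    return found

def read_ns(pid):
    """Read a live process's namespace links (Linux; may need root for other users' PIDs)."""
    return parse_ns_links(os.readlink(f"/proc/{pid}/ns/{n}") for n in NAMESPACES)

def shared_with_host(host_ns, proc_ns):
    """Namespace types in which the process is NOT isolated from the host."""
    return sorted(n for n in NAMESPACES
                  if n in host_ns and host_ns[n] == proc_ns.get(n))

# Constructed sample data (not captured from a real system).
HOST = parse_ns_links([
    "mnt:[4026531840]", "pid:[4026531836]", "net:[4026531992]",
    "ipc:[4026531839]", "uts:[4026531838]", "user:[4026531837]"])
# A container with its own mnt/pid/net/ipc/uts but the host's user namespace.
DEFAULT_CONTAINER = parse_ns_links([
    "mnt:[4026532561]", "pid:[4026532564]", "net:[4026532567]",
    "ipc:[4026532563]", "uts:[4026532562]", "user:[4026531837]"])
# A container that was additionally started on the host's network namespace.
HOST_NET_CONTAINER = dict(DEFAULT_CONTAINER, net=HOST["net"])

if __name__ == "__main__":
    for name, ns in (("default", DEFAULT_CONTAINER), ("host-net", HOST_NET_CONTAINER)):
        print(name, "shares with host:", shared_with_host(HOST, ns))
```

On a live host, shared_with_host(read_ns(1), read_ns(container_pid)) gives the same report for a real container process; any namespace it lists is one where the container sees the host's resources directly.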


Cgroups


Cgroups, or control groups, are used to manage the
resource consumption of each container process. You can
set how much CPU and RAM are allocated as well as
network and storage I/O. Each parameter can be
managed to tweak what the container sees and uses.
These limits are enforced by cgroups through the native
Linux scheduler and serve to restrict hardware-level
resources. Figure 13-23 shows an example of a cgroup
that allocates a maximum of 25% of the various
hardware resources of the container host.
