2.3.2 Cgroup Resource Control
A focused guide to Cgroup Resource Control, connecting core concepts with practical Docker and container operations.
Cgroup resource control is the kernel mechanism Docker uses to limit and account for how much CPU, memory, disk I/O, and other resources a container's processes are allowed to consume, enforced directly by the kernel rather than by the application or by Docker itself at runtime.
Why Resource Control Is Necessary
Without resource limits, a single misbehaving or unexpectedly busy container could consume all of a host's available memory or CPU, degrading or crashing every other container sharing that host. Cgroups give the kernel a way to enforce boundaries per group of processes, preventing this kind of resource exhaustion.
docker run -d --memory=512m --cpus=1 myapp:1.0
This container is restricted to 512 megabytes of memory and the equivalent of one CPU core's worth of processing time, regardless of what else the application might otherwise attempt to consume.
How Limits Are Enforced
Cgroup limits are enforced by the kernel directly: if a container attempts to exceed its memory limit, the kernel's out-of-memory handling targets processes within that specific cgroup, rather than allowing the container to consume memory belonging to the rest of the system.
docker run --memory=64m --rm alpine sh -c "yes | tr '\n' x | head -c 200000000 | grep n"
This pipeline builds a single 200 MB line with no newline in it; grep has to buffer the whole line before it can search it, so the process grows well past the 64 MB ceiling and the kernel's out-of-memory killer terminates it (docker run reports exit status 137, i.e. killed by SIGKILL). Only the processes in that container's cgroup are affected; the rest of the host is untouched.
Inspecting Resource Usage Per Container
Because cgroups also track resource usage, not just limits, the actual consumption of any running container can be inspected directly, which is useful for right-sizing limits based on observed real-world behavior.
docker stats myapp
Resource Control Across Many Containers
When many containers run on the same host, appropriately configured cgroup limits ensure that each container gets a predictable, bounded share of the host's resources, making overall host capacity planning practical, since the maximum possible consumption per container is known in advance.
docker run --memory=256m --cpus=0.5 app-a:1.0
docker run --memory=256m --cpus=0.5 app-b:1.0
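To verify what the kernel actually enforces for a container, rather than trusting the flags it was started with, the added example below (not part of the original guide) translates `--memory`/`--cpus` into the cgroup v2 `memory.max` and `cpu.max` values and audits a cgroup directory for unbounded limits and past OOM kills, which covers both the inspection step above and the per-container ceilings used for capacity planning. The `write_fake_cgroup` stand-in and the cgroup path in the comment are assumptions so that it runs offline.

```python
"""Audit a container's cgroup v2 limits and OOM history (added example)."""
from pathlib import Path

CPU_PERIOD_US = 100_000  # cgroup v2 default period; --cpus=N becomes quota N*period
UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def docker_limits_to_cgroup(memory: str, cpus: float) -> dict:
    """Translate Docker's --memory/--cpus flags into the cgroup v2 file contents."""
    num, unit = memory[:-1], memory[-1].lower()
    mem_bytes = int(num) * UNITS[unit] if unit in UNITS else int(memory)
    return {"memory.max": str(mem_bytes),
            "cpu.max": f"{int(cpus * CPU_PERIOD_US)} {CPU_PERIOD_US}"}


def audit_cgroup(cg: Path) -> dict:
    """Read the limit and accounting files of one cgroup v2 directory.

    On a real host with the systemd driver this is typically
    /sys/fs/cgroup/system.slice/docker-<container id>.scope (assumed path).
    """
    mem_max = (cg / "memory.max").read_text().strip()
    quota, period = (cg / "cpu.max").read_text().split()
    # memory.events lines look like "oom_kill 3"; oom_kill counts kernel OOM kills in this cgroup
    events = dict(line.split() for line in (cg / "memory.events").read_text().splitlines())
    return {
        "memory_limit_bytes": None if mem_max == "max" else int(mem_max),
        "cpu_limit": None if quota == "max" else int(quota) / int(period),
        "oom_kills": int(events.get("oom_kill", 0)),
        "unbounded": mem_max == "max" or quota == "max",  # no ceiling: a noisy-neighbour risk
    }


def write_fake_cgroup(root: Path, memory: str, cpus: float, oom_kills: int) -> Path:
    """Constructed stand-in for a container's cgroup directory so the audit runs offline."""
    root.mkdir(parents=True, exist_ok=True)
    for name, value in docker_limits_to_cgroup(memory, cpus).items():
        (root / name).write_text(value + "\n")
    (root / "memory.events").write_text(
        f"low 0\nhigh 0\nmax 0\noom 0\noom_kill {oom_kills}\n")
    return root


if __name__ == "__main__":
    import tempfile
    cg = write_fake_cgroup(Path(tempfile.mkdtemp()) / "myapp", "512m", 1.0, 0)
    print(audit_cgroup(cg))  # limits for the 512m / 1 CPU container from this section
```

Point `audit_cgroup` at a real container's cgroup directory to confirm the kernel-side ceilings match the run flags and to see whether the OOM killer has already fired.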
Why Cgroup Resource Control Matters
Cgroup-based resource control is what makes multi-tenant container hosting practical and predictable — it converts "how much of the host's resources might this container use" from an open-ended risk into a defined, enforced ceiling.