
2.2.2.4 Runc Cgroup Setup

A focused guide to Runc Cgroup Setup, connecting core concepts with practical Docker and container operations.

Runc cgroup setup is the part of container creation where runc configures Linux control groups (cgroups) to limit and account for the system resources — CPU, memory, I/O — that a container's process is allowed to consume, separate from the namespace isolation that controls what the container can see.

Cgroups Limit Resource Usage, Not Visibility

Where namespaces control what a container can see, cgroups control how much of the host's actual resources it can use. A container can be aware that more memory exists on the host while still being prevented from consuming more than its assigned cgroup limit.

{
  "linux": {
    "resources": {
      "memory": { "limit": 268435456 },
      "cpu": { "shares": 512 }
    }
  }
}

This configuration caps the container at 256 MiB (268435456 bytes) of memory and assigns it 512 CPU shares, a weight that determines its proportional share of CPU time relative to other containers competing for the same host's CPUs.

Enforcing Memory Limits

When a container's memory usage exceeds its configured cgroup limit, the kernel intervenes directly — typically by terminating the offending process — rather than allowing the container to consume memory the host cannot spare.

docker run --memory=128m myapp:memory-intensive

If this container's process attempts to use more than 128 megabytes, the kernel's cgroup enforcement, not the application itself, is what stops it.

CPU Shares and Limits

Cgroups can do two different things for CPU: guarantee a proportional share of CPU time relative to other containers (shares, which only matter under contention), and impose a hard ceiling on CPU usage (a quota) that applies regardless of what else is running on the host.

docker run --cpus=0.5 myapp:1.0

This restricts the container to using, at most, half of one CPU core's worth of processing time, even if the rest of the host's CPU capacity is otherwise idle.

Inspecting Cgroup Configuration Directly

Because cgroups are a real kernel feature exposed through the filesystem, a container's actual resource limits can be inspected directly from the host.

cat /sys/fs/cgroup/memory.max

Read from the cgroup directory the runtime created for a specific container (rather than the cgroup root shown here, where memory.max reads "max" on a cgroup v2 host), this file reports the exact memory ceiling the kernel is enforcing for it; cpu.max in the same directory reports the CPU quota and period.
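The two sections above (the OCI resources block and inspecting the cgroup files) can be tied together with a small host-side audit. The script below is an added example, not part of this page or of runc: it decodes the cgroup v2 control files memory.max, cpu.max and cpu.weight into the OCI-style view runc configured, reproduces the shares-to-weight conversion runc applies when a v1-style "shares" value lands on a cgroup v2 host, and flags containers whose kernel-enforced ceilings are looser than a policy allows. The sample file contents and the policy values are constructed for the example.

```python
from __future__ import annotations
from pathlib import Path

# runc maps a cgroup v1 "shares" value (2..262144) onto the cgroup v2 cpu.weight
# range (1..10000) with this linear formula; constants are the ones in runc's cgroup code.
def shares_to_weight(shares: int) -> int:
    return 0 if shares == 0 else 1 + ((shares - 2) * 9999) // 262142

def parse_memory_max(text: str) -> int | None:
    """memory.max is either 'max' (no ceiling) or a byte count."""
    value = text.strip()
    return None if value == "max" else int(value)

def parse_cpu_max(text: str) -> float | None:
    """cpu.max is '<quota> <period>' in microseconds; quota 'max' means no ceiling.
    Returns the allowed fraction of one CPU, so '50000 100000' -> 0.5 (docker --cpus=0.5)."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)

def read_cgroup_dir(cgroup_dir: Path) -> dict[str, str]:
    """Read the control files this script understands from a container's cgroup v2 directory."""
    names = ("memory.max", "cpu.max", "cpu.weight")
    return {name: (cgroup_dir / name).read_text() for name in names}

def effective_limits(files: dict[str, str]) -> dict:
    """Turn raw control-file contents into an OCI-style 'resources' view."""
    return {
        "memory": {"limit": parse_memory_max(files["memory.max"])},
        "cpu": {"cpus": parse_cpu_max(files["cpu.max"]),
                "weight": int(files["cpu.weight"].strip())},
    }

def audit(files: dict[str, str], max_memory: int, max_cpus: float) -> list[str]:
    """Report ceilings the kernel is NOT enforcing as tightly as the given policy requires."""
    limits = effective_limits(files)
    findings = []
    mem = limits["memory"]["limit"]
    if mem is None or mem > max_memory:
        findings.append(f"memory ceiling {mem} exceeds policy {max_memory}")
    cpus = limits["cpu"]["cpus"]
    if cpus is None or cpus > max_cpus:
        findings.append(f"cpu ceiling {cpus} exceeds policy {max_cpus}")
    return findings

# Constructed samples: a container started with --memory=128m --cpus=0.5 whose spec also
# carried "shares": 512 (weight 20 on cgroup v2), and a container with no ceilings at all.
SAMPLE = {"memory.max": "134217728\n", "cpu.max": "50000 100000\n", "cpu.weight": "20\n"}
UNBOUNDED = {"memory.max": "max\n", "cpu.max": "max 100000\n", "cpu.weight": "100\n"}

if __name__ == "__main__":
    import sys  # optional: pass a container's cgroup directory to audit a live host
    files = read_cgroup_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(effective_limits(files), audit(files, 256 * 1024 * 1024, 1.0))
```

On a live host the cgroup directory is typically found under /sys/fs/cgroup via the cgroup path listed in /proc/<pid>/cgroup for the container's init process.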

Why Cgroup Setup Matters

Cgroup-based resource limits are what prevent one container from monopolizing a shared host's resources at the expense of others, making it practical to run many containers with predictable, bounded resource consumption on the same machine.