What is a Cgroup

A cgroup (control group) is a Linux kernel feature that limits and tracks how much CPU, memory, disk I/O, and network bandwidth a group of processes can use. If namespaces control what a process can see, cgroups control what it can consume.

How it works

Cgroups organize processes into a hierarchy exposed as a filesystem at /sys/fs/cgroup. Each directory is a cgroup. Resource controllers attach limits: memory.max caps memory usage, cpu.max sets CPU quota, pids.max limits process count, and io.max throttles disk I/O.

When docker run --memory=512m executes, Docker creates a cgroup with memory.max = 512000000 and places the container's PID in it. If the container exceeds the limit, the kernel's OOM killer terminates a process in the cgroup.

Cgroup v2 (the modern version) uses a unified hierarchy: all controllers share one tree, and each process belongs to exactly one cgroup. The older v1 had separate hierarchies per controller. Most modern distributions default to v2.
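
The controller files described above can be audited directly. This is an added example, not part of the original page: a Python check that walks a cgroup v2 tree and reports every populated cgroup where memory.max, cpu.max, pids.max or io.max carries no limit. The sample tree, its cgroup names and its values are constructed so the code runs offline; on a real host, pass /sys/fs/cgroup to audit().

```python
import tempfile
from pathlib import Path

# Controller interface files named in the text (cgroup v2).
LIMIT_FILES = ("memory.max", "cpu.max", "pids.max", "io.max")

def read_file(path):
    """Return stripped content, or None when the file does not exist."""
    return path.read_text().strip() if path.is_file() else None

def is_unlimited(name, value):
    """cgroup v2 stores the literal 'max' where no limit is set."""
    if value is None:
        return True  # controller not enabled for this cgroup
    if name == "cpu.max":
        return value.split()[:1] == ["max"]  # format: "<quota> <period>"
    if name == "io.max":
        return value == ""  # no per-device throttle lines
    return value == "max"

def audit(root):
    """Map each populated cgroup to the controllers that have no limit."""
    findings = {}
    for procs in sorted(Path(root).rglob("cgroup.procs")):
        if not read_file(procs):
            continue  # no member processes in this cgroup
        cg = procs.parent
        open_ended = [n for n in LIMIT_FILES if is_unlimited(n, read_file(cg / n))]
        if open_ended:
            findings[str(cg.relative_to(root))] = open_ended
    return findings

def demo():
    """Run the audit over a constructed tree standing in for /sys/fs/cgroup."""
    sample = {  # constructed sample data; names and values are made up
        "capped": {"cgroup.procs": "4242\n", "memory.max": "268435456\n",
                   "cpu.max": "50000 100000\n", "pids.max": "256\n",
                   "io.max": "8:0 rbps=1048576 wbps=max riops=max wiops=max\n"},
        "uncapped": {"cgroup.procs": "4343\n", "memory.max": "max\n",
                     "cpu.max": "max 100000\n", "pids.max": "max\n", "io.max": ""},
    }
    with tempfile.TemporaryDirectory() as root:
        for cg, files in sample.items():
            (Path(root) / cg).mkdir()
            for name, content in files.items():
                (Path(root) / cg / name).write_text(content)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

On a live host the root cgroup appears as "." with every controller unlimited, since limits are set only on child cgroups.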

Why it matters

Cgroups are the resource enforcement half of containers. Without them, a single runaway container could consume all the host's memory or CPU, starving every other container. Cgroups explain why Kubernetes pod memory limits work, how the OOM killer decides what to terminate, and why docker stats can show per-container resource usage.

See How Cgroups Work for controllers, v1 vs v2, and Kubernetes integration.