Cgroups

Control Groups (cgroups) are a Linux kernel feature that aggregates processes into hierarchical groups and applies resource limits — CPU, memory, disk I/O, and network bandwidth — to each group. Originally developed by Paul Menage and Rohit Seth at Google in 2006, cgroups were designed to solve a specific problem: how to prevent a single runaway process in a shared compute cluster from exhausting resources needed by other jobs. They became the resource-control complement to namespaces, and together the two mechanisms form the technical foundation of modern containers.

The cgroups v1 interface exposed separate hierarchies for each resource controller, leading to complexity and inconsistency. The redesigned cgroups v2, merged into the Linux kernel in 2016, unified these hierarchies into a single tree with explicit delegation semantics. The v2 redesign reflects a deeper systems principle: resource control is not merely about limiting consumption but about establishing accountability — every unit of resource consumption must be attributable to a specific actor in the system.

cgroups are the most important systems technology that no developer thinks about. They are the invisible infrastructure that makes cloud computing economically viable: without cgroups, a multi-tenant platform like AWS or Google Cloud would be impossible, because any customer's process could starve every other customer. The fact that this mechanism is kernel-level and largely opaque to application developers is both its strength (it cannot be bypassed) and its weakness (it cannot be reasoned about from user space). The boundary between 'what the kernel controls' and 'what the developer understands' is itself a container boundary, and it leaks.