Mastering Container Monitoring: Unveiling Linux Kernel Features for Optimal Docker and Kubernetes Performance
May 30, 2026
The broader container ecosystem (Docker, Kubernetes, Fargate, and similar platforms) rests on two foundational Linux kernel features; the article explains both and offers practical guidance for monitoring container behavior by inspecting namespace and cgroup state.
Containers are built from two kernel primitives: namespaces and cgroups, which isolate what a process sees and what it can consume.
Cgroups act as the resource accountant, grouping processes and enforcing limits on CPU, memory, PID count, block I/O, and other resources, with version 2 unifying the hierarchy and adding PSI for better insight.
Key controllers include CPU, memory, PID, and block I/O; together they prevent resource contention and abuse within containers, and each is configured through interface files such as cpu.weight, cpu.max, memory.high, and memory.max.
Docker and Kubernetes sit atop these primitives, with Kubernetes mapping its pod and QoS concepts to cgroup hierarchies (kubepods) and enforcing resource limits accordingly.
Namespaces provide isolated views for resources such as filesystem mounts, processes (PID), network, users, UTS, IPC, cgroups, and time, enabling per-container isolation and security.
Practical guidance runs throughout: how to observe limits, how OOM events are triggered within a cgroup, and how to diagnose slow or throttled containers by inspecting kernel interfaces and metrics.
The interaction of namespaces and cgroups is formalized by the Open Container Initiative Runtime Specification; runtimes like runc implement the necessary kernel calls to configure namespaces and cgroups before launching the user application.
Version 1 of cgroups used separate per-controller hierarchies, which led to fragmentation; version 2 consolidates them into a single unified hierarchy with more consistent semantics and new metrics such as PSI.
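As an added example (not code from the summarised article), the following reads the cgroup v2 interface files the summary names (cpu.max, cpu.stat, memory.max, memory.events, and the PSI file memory.pressure) and turns them into the throttling, OOM and pressure findings a monitoring check would report; the 25% throttling threshold and the SAMPLE file contents are constructed for illustration.

```python
"""cgroup v2 health check: flags CPU throttling, memory pressure and OOM kills (added example; SAMPLE is constructed)."""
from pathlib import Path
FILES = ["cpu.stat", "cpu.max", "memory.max", "memory.current", "memory.events", "memory.pressure"]

def parse_kv(text):
    """'key value' lines as used by cpu.stat and memory.events."""
    return {k: int(v) for k, v in (l.split() for l in text.splitlines() if l.strip())}

def parse_cpu_max(text):
    """cpu.max is '<quota> <period>' in microseconds; quota 'max' means unlimited."""
    quota, period = text.split()
    return (None if quota == "max" else int(quota)), int(period)

def parse_pressure(text):
    """PSI lines: 'some avg10=.. avg60=.. avg300=.. total=..' plus a 'full' line."""
    res = {}
    for line in text.splitlines():
        kind, *fields = line.split()
        res[kind] = {k: float(v) for k, v in (f.split("=") for f in fields)}
    return res

def diagnose(files):
    """files maps interface-file name to its content; returns findings."""
    cpu = parse_kv(files["cpu.stat"])
    quota, period = parse_cpu_max(files["cpu.max"])
    periods = cpu.get("nr_periods", 0)
    throttled = cpu.get("nr_throttled", 0) / periods if periods else 0.0
    mem_max = files["memory.max"].strip()
    usage = None if mem_max == "max" else int(files["memory.current"]) / int(mem_max)
    return {
        "cpu_limit_cores": None if quota is None else quota / period,
        "throttled_ratio": round(throttled, 3),
        "cpu_throttled": throttled > 0.25,  # constructed threshold: >25% of periods hit the quota
        "mem_usage_ratio": None if usage is None else round(usage, 3),
        "oom_kills": parse_kv(files["memory.events"]).get("oom_kill", 0),
        "mem_pressure_some_avg10": parse_pressure(files["memory.pressure"])["some"]["avg10"],
    }

def read_cgroup(path="/sys/fs/cgroup"):
    """Run diagnose() against a live cgroup v2 directory (e.g. a kubepods leaf cgroup)."""
    return diagnose({n: (Path(path) / n).read_text() for n in FILES})

SAMPLE = {  # constructed contents for a container limited to 0.5 CPU and running near its memory limit
    "cpu.stat": "usage_usec 9000000\nuser_usec 8000000\nsystem_usec 1000000\nnr_periods 1000\nnr_throttled 400\nthrottled_usec 12000000\n",
    "cpu.max": "50000 100000\n",
    "memory.max": "536870912\n",
    "memory.current": "483183820\n",
    "memory.events": "low 0\nhigh 12\nmax 3\noom 1\noom_kill 1\n",
    "memory.pressure": "some avg10=8.50 avg60=4.10 avg300=1.20 total=9876543\nfull avg10=2.00 avg60=1.00 avg300=0.30 total=1234567\n",
}
```

On a live host, `read_cgroup("/sys/fs/cgroup/kubepods.slice/...")` yields the same dictionary for a real pod cgroup, provided the host uses the unified cgroup v2 hierarchy.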
Source

DEV Community • May 30, 2026
cgroups and Namespaces — The Linux Kernel's Building Blocks Behind Containers