Control Groups and Capabilities
Let's look at control groups and capabilities in Linux.
Control groups
If namespaces are about isolation, control groups (cgroups) are about limits.
Think of containers as similar to rooms in a hotel. While each room might appear to be isolated, they actually share many things, such as water, electricity, air conditioning, a swimming pool, a gym, elevators, a breakfast bar, and more. Containers are similar—even though they’re isolated, they share many common resources, such as the host’s CPU, RAM, network I/O, and disk I/O.
Docker uses cgroups to limit a container’s use of these shared resources and prevent any container from consuming them all and causing a denial of service (DoS) attack.
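To see the limits cgroups actually impose, here is an added example (not part of the course text) that reads the cgroup v2 limit files Docker writes when a container is started with `--cpus`, `--memory` and `--pids-limit`, and flags any resource left unbounded. The file names and formats (`cpu.max`, `memory.max`, `pids.max`) are the real cgroup v2 ones; the sample file contents are constructed, and the assumption that the container's own cgroup is mounted at `/sys/fs/cgroup` holds for Docker on a cgroup v2 host.

```python
"""Read the cgroup v2 limits Docker applied to a container.

Added example (not from the course text). Docker translates flags such as
`--cpus 0.5`, `--memory 256m` and `--pids-limit 100` into files inside the
container's cgroup directory; this parses those files so you can confirm the
limits actually took effect. File names and formats are the cgroup v2 ones
(`cpu.max`, `memory.max`, `pids.max`); the sample contents are constructed.
"""
import os

# Constructed sample: what the three files contain for a container started with
# `docker run --cpus 0.5 --memory 256m --pids-limit 100 ...` on cgroup v2.
SAMPLE_LIMITS = {
    "cpu.max": "50000 100000\n",      # quota 50000us per 100000us period = 0.5 CPU
    "memory.max": "268435456\n",      # 256 MiB in bytes
    "pids.max": "100\n",
}

# Constructed sample for a container started with no limits at all.
UNLIMITED = {"cpu.max": "max 100000\n", "memory.max": "max\n", "pids.max": "max\n"}


def parse_limits(files):
    """Map {filename: contents} to a dict of limits; None means 'no limit'."""
    limits = {}

    quota, period = files["cpu.max"].split()
    limits["cpus"] = None if quota == "max" else int(quota) / int(period)

    mem = files["memory.max"].strip()
    limits["memory_bytes"] = None if mem == "max" else int(mem)

    pids = files["pids.max"].strip()
    limits["pids"] = None if pids == "max" else int(pids)
    return limits


def read_limits(cgroup_dir="/sys/fs/cgroup"):
    """Read the limit files for the cgroup this process lives in (cgroup v2).

    Assumption: inside a Docker container on a cgroup v2 host the container's
    own cgroup is mounted at /sys/fs/cgroup, so the default works from within;
    on the host, pass the container's cgroup directory instead.
    """
    files = {}
    for name in ("cpu.max", "memory.max", "pids.max"):
        with open(os.path.join(cgroup_dir, name)) as fh:
            files[name] = fh.read()
    return parse_limits(files)


def check_dos_guard(limits):
    """Return the resources a container could exhaust because no limit is set."""
    return [name for name, value in limits.items() if value is None]


if __name__ == "__main__":
    print(parse_limits(SAMPLE_LIMITS))
    print("unbounded:", check_dos_guard(parse_limits(UNLIMITED)))
```

Run it inside a container with `python3 limits.py` after replacing the sample call with `read_limits()`; an empty list from `check_dos_guard` means every one of the three shared resources has a ceiling, which is the property the DoS argument above depends on.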
Capabilities
The Linux root user is extremely powerful, and you shouldn’t use it to run apps and containers.
However, it’s not as simple as running them as non-root users, as most non-root users are so powerless that they are practically useless. What’s needed is a way to run apps and containers with the exact set of permissions they need — nothing more, nothing less.
This is where capabilities come to the rescue.
Under the hood, the Linux root user is a combination of a long list of capabilities. Some of these capabilities include:
CAP_CHOWN: lets you change file ownership
CAP_NET_BIND_SERVICE: lets you bind a socket to low-numbered network ports
CAP_SETUID: lets you elevate the privilege level of a process
CAP_SYS_BOOT: lets you reboot the system
The list goes on and is long.
Docker leverages capabilities so that you can run containers as root but strip out all the capabilities you don’t need. For example, suppose the only capability your container needs is the ability to bind to low-numbered network ports. In that case, Docker can start the container as root, drop all root capabilities, and then add back the CAP_NET_BIND_SERVICE capability.
This is a good example of implementing the principle of least privilege, as you end up with a container that only has the capabilities it needs. Docker also sets restrictions to prevent containers from re-adding dropped capabilities.
Docker ships with sensible out-of-the-box capabilities, but you should configure your own for your production apps and containers. However, configuring your own requires extensive effort and testing.
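Testing your own capability set starts with knowing what a process actually holds. The following is an added example (not from the course text): it decodes the capability bitmasks the kernel reports in /proc/<pid>/status, so from inside a container you can confirm both the effective set (CapEff) and the bounding set (CapBnd, the ceiling that stops dropped capabilities from being re-added). The bit numbers come from the kernel's <linux/capability.h>; the status text in the sample is constructed to match a container started with `docker run --cap-drop ALL --cap-add NET_BIND_SERVICE`, and the mask 0xa80425fb is Docker's default root capability set.

```python
"""Decode the capability bitmasks that the kernel reports in /proc/<pid>/status.

Added example (not from the course text). It lets you verify, from inside a
container, which root capabilities actually remained after Docker's
--cap-drop/--cap-add processing. Bit numbers follow <linux/capability.h>.
"""
import re

# Capability names indexed by their bit number in the kernel's capability masks.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_mask(hex_mask):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into names."""
    value = int(hex_mask, 16)
    names = []
    bit = 0
    while value:
        if value & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        value >>= 1
        bit += 1
    return names


def caps_from_status(status_text):
    """Extract the effective (CapEff) and bounding (CapBnd) sets from a status file.

    The bounding set is what matters for "re-adding" capabilities: anything
    outside CapBnd cannot be regained by the process or its children.
    """
    found = dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M))
    return {key: decode_mask(found[key]) for key in ("CapEff", "CapBnd") if key in found}


def current_process_caps():
    """Read the live masks for this process (Linux only)."""
    with open("/proc/self/status") as fh:
        return caps_from_status(fh.read())


# Constructed sample: the Cap* lines as they look for PID 1 in a container
# started with `docker run --cap-drop ALL --cap-add NET_BIND_SERVICE ...`.
# The mask 0x400 is bit 10, i.e. CAP_NET_BIND_SERVICE alone.
CONSTRUCTED_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""

# Docker's default effective set for root in a container (mask 0xa80425fb).
DOCKER_DEFAULT_MASK = "00000000a80425fb"

if __name__ == "__main__":
    print("locked-down container:", caps_from_status(CONSTRUCTED_STATUS))
    print("docker default set   :", decode_mask(DOCKER_DEFAULT_MASK))
```

Calling `current_process_caps()` from inside a running container is the check to keep in your test suite: if CapBnd lists more than the capabilities your app needs, the `--cap-drop`/`--cap-add` configuration for that image is not yet at least privilege.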