Control groups, or cgroups, are a Linux kernel feature that, in the words of the cgroups(7) manual page, “allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored.” Where namespaces give a process group an isolated view of the system, cgroups govern how much of the machine that group is allowed to consume.
The mechanism is built from controllers, each managing one class of resource. The cgroups(7) page describes a cpu controller that provides CPU share guarantees and bandwidth limits, a memory controller for “reporting and limiting of process memory, kernel memory, and swap used by cgroups,” and a blkio controller that throttles and caps access to block devices. Further controllers cover devices, process freezing, network classification, and process counts.
The initial cgroups implementation appeared in Linux 2.6.24, as documented in cgroups(7). Because the original design grew inconsistent and complex, a second version was developed; the kernel’s cgroup-v2 admin guide records that cgroup v2 uses a single unified hierarchy, mounted with a dedicated cgroup2 filesystem, and distributes resources top-down so that a child can only receive what its parent has been granted. Resources are apportioned by weights, hard limits, and protected minimums.
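Because resources are distributed top-down, a group's effective hard limit is the smallest value set on the group itself or on any of its ancestors, whatever the group's own file says. The script below is an added example, not code from the kernel documentation or from this page; it assumes the cgroup v2 interface files `memory.max` and `pids.max` and the `0::/path` entry of `/proc/<pid>/cgroup`, uses hypothetical function names, and runs against a constructed directory tree standing in for a cgroup2 mount.

```shell
#!/bin/sh
# Added example (not from the page). Assumes the cgroup2 filesystem layout:
# one directory per group, limits in files such as memory.max and pids.max.

# v2_path FILE: print the cgroup v2 path from a /proc/<pid>/cgroup-style file.
# The v2 entry has hierarchy ID 0 and no controller list: "0::/path".
v2_path() {
    sed -n 's/^0:://p' "$1" | head -n 1
}

# effective_limit ROOT CGPATH FILE: walk from the group up to the hierarchy
# root and print the smallest numeric FILE value found on the way.
# "max" or a missing file means that level adds no limit of its own.
effective_limit() {
    root=$1 path=${2%/} file=$3 best=max
    while :; do
        val=
        if [ -r "$root$path/$file" ]; then
            val=$(cat "$root$path/$file")
        fi
        case $val in
            ''|*[!0-9]*) ;;                       # "max", empty or absent
            *) if [ "$best" = max ] || [ "$val" -lt "$best" ]; then
                   best=$val
               fi ;;
        esac
        if [ -z "$path" ]; then break; fi         # reached the root
        path=${path%/*}
    done
    echo "$best"
}

# make_sample_tree DIR: constructed stand-in for a cgroup2 mount, so the
# example runs without a real cgroup hierarchy or root privileges.
make_sample_tree() {
    mkdir -p "$1/pods/app" "$1/free"
    echo 536870912  > "$1/pods/memory.max"        # parent: 512 MiB
    echo 1073741824 > "$1/pods/app/memory.max"    # child claims 1 GiB
    echo max        > "$1/pods/pids.max"
    echo 100        > "$1/pods/app/pids.max"
    printf '0::/pods/app\n' > "$1/proc_cgroup"    # constructed /proc/<pid>/cgroup
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
cg=$(v2_path "$tmp/proc_cgroup")
echo "group:      $cg"
echo "memory.max: $(effective_limit "$tmp" "$cg" memory.max)"
echo "pids.max:   $(effective_limit "$tmp" "$cg" pids.max)"
rm -rf "$tmp"
```

On a live system, pass the cgroup2 mount point (commonly `/sys/fs/cgroup`) as ROOT and `/proc/self/cgroup` to `v2_path`; a result of `max` means no ancestor caps that resource, which is worth flagging when auditing container hosts.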
Together with Linux namespaces, cgroups are one of the two kernel primitives that make modern containers possible: namespaces decide what a containerized process can see, and cgroups decide how much it can take.