Unit3 CC

Virtualization in cloud computing allows physical resources to be divided into multiple virtual resources, enhancing efficiency and enabling services like IaaS, PaaS, and SaaS. It involves a hypervisor managing virtual machines, with various types including server, storage, network, desktop, and application virtualization. Key benefits include resource sharing, scalability, cost reduction, and improved security, while challenges include performance overhead and management complexity.

Uploaded by blessynethala33

Virtualization in Cloud Computing

Definition

Virtualization in cloud computing is a technology that allows a single physical computing resource (such as a server, storage device, or network) to be divided into multiple virtual resources. Each virtual resource behaves like an independent system, enabling efficient utilization of hardware.

Why Virtualization is Important in Cloud Computing

Virtualization is the core enabling technology of cloud computing because it provides:

• Resource sharing among multiple users
• Scalability and flexibility
• Cost reduction
• Isolation between applications
• On-demand provisioning

Without virtualization, cloud services like IaaS, PaaS, and SaaS would not be possible.

How Virtualization Works

• A software layer called a Hypervisor (Virtual Machine Monitor – VMM) sits between the hardware and the operating systems.
• The hypervisor creates and manages multiple Virtual Machines (VMs).
• Each VM has its own OS, CPU, memory, storage, and network, even though they share the same physical hardware.
Types of Virtualization in Cloud Computing

1. Server Virtualization
• A single physical server is divided into multiple VMs.
• Each VM runs its own operating system.
• Example: AWS EC2, OpenStack Nova
Benefits: Better hardware utilization, isolation, easy management

2. Storage Virtualization
• Combines multiple physical storage devices into a single virtual storage pool.
• Cloud users see storage as one logical unit.
• Example: Amazon S3, Google Cloud Storage
Benefits: Scalability, easy backup, fault tolerance

3. Network Virtualization
• Virtual networks are created on top of physical networks.
• Includes VLANs, virtual switches, and software-defined networking (SDN).
• Example: OpenStack Neutron
Benefits: Improved security, flexible network configuration

4. Desktop Virtualization
• User desktops are hosted on cloud servers and accessed remotely.
• Example: Virtual Desktop Infrastructure (VDI)
Benefits: Centralized management, remote access

5. Application Virtualization
• Applications run in isolated environments without being installed on the local OS.
• Example: Docker containers (lightweight virtualization)
Benefits: Faster deployment, portability
Hypervisors in Cloud Computing

Type 1 (Bare-Metal Hypervisor)
• Runs directly on hardware.
• High performance and security.
• Examples: VMware ESXi, Xen, KVM
• Used in cloud data centers.

Type 2 (Hosted Hypervisor)
• Runs on top of an existing OS.
• Examples: VirtualBox, VMware Workstation
• Used for testing and development.

Virtualization vs Cloud Computing

| Virtualization           | Cloud Computing   |
|--------------------------|-------------------|
| Technology               | Service model     |
| Creates VMs              | Delivers services |
| Resource abstraction     | On-demand access  |
| Used inside data centers | Used by end users |

➡️ Virtualization is the foundation; cloud computing is the service built on it.

Advantages of Virtualization
• Efficient resource utilization
• Reduced hardware cost
• High availability and fault tolerance
• Easy backup and disaster recovery
• Faster provisioning

Challenges of Virtualization
• Performance overhead
• Security vulnerabilities (VM escape)
• Complex management
• Licensing issues

Real-Time Example
In OpenStack, virtualization is used to:
• Create virtual machines (Nova)
• Manage virtual networks (Neutron)
• Provide virtual storage (Cinder, Swift)
Characteristics of Virtualized Environments

1. Virtualization Concept
Virtualization is the creation of a virtual (software-based) version of computing resources such as:
• Hardware
• Operating systems
• Storage
• Networks
Instead of directly using physical resources, users interact with virtual resources created by software.

2. Main Components of a Virtualized Environment
A virtualized environment has three main components:
1. Host
   o The physical machine (hardware and sometimes OS)
   o Provides actual CPU, memory, storage, and network resources
2. Guest
   o The virtual system (OS, applications, or users)
   o Runs on virtual resources instead of physical hardware
3. Virtualization Layer
   o Also called Virtual Machine Manager (VMM) or Hypervisor
   o Creates and manages the virtual environment
   o Acts as a bridge between guest and host

3. Software-Based Abstraction
• Virtual environments are created and controlled by software
• This abstraction allows:
   o Better flexibility
   o Efficient resource usage
   o Easier management
• Modern hardware support has reduced virtualization overhead
Key Characteristics of Virtualized Environments

4. Increased Security
Virtualization improves security by:
• Running guests in isolated environments
• Filtering and controlling guest operations
• Protecting host resources from malicious guest actions
Examples:
• Java Virtual Machine (JVM) sandbox
• .NET runtime security policies
• VirtualBox / VMware virtual machines
• VPNs for secure virtual networking
➡️ Untrusted applications can run safely without affecting the host.

5. Managed Execution
Virtualization enables better control and management of execution using the following features:

a) Sharing
• Multiple virtual machines share the same physical hardware
• Improves hardware utilization
• Reduces the number of physical servers and power consumption
Meaning:
One physical computer is shared by many virtual machines.
Example:
One server runs 3 virtual machines:
• VM1: Web server
• VM2: Database
• VM3: Email server
Example: Cloud data centers running many VMs on one server

b) Aggregation
• Multiple physical machines are combined and presented as one virtual system
• Used in distributed systems and clusters
Example: Cluster management software

c) Emulation
Meaning:
Running software made for different hardware or old systems.
Example:
• Playing old DOS games on Windows
• Using an Android emulator on a PC

d) Isolation
• Each guest runs in a separate environment
• Guests do not interfere with each other
• Host is protected from guest failures or attacks
Benefits:
• Fault isolation
• Security isolation
• Stable multi-tenant environments

Additional Capabilities

6. Performance Tuning
Virtualization allows fine-grained control over performance:
• Limit CPU usage
• Allocate specific memory size
• Control I/O and network bandwidth
➡️ Enables Quality of Service (QoS) and Service Level Agreements (SLA)

7. State Capture and Migration
• Virtual machines can be:
   o Paused
   o Saved
   o Moved
   o Resumed on another host
This process is called Virtual Machine Migration.
Example: Xen Hypervisor live migration
➡️ Useful for load balancing, maintenance, and fault tolerance in data centers.
Virtualized Environment – Simple Explanation with Examples

What is Virtualization?
Virtualization means creating a virtual (software-based) version of a computer, storage, or network instead of using physical resources directly.

Example:
Running Windows inside your laptop using VirtualBox.

Main Parts of a Virtualized Environment

| Component            | Simple Meaning           | Example             |
|----------------------|--------------------------|---------------------|
| Host                 | Real physical machine    | Your laptop         |
| Guest                | Virtual system           | Windows/Linux VM    |
| Virtualization Layer | Software that creates VM | VirtualBox / VMware |

6. Performance Tuning
Meaning:
Control how much CPU, RAM, or storage a VM can use.
Example:
• VM gets only 2 GB RAM from an 8 GB system
• CPU usage limited to 50%

7. Virtual Machine Migration
Meaning:
Move a running VM from one computer to another.
Example:
A cloud provider moves your VM to another server without stopping your application.

Virtualization uses software to create secure, isolated, and manageable virtual systems that share physical resources efficiently.
Taxonomy of Virtualization Techniques

Execution Virtualization
Execution virtualization refers to the ability to run applications or operating systems in an isolated virtual environment. It can be classified based on the type of host support required.
Execution virtualization is broadly divided into:
1. Process-Level Virtualization
2. System-Level Virtualization

1. Process-Level Virtualization
Process-level virtualization runs on top of an existing operating system.
• The host OS fully controls the hardware.
• The virtualization layer works as a program or runtime environment.
• Only a single process or application is virtualized, not the entire OS.
Key Point: It provides a virtual execution environment for one program at a time.

Types of Process-Level Virtualization

(a) Emulation (Application-Level Virtualization)
• The software imitates another hardware or operating system.
• Allows applications built for one platform to run on another.
Example:
• Running Android apps on Windows using an Android emulator.
• Running old DOS games on modern computers.
Advantage:
• High portability.
Disadvantage:
• Slow performance (because everything is simulated).

(b) High-Level Virtual Machines (Programming-Level Virtualization)
• Provides a virtual platform for programming languages.
• The program runs on a virtual machine, not directly on hardware.
Example:
• Java Virtual Machine (JVM)
• .NET CLR
How it works:
• Java code → Compiled into Bytecode → Executed by JVM.
Advantage:
• Platform independence ("Write Once, Run Anywhere").

(c) Multiprogramming (OS-Level Sharing)
• The operating system shares CPU among multiple programs.
• Each process feels like it is running independently.
Example:
• Running MS Word, Chrome, and VLC at the same time.
Note:
• Not true virtualization, but provides isolated execution.

2. System-Level Virtualization
System-level virtualization virtualizes the entire operating system.
• Runs directly on hardware or uses a hypervisor.
• Multiple OS instances (Virtual Machines) run on the same physical machine.
• Each VM has its own OS, memory, CPU, and storage.
Key Point:
It creates complete virtual machines.

Types of System-Level Virtualization

(a) Full Virtualization
• The complete hardware is simulated.
• Guest OS does not know it is virtualized.
• No modification to guest OS is required.
Example:
• VMware
• VirtualBox
Advantage:
• Strong isolation.
• Can run any OS.

(b) Paravirtualization
• Guest OS is modified to communicate with the hypervisor.
• Improves performance compared to full virtualization.
Example:
• Xen Hypervisor
Advantage:
• Better performance.
• Lower overhead.
Disadvantage:
• Requires OS modification.

(c) Hardware-Assisted Virtualization
• Uses special CPU instructions (Intel VT-x, AMD-V).
• Hardware supports virtualization directly.
Example:
• Modern VMware
• KVM
• Hyper-V
Advantage:
• High performance.
• No need to modify guest OS.

(d) Partial Virtualization
• Only some hardware components are virtualized.
• Guest OS may need modification.
Advantage:
• Less overhead than full virtualization.
Disadvantage:
• Limited compatibility.

Simple Comparison Table

| Feature          | Process-Level      | System-Level          |
|------------------|--------------------|-----------------------|
| Scope            | Single application | Entire OS             |
| Host OS Required | Yes                | Not necessarily       |
| Performance      | Moderate           | High                  |
| Examples         | JVM, Emulators     | VMware, Xen, KVM      |
| Hardware Control | Managed by Host OS | Managed by Hypervisor |

Diagram (Conceptual Understanding)

Process-Level (top to bottom):
  Application
  Virtual Runtime (JVM/Emulator)
  Host OS
  Hardware

System-Level (top to bottom):
  VM1 (OS + Apps) | VM2 (OS + Apps)
  Hypervisor
  Hardware

Execution virtualization is classified into process-level and system-level virtualization. Process-level virtualization runs on top of a host OS and virtualizes a single program (e.g., JVM, emulators). System-level virtualization creates complete virtual machines using hypervisors and includes full virtualization, paravirtualization, hardware-assisted virtualization, and partial virtualization.

Technology Examples: Xen and VMware

Xen – Paravirtualization (PV)

What is Xen?
Xen is a Type-1 (bare-metal) hypervisor.
It runs directly on hardware, and above it multiple virtual machines (VMs) run.
Unlike full virtualization, Paravirtualization (PV) requires the guest OS to be modified so it is aware that it is running in a virtualized environment.
The diagram shows:
• CPU privilege rings (Ring 0–3)
• Xen Hypervisor
• Domain 0 (Management Domain)
• Domain U (Guest VMs)
• Hardware

1. Hardware (Bottom Layer)
• Real physical machine (x86 system)
• CPU, Memory, I/O devices
⬆ Hardware sends traps to Xen when privileged instructions occur.

(x86 is a family of processor architectures developed by:
• Intel
• Advanced Micro Devices
It includes:
• 32-bit (IA-32)
• 64-bit (x86-64 / AMD64)
Most PCs, laptops, and servers use x86 CPUs.)
x86 is the instruction set architecture (ISA), the CPU design that defines:
• Instructions
• Registers
• Privilege rings
• Memory model
Virtualization works by controlling how x86 instructions execute.

2. Xen Hypervisor (Ring 0)
• Runs in Ring 0 (most privileged level)
• Controls:
   o Memory management
   o CPU scheduling
   o Device I/O
   o Interrupt handling
In Xen PV, the hypervisor directly controls hardware.

3. Domain 0 (Dom0) – Management Domain
• Special privileged VM
• Has:
   o VM management tools
   o Device drivers
   o Access to hypervisor
• Responsible for:
   o Creating/destroying VMs
   o Managing I/O for other domains
Think of Dom0 as the administrator VM.

4. Domain U (DomU) – Guest Domains
• Normal virtual machines
• Run modified guest OS
• Cannot execute privileged instructions directly
Instead:
• They use hypercalls to request services from Xen
Example:
Instead of executing a hardware instruction directly, the guest OS:
makes a hypercall → Xen → Hardware
This is the key idea of Paravirtualization.

5. User Applications (Ring 3)
• Normal applications
• Run unmodified
• No idea that virtualization exists
• Use standard OS system calls

How Privileged Instructions Work in Xen PV
In a normal OS:
Application → OS (Ring 0) → Hardware
In Xen Paravirtualization:
Application → Guest OS → Hypercall → Xen → Hardware
Because:
• Guest OS is modified
• It does NOT execute privileged instructions directly
• It cooperates with the hypervisor

CPU Ring Structure in Diagram

| Ring     | Who Runs Here       |
|----------|---------------------|
| Ring 3   | User Applications   |
| Ring 1/2 | Guest OS (modified) |
| Ring 0   | Xen Hypervisor      |

Important: Guest OS does NOT run in Ring 0; Xen occupies Ring 0. This ensures security and isolation.

Why is Paravirtualization Fast?
Because:
• No need for full binary translation
• Guest OS is aware of virtualization
• Uses efficient hypercalls
So performance is close to native.

Advantages of Xen Paravirtualization
✔ High performance
✔ Better memory management
✔ Efficient I/O
✔ Strong isolation

Disadvantages
• Guest OS must be modified
• Cannot run unmodified OS (like old Windows)

Simple Real-Life Analogy
Imagine:
• Hardware = Government office
• Xen = Security guard
• Dom0 = Manager
• DomU = Employees
• Applications = Visitors
Employees (DomU) cannot directly access government records.
They must request through the security guard (Xen).

One-Line Exam Definition
Xen Paravirtualization is a virtualization technique where the guest OS is modified to replace privileged instructions with hypercalls to the Xen hypervisor, which runs directly on hardware.
Full Virtualization

VMware: Full Virtualization
VMware’s technology is based on the concept of full virtualization, where the underlying hardware is replicated and made available to the guest operating system. The guest OS runs unaware of the abstraction layers and does not need to be modified. VMware implements full virtualization in:
• Desktop environments – using Type II hypervisors
• Server environments – using Type I hypervisors

This diagram represents the Full Virtualization reference model.
Unlike paravirtualization (like Xen PV mode), in Full Virtualization:
• Guest OS is NOT modified
• Hypervisor handles privileged instructions using binary translation or hardware traps

Layers in the Diagram (Bottom to Top)

1. Hardware (x86 System)
• Real physical CPU, memory, and devices
• Supports privilege rings (Ring 0 to Ring 3)
When sensitive instructions occur:
➡ Hardware generates a trap
➡ Control goes to hypervisor

2. Hypervisor (VMM)
The diagram shows:
Hypervisor
• Binary Translation
• Instruction Caching
What it does:
✔ Emulates hardware
✔ Intercepts privileged instructions
✔ Performs dynamic translation
✔ Maintains isolation
It runs at Ring 0 (most privileged level).

3. Guest Operating System (Unmodified)
• Runs as if it is on real hardware
• No changes required
• Believes it is in Ring 0
But actually:
• It runs in a less privileged ring
• Hypervisor controls real Ring 0
The diagram shows:
• “Unmodified codebase”
• “VMM unaware”
This means:
The OS does not know it is virtualized.

4. User Applications (Ring 3)
• Run normally
• Completely unaware of virtualization
• Use normal system calls

How Privileged Instructions Work (Step-by-Step)
In a real system:
Application → OS → Hardware
In Full Virtualization:
Application → Guest OS → Hypervisor → Hardware
When the Guest OS executes a sensitive instruction, two methods are shown in the diagram:

1. Hardware Trap
• Sensitive instruction causes CPU trap
• Control switches to hypervisor
• Hypervisor emulates instruction

2. Dynamic Binary Translation
• Hypervisor rewrites sensitive instructions
• Replaces them with safe instructions
• Stores them in instruction cache
• Executes modified version
This process is labeled in the diagram as:
Dynamic / Cached Translation (Sensitive Instructions)

CPU Ring Structure in Diagram

| Ring     | Who Runs     |
|----------|--------------|
| Ring 3   | Applications |
| Ring 1/2 | Guest OS     |
| Ring 0   | Hypervisor   |

Guest OS thinks it is in Ring 0, but actually the hypervisor occupies Ring 0.

Why is Binary Translation Needed?
On older x86 processors:
Some sensitive instructions do NOT trap automatically.
So the hypervisor:
• Detects them
• Rewrites them
• Executes safe version
This is called:
Software-based Full Virtualization
Example hypervisor:
• VMware Workstation (classic example)

With Hardware Support (Modern CPUs)
Modern CPUs (Intel VT-x, AMD-V):
• Automatically trap privileged instructions
• No heavy binary translation required
• Better performance

Advantages of Full Virtualization
✔ No OS modification required
✔ Can run Windows, Linux, etc.
✔ High compatibility
✔ Easy migration

Disadvantages
• Slight performance overhead
• Binary translation adds cost (in software mode)

Difference: Full vs Para Virtualization

| Feature             | Full Virtualization | Paravirtualization |
|---------------------|---------------------|--------------------|
| Guest OS modified?  | No                  | ✔ Yes              |
| Hypercalls used?    | No                  | ✔ Yes              |
| Binary translation? | ✔ Yes               | No                 |
| Performance         | Slightly lower      | Higher             |

Simple Analogy
Imagine:
• Hardware = Bank vault
• Hypervisor = Security guard
• Guest OS = Customer
In Full Virtualization:
The customer thinks they have direct access to the vault, but actually the guard checks every action secretly.

5-Mark Exam Answer Format
Full virtualization is a virtualization technique in which an unmodified guest operating system runs on a hypervisor that provides a complete simulation of underlying hardware. The hypervisor intercepts privileged instructions using hardware traps or binary translation and executes them safely, ensuring isolation and compatibility.

Here is a clear comparison of:
• Full Virtualization
• Paravirtualization
• Hardware-Assisted Virtualization

1. Full Virtualization
Guest OS is not modified.
Hypervisor simulates complete hardware.
How it works
• Hypervisor uses:
   o Binary translation
   o Trap-and-emulate
• Guest OS thinks it runs on real hardware
Example
• VMware Workstation
• Oracle VM VirtualBox
Features
✔ Runs unmodified OS
✔ High compatibility
Limitation:
• Slight performance overhead

2. Paravirtualization (PV)
Guest OS is modified.
Uses hypercalls instead of privileged instructions.
How it works
• Guest OS cooperates with hypervisor
• No need for binary translation
• Faster execution
Example
• Xen (PV mode)
Features
✔ High performance
✔ Efficient memory & I/O
Limitations:
• OS must be modified
• Cannot run closed-source OS easily

3. Hardware-Assisted Virtualization
Uses CPU virtualization extensions.
No need for heavy binary translation.
Hardware Support
• Intel VT-x
• AMD-V
How it works
• CPU provides new privilege level
• Sensitive instructions automatically trap
• Hypervisor handles them directly
Example
• KVM
• Microsoft Hyper-V
Features
✔ Runs unmodified OS
✔ Near-native performance
✔ No guest OS modification
✔ No complex binary translation

Comparison Table

| Feature                   | Full Virtualization | Paravirtualization | Hardware-Assisted |
|---------------------------|---------------------|--------------------|-------------------|
| Guest OS Modified?        | No                  | ✔ Yes              | No                |
| Uses Hypercalls?          | No                  | ✔ Yes              | No                |
| Binary Translation        | ✔ Yes               | No                 | No                |
| Hardware Support Required | Not mandatory       | No                 | ✔ Yes             |
| Performance               | Medium              | High               | Very High         |
| Compatibility             | Very High           | Limited            | Very High         |
| Example                   | VMware              | Xen (PV)           | KVM, Hyper-V      |

Quick 5-Mark Answer (Exam Ready)
Full virtualization runs unmodified guest operating systems by simulating complete hardware and using binary translation or trap-and-emulate mechanisms. Paravirtualization modifies the guest OS to replace privileged instructions with hypercalls to the hypervisor, improving performance. Hardware-assisted virtualization uses CPU extensions such as Intel VT-x or AMD-V to allow efficient execution of unmodified guest operating systems with near-native performance.

Here is VMware Full Virtualization explained in correct order and in simple language for easy understanding (useful for exams and teaching).

1. What is VMware Full Virtualization?
VMware uses Full Virtualization, where:
• The entire hardware is copied (virtually created).
• The Guest OS runs without modification.
• The Guest OS does not know it is running in a virtual machine.
Example: Windows installed inside VMware thinks it is running on real hardware.

2. Where VMware Uses Full Virtualization
Desktop Environment
• Uses Type II Hypervisor
• Example: VMware Workstation
• Runs on top of an existing OS (like Windows/Linux)
Server Environment
• Uses Type I Hypervisor
• Example: VMware ESXi
• Runs directly on hardware (no host OS needed)

3. How Full Virtualization Works
VMware uses two techniques:
1. Direct Execution
• Normal (non-sensitive) instructions run directly on hardware.
• Very fast.
2. Binary Translation
• Sensitive instructions are translated before execution.
• Prevents errors.
This allows virtualization of the x86 architecture.

4. Why is Binary Translation Needed?
Problem with x86:
• x86 violates the First Theorem of Virtualization
• Some sensitive instructions are not privileged
• When executed outside Ring 0, they behave differently.
Before 2006, there was no hardware support.
Later, hardware support came:
• Intel VT-x
• AMD-V
But before that, VMware depended fully on Binary Translation.

5. Binary Translation Process (Step-by-Step)
1. Sensitive instruction executes
2. Trap occurs
3. VMware replaces it with safe equivalent instructions
4. Translated code is stored (cached)
5. Next time → no need to translate again
Only sensitive instructions are translated; others run directly on hardware.
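
As an added illustration (not from the original notes and not VMware's or Xen's code), the toy model below runs the same guest kernel in the three ways this section and the earlier Xen section describe: trap-and-emulate alone, dynamic binary translation with a translation cache, and Xen-style explicit hypercalls. The instruction set, the guest kernel and the "POPF silently ignores the IF bit outside ring 0" behaviour are constructed simplifications of the x86 problem the text describes, chosen so the effect of each technique is visible in the guest's final state.

```python
"""Toy model of a deprivileged guest OS on an x86-like CPU (constructed simplification)."""
from dataclasses import dataclass, field

IF_BIT = 0x200                 # interrupt-enable flag bit in an x86-style FLAGS word
PRIVILEGED = {"CLI", "HLT"}    # fault (trap) when executed outside ring 0
SENSITIVE = {"POPF"}           # do NOT trap outside ring 0, yet behave differently there


class Trap(Exception):
    """Ring-1 guest code executed a privileged instruction."""


@dataclass
class Guest:
    """Guest-visible machine state; the guest OS is deprivileged to ring 1."""
    ring: int = 1
    ax: int = 0
    interrupts_enabled: bool = True
    halted: bool = False

    def execute(self, instr):
        """Direct execution of one instruction at the guest's ring."""
        op = instr[0]
        if op in PRIVILEGED and self.ring != 0:
            raise Trap(instr)
        if op == "MOV":
            self.ax = instr[1]
        elif op == "ADD":
            self.ax += instr[1]
        elif op == "CLI":
            self.interrupts_enabled = False
        elif op == "HLT":
            self.halted = True
        elif op == "POPF":
            # Modelled x86 quirk: outside ring 0, POPF silently ignores the IF bit
            # instead of faulting, so the guest OS cannot tell that nothing happened.
            if self.ring == 0:
                self.interrupts_enabled = bool(instr[1] & IF_BIT)


@dataclass
class Hypervisor:
    traps: int = 0
    hypercalls: int = 0
    translations: int = 0
    cache_hits: int = 0
    cache: dict = field(default_factory=dict)   # block id -> translated code

    def emulate(self, guest, instr):
        """Ring-0 work: update the guest's *virtual* CPU state on its behalf."""
        if instr[0] == "CLI":
            guest.interrupts_enabled = False
        elif instr[0] == "POPF":
            guest.interrupts_enabled = bool(instr[1] & IF_BIT)
        elif instr[0] == "HLT":
            guest.halted = True

    def run_trap_and_emulate(self, program):
        """Full virtualization without VT-x/AMD-V: only faulting instructions reach the hypervisor."""
        guest = Guest()
        for instr in program:
            try:
                guest.execute(instr)
            except Trap:
                self.traps += 1
                self.emulate(guest, instr)
            if guest.halted:
                break
        return guest

    def translate(self, block_id, program):
        """Binary translation: rewrite privileged/sensitive instructions to HYPERCALLs, cached per block."""
        if block_id not in self.cache:
            self.translations += 1
            self.cache[block_id] = [("HYPERCALL",) + i if i[0] in PRIVILEGED | SENSITIVE
                                    else i for i in program]
        else:
            self.cache_hits += 1
        return self.cache[block_id]

    def run_translated(self, block_id, program):
        """VMware-style software full virtualization: translate, then run the safe copy."""
        return self.run_paravirtual(self.translate(block_id, program))

    def run_paravirtual(self, program):
        """Xen PV style: the guest code itself carries HYPERCALLs; nothing traps or is rewritten."""
        guest = Guest()
        for instr in program:
            if instr[0] == "HYPERCALL":
                self.hypercalls += 1
                self.emulate(guest, instr[1:])
            else:
                guest.execute(instr)
            if guest.halted:
                break
        return guest


# Constructed guest kernel: clear IF via POPF, do some work, then halt.
GUEST_KERNEL = [("MOV", 40), ("POPF", 0x000), ("ADD", 2), ("HLT",)]
```

Running GUEST_KERNEL through run_trap_and_emulate leaves the guest believing interrupts are still enabled (the POPF never reached the hypervisor), while run_translated or a hypercall-based kernel under run_paravirtual gets it right; a second run_translated of the same block is served from the cache.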

6. Advantages of Full Virtualization
✔ Runs unmodified OS (important for Windows)
✔ No source code modification needed
✔ Portable across x86 systems

7. Disadvantages
• Translation causes runtime overhead
• Slightly slower than:
   o Paravirtualization
   o Hardware-assisted virtualization
But overhead is reduced because:
• Only few instructions are translated

8. Memory Virtualization in VMware
Problem:
• MMU (Memory Management Unit) must be handled.
• In Type II hypervisors → nested translations occur.
Solution:
• VMware uses TLB (Translation Lookaside Buffer) mapping.
• Slowdown happens only on TLB miss.
• Reduces performance impact.

9. I/O Virtualization in VMware
VMware fully virtualizes devices like:
• Network controller
• Keyboard
• Mouse
• Disk
• USB controller
Each guest OS thinks it has its own hardware devices.

Summary (Very Short for Exam)
VMware Full Virtualization:
• Replicates complete hardware
• Runs unmodified guest OS
• Uses Direct Execution + Binary Translation
• Supports x86 architecture
• Uses TLB optimization for memory
• Fully virtualizes I/O devices
• Used in both Type I and Type II hypervisors
What is a Container?
Imagine you develop a software application.
To run that application, you need:
• The program (code)
• Some libraries
• Some supporting files (dependencies)
Normally, if you move the app to another system, it may not work because:
• That system may not have the same libraries
• OS may be different (Windows, Linux, Mac)
✅ A Container solves this problem.
A container packs:
• Application
• Libraries
• Dependencies
into one single unit.
So it runs the same everywhere.
“Build once, run anywhere.”

Three ways to deploy an application:

1. Traditional Deployment
Structure (top to bottom):
  Apps
  Operating System
  Hardware
Here:
• All apps are installed directly on one OS.
• If one app has a problem, it may affect others.
• Hard to manage many applications.
Example: Installing multiple software packages directly on Windows.

2. Virtual Machine (VM)
Structure (top to bottom):
  App
  Libraries
  Guest OS
  ----------------
  Hypervisor
  Host OS
  Hardware
Here:
• Each VM has its own separate OS
• Runs on a Hypervisor
• Looks like a full computer inside another computer
Advantages:
• Strong isolation
• Secure
Disadvantages:
• Very large (GBs)
• Slow to start
• Uses more RAM and CPU
Think of a VM as a separate house.

3. Container Deployment
Structure (top to bottom):
  App
  Libraries
  ----------------
  Container Runtime
  Host OS
  Hardware
Here:
• No separate OS inside container
• Shares host OS
• Only application + needed files are packed
Advantages:
• Very small (MBs)
• Starts very fast
• Uses fewer resources
• Easy to move between systems
Think of a container as a room in the same building.

VM vs Container (Easy Comparison)

| Feature      | Virtual Machine | Container      |
|--------------|-----------------|----------------|
| OS           | Own OS          | Shares Host OS |
| Size         | Large           | Small          |
| Speed        | Slow            | Fast           |
| Resource Use | High            | Low            |
| Isolation    | Strong          | Moderate       |
| Portability  | Good            | Excellent      |

How Containers Work (Simple)
• Developer creates a Container Image
• Image is stored in a registry
• Runtime (like Docker) runs the container
• OS features like:
   o Namespaces → separate processes
   o Cgroups → control CPU & memory

Where Containers Are Used
✔ DevOps
• Fast development
• Testing
• Microservices
✔ Cloud Computing
• Hybrid cloud
• Multi-cloud
• Scalable applications

Final Understanding
Virtual Machine = Full computer inside another computer
Container = Lightweight package sharing same OS
VM = Heavy but strong isolation
Container = Light, fast, portable
Building Blocks of Containers

Containers mainly use two important Linux features:
1. Cgroups (Control Groups) → Control resources
2. Namespaces → Provide isolation
Think like this:
• Cgroups = Resource Manager
• Namespaces = Isolation Manager

1. Cgroups (Control Groups)
Cgroups control how much CPU, memory, disk, and network a container can use.
Why do we need Cgroups?
Imagine:
• You run 3 containers:
   o Python App
   o Nginx Web Server
   o Database
If one container uses all memory, the other containers will crash.
So Cgroups:
• Limit CPU usage
• Limit memory usage
• Limit disk I/O
• Monitor resource usage

The diagram shows:
• CPU divided into parts (1,2,3,4)
• Memory divided into blocks
Example:
• Python app gets CPU core 3
• Nginx gets CPU cores 1 & 2
• Memory is divided separately
This is done using Cgroups.
Simple Example:
If the system has 8 GB RAM:
• Container A → 2 GB
• Container B → 3 GB
• Container C → 1 GB
They cannot cross the limit.
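
The 8 GB / 2-3-1 GB split above is what a container runtime enforces through cgroup v2 control files. The added example below (mine, not Docker's or the notes' code) builds that plan with the real cgroup v2 file names (cgroup.subtree_control, memory.max, cpu.max, cpuset.cpus, pids.max), refuses limits that together exceed host RAM, and applies the plan into a scratch directory so it can be inspected without root; the container names, the 0.5/2/1 CPU quotas and the pids limits are constructed for illustration, and applying it to the live tree needs root and a cgroup v2 mount.

```python
"""Plan and apply cgroup v2 limits for the three containers in the text (constructed example)."""
import tempfile
from pathlib import Path

GIB = 1024 ** 3
CPU_PERIOD_US = 100_000     # cpu.max is "<quota_us> <period_us>"; 100 ms is the default period
HOST_MEMORY = 8 * GIB       # the 8 GB host from the text

# Constructed allocation following the text: A=2 GB, B=3 GB, C=1 GB, cores as in the diagram.
CONTAINERS = {
    "python-app": {"memory": 2 * GIB, "cpus": 0.5, "cpuset": "3",   "pids": 256},
    "nginx":      {"memory": 3 * GIB, "cpus": 2.0, "cpuset": "1-2", "pids": 512},
    "database":   {"memory": 1 * GIB, "cpus": 1.0, "cpuset": "0",   "pids": 512},
}


def cpu_max(cpus):
    """0.5 CPUs -> '50000 100000': the group may run 50 ms of every 100 ms period."""
    return f"{int(cpus * CPU_PERIOD_US)} {CPU_PERIOD_US}"


def check_memory_overcommit(containers, host_memory=HOST_MEMORY):
    """Hard limits that together exceed host RAM still let the host run out of memory."""
    total = sum(c["memory"] for c in containers.values())
    return total <= host_memory, total


def plan(containers, root="/sys/fs/cgroup/demo"):
    """Return the ordered {file: value} writes that realise the limits under `root`.

    c­group v2 only exposes a controller's files inside a child group after the parent has
    enabled that controller in cgroup.subtree_control, so that write must come first.
    """
    ok, total = check_memory_overcommit(containers)
    if not ok:
        raise ValueError(f"memory limits total {total // GIB} GiB > host {HOST_MEMORY // GIB} GiB")
    writes = {f"{root}/cgroup.subtree_control": "+cpu +memory +cpuset +pids"}
    for name, c in containers.items():
        group = f"{root}/{name}"
        writes[f"{group}/memory.max"] = str(c["memory"])    # bytes; "max" would mean unlimited
        writes[f"{group}/cpu.max"] = cpu_max(c["cpus"])
        writes[f"{group}/cpuset.cpus"] = c["cpuset"]
        writes[f"{group}/pids.max"] = str(c["pids"])        # caps fork storms inside the group
    return writes


def apply(writes):
    """Write each control file; mkdir on a cgroup2 mount is what creates a child cgroup.

    On a real host this runs as root, and the runtime then moves the container's first
    process into <group>/cgroup.procs so the limits bind to it.
    """
    for path, value in writes.items():
        p = Path(path)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(value + "\n")


def dry_run():
    """Apply the plan into a scratch directory and read it back, never touching the live tree."""
    with tempfile.TemporaryDirectory() as root:
        writes = plan(CONTAINERS, root=root)
        apply(writes)
        return {p[len(root) + 1:]: Path(p).read_text().strip() for p in writes}


if __name__ == "__main__":
    for path, value in dry_run().items():
        print(f"{path:40s} {value}")
```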

Extra Benefits of Cgroups
• Prevents system crash
• Helps in monitoring usage
• Allows priority control

2. Namespaces – Simple Understanding
Namespaces give separate views of system resources.
Each container thinks:
“I am the only system running.”
But actually, many containers are sharing the same OS.

Namespaces – Isolation
Purpose:
Namespaces isolate different system resources so that each container thinks it has its own separate system.

What namespaces isolate:

| Namespace Type | What It Isolates                                      |
|----------------|-------------------------------------------------------|
| PID Namespace  | Process IDs (each container has its own process tree) |
| NET Namespace  | Network interfaces, IP addresses, ports               |
| MNT Namespace  | File system mount points                              |
| IPC Namespace  | Inter-process communication                           |
| UTS Namespace  | Hostname and domain name                              |
| USER Namespace | User and group IDs                                    |

Simple Example:
If two containers run:
• Both can have a process with PID 1
• Both can use port 80
• Both can have different hostnames
Because namespaces keep them separated.
In short: Namespaces provide isolation.

Types of Namespaces

1. Network Namespace
Each container gets:
• Its own IP
• Its own network interface (eth0)
• Its own routing table
From your diagram:
• Containers connect to a Virtual Ethernet Bridge
• Then connect to LAN
Containers cannot see other container networks unless allowed.

2. Filesystem Namespace (Mount Namespace)
Each container has:
• Its own root directory (/)
• Own /bin, /usr, /home etc.
Even though it is physically stored on the host, the container sees it as separate.
Example:
Host path:
/var/lib/container/mycontainer
Container sees it as:
/
Container cannot access host files.

3. PID Namespace (Process ID)
Each container has:
• Its own process table
• Its own PID 1 (like init process)
From your diagram:
• Parent PID namespace (host)
• Child PID namespace (container)
Inside container:
• Process thinks it is PID 1
• Cannot see host processes
Running ps inside container shows only container processes.

Easy Way to Remember

| Feature    | What It Does            |
|------------|-------------------------|
| Cgroups    | Controls resource usage |
| Namespaces | Isolates system view    |
Diagram – Cgroups (CPU & Memory Allocation)
What the image shows:
• CPU cores (1,2,3,4)
• Memory blocks
• Two applications:
   o Python App
   o Nginx
What is happening?

Diagram – Network Namespace
What the image shows:
• Two container namespaces
• Each has:
   o eth0
   o veth0
• Connected to:
   o Virtual Ethernet Bridge
   o LAN
What is happening?
Each container has:
• Its own network interface
• Its own IP address
• Its own routing table
Even though they are on the same host, they behave like separate machines.
The Virtual Ethernet Bridge connects containers to:
• Host network
• Internet (LAN)
Simple meaning:
Network Namespace = Separate network for each container
Each container thinks:
“I have my own network.”

Diagram – Filesystem Namespace
What the image shows:
• Host root filesystem (/)
• /bin, /usr, /var, /home
• Container has its own root
Host path:
/var/lib/container/mycontainer
Container sees it as:
/
What is happening?
The container:
• Cannot see full host filesystem
• Only sees its own virtual root
Simple meaning:
Filesystem Namespace = Separate file system view
Container cannot access host files unless allowed.

Diagram – PID Namespace
What the image shows:
• Parent PID namespace (Host)
• Child PID namespace (Container)
Inside container:
• Process starts with PID 1
• Only sees its own processes
Host can see:
• All processes
Container cannot see:
• Host processes
Simple meaning:
PID Namespace = Separate process list
Running ps:
• Inside container → shows only container processes
• On host → shows everything
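
The "host sees everything, container sees only PID 1" picture above is visible from the host in /proc/<pid>/status (the NSpid field lists the process's PID in each nested PID namespace) and in /proc/<pid>/cgroup (whose path names the container's cgroup), which is how a responder working on the host tells which processes belong to containers. The added example below is mine, not the notes' or Docker's code; the /proc fragments it parses are constructed samples, and inspect_process() reads the live files for a PID you pass (your own processes are readable without root).

```python
"""Host-side triage: is PID <n> inside a child PID namespace, and which cgroup (container) owns it?"""
import os
import re

# Constructed /proc/<pid>/status fragments as the HOST sees them. NSpid lists the PID in
# each PID namespace from the outermost (where procfs was mounted) to the innermost.
SAMPLE_STATUS_IN_CONTAINER = "Name:\tnginx\nPid:\t4242\nPPid:\t4200\nNSpid:\t4242\t1\n"
SAMPLE_STATUS_ON_HOST = "Name:\tbash\nPid:\t4242\nPPid:\t4200\nNSpid:\t4242\n"
# Constructed cgroup v2 membership lines (a v2 host shows a single "0::<path>" line).
SAMPLE_CGROUP_DOCKER = ("0::/system.slice/docker-deadbeef0123456789abcdef0123456789abcdef"
                        "0123456789abcdef01234567.scope\n")
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"

# Runtime-created cgroup names carry the 64-hex container ID (systemd and cgroupfs layouts).
CONTAINER_ID_RE = re.compile(r"(?:docker-|cri-containerd-|libpod-|/docker/)([0-9a-f]{64})")


def parse_nspid(status_text):
    """Return the process's PID in each nested PID namespace, outermost first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(p) for p in line.split()[1:]]
    return []   # kernels before 4.1 have no NSpid field


def pid_namespace_depth(status_text):
    """0 = same PID namespace as procfs; each extra NSpid entry is one more nested namespace."""
    return max(len(parse_nspid(status_text)) - 1, 0)


def cgroup_path(cgroup_text):
    """Path of the process in the cgroup v2 unified hierarchy (hierarchy id 0), or None."""
    for line in cgroup_text.splitlines():
        hierarchy_id, _controllers, path = line.split(":", 2)
        if hierarchy_id == "0":
            return path
    return None


def container_id(cgroup_text):
    """Container ID embedded in the cgroup name by Docker/containerd/Podman, or None."""
    m = CONTAINER_ID_RE.search(cgroup_path(cgroup_text) or "")
    return m.group(1) if m else None


def classify(status_text, cgroup_text):
    """Summarise what the two /proc files say about a process's isolation."""
    nspid = parse_nspid(status_text)
    depth = pid_namespace_depth(status_text)
    cid = container_id(cgroup_text)
    return {
        "host_pid": nspid[0] if nspid else None,
        "pid_inside_namespace": nspid[-1] if nspid else None,
        "namespace_depth": depth,
        "cgroup": cgroup_path(cgroup_text),
        "container_id": cid,
        "containerised": depth > 0 or cid is not None,
    }


def inspect_process(pid=None):
    """Read the live /proc files for `pid` (default: this process) and classify them."""
    pid = "self" if pid is None else int(pid)
    with open(f"/proc/{pid}/status") as f, open(f"/proc/{pid}/cgroup") as g:
        return classify(f.read(), g.read())


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS_IN_CONTAINER, SAMPLE_CGROUP_DOCKER))
    if os.path.exists("/proc/self/status"):
        print(inspect_process())
```

Read from inside a container, NSpid shows a single entry, because procfs there was mounted in the container's own namespace; the nested view only appears to a reader whose procfs belongs to an outer namespace, which is why the check is a host-side one.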

Final Easy Understanding
Containers are built using:
✅ Cgroups → Controls resources (CPU, Memory)
✅ Namespaces → Creates isolation
Types of namespaces from your images:
• Network Namespace
• Filesystem Namespace
• PID Namespace

One-Line Summary
Cgroups control how much resources a container uses.
Namespaces control what a container can see.
Together they make containers:
• Lightweight
• Isolated
• Secure
• Efficient
