What are Linux namespaces and cgroups, and how do they enable container isolation?
Namespaces provide isolation for system resources so each container sees its own view of the system:
pid  - isolated process tree (the container sees its own PIDs, starting at 1)
net  - isolated network stack (own IP addresses, routing table)
mnt  - isolated filesystem mounts
uts  - isolated hostname
user - isolated user and group IDs
cgroups (Control Groups) limit and account for resource usage (CPU, memory, I/O) per group of processes. This is how Docker enforces your CPU/memory limits.
Together: namespaces provide isolation (what can be seen), cgroups provide resource limits (how much can be used).
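As an added illustration (not part of the original answer), the C probe below creates user, pid and uts namespaces with unshare(2) and checks two of the isolation properties listed above: the first process in the new pid namespace sees itself as PID 1, and a hostname set inside the new UTS namespace never reaches the parent. It assumes a Linux host; the function names (probe_namespace_isolation, inside_namespaces) are this example's own. Where unprivileged user namespaces are disabled, a common hardening setting, unshare fails with EPERM and the probe reports 0 instead of treating that as an error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER /* fallback in case <sched.h> was already included without GNU extensions */
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
int unshare(int flags);
#endif

/* Runs as the first process of the new pid namespace; each failed check sets a bit. */
static int inside_namespaces(void) {
    int bad = 0;
    char name[64] = {0};
    if (getpid() != 1) bad |= 1;                 /* pid namespace: we must be PID 1 */
    /* uts namespace: CLONE_NEWUSER gave this process full capabilities in the new
       user namespace, which owns the new UTS namespace, so sethostname is permitted. */
    if (sethostname("inside-ns", 9) != 0) bad |= 2;
    if (gethostname(name, sizeof name - 1) != 0 || strcmp(name, "inside-ns")) bad |= 4;
    return bad;
}

/* Returns 1 when an unprivileged process could create user+pid+uts namespaces and
 * every isolation property held, 0 when the host forbids unprivileged namespaces
 * (EPERM/EINVAL/ENOSYS/ENOSPC), and a negative code when isolation was NOT observed. */
int probe_namespace_isolation(void) {
    char before[64] = {0}, after[64] = {0};
    int st = 0;
    gethostname(before, sizeof before - 1);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* unshare(CLONE_NEWPID) only affects *children*, hence the second fork below. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS || errno == ENOSPC ? 100 : 101);
        pid_t ns_init = fork();
        if (ns_init == 0) _exit(inside_namespaces());
        if (ns_init < 0 || waitpid(ns_init, &st, 0) < 0 || !WIFEXITED(st)) _exit(101);
        _exit(WEXITSTATUS(st));
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -2;
    int code = WEXITSTATUS(st);
    if (code == 100) return 0;             /* namespaces not permitted on this host */
    if (code != 0) return -(10 + code);    /* an isolation check failed */
    gethostname(after, sizeof after - 1);
    return strcmp(before, after) == 0 ? 1 : -3;   /* hostname set inside must not leak out */
}
```

A negative result is the case worth alerting on: it means a process that believed it was namespaced was not actually isolated from its parent.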