Question
You know cgroups provide isolation (along with namespaces in the context of containers). But what exactly are cgroups?
Answer
cgroups enforce hard limits of subsystems to allow efficient allocation of resources of the super-system.
Cgroups allow you to allocate resources — such as CPU time, system memory, network bandwidth, or combinations of these resources — among user-defined groups of tasks (processes) running on a system.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01
cgroups apply limits to resources (according to https://www.linuxjournal.com/content/everything-you-need-know-about-linux-containers-part-i-linux-control-groups-and-process).
To read why it is inadvisable to change cgroups settings for Docker, see this posting.
Namespaces allow for identically named resources on a subsystem (e.g., a Docker container) to be used without interfering with other subsystems. To read more see this: