A Linux kernel feature that allows processes to be organized into hierarchical groups whose use of various types of resources can then be limited and monitored.
The CLONE_NEWCGROUP flag provides a mechanism to virtualize the “view” of the /proc/$PID/cgroup file and of cgroup mounts. Without it, the file shows the complete path of the process’s cgroup in the host hierarchy, which may leak system-level information to the isolated processes.
In a container setup where we’re trying to isolate things, we want to use a namespace for cgroups so that the container has an isolated view of cgroups.
A limit of 2 GiB of main memory applies to a single process (and its threads). A child process of this process also inherits a limit of 2 GiB of main memory, but that 2 GiB is for its own use.
In other words, each process has its own limit of 2 GiB, and together the two could consume up to 4 GiB of main memory.
cgroups
So control groups allow resources to be limited across a group of processes.
Limiting the main memory to 2 GiB for a group containing 3 processes means the main memory used by all 3 processes together may not exceed 2 GiB.
cgroupv1 & cgroupv2
If /sys/fs/cgroup/cgroup.controllers is present on your system, you are using cgroup v2; otherwise you are using v1.
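The three points above (the v1/v2 check, the per-group memory limit, and the cgroup path that a missing cgroup namespace leaks through /proc/$PID/cgroup) as an added, self-contained example that is not part of the original notes: it works on a constructed cgroup tree in a temporary directory and on constructed /proc/<pid>/cgroup text, so the function names, the sample paths and the `sysfs_root` parameter are all assumptions, not values from a real host.

```python
import os
import tempfile
# Constructed sample /proc/<pid>/cgroup contents (not captured from a real host).
HOST_VIEW = "0::/user.slice/user-1000.slice/session-1.scope\n"  # no cgroup namespace
NS_VIEW = "0::/\n"  # the same process after unshare(CLONE_NEWCGROUP) in that cgroup

def cgroup_version(sysfs_root="/sys/fs/cgroup"):
    """cgroup v2 exposes cgroup.controllers at the hierarchy root; v1 does not."""
    return 2 if os.path.exists(os.path.join(sysfs_root, "cgroup.controllers")) else 1

def parse_proc_cgroup(text):
    """Map controller -> cgroup path. v2: one line '0::/path' (key '');
    v1: one line per hierarchy 'N:ctrl1,ctrl2:/path', one entry per controller."""
    paths = {}
    for line in text.splitlines():
        if line.strip():
            _hier_id, controllers, path = line.split(":", 2)
            for ctrl in (controllers.split(",") if controllers else [""]):
                paths[ctrl] = path
    return paths

def view_is_virtualized(text):
    """True when every path is '/': the host-side hierarchy is not leaked."""
    return all(path == "/" for path in parse_proc_cgroup(text).values())

def memory_limit_bytes(sysfs_root, cgroup_path, version):
    """Group-wide memory limit shared by all processes in the cgroup; None = unlimited."""
    rel = cgroup_path.lstrip("/")
    if version == 2:
        limit_file = os.path.join(sysfs_root, rel, "memory.max")
    else:  # v1 mounts each controller under its own directory
        limit_file = os.path.join(sysfs_root, "memory", rel, "memory.limit_in_bytes")
    with open(limit_file) as fh:
        raw = fh.read().strip()
    return None if raw == "max" else int(raw)

def demo():
    """Constructed v2 tree with a 2 GiB group limit, checked from both views."""
    root = tempfile.mkdtemp()
    group = os.path.join(root, "user.slice/user-1000.slice/session-1.scope")
    os.makedirs(group)
    with open(os.path.join(root, "cgroup.controllers"), "w") as fh:
        fh.write("cpu memory\n")
    with open(os.path.join(group, "memory.max"), "w") as fh:
        fh.write("%d\n" % (2 * 1024 ** 3))
    version = cgroup_version(root)
    limit = memory_limit_bytes(root, parse_proc_cgroup(HOST_VIEW)[""], version)
    return {"version": version, "group_limit_gib": limit // 1024 ** 3,
            "host_view_leaks_path": not view_is_virtualized(HOST_VIEW),
            "ns_view_leaks_path": not view_is_virtualized(NS_VIEW)}
```

Pointing `cgroup_version()` and `memory_limit_bytes()` at the real /sys/fs/cgroup and feeding `view_is_virtualized()` the contents of /proc/self/cgroup turns this into a quick in-container check of whether the cgroup view is actually isolated.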