CageFS is a virtualized per-user file system that uniquely encapsulates each customer, preventing users from seeing one another and viewing sensitive information about the server. CageFS prevents a large number of attacks, including most privilege-escalation and information-disclosure attacks. The best part is that CageFS is completely transparent to customers and does not require them to change their scripts.
- Only safe binaries are available to users.
- Users do not see other users and have no way to detect the presence of other users or their user names on the server.
- Users cannot see server configuration files such as Apache config files.
- Users have a limited view of the process file system (/proc) and cannot see other users’ processes.
At the same time, a user’s environment is fully functional, and he or she should not feel restricted in any way. No adjustments to user scripts are necessary.
Today, a single site can consume all CPU, memory, and IO resources and bring the server to a halt. LVE (lightweight virtual environment) technology prevents that by allowing the admin to set up individual resource limits. This ensures that a tenant can never use more resources than he or she is given.
LVE is a kernel-level technology developed by the CloudLinux team. It integrates at the server, PAM (pluggable authentication modules), and database levels to prevent any kind of abuse while maintaining the lowest overhead possible. The technology has roots in common with container-based virtualization.
The goal of LVE is to ensure that no single Web site can bring down your server.
LVE allows the host to maintain fine-tuned control over resources—including CPU, IO, memory, inodes, number of processes, and connections—that any single account can use. It is lightweight and transparent.
Memory limits control the amount of memory each customer can use. CloudLinux is able to identify, in real time, the amount of memory actually used by an end customer’s processes. Physical memory limits are especially effective in preventing out of memory (OOM) issues and customers’ ballooning memory usage, which destroy caches and cause server overload.
IO limits restrict the data throughput for the customer. They are measured in KB/s. When the limit is reached, the processes are throttled (put to sleep). Because IO is one of the scarcest resources in shared hosting, the ability to put an upper limit on customer use is vital.
CPU limits establish the maximum amount of CPU resources that an account can use. When a user hits the CPU limit, processes within that limit are slowed down. CPU limits are crucial in preventing CPU usage spikes, which can often make servers slow and unresponsive.
Number-of-processes limits control the total number of processes within LVE. Once the limit is reached, no new process can be created until another one finishes. This effectively prevents fork bombs and similar DoS attacks.
Entry processes limits
Entry processes limits control the number of entries into LVE. The best way to think about this type of limit is as the number of Web scripts that can be executed in parallel by visitors to a site. These limits are important for preventing single sites from hogging all Apache slots and causing Apache to become unresponsive.
An inode is a data structure on a file system that is used to keep information about a file or a folder. The number of inodes indicates the number of files and folders an account has. Inode limits work at the level of disk quota.
The PHP Selector is a part of CloudLinux that allows end users to select the specific version of PHP they need. It allows ultimate flexibility by offering all popular versions of PHP, with more than 120 PHP extensions to choose from.
CloudLinux packages PHP versions 4.4, 5.1, 5.2, 5.3, 5.4, 5.5, and 5.6. The convenient UI lets a customer switch between versions, select the extensions, and adjust PHP settings.
No longer do you have to move customers to other servers or force them to switch to VPS (or another hosting company) just to get that old PHP 5.2 that their scripts require.
CloudLinux includes a large number of extensions and gives control to the end user. Only users who need a non-default version of PHP will be using PHP Selector. Everyone else will use the default PHP version installed on the server, so there is no extra work associated with PHP Selector.
The Ruby Selector allows end users to choose the Ruby version for an application and to install additional modules (gems) to the application environment. Ruby Selector uses mod_passenger for optimum performance.
Ruby Selector Benefits:
- Supports 1.8, 1.9, 2.0, and 2.1 Ruby versions
- Allows users to install additional modules to application environments
Python Selector allows end users to choose the Python version for an application and to install additional modules. Python Selector uses mod_passenger to get the best performance from Python applications.
MySQL often becomes a major headache for shared hosting companies. Keeping MySQL stable might be difficult, and customer queries can easily slow everything down. This is where MySQL Governor comes in. Its ability to pinpoint abusers and throttle them in real time is unprecedented in the industry. With support for the latest versions of MySQL and MariaDB, it is a must-have for any shared host.
MySQL Governor tracks CPU and disk IO usage for every user in real time and throttles MySQL queries by using the same per-user LVE limits. By using the dbtop utility, it is possible to see usage as it happens on a per-customer basis, ensuring that system admins always know what is going on.
MySQL Governor Benefits:
- Stable, simple limits counted as part of LVE limits
- Automatic detection and killing of long-running queries
- MySQL 5.1–5.6 support
- MariaDB 5.x and 10.x support
As a result, hosting companies can carefully throttle resources to maintain performance across servers without instantly disconnecting users.
Mod_lsapi is the fastest and most reliable way to serve PHP pages. It is a drop-in replacement for SuPHP, FCGID, RUID2, and ITK. It has a low memory footprint and understands PHP directives from .htaccess files.
Benefits of Mod_lsapi compared to other ways to serve PHP:
- Faster than any other way to serve PHP with Apache
- Doesn’t suffer from stability issues in process management like PHP FPM and mod_fcgid
- Full benefits of opcode caching
- Compatible with MPM Worker & Event
- No tuning required
- Support for PHP directives in .htaccess files
- Drop-in replacement for existing ways to serve PHP
- Fully compatible with PHP Selector