
CloudLinux

CloudLinux distributor

Why CloudLinux?

Created in 2009, CloudLinux became the first commercially supported OS specifically designed for shared hosting providers. In its four years in the marketplace, CloudLinux has received numerous awards and has been praised by hundreds of shared hosting providers for resolving their stability problems. Web Hosting Search called it “The perfect OS for shared hosting.” It is no wonder that today more than 1,000 companies successfully use CloudLinux on their servers. It is installed on more than 10,000 servers worldwide.

CloudLinux benefits:

  • Isolates users from each other to avoid the “bad neighbor effect”
  • Prevents users from seeing configuration files and other private information
  • Allows end users to select PHP versions 5.2, 5.3, 5.4, and 5.5
  • Gives the power to monitor and control limits such as CPU, IO, Memory, and others
  • Helps restrict and throttle MySQL database abusers
  • Compatible with all major control panels
  • Interchangeable with CentOS and RHEL.

Resource limits

Memory limits

Memory limits allow for precise control over the amount of memory each customer is permitted. CloudLinux is able to identify, in real time, the amount of memory actually used by an end customer's processes. Physical memory limits are especially effective in preventing OOM issues and ballooning memory usage by customers that destroy caches and cause server load.

I/O limits

I/O limits restrict the data throughput for the customer. They are measured in KB/s. When the limit is reached, the processes are throttled (put to sleep). With I/O being one of the scarcest resources in shared hosting, the ability to put an upper limit on customer use is vital.

CPU Limits

This limit sets the maximum amount of CPU resources that an account can use. When a user hits the CPU limit, processes within that limit are slowed down. CPU limits are crucial in preventing CPU usage spikes that often can make servers slow and unresponsive.

Number of Processes Limit

The number of processes limit controls the total number of processes within an LVE (Lightweight Virtual Environment). Once the limit is reached, no new process can be created until another one dies. This effectively prevents fork bombs and similar DoS attacks.

Entry Processes Limit

The entry processes limit controls the number of entries into an LVE. The best way to think about it is as the number of web scripts that can be executed in parallel by visitors to a site. This parameter is important to prevent a single site from hogging all Apache slots and making Apache unresponsive.

MySQL Limits

With MySQL Governor, hosting companies can configure acceptable usage limits across only three parameters: CPU, IO Read, and IO Write. These are the three hardware resources most commonly affected by MySQL abusers; an increase in CPU or disk IO usage is a strong indicator that a customer may be abusing MySQL functionality, which is one of the most common causes of instability.

Inodes Limits

An inode is a data structure on a file system that is used to keep information about a file or a folder. The number of inodes indicates the number of files and folders an account has. Inode limits work at the level of disk quota.

Security

The main reason hacking is so easy on shared hosting servers is that Linux was never meant to be used by a large number of unvetted users. It is too easy for a hacker to obtain an account on your server (by using a stolen credit card and signing up or by abusing some outdated script one of your customers has not updated for years). After that, a hacker has inside access to the server and can begin poking around, finding low-hanging fruit and hacking your server.

CloudLinux stops that. With our CageFS and SecureLinks technologies, users are virtualized to their own file systems, preventing any individual user from seeing any other users on the server.

Beyond that, CloudLinux additionally:

  • Allows users access only to safe files
  • Removes users' access to ALL SUID scripts
  • Limits customers' access to the /proc filesystem
  • Prevents symbolic link attacks
  • Lets each customer see only his or her own processes

All that without the need for the customer to change his or her scripts or to adjust anything at all. CageFS is completely transparent for the end user, yet impregnable to a hacker.
