My wife and I are both dog lovers and finally rescued our first dog, a Golden Retriever named Carson, two years ago. Carson was a puppy at the time and we were determined to have a well-behaved dog, so we began crate training him from day one. As a dog owner, you have to understand that a crate (or cage) isn’t just a means of punishment. It is intended to be a safe place for the dog to escape to while also providing safety to the dog and your belongings while you’re away. As it turns out, Carson loved his crate and would even willingly take a nap in it on occasion.
We could leave the house knowing that Carson was safe and secure in his own environment. If we had not put him in his cage, things would have turned out differently.
Crate training worked out great for Carson so, we thought, why not put all of our clients in a cage too? Believe it or not, that’s exactly what we’ve done.
As many of you know, CloudLinux has been the OS of choice on our servers for a couple of years now. We have been eagerly awaiting and testing one of the newest features of their OS, CageFS. Back in January we were finally able to deploy CageFS on all of our servers. This deployment has been a tremendous success with very few of our clients having even noticed it. That is great from an operational standpoint because our goal is always to make such changes as transparent as possible to the end user.
CageFS offers a couple of important benefits and goes well beyond what cPanel’s jailshell has to offer. Jailshell only applied if you were logged in and executing commands via SSH. It offered no protection when it came to processes run from cron or even PHP scripts accessed over HTTP. CageFS, on the other hand, provides a virtualized environment that locks down everything that is executed from a particular cPanel account, including the aforementioned cron and PHP processes. The two biggest changes that you’ll see or that may impact you include improved account isolation and limited command availability.
- Account Isolation – CageFS places each cPanel account in its own virtualized environment. You won’t be able to see other users logged into the server, their processes, or even server-related processes. No amount of poking around will show any hints of other accounts being present on the server.
- Limited Commands – With CageFS we are able to easily limit what commands can be executed within each cage. We’ve taken steps to make sure you have access to everything that you might need, while removing access to those items you don’t. If you find that you’re unable to access something that you need, by all means submit a ticket and we can work with you to get it added.
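To check the account isolation described above from inside your own account, here is an added example (not code from CloudLinux or from this post). It reads the `Uid:` line of every `/proc/<pid>/status` entry the account can see and counts those owned by someone else; the function names and the script name `cagecheck.sh` are made up for this example. Since jailshell only covered SSH sessions, the result is worth comparing across SSH, a cron job and a process started from PHP.

```shell
#!/bin/sh
# Added example: count processes visible to this account that belong to
# another UID. Inside a cage as the post describes it, the count should be 0.

# foreign_procs [PROC_ROOT] [MY_UID]
# Prints one line per visible foreign process: "<pid> <uid>".
# PROC_ROOT is a parameter (an assumption of this example) so the check can
# be exercised against a constructed directory tree instead of the live /proc.
foreign_procs() {
    proc_root="${1:-/proc}"
    my_uid="${2:-$(id -u)}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue      # unmatched glob or vanished process
        # The first number after "Uid:" is the real UID of the process.
        uid=$(awk '/^Uid:/ { print $2; exit }' "$status" 2>/dev/null) || continue
        [ -n "$uid" ] || continue
        if [ "$uid" != "$my_uid" ]; then
            pid=${status%/status}
            echo "${pid##*/} $uid"
        fi
    done
}

# count_foreign [PROC_ROOT] [MY_UID]: number of foreign processes visible.
count_foreign() {
    foreign_procs "$@" | wc -l | tr -d ' '
}

# isolation_check LABEL [PROC_ROOT] [MY_UID]
# Prints a one-line result tagged with the calling context and returns 0
# only when nothing outside the account is visible.
isolation_check() {
    label="${1:-shell}"
    check_uid="${3:-$(id -u)}"
    n=$(count_foreign "${2:-/proc}" "$check_uid")
    echo "context=$label uid=$check_uid foreign_procs=$n"
    [ "$n" -eq 0 ]
}

# Run only when asked, e.g.:  sh cagecheck.sh --run cron
case "${1:-}" in
    --run) isolation_check "${2:-shell}" ;;
esac
```

A non-zero exit status from `--run` means the calling context could see at least one process belonging to another UID.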
Much like Carson’s crate, CageFS provides a safe and secure environment for your accounts to exist within. This is not, however, a blanket security solution. Security is an ever-moving target that depends not only on us but on our clients as well. It is important that you keep your scripts patched and secured. If you run into any problems or have any questions concerning CageFS, please feel free to submit a ticket or comment here.
The more I read about CageFS, the more I like the idea. Do we get PHP Selector too?
We have no plans to offer PHP Selector at this time. It is fairly new as it is and only even more recently became functional with LiteSpeed. We like to maintain our own PHP builds at this point because it gives us greater overall version control. We already include more modules than most will ever need. The only remaining benefit would be the ability to switch your PHP version via the GUI but it really isn’t all that difficult to do by adding a single line to a .htaccess file. Very few even opt to change their PHP version. I’d argue that those that are unable to make such a modification probably shouldn’t be fiddling with their PHP configuration anyways (especially the modules). Having said that, things can always change and we’ll re-evaluate as necessary. We’re also open to your input as well.