CloudLinux has support for the following limits:
| Limits | Units | Default Value | Description | Supported Kernels / OS |
| SPEED | % of a core, or HZ | 100% | CPU speed limit, relative to a single core, or specified in HZ (portable across CPU s) | all |
| CPU [deprecated] | % of CPU | 25% | CPU Limit (smallest of CPU & NCPU is used) | all |
| NCPU [deprecated] | number of cores | 1 CORE | Max number of cores (smallest of CPU & NCPU used) | all |
| PMEM | KB | 1024MB | Physical memory limit (RSS field in ps/RES in top). Also includes shared memory and disk cache | CL5 hybrid kernel, CL5 lve1.x+ kernel, CL6 and CL7 |
| VMEM | KB | 0 | Virtual memory limit (VSZ field in ps/VIRT in top) | all |
| IO | KB/sec | 1024KB/sec | IO throughput - combines both read & write operations | CL7, CL6 lve1.1.9+ kernel |
| IOPS [lve1.3+] | Operations per second | 1024 | Restricts total number of read/write operations per second. | CL7 and CL6 kernel |
| NPROC | number | 100 | Max number of processes within LVE | CL6 and CL7 kernels |
| EP | number | 20 | Limit on entry processes. Usually represents max number of concurrent connections to apache dynamic scripts as well as SSH and cron jobs running simultaneously. | all |
::: tip Note It is always better to disable VMEM limits (set them to 0) in your system at all because they are deprecated in CloudLinux 6/7 system and are causing unexpected issues. :::
Bellow you can find recommendations for your typical shared hosting setup. The recommendations don't depend on the power of your server. They only depend on how "fast" you want your hosting accounts to be.
Typical Hosting Account
- SPEED=100%
- PMEM=512MB
- VMEM=0
- IO=1024KB/s
- IOPS=1024
- NPROC=100
- EP=20
High End Hosting Account
- SPEED=200%
- PMEM=1GB
- VMEM=0
- IO=4096KB/s
- IOPS=1024
- NPROC=100
- EP=40
LVE is a kernel level technology developed by the CloudLinux team. The technology has common roots with container based virtualization and uses cgroups in its latest incarnation. It is lightweight and transparent. The goal of LVE is to make sure that no single web site can bring down your web server.
Today, a single site can consume all CPU, IO, Memory resources or Apache processes - and bring the server to a halt. LVE prevents that. It is done via collaboration of Apache module, PAM module and kernel.
mod_hostinglimits is Apache module that:
- detects VirtualHost from which the request came;
- detects if it was meant for CGI or PHP script;
- puts Apache process used to serve that request into LVE for the user determined via SuexecUserGroup directive for that virtual host;
- lets Apache to serve the request;
- removes Apache process from user's LVE.
The kernel makes sure that all LVEs get fair share of the server's resources, and that no customer can use more then the limits set for that customer. Today we can limit CPU , Memory (virtual and physical), IO, number of processes as well as the number of entry processes (concurrent connections to apache).
Each LVE limits amount of entry processes (Apache processes entering into LVE) to prevent single site exhausting all Apache processes. If the limit is reached, then mod_hostinglimits will not be able to place Apache process into LVE, and will return error code 508. This way very heavy site would slow down and start returning 508 errors, without affecting other users.
- If the site is limited by CPU or IO, then the site will start responding slower.
- If the site is limited by memory or number of processes limits, then the user will receive 500 or 503 errors that server cannot execute the script.
To use LVE you should have CloudLinux kernel installed, and LVE module loaded. You can check the kernel by running the following command:
$ uname -r
You should see something like 2.6.18-294.8.1.el5.lve0.8.60. The kernel should have lve in its name. To see if lve kernel module is loaded run:
$ lsmod|grep lve
lve 46496 0
Starting from kernels lve1.4.x iolimits module is a part of kmod-lve and could not be used separately.
-
You can toggle LVE on/ff by editing
/etc/sysconfig/lveand settingLVE_ENABLEvariable toyesorno.Setting it to
yeswill enable LVE, setting it tonowill disable LVE. -
You can toggle IO limits by editing
/etc/sysconfig/iolimitsand settingIO_LIMITS_ENABLEDvariable toyesorno.
You need to reboot the server, after you set this option to make the changes live.
The best way to control LVE limits is using LVE Manager in your favorite control panel. Alternatively, you can use command line tool lvectl to control limits.
The limits are saved in /etc/container/ve.cfg
Example:
<?xml version="1.0" ?>
<lveconfig>
<defaults>
<cpu limit="25"/>
<ncpu limit="1"/>
<io limit="1024"/>
<mem limit="262144"/>
<other maxentryprocs="200"/>
<pmem limit="262144"/>
<nproc limit="0"/>
</defaults>
<lve id="532">
<cpu limit="30"/>
<ncpu limit="5"/>
</lve>
</lveconfig>
Sets CPU limit to 25%, IO limit to 1024KB/s, virtual memory limit to 1GB (memory limit is set as a number of 4096 bytes pages), physical memory limit to 1GB, CPU cores per LVE to 1, maximum entry processes to 200 and no limit for number of processes for all LVEs. It also sets the limit of 30% and number of processes limit to 5 for LVE with ID 532.
One of the best way to monitor current usage is lvetop:
$ lvetop
ID EP PNO TNO CPU MEM I/O
test 1 2 2 2% 728 0
You can also check the content of /proc/lve/list file that has all the data about LVE usage for all LVEs:
[root@localhost tests]$ cat /proc/lve/list
4:LVE EP lCPU lIO CPU MEM IO lMEM lEP nCPU fMEM fEP
0 0 75 25 0 0 0 262144 20 2 0 0
500 0 75 25 0 0 0 4294967 20 3 2 1
700 1 75 25 1403247 202 0 262144 20 2 0 0
Additionally you can use tool lveps to see CPU usage, and processes within LVE.
Starting from lve-utils version 3.1-1, the validation of EP and NPROC limits is supported. If an administrator sets the NPROC limit less than (EP + 15), the following warning is shown:
error: You're trying to set invalid LVE limits.
NPROC limit must be greater than EP + 15 limit, because number of processes and threads within LVE includes
also Apache processes/threads, SSH sessions and etc, which enter into LVE.
Validation does not affect limits operation in any way. Even if invalid limits have been set, they will be applied for users/resellers.
Commands that support validation:
lvectl set
This command allows validation of an LVE ID which does not have a corresponding UID in the system. I.e., you can set limits for any LVE ID and they can be validated.
lvectl set-user
This command allows validation when setting limits using a user name instead of LVE ID.
lvectl set-reseller
This command supports limits validation both for inactive reseller and active one.
lvectl set-reseller-default
This command supports validation when setting default limits for a reseller.
lvectl package-set
This command supports limits validation both for packages existing in the system and nonexisting ones.
- The
cloudlinux-packageandcloudlinux-limitscommands support all validation types described above, and support limits validation and exceptions lists as described below.
- a) When EP limit for a package is greater than a custom NPROC limit for a user included in this package.
OR
b) when NPROC limit for a package is less than a custom EP limit for a user included in this package.
- a) When default EP limit for a hoster is greater than a custom NPROC limit for a user/package which inherits the default limit.
OR
b) When default NPROC limit for a hoster is less than a custom EP limit for a user/package which inherits the default limit.
- When using the following commands:
a) lvectl set-reseller --all
b) cloudlinux-limits --json enable-reseller-limits --all
The automatic validation using cldiag utility by cron job is enabled on a server by default. You can disable it in the /etc/sysconfig/cloudlinux config file using ENABLE_CLDIAG option (Warning! This option disables all automatic checks using cldiag!) When calling this utility automatically by cron, it checks all limits existing on the server and send an administrator a report with limits check results. You can use the following command to validate existing limits: cldiag --check-lve-limits.
The important difference between checking existing and setting limits is that even if validation fails when setting limits (see exceptions list above), checking existing limits will catch invalid limits in any case. I.e. even if a server administrator set invalid limits, validation of existing limits will catch invalid limit in any case.
Set NPROC limit greater than (EP + 15).
:::tip Note lve-utils 1.4+ :::
CPU SPEED limit allows to set CPU limit in terms of % of a single core, or as a fixed number of Hz.
--speed=XX% would set performance relative to one core.
For example:
-
--speed=50%would mean 1/2 core. -
--speed=100%would mean 1 core, -
--speed=150%would mean 1.5 cores
--speed=XXmhz would automatically detect CPU speed of each core, and adjust the CPU scheduler to make sure user cannot go over that limit.
For example, on 1ghz CPU , setting of --speed=2ghz would mean 2 cores, while on 4ghz CPU same setting would mean 1/2 of a core.
This should allow hosting companies to set same approximate performance level limits across different hardware using single setting.
:::tip Note
Note. We strongly recommend setting CPU speed limits not less than 100%. As such limits cause CPU context switching which leads to increased %sys.
:::
:::tip Note Deprecated
This limit is no longer used, and SPEED is used instead :::
CPU Limits are set by CPU and NCPU parameters. CPU specifies the % of total CPU of the server available to LVE. NCPU specifies the number of cores available to LVE. The smallest of the two is used to define how much CPU power will be accessible to the customer.
| Cores Per Server | CPU Limit | NCPU Limit | Real limit |
| 1 | 25% | 1 | 25% of 1 core |
| 2 | 25% | 1 | 50% of 1 core |
| 2 | 25% | 2 | 50% of 1 core |
| 4 | 25% | 1 | 100% of 1 core (full core) |
| 4 | 25% | 2 | 1 core |
| 4 | 50% | 1 | 1 core |
| 4 | 50% | 2 | 2 cores |
| 8 | 25% | 1 | 1 core |
| 8 | 25% | 2 | 2 cores |
| 8 | 50% | 2 | 2 cores |
| 8 | 50% | 3 | 3 cores |
When user hits CPU limit, processes within that limit are slowed down. For example, if you set your CPU limit to 10%, and processes inside LVE want to use more then 10% they will be throttled (put to sleep) to make sure they don't use more then 10%. In reality, processes don't get CPU time above the limit, and it happens much more often then 1 second interval, but the end result is that processes are slowed down so that their usage is never above the CPU limit set.
Memory is controlled using virtual (VMEM) and physical (PMEM) memory limits.
Virtual memory limit corresponds to the amount of memory processes can allocate within LVE. You can see individual process virtual memory usage by monitoring VIRT column in top output for the process.
When process tries to allocate more memory, CloudLinux checks if the new total virtual memory used by all processes within LVE is more then a limit set. In such case CloudLinux will prevent memory from being allocated and increments fVMEM counter. In most cases, but not all of them - this causes process to fail. For CGI/PHP scripts it will usually cause 500 and 503 error.
:::tip Note It is recommended to disable VMEM limits (set them to 0) in your system at all because they are deprecated in CloudLinux 6 and 7 system and can cause unexpected issues. :::
Physical memory limit corresponds to the amount of memory actually used by end customer's processes. You can see individual process physical memory usage by monitoring RES column in top output for the process. Because similar processes (like PHP) share a lot of their memory, physical memory usage is often much lower then virtual memory usage.
Additionally physical memory includes shared memory used by the customer, as well as disk cache. In case of disk cache – if a user is starting to lack physical memory, the memory used for disk cache will be freed up, without causing any memory faults.
When LVE goes over physical memory limit, CloudLinux will first free up memory used for disk cache, and if that is not enough, it will kill some of the processes within that LVE, and increment fPMEM counter. This will usually cause web server to serve 500 and 503 errors. Physical memory limit is a much better way to limit memory for shared hosting.
If you see no processes under some user, but lve manager keeps telling it is using some memory, then most probably memory is taken by users disk cache. To check personal users disk cache (if lveinfo shows memory usage but not processes there):
cat /proc/bc/XXX/meminfo
…
Cached: 67300 kB
…
where XXX is user id, could be taken with:
id username
IO limits restrict the data throughput for the customer. They are in KB/s. When limit is reached, the processes are throttled (put to sleep). This makes sure that processes within LVE cannot go over the limit,. Yet don't stop working, nor getting killed – they just work slower when the limit is reached.
IO limits are available with kernels el6.lve1.x and higher.
The IO limits will only affect DISK IO, and will have no effect on network. It also doesn't take into consideration any disk cache accesses. So, even if file is loaded from disk cache 1000 times – it will not be counted towards IO limits.
IOPS limits restrict the total number of read/write operations per second. When the limit is reached the read/write operations stop until current second expires.
Entry processes limit controls the number of entries into LVE. Each time a process 'enters' into LVE, we increment the counter. Each time process exits LVE, we decrement the counter. We don't count processes that are created inside LVE itself. It is also know as 'Apache concurrent connections' limit.
The process enter's into LVE when there is a new HTTP request for CGI/PHP.
This limit was created to prevent DoS attacks against web server. One of the fairly popular attacks is to tie up all the Apache connections by hitting some slow page on a server. Once all Apache slots are used up, no one else will be able to connect to the web server, causing it to appear to be down. The issue is worsened by CPU limits, as once site starts to get slow due to CPU limit – it will respond to requests slower and slower, causing more and more connections to be tied up.
To solve that, we have created entry processes (often called concurrent connections) limit. It will limit the number of concurrent connections to Apache, causing web server to serve error 508 page ( Resource Limit Reached), once there number of concurrent requests for the site goes above the limit.
NPROC controls the total number of processes and threads within LVE. Once the limit is reached, no new process can be created (until another one dies). When that happens NPROC counter is incremented. Apache might return 500 or 503 errors in such case.
:::tip Note Requires kernel lve1.4.4.el6 or higher, or lve1.4.56.el7 or higher :::
Network traffic bandwidth control and accounting systems in CloudLinux 6 allows for each LVE container:
- Limiting outgoing network traffic bandwidth
- Accounting incoming and outgoing network traffic
:::tip Note The system supports IPv4 only protocol. :::
All outgoing IP packets generated inside LVE container and marked with LVE identifier. Traffic control utility tc from iproute2 package uses this marker to set required bandwidth.
:::tip Note CloudLinux doesn’t limit the network traffic itself, it only marks IP packets with specific LVE id. :::
Example 1:
- We create class with HTB qdiscs and rate 10kbit :
tc qdisc add dev eth1 root handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 10kbit
- All packets marked with LVE id will be processed by class 1:1 (rate 10kbit ).
tc filter add dev eth1 parent 1: handle 2121 fw flowid 1:1
Example 2:
- As an example we create class with HTB qdiscs and rate 100mbit and class 1:10 will be used by default:
tc qdisc add dev eth3 root handle 1: htb default 10
tc class add dev eth3 parent 1: classid 1:1 htb rate 100mbit
- For class 1:1 we create two branches with rate 5 mbit and 10 kbit accordingly, with classid 1:10 and 1:20.
tc class add dev eth3 parent 1:1 classid 1:10 htb rate 5mbit
tc class add dev eth3 parent 1:1 classid 1:20 htb rate 10kbit
- All packets marked with LVE id=2121 are processed by 10 kbit class.
tc filter add dev eth3 protocol ip parent 1: prio 1 handle 2121 fw flowid 1:20
More info about tc and its syntax can be found on the link http://tldp.org/HOWTO/Traffic-Control-HOWTO/index.html
Traffic accounting is performed for each LVE container. Network statistics is collected at /proc/lve/list file. Network-related data found at fields:
lNETO- output traffic limit by volume, equals 0*lNETI- input traffic limit by volume, equals 0*NETO- current outgoing traffic valueNETI- current incoming traffic value
The data is also collected at /proc/lve/per-lve/<id>/net_stat, where id is an LVE container identifier.
net_stat file contains 4 values in one row:
- Outgoing traffic limit by volume, equals 0*
- Incoming traffic limit by volume, equals 0*
- Current outgoing traffic value
- Current incoming traffic value
:::tip Note The current version of CloudLinux network control system doesn’t limit network traffic volume for a specific period of time (for example 3GB per day), it limits only network bandwidth.
Network limits are supported only for processes inside LVE. By default it does not limit static content, but only PHP/cgi scripts processed by Apache and processes launched over ssh etc. :::
| Web Server / PHP | CPU | Virtual & Physical Memory | EP | NPROC | IO | CageFS | PHP Selector |
| Apache / suPHP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Apache / FCGID | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Apache / CGI | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Apache / PHP-FPM | Yes 3 | Yes | Yes | Yes | Yes | Yes 3 | No |
| Apache / mod_php | Yes | No | Yes | Yes | Yes | No | No |
| Apache / mod_ruid2 | Yes | No | Yes | Yes | Yes | No | No |
| Apache / MPM ITK | Yes | No | Yes | Yes | Yes | Yes 1 | No |
| LiteSpeed | Yes | Yes 2 | Yes | Yes | Yes | Yes | Yes |
| NGINX / PHP-FPM | Yes 3 | Yes | No | Yes | Yes | Yes | No |
| SSH | Yes | Yes | Yes | Yes | Yes | Yes 3 | Yes |
| Cron Jobs | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
- Requires patched version of MPM-ITK. CL httpd RPM has ITK worker with the patch. Patch is also available at: http://repo.cloudlinux.com/cloudlinux/sources/da/cl-apache-patches.tar.gz
- CloudLinux 7 and CloudLinux 6 kernels only. 3. The DirectAdmin and CloudLinux PHP provide patched version. For other PHP distributions, please use patches available here: http://repo.cloudlinux.com/cloudlinux/sources/da/cl-apache-patches.tar.gz
:::tip Note Please note that mod_lsapi does not work when php-fpm is enabled because php-fpm is also a PHP Handler just as mod_lsapi. :::
CloudLinux uses various ways to integrate with existing system. By default we can integrate with:
- PAM - using pam_lve
- Apache - using mod_hostinglimits, apr library, patched suexec
- LiteSpeed - built in integration
pam_lve.so is a PAM module that sets up LVE environment. It provides easy way to setup LVE for SSH sessions, as well as other PAM enabled applications, such as crontab, su, etc.
pam_lve.so is installed by default when you convert existing server.
Installation:
# yum install pam_lve
After you install RPM , add the following line to the PAM config file for the required application:
session required pam_lve.so 500 1 wheel,other
In this line:
- 500 stands for minimum UID for which LVE will be setup. For any user with UID < 500, LVE will not be setup. If CageFS is installed, use:
cagefsctl --set-min-uid UIDto setup minimum UID. The parameter in PAM files will be ignored in that case. - 1 stands for CageFS enabled (0 – CageFS disabled)
- 3rd optional argument defines group of users that will not be placed into LVE or CageFS. Starting with pam_lve 0.3-7 you can specify multiple groups, comma separated.
:::tip Warning It is crucial to place all users that su or sudo to root into that group. Otherwise, once such user gains root, user will be inside LVE, and all applications restarted by that user will be inside that user LVE as well. :::
For example, to enable LVE for SSH access, add that line to the /etc/pam.d/sshd. To enable LVE for SU, add that line to the /etc/pam.d/su.
By default, module will not place users with group wheel into lve. If you want to use different group to define users that will not be placed into LVE by pam_lve - pass it as the 3rd argument.
:::tip Warning
Be careful when you test it, as if you incorrectly add this line to the /etc/pam.d/sshd, it will lock you out ssh. Don't log out of your current SSH session, until you sure it works.
:::
For preventing cases when user enters under usual user (using ssh) and then tries to enter as super user (via sudo or su) - pam_sulve was created, which tries to enter to LVE=1 and leaves it right away. If action fails, user gets message:
!!!! WARNING: YOU ARE INSIDE LVE !!!!
To check if pam_sulve is enabled on the server:
grep pam_sulve.so /etc/pam.d/*
should not be empty.
LVE Wrappers are the set of tools that allow system administrator to run various users, programs & daemons within Lightweight Virtual Environment. This allows system administrator to have control over system resources such program can have. Additionally it prevents misbehaving programs running within LVE to drain system resources and slow down or take down the whole system. The tools are provided by lve-wrappers RPM.
You can install them by running:
$ yum install lve-wrappers
LVE Wrappers provide two tools for placing programs inside LVE: lve_wrapper and lve_suwrapper.
/bin/lve_wrapper can be used by any non-root user, as long as that user is in group lve (see /etc/groups file).
Syntax
lve_wrapper <command_to_run>
Example
$ lve_wrapper make install
The program will be executed within LVE with ID matching user's id.
/bin/lve_suwrapper can be used by root user or any user in group lve (see /etc/groups file) to execute command within specified LVE.
Syntax
lve_suwrapper LVE_ID <command_to_run>
Example
# lve_suwrapper 10000 /etc/init.d/postgresql start
Switches
-f- force namespace-n- without namespace
CloudLinux httpd RPM comes with MPM ITK built in. Yet, if you would like to build your own Apache, you need to apply our patch for MPM ITK
- Download file: http://repo.cloudlinux.com/cloudlinux/sources/da/cl-apache-patches.tar.gz
- Extract: apache2.2-mpm-itk-seculrelve12.patch
- And apply this patch to your Apache source code.
When running MPM ITK , you should disable mod_hostinglimits. All the functionality needed by MPM ITK is already built into the patch.
Directives which can be used by Apache with ITK patch:
AssignUserID- uses ID as LVE IDLVEErrorCodeITK- error code to display on LVE error (508 by default)LVERetryAfterITK- same asLVERetryAfter- respond withRetry-Afterheader when LVE error 508 occursLVEId- ovverides id used for LVE ID instead ofAssignUserIDLVEUser- overrides user to use to retrieve LVE ID, instead of AssignUserID
mod_hostinglimits works with existing CGI/PHP modules, to put them into LVE context. In most cases the CGI/PHP process will be placed into LVE with the ID of the user that sites belongs to. mod_hostinglimits detects the user from SuexecUserGroup (suexec module), SuPHP_UserGroup (from mod_suphp), AssignUserID (MPM ITK), RUidGid (mod_ruid2 ) directives.
This can be overwritten via LVEId or LVEUser parameter on the Directory level.
:::tip Note Those parameters will not work with mod_fcgid and mod_cgid. :::
The order of detection looks as follows:
- LVEId
- LVEUser
- SuexecUserGroup
- suPHP_UserGroup
- RUidGid
- AssignUserID
:::tip Note LVE doesn't work for mod_include #include due to its "filter" nature. :::
Example:
LoadModule hostinglimits_module modules/mod_hostinglimits.so
<IfModule mod_hostinglimits.c>
AllowedHandlers cgi-script php5-script php4-script
SecureLinks On
</IfModule>
mod_hostinglimits (since version 1.0-22) supports min-uid - cagefsctl --set-min-uid=600.
Min UID is read on Apache start/restart and stored in the memory during apache runtime.
If the min UID has changed, you should restart Apache for mod_hostinglimits applying new min UID value. Full min UID is supported only with APR.
The following message should appear:
[notice] mod_hostinglimits: found apr extention version 3.
This means that the correct APR is installed with mod_hostinglimits.
mod_hostinglimist has variable for Apache CustomLog format string %{LVE_ID}y.
How to use:
LogFormat
"%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" req for lve "%{LVE_ID}y"
combined
shows in access_log the following info:
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "************/1.php""Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 "************/1.php""Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
cPanel
Installed by default during EasyApache build. Requires lve-stats & lve-utils packages to be installed.
DirectAdmin
Can be built using custombuild:
$ yum install liblve-devel
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build set cloudlinux yes
$ ./build apache
$ ./build rewrite_confs
If you run suphp, then run the following:
$ ./build suphp
Plesk
$ yum install mod_hostinglimits
ISPmanager
$ yum install mod_hostinglimits
InterWorx
$ yum install mod_hostinglimits
H-Sphere
Included by default in H-Sphere 3.5+
Standard Apache from RPM
$ yum install mod_hostinglimits
Custom Apache installation
Compile from the source: http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
$ wget http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
$ yum install cmake
$ tar -zxvf mod_hostinglimits*.tar.gz
$ cd mod_hostinglimits*
$ cmake .
$ make
$ make install
- Apache Module Identifier:
hostinglimits_module - Source Files:
mod_hostinglimits.c - Compatibility: MPM prefork, worker, event, ITK
| Description | Makes sure that for any virtual hosts, only files owned by user specified via SuexecUserGroup or other ways as described above are served. For files owned by any other user apache will return Access Denied error. The directive will not affect VirtualHost without user id specified, or with uid < 100 |
| Syntax | SecureLinks On |
| Default | SecureLinks Off |
| Context | server config |
Prevents apache from serving files not owned by user, stopping symlink attacks against php config files.
Example
SecureLinks On
| Description | Allow apache to continue if LVE is not available |
| Syntax | SkipErrors On |
| Default | SkipErrors On |
| Context | server config |
Prevents Apache from exiting if LVE is not available.
Example
SkipErrors Off
| Description | List of handlers that should be placed into LVE, support regexp |
| Syntax | AllowedHandlers cgi-script %^php% my-script |
| Default | none |
| Context | server config |
This directive allows to list handlers which will be intercepted and placed into LVE.
Examples
-
Match requests handled by cgi-script handler:
AllowedHandlers cgi-script -
Match all requests:
AllowedHandlers * -
Match all requests that handled by handler that contains PHP:
AllowedHandlers %php% -
Match all requests handled by handler that starts with PHP:
AllowedHandlers %^php%
| Description | List of handlers that should not be placed into LVE, support regexp |
| Syntax | DenyHandlers text/html |
| Default | none |
| Context | server config |
This directive works together with AllowHandlers, to exclude some handlers from being allowed in LVE.
Example:
Match all requests, but text/*
AllowedHandlers *DenyHandlers %text/*%
| Description | Error code to display once entry is rejected due to maxEntryProcs |
| Syntax | values from 500 to 510 |
| Default | 508 |
| Context | directory config |
Specifies ErrorCode to use on LVE error (like too many concurrent processes running).
The message that will be displayed by default is:
Resource Limit Is Reached.
The website is temporarily unable to serve your request as it exceeded resource limit.
Please try again later.
You can redefine error message using ErrorDocument directive
Example:
LVEErrorCode 508ErrorDocument 508 508.html
| Description | Allows to setup separate LVE ID on per directory level. If not set, user ID of a corresponding user is used. |
| Syntax | LVEId number |
| Default | User Id is used |
| Context | directory config |
Specifies LVE id for particular directory
Example:
<Directory "/home/user1/domain.com/forums">
LVEId 10001
</Directory>
| Description | Allows to setup separate LVE ID on per directory level. |
| Syntax | LVEUser username |
| Default | none |
| Context | directory config |
Specifies LVE ID for particular directory.
Example:
<Directory "/home/user1/domain.com/forums">
LVEUser user1
</Directory>
| Description | Use group ID instead of user ID for LVE container number. |
| Syntax | LVEUserGroupID On/Off |
| Default | User Id is used |
| Context | global config only |
- If the option enabled, group ID will be used instead of a user ID. Apache will display the following string in error logs:
mod_hostinglimits: use GroupID instead of UID
mod_hostinglimits: found apr extension version 2
mod_hostinglimits: apr_lve_environment_init_group check ok
- If a compatible apr library is not found, the following error message will be display in error logs.
mod_hostinglimits: apr_lve_* not found!!!
Example:
<Directory "/home/user1/domain.com/forums">
LVEUserGroupID On
</Directory>
| Description | Returns Retry-After header when LVE error 508 occurs. |
| Syntax | LERetryAfter MINUTES |
| Default | 240 minutes |
| Context | directory config |
Specifies interval for Retry-After header. The Retry-After response-header field can be used to indicate how long the service is expected to be unavailable to the requesting client.
Example:
LVERetryAfter 180
| Description | Provides extended debug info for listed sites. |
| Syntax | LVESitesDebug test.com test2.com |
| Default | none |
| Context | directory config |
Specifies virtual hosts to provide extra debugging information.
Example:
<Directory "/home/user1/domain.com/forums">
LVESitesDebug abc.com yx.cnet
</Directory>
| Description | Determines the way LVE ID will be extraced. In Conf |
| Syntax | LVEParseMode CONF PATH OWNER REDIS |
| Default: | CONF |
| Context: | directory config |
-
In
CONFmode, standard way to extract LVE ID is used (SuexecUserGroup, LVEId, or similar directives). -
In
PATHmode, username is extracted from the home directory path. The default way to match username is via the following regexp:/home/([^/]*)/. Custom regexp can be specified in LVEPathRegexp. -
In
OWNERmode, the owner of the file is used as an LVE ID. -
In
REDISmode, LVE ID is retrieved from Redis database.
Example:
LVEParseMode CONF
| Description | Regexp used to extract username from the path. Used in conjuction with LVEParseMode PATH |
| Syntax | LVEPathRegexp regexp |
| Default | /home/([^/]*)/ |
| Context | directory config |
Used to extract usersname via path.
Example:
LVEPathRegexp /home/([^/]*)/
| Description | Timeout in milliseconds, a site will return EP without lve_enter for LA decreasing after this time |
| Syntax | LVELimitRecheckTimeout number |
| Default | 0 |
| Context | httpd.conf, virtualhost |
Example:
LVELimitRecheckTimeout 1000
| Description | Use 429 error code as code returned on max entry limits ( on/off ). |
| Syntax | LVEUse429 on |
| Default | off |
| Context | httpd.conf, virtualhost |
Example:
LVEUse429 on
Available for RPM based panels, EasyApache 4 and DirectAdmin.
Redis support provides a way to query Redis database for LVE id, based on domain in the HTTP request. Given a database like:
xyz.com 10001
bla.com 10002
....
The module will retrieve corresponding LVE id from the database.
To enable Redis support, compile from source: http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
The compilation requires hiredis library.
$ wget http://repo.cloudlinux.com/cloudlinux/sources/da/mod_hostinglimits.tar.gz
$ yum install cmake
$ tar -zxvf mod_hostinglimits*.tar.gz
$ cd mod_hostinglimits*
$ cmake -DREDIS:BOOL=TRUE .
$ make
$ make install
To enable Redis mode, specify:
LVEParseMode REDIS
| Description | Socket to use to connect to Redis database. |
| Syntax | LVERedisSocket path |
| Default | /tmp/redis.sock |
| Context | server config |
Used to specify location of Redis socket.
Example:
LVERedisSocket /var/run/redis.sock
| Description | IP/port used to connect to Redis database instead of socket. |
| Syntax | LVERedisAddr IP PORT |
| Default | none |
| Context | server config |
Used to specify IP and port to connect to Redis instead of using Socket
Example:
LVERedisAddr 127.0.0.1 6993
| Descriptin | Number of seconds to wait before attempting to re-connect to Redis. |
| Syntax | LERetryAfter SECONDS |
| Default | 60 seconds |
| Context | server config |
Number of seconds to wait before attempting to reconnect to Redis after the last unsuccessful attempt to connect.
Example:
LVERedisTimeout 120
CloudLinux offers JSON API for lvectl via WHM. You can access it using the following URL:
https:/IP:2087/cpsess_YOURTOKEN/cgi/CloudLinux.cgi?cgiaction=jsonhandler&handler=list
The output will look as follows:
{"data":[{"ID":"default","CPU":"30","NCPU":"1","PMEM":"1024M","VMEM":"1024M","EP":"28","NPROC":"0","IO":"2048"}]}
cgiaction |
always jsonhandler |
handler |
should match lvectl command |
For commands like set, destroy & delete, where you need to specify LVE (user) ID, like lveid=500 (matches user ID 500).
Example:
https://IP:2087/cpsess_YOURTOKEN/cgi/CloudLinux.cgi?cgiaction=jsonhandler&handler=set&lveid=500&speed=30%&io=2048
https://IP:2087/cpsess_YOURTOKEN/cgi/CloudLinux.cgi?cgiaction=jsonhandler&handler=set&lveid=500&speed=300Mhz&io=2048
https://IP:2087/cpsess_YOURTOKEN/cgi/CloudLinux.cgi?cgiaction=jsonhandler&handler=set&lveid=500&speed=3Ghz&io=2048
:::tip Note Speed limit can be specified in several units of measure - %, MHz, GHz . The figures will be different according to the unit of measure. :::
Output:
{"status":"OK"}
To do set default, use lveid=0, like:
https://IP:2087/cpsess_YOURTOKEN/cgi/CloudLinux.cgi?cgiaction=jsonhandler&handler=set&lveid=0&speed=30%&io=2048
For commands like apply all, destroy all, use:
handler=apply-all
handler=destroy-all
You can use the following commands that allow to specify user name instead of user ID:
set-user |
Set parameters for a LVE and/or create a LVE using username instead of ID. |
list-user |
List loaded LVEs, display username instead of user ID. |
delete-user |
Delete LVE and set configuration for that user to defaults. |
If the limits for users are set with cPanel LVE Extension , then turnkey billing solutions can be applied (e.g. WHMCS).
:::tip Note LVE Manager 1.0-9.8+ :::
cPanel LVE Extension allows to control LVE limits for packages via cPanel hosting packages control interface and via cPanel WHM API . It simplifies integration with existing billing systems for cPanel (like WHMCS for example).
To add LVE Settings to standard cPanel package, go to Packages | Add a Package.
:::tip Note You can find the information on how to add a package in official cPanel documentation on the link: https://documentation.cpanel.net/display/ALD/Add+a+Package :::
Tick LVE Settings in the bottom of the page to open LVE Settings form.
You can specify the following options:
:::tip Note Your changes to LVE Settings will appear in the system after a little while. :::
| Speed Settings | Maximum CPU usage for an account. Must be in the range 1 - 100 (but obligatory > 0 ) if old format is used; use % or Mhz\Ghz to set CPU limit as speed; Type DEFAULT to use default value. |
| Memory Settings | Pmem - Maximum physical memory usage for an account. Vmem - Maximum virtual memory usage for an account. Must be a positive number. Postfix allowed only in KGMT. Type DEFAULT to use default value. Type 0 for unlimited resource. |
| Max entry proc Settings | Maximum number of entry processes (concurrent connections) for an account. Must be a positive number. Type DEFAULT to use default value. Type 0 for unlimited resource. |
| Nproc Settings | Maximum number of processes usage for an account. Must be a positive number. Type DEFAULT to use default value. Type 0 for unlimited resource. |
| IO Settings | Maximum I/O (input/output) usage speed for an account. Is measured in Kb/s. Must be a positive number. Type DEFAULT to use default value. Type 0 for unlimited resource. |
| IOPS Settings | Maximum IOPS (input/output operations per second) usage for an account. Must be a positive number. Type DEFAULT to use default value. Type 0 to unlimited resource. |
Click Add to apply your changes.
You can edit limits in any convenient for you way - in Edit a Package section, in the LVE Manager or even via WHM API.
Edit a Package
To edit package extensions, go to Packages | Edit a Package. Choose a package from the Package list and click Edit.
LVE Manager
To edit package extensions, go to LVE Manager | Server Configuration | CloudLinux LVE Manager | Packages and click pencil (edit) icon.
WHM API
To learn how to work with package extensions limits using WHM API, please read the official cPanel documentation: https://documentation.cpanel.net/display/SDK/Guide+to+Package+Extensions+-+Data+Behavior+and+Changes




