Running a classic web hosting environment with virtual hosts and chroot isolation has been the de facto standard for a long time.
Even when using chroot all sites still share the same namespaces for network, users and processes.
The Linux kernel has built in support for a set of features called LXC (Linux Containers) which lets you isolate entire environments.
LXC containers are often considered as something in the middle between a chroot and a full fledged virtual machine. The goal of LXC is to create an environment as close as possible to a standard Linux installation but without the need for a separate kernel.
Quote from: https://linuxcontainers.org/lxc/introduction/
Different strokes for different folks
Some of our projects have special needs like ImageMagick or GhostScript of a specific version, some use different daemons for serving their contents like apache or nginx.
A few users have the need for logging in with SSH to their sites with a full set of tools like WP-Cli, Git or their own custom shell script or cron table.
Security Considerations
in the Runtime Environment
Shared Hosting
Shared hosting is using the same resources and services for all webpages, thru the years different ways have been invented to circumvent the obvious security implications but they all rely on the individual services. Many services on the host system is started as the root-user so if an attacker manages to find a bug in the service they might be able to execute arbitrary code with host root privileges.
LXC
Unprivileged containers uses a map of the user and group ID to allocate a range of IDs for a container, the root user (id 0) in the container is actually something like id 100000 on the host. This means that even if an attacker manages to break out of a container they just have regular user access on the host.
Comparison Sheet
of Common Administrative Tasks
Task | LXC hosting | Shared hosting |
---|---|---|
Restarting Services | Each container has its own set of isolated daemons like Apache, MariaDB & PHP. This means it wont affect other sites when reloading or restarting inside of a container. | Since all sites share a single daemon for managing web requests and processing php, a misconfiguration of a site would halt all sites on reload. |
Upgrading Services | The container can have different versions of packages, even different Linux distribution. | A system upgrade impacts all sites and they all run the same version of packages as the host. |
Migrating Sites Between Host Servers | Migrating a container to a new host is as easy as copying the files to the new server and starting it. | Migrating sites from an old linux distribution to a new can be a big hassle, some of the sites might not have support for a new version of PHP or some custom script might use absolute paths of the old host system. |
Development | Since migrating containers is easy, copying a production site into a development environment gives you an exact replica to work with. | Developing on a remote server can create compatibility problems, the developer needs to make sure he is only using the tools allowed by the host. |
Service Diversity | Each container can chose their own weapons, some might like Nginx, others like Apache or Lighttpd. | There can be only one. All sites share the same daemon for managing requests. |
Soo.. why not use Docker or Kubernetes?
First let’s get some facts straight..
- Docker is based on LXC
- Kubernetes is an orchestration system for docker containers
- LXC Containers can be run on kubernetes
- Docker is a third-party application while LXC is native Linux
Docker
A Docker container is more or less built to be restarted on change. If you “update” a container, you have to delete it and then start a new instance. They are usually referred to as application container where the first process id is usually the main service of the container. Multiple containers make up a complex distributed multi-service group.
A typical docker based website has separate containers for web, sql and php.
LXC – Native Linux Containers
LXC Containers are long running system containers which can host any number of services. Using a minimal distribution like Alpine takes up less than 5Mb, if you add Lighttpd with FastCGI PHP the system grows to only 25Mb.
Both SystemD and SystemV based distributions work just fine and for the end user it looks just like a regular Linux system.
Commercial Support
Although LXC is open source, commercial support can still be obtained.
The company where i work (Asbra AB) has been using LXC for a couple of years in our development environment and last year (2019) we started migrating all our clients from shared hosting to containers.
- Asbra AB Swedish consultant company who offers Linux & LXC support.
- Canonical LTD The company who leads the development of both LXC and Ubuntu.