cagefs vs php-fpm chroot
  • cagefs vs php-fpm chroot

    Hi, what is the difference between php-fpm chroot vs CageFS (just web PHP)? I am not looking at SSH, cron, etc.
    Can you give me technical details about the difference?

  • #2
    Hi,

    From what I know, PHP-FPM can really isolate PHP processes from the rest of the system so they can only access files within a specified directory tree (process isolation, but not user isolation). However, the big pain could be in setting it up and maintaining the dependent shared objects to keep them up to date after each system update. Another big issue could be that any file paths in PHP scripts must be relative to this directory (it's a chroot, meaning / becomes redefined). Unfortunately I cannot provide more technical details on it as we are not familiar with such setups.


    With CageFS you are getting the 'safe filesystem' out of the box, where users have a fully functional environment with all the needed files and libraries.

    • #3
      Thanks, according to https://cloudlinux.zendesk.com/hc/en...What-is-CageFS
      Users will have a limited view of /proc file system, and will not be able to see other users' processes,
      1. Does it have this feature on PHP?
      2. Does PHP CageFS enable other Linux namespaces like:

      • net (network stack)
      • ipc (System V IPC)
      • uts (hostname)
      • user (UIDs)

      • #4
        Not sure if I got your questions, but CageFS does not rely on PHP or other processes at all. It is a full filesystem replacement (cage) for the user and the processes launched under it.

        The network is not tied to CageFS in any way. It does not extend its functionality to include the management of these other namespaces. Each of these namespaces serves different purposes in Linux, such as isolating network resources or user IDs, but they are not inherently part of CageFS's functionality.

        A user in CageFS will see their own uid and hostname, but for them it will look like they are the single user on the server.

        • #5
          Thank you for your quick input. When I say CageFS PHP I refer to the CageFS program tied to the PHP process; when this happens, CageFS enables the Linux mnt namespace (mount points, filesystems), is this correct? If that is true, my question is again:

          Users will have a limited view of /proc file system, and will not be able to see other users' processes,
          Is the Linux pid namespace (processes) enabled in CageFS PHP?

          • #6
            It's not just mounts: CageFS uses a combination of Linux namespaces and file system virtualization.

            Each user is completely isolated from others. They cannot see or access each other's files, processes, or even the existence of other users. This is achieved by:
            • Mounting a separate instance of the file system for each user.
            • Providing a limited view of the /proc file system, so users cannot see other users' processes.

            A caged user will see only their own pids in /proc/. Here is a live test from a lab server.

            Under root user:
            Code:
            # cat /etc/passwd | wc -l
            64

            # ls -la /proc/ | wc -l
            285

            [root@CL9cPanel ~]# ls -la /proc/ | head
            total 4
            dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
            dr-xr-xr-x. 22 root root 4096 Jan 15 16:50 ..
            dr-xr-xr-x 9 root root 0 Jan 10 14:15 1
            dr-xr-xr-x 9 root root 0 Jan 15 02:54 10
            dr-xr-xr-x 9 root root 0 Jan 15 02:54 11
            dr-xr-xr-x 9 root root 0 Jan 15 02:54 12
            dr-xr-xr-x 9 polkitd polkitd 0 Jan 14 02:54 1233
            dr-xr-xr-x 9 root root 0 Jan 14 02:54 1255
            dr-xr-xr-x 9 root root 0 Jan 15 02:54 13

            And under a regular CageFS user named 'az':
            Code:
            $ cat /etc/passwd | wc -l
            25

            $ ls -la /proc/ | wc -l
            66

            $ ls -la /proc/ | head
            total 4
            dr-xr-xr-x 282 root root 0 Jan 10 14:15 .
            drwxr-xr-x 14 root root 4096 Aug 6 14:41 ..
            dr-xr-xr-x 9 az az 0 Jan 15 16:58 983249
            dr-xr-xr-x 9 az az 0 Jan 15 17:04 984042
            dr-xr-xr-x 9 az az 0 Jan 15 17:04 984043
            dr-xr-xr-x 3 root root 0 Jan 15 15:38 acpi
            -r--r--r-- 1 root root 0 Jan 15 15:38 bootconfig
            -r--r--r-- 1 root root 0 Jan 15 15:38 buddyinfo
            dr-xr-xr-x 4 root root 0 Jan 15 15:38 bus


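The lab test above compares /proc by eye. As an added example (not code from the thread or from CloudLinux), here is a POSIX shell self-check that does the same comparison mechanically: it counts the numeric /proc entries owned by the caller's uid versus any other uid, so the same check can be dropped into a cron job, an SSH session or a PHP shell_exec() call to confirm that the process really is getting the limited /proc view the thread describes. It assumes a Linux /proc and only uses ls, awk and id.

```shell
#!/bin/sh
# Added example: report whether this process sees other users' pids in /proc.
# Uses only POSIX tools so it behaves the same under PHP, cron or SSH.

# Print two numbers: "<own> <foreign>", the count of numeric /proc entries
# owned by the caller's uid and the count owned by anyone else.
proc_pid_counts() {
    me=$(id -u)
    own=0
    foreign=0
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue                 # no /proc, or the pid vanished
        owner=$(ls -ldn "$d" 2>/dev/null | awk '{print $3}')
        [ -n "$owner" ] || continue             # exited between glob and ls
        if [ "$owner" = "$me" ]; then
            own=$((own + 1))
        else
            foreign=$((foreign + 1))
        fi
    done
    echo "$own $foreign"
}

# Verdict: "root" (root legitimately sees everything, so the test says nothing),
# "isolated" when no other uid's processes are visible, "shared" otherwise.
proc_view_verdict() {
    set -- $(proc_pid_counts)
    if [ "$(id -u)" = "0" ]; then
        echo "root"
    elif [ "$2" -eq 0 ]; then
        echo "isolated"
    else
        echo "shared"
    fi
}

# Usage, e.g. as the thread's 'az' user inside the cage:
# printf 'own=%s foreign=%s verdict=%s\n' $(proc_pid_counts) "$(proc_view_verdict)"
```

A limited /proc view on its own does not prove a separate mount namespace; pair it with the thread's other check, the line count of /etc/passwd inside versus outside the cage.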
            • #7
              Hi, sorry to be this way, but you are showing me bash commands for CageFS SSH. Just to confirm, are these two features also enabled in CageFS PHP?
              • Mounting a separate instance of the file system for each user.
              • Providing a limited view of the /proc file system, so users cannot see other users' processes.
              So no matter what the service process is (php, ssh, cron, etc.), CageFS will always have these two features, is that correct?

              • #8
                Yes, exactly.
