What is Hive
Hive is a software package which includes the following software:
- Modified version of Apache's SuExec
- Modified version of the default Apache mod_cgi
- Modified version of Vixi's Crond
- An OS distribution aimed at the Hosting providers
- CPU statistics collection daemon
- CPU statistics web interface
What it gives you
First our modified SuExec
We have added a few major features to our SuExec:
- Now every process executed by SuExec is chrooted in the user's home folder
- We have added resource limits which can be changed per user or for the whole system
- We have added CPU usage statistics
- We have added support for 6 different PHP versions (this is in combination with our mod_cgi)
What this gives you is:
- Far better security than anything currently available for shared Hosting environments
- Better protection from a system resource deprivation by a single user
- Better control over CPU resources by showing you which are the users which overload or overuse your system
- Far better user experience by giving more options to your users
We added two major things to mod_cgi:
- A new option - MaxLoadLimit
- The multiple PHPs support
Before executing each script the apache server checks the system load. If it is higher than the MaxLoadLimit value, mod_cgi returns ISE.
This helps you prevent server overloads caused by DoS, DDoS or simple high usage of the Apache web service. It is added only to protect your server, not as a per-client limitation.
Multiple PHPs support
What we did was to introduce 6 different PHP handlers in mod_cgi, so now every user on the machine can choose with what PHP version their software will run. And the best thing is that users can change this themselves without involving the support department.
Modified version of Vixi's Crond
After our success with SuExec, we decided to add most of SuExec's functionality to crond. And we succeeded!
Our version of Vixi's Crond supports:
- Chrooting every user's process into the user's home folder
- Per-user CPU statistics
- Per-user and globally changeable resource limits
OS distribution - BaseOS
Since the security we offer is based on the idea/principal of chrooting every user process into the user's home folder, we had to make sure that programs can be executed into every user's home folder.
In order to do so securely, we decided to create a copy of a CentOS 5.5, but removing all software that users on shared hosting servers don't use.
We decided to call this BaseOS.
The BaseOS includes all the basic software that users need. This separation of software that the users use and software that the administrators use adds another layer of security to the system. Security is increased also by the fact that there are no suid binaries in the BaseOS. All this makes it very easy to recover from security incidents, without the need of reinstalling your whole system.
CPU statistics collection daemon - cpustatsd
All CPU statistics are stored in the logs of suexec and crond. However, we found that the job of parsing these files a few times a day is a very CPU and I/O intensive task. So we designed a simple daemon which parses those files on the fly.
The daemon stores the information for the current hour in its memory and when the new hour begins it stores the old data in a PostgreSQL database.
CPU statistics web interface
The web interface is where the magic happens. Here you can find structured data and review the overall CPU usage of your server.
You can find more information about the CPUStats web interface here.
The whole software package is licensed per server.
A single server is defined by these variables:
- IP Address
- MAC Address
- CPU Model
If any of those change you have to request a new license. Our software can check and request new licenses automatically.
You must only make sure that the licensed IP addresses have been added to your account.
You can find more about how our licensing works here.