Introducing LiteSpeed Containers

[Editor’s note: the control panel plugin features described below are not yet available. Look for them in an upcoming mid-September release. –LC]

Introducing LiteSpeed Containers for Web Hosts!

If you host websites and use a Control Panel like cPanel or Plesk and are not using CloudLinux, you may very well consider using LiteSpeed Containers to help you manage your customers.

LiteSpeed Containers uses the powerful new features of Linux including:

  • cgroups, which give you full control over the CPU, I/O, number of processes and amount of memory a user can use.
  • Namespaces, which put each user in a sandbox, or container, that isolates the user from affecting any other users.

If you use LiteSpeed Enterprise and one of our supported control panels (cPanel or Plesk), all control is from a plugin in the Control Panel itself.

Even if you use OpenLiteSpeed or an unsupported control panel, you can get the same powerful features using our included APIs. This is all built into your LiteSpeed server product.

This blog will walk you through a number of situations where LiteSpeed Containers can help you better manage your environment.

Turning on LiteSpeed Containers

If you have LiteSpeed Enterprise v6.3 or later, and one of our supported control panels, you can find LiteSpeed Containers in the Control Panel Plugin, and you can simply run the script there that enables it. We recommend adding the configuration for cgroups and namespaces at the virtual host level.

If you are running OpenLiteSpeed you will need to upgrade to v1.8 or later, and enable cgroups and namespaces.

Hogging the CPU

Preventing CPU hogging is the most basic value of LiteSpeed Containers. Linux will allocate all CPU power to any process that uses it, and users may take advantage of this, intentionally or not. LiteSpeed Containers gives you the tools to manage this condition.

For example, if one of your users has a bug in a PHP script that creates a tight loop and uses all of the CPU, suddenly every user on that machine sees their processes get hung.

With LiteSpeed Containers you can avoid this scenario by allocating each user in the package a defined amount of CPU. We strongly recommend that this be in multiples of 100. Each multiple of 100 uses a full CPU, and allocating CPU in this manner avoids context switching.

If you have one of the LiteSpeed Control Panel Plugins, open the plugin, select Containers Package Manager, highlight the package, and click Edit.

Enter 100 as in the above example, and each user will get a maximum of 1 CPU. If the user begins to completely hog the CPU, then it will be the only user using that CPU while all other CPUs are available for other users.

If you do not have a LiteSpeed Control Panel you can do the same thing with the command line API (using the package new-package):

sudo /usr/local/lsws/lsns/bin/lspkgctl --cpu 100 set new-package

To see the current values, use this command:

sudo /usr/local/lsws/lsns/bin/lspkgctl list new-package

Which displays:

{
    "packages": {
        "new-package": {
            "uids": [
                1002
            ],
            "cpu": "100"
        }
    }
}

Note that as soon as you complete the action, the user settings are immediately updated.

Selling a Variety of Access

LiteSpeed Containers can help you sell a variety of access tiers. For example, you could have a Basic tier which offers a more limited form of access and an Advanced tier that offers more power for customers. The procedure involves something you possibly already have in place, which is to put each user in each tier in a package specific to that tier.

Once you have that done, you are ready to set up each package for the tier. For example:

  • Basic tier limits to 1 CPU, 1G RAM, 1K IOs per second, 1M IO and 100 tasks.
  • Advanced tier limits to 2 CPUs, 4G RAM, 4K IOs per second, 4M IO and 400 tasks.

These are just examples; the values you sell should be whatever is appropriate for your region and hardware.

As above, this is best done at the package level because it affects all users at the same time. We’ll discuss making exceptions below.

In your control panel, create the packages (or plans in Plesk) and add users as appropriate to each.

If you have one of the LiteSpeed Control Panel Plugins, in the plugin, select Containers Package Manager, highlight basic and press the Edit button.

Enter the appropriate values and press the Update button to apply the changes to the users. To update the advanced package press its Edit button.

Again, enter the appropriate values and press the Update button to apply the changes to the users.

To perform the same actions using the API enter:

sudo /usr/local/lsws/lsns/bin/lspkgctl --cpu 100 --io 1m --iops 1k --mem 1g --tasks 100 set basic
sudo /usr/local/lsws/lsns/bin/lspkgctl --cpu 200 --io 4m --iops 4k --mem 4g --tasks 400 set advanced

Making cgroups Exceptions

If you have a user with the name exception in the advanced package, and you wish to offer no limit for tasks, you can do this. In the plugin, select Containers User Manager and click Edit in the Cgroups column of the appropriate user’s row.

To set the user’s task enforcement to unlimited, press the Unlimited button in the Tasks row and press the Update button to apply the change. Future package updates to the advanced package will be applied to all users including this one, except for the Tasks limit which will be preserved.

To perform the same function to the exception user using the API enter:

sudo /usr/local/lsws/lsns/bin/lscgctl --tasks -1 set exception

Making namespace Exceptions

If you configure a user with namespace containers in the LiteSpeed Configuration, it will run in its own container shared with all instances of that user. If you wish to exclude a user from namespace containers you can indeed do that.

In the plugin select Containers User Manager. In the Namespaces column is a Disable button.

If you press the Disable button you will disable the use of the container for that user for future invocations. Existing ones will run until completed. It warns you that you must run a manual graceful restart to apply the disable at a time when it will not disrupt user traffic.

The Unmount button is displayed indicating that there is a namespace created for that user. Once all users are done you can press the Unmount button. Pressing it while users are running will cause no harm. It will warn you that it is in use.

To disable the user exception using the API:

sudo /usr/local/lsws/lsns/bin/lsnsctl --uid exception disable-uid

Monitoring Users With Prometheus

Besides monitoring LiteSpeed, the LiteSpeed Prometheus Exporter will also monitor cgroups statistics for each user unless configured not to. This is quite a low-overhead operation and has a very large upside for LiteSpeed Containers. With it, you can use Prometheus and Prometheus-compatible tools like Grafana to monitor your system.

You can get some quick and dirty statistics with the plugin. Select Containers Stats Manager:

Time Range can be set to:

  • Last 10 minutes
  • Last 30 minutes
  • Last hour
  • Last 4 hours
  • Today
  • Yesterday

After changing the Time Range you must press the Refresh button to see the results, or select a Refresh Interval other than stop, in which case it will update during the next auto-refresh.

These statistics come from Prometheus itself so you must have the Prometheus Address configured to contact the same Prometheus server that the LiteSpeed Prometheus Exporter is using. You can use Prometheus or its tools to provide graphs or alerts which can be useful to allow you to see which users are using excessive resources or which users are not actually using the systems.

Monitoring Users Without Prometheus

If you do not wish to use Prometheus, you can get a point-in-time look at the system by selecting the Time Range: Real-Time (without Prometheus) and pressing the Refresh button or setting a Refresh Interval other than stop. This will only provide the last 2 seconds of information and can be useful in determining the current state of the system.

There is an API to provide the non-Prometheus information. For example, to see the statistics for the user exception enter:

/usr/local/lsws/lsns/bin/lscgstats exception

Which returns the details for the system as a whole, the dot (.) user, and the exception user:

{
    ".": {
        "name": ".",
        "cpu": "1178426628",
        "io": "80723709952",
        "iops": "463034",
        "mem": "497131520",
        "tasks": "36"
    },
    "1009": {
        "name": "exception",
        "cpu": "844348342",
        "io": "3561500672",
        "iops": "5620",
        "mem": "60563456",
        "tasks": "2"
    }
}

The values can be used to calculate details, as they come directly from the operating system cgroups user directories. For example, the cpu number is the number of microseconds of CPU time used since the reboot, for the system as a whole and for the specific user. Thus if you run this with a 1-second interval, subtract the earlier value from the more recent value and divide by 1 million, you will get the amount of CPU time used in that 1 second. Multiply by 100 and you have a percentage. It is this and similar tricks used by the LiteSpeed Prometheus Exporter which give you statistics about your system.
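The calculation described above, as an added example (not LiteSpeed's own code): it takes two lscgstats snapshots and returns each user's CPU percentage, where 100 equals one full CPU, then lists users close to their package limit. The first snapshot is the output shown above; the second snapshot, the helper names and the 90% threshold are constructed for this illustration, and the limit of 200 is the advanced package's --cpu value.

```python
import json

# First snapshot: the lscgstats output shown on this page.
SNAP_T0 = """{
 ".":    {"name": ".", "cpu": "1178426628", "io": "80723709952",
          "iops": "463034", "mem": "497131520", "tasks": "36"},
 "1009": {"name": "exception", "cpu": "844348342", "io": "3561500672",
          "iops": "5620", "mem": "60563456", "tasks": "2"}
}"""
# Second snapshot: CONSTRUCTED for this example, as if taken 1 second later.
SNAP_T1 = """{
 ".":    {"name": ".", "cpu": "1180726628"},
 "1009": {"name": "exception", "cpu": "846298342"}
}"""

def cpu_percent(earlier_json, later_json, interval_s=1.0):
    """Return {user name: CPU percent}; 100 means one full CPU for the interval."""
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    earlier, later = json.loads(earlier_json), json.loads(later_json)
    result = {}
    for key, now in later.items():
        before = earlier.get(key)
        if before is None:
            continue  # user appeared between samples: no baseline to diff
        delta_us = int(now["cpu"]) - int(before["cpu"])  # later minus earlier
        if delta_us < 0:
            continue  # counter went backwards (reboot): skip this sample
        result[now["name"]] = delta_us * 100 / (interval_s * 1_000_000)
    return result

def near_limit(percents, limits, threshold=0.9):
    """Names of users whose usage is at or above threshold * their cpu limit."""
    return sorted(name for name, pct in percents.items()
                  if name in limits and pct >= limits[name] * threshold)

if __name__ == "__main__":
    usage = cpu_percent(SNAP_T0, SNAP_T1)
    for name, pct in usage.items():
        print(f"{name}: {pct:.1f}% CPU")
    # Assumption: exception is in the advanced package (--cpu 200).
    print("near limit:", near_limit(usage, {"exception": 200}))
```

A user that sits at its limit across many consecutive samples is being throttled by its cgroup, which is the signal to look for a runaway script or an undersized package.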
