For me, the right solution is "semi-dedicated hosting" from NameCrane.com. Really it's just high quality shared hosting with resource guarantees. You can pay anywhere from eight to 120 bucks a year depending on the amount of resources you want. For me the sweet spot is $15 a month for a quarter terabyte of NVMe storage, two cores, and four gigs of RAM.
Unlike with Mythic Beasts, you don't get to run your own persistent processes; you have to be content with the mysqld and lighttpd provided. But on the plus side, you get backups, cron jobs, and good outbound email deliverability. SSH access is available. You don't get sudo, which is kind of the point, but you can install whatever software you want, as long as you "pip install --user" and "configure --prefix $HOME". That might take some getting used to, for folks used to a VPS; but it's a worthwhile trade-off for not having to do server admin.
I imagine this is a PHP site? They say:
cPanel or DirectAdmin with all the goodies: Litespeed, LSCache, PHP8, JetBackup & more
I have a PHP app, but also some Python apps ... How do you use Python? For cron jobs, or with CGI?
https://support.cpanel.net/hc/en-us/articles/360049921014-Ho...
RE: the CloudLinux-specific python features, I _think_ Namecrane has cloudlinux on all their shared/crate plans
And since namecrane I believe also uses litespeed on most or all of their plans, here's some related info that includes some python things: https://docs.litespeedtech.com/lsws/cp/cpanel/cloudlinux/
PS BuyVM/Namecrane/Frantech have an active discord with good/active/friendly company participation. Nice little community..
BTW I really enjoyed your article! This topic isn't explored that much these days and was a breath of fresh air
With mass virtual hosting (not virtualisation, think in terms of vhosts in Apache) came resource sharing and security issues that aren't easily fixed with some UID/GID quota tricks, and as such we got chrooted FTP, SSH and SCP, then OpenVZ at some point, and LXC. Later down the line we got containers and cgroups and even later, cgroupv2. All of them with similar goals in mind: shared resources, but strong enough isolation to not have unwanted side-effects.
This is still something that exists, but isn't really used this way (as far as I can tell - only ISPConfig seems to do this?), because containers were then also used as stateless packaging methods where you don't edit anything in a running container, but rather just re-deploy the whole thing. That is of course not a good match for the article, but there is nothing preventing this from being done in a container. Heck, if you have classic shared storage (i.e. NFS) you could get any container hosting company to do this without them knowing it.
But you'd still be on the hook for managing the container lifecycle...
Google used/uses cgroups with just plain UID isolation, no namespaces (of course this was for mostly trusted internal users, although they became less and less trusted over time ... due to being attacked by nation states and all that)
Heroku used LXC.
Dreamhost does use cgroups now, but it is not configured well, as mentioned in my post (the FastCGI and SSH processes share a cgroup, which means that you can't debug when it goes wrong!)
But most hosts these days just use Docker (fly.io, Render, etc.), which I think conflates a bunch of things. Not just cgroups, but also networking ...
So yeah it would be nice to have modern shared hosting, without Docker, but with good resource isolation
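Added example (not part of the original comment, and not any host's own tooling): one way to check the "FastCGI and SSH processes share a cgroup" situation described above is to compare the `/proc/<pid>/cgroup` entries of the two processes. The sample contents and cgroup paths below are constructed and hypothetical.

```python
"""Check whether two processes share a cgroup, from /proc/<pid>/cgroup text."""
from pathlib import Path


def parse_cgroup(text):
    """Return {controller: path}. Each line is 'hierarchy-ID:controllers:path'.

    The cgroup v2 unified hierarchy appears as '0::/path' and is stored
    under the key 'unified'.
    """
    membership = {}
    for line in text.strip().splitlines():
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and not controllers:
            membership["unified"] = path
            continue
        for name in controllers.split(","):
            membership[name] = path
    return membership


def shared_controllers(a_text, b_text, controllers=("unified", "cpu", "memory")):
    """List the controllers under which both processes sit in the same cgroup."""
    a, b = parse_cgroup(a_text), parse_cgroup(b_text)
    return sorted(c for c in controllers if c in a and a[c] == b.get(c))


def read_proc_cgroup(pid):
    """Read the live membership of a process (Linux only)."""
    return Path(f"/proc/{pid}/cgroup").read_text()


# Constructed samples; the cgroup paths are hypothetical.
SSH_SAME = "0::/hosting/user_1234\n"
FASTCGI_SAME = "0::/hosting/user_1234\n"            # same leaf as the shell
SSH_SPLIT = "0::/hosting/user_1234/ssh\n"
FASTCGI_SPLIT = "0::/hosting/user_1234/fastcgi\n"   # sibling leaf, own accounting
V1_SSH = "5:cpu,cpuacct:/user_1234\n4:memory:/user_1234/ssh\n"
V1_FASTCGI = "5:cpu,cpuacct:/user_1234\n4:memory:/user_1234/fastcgi\n"

if __name__ == "__main__":
    print(shared_controllers(SSH_SAME, FASTCGI_SAME))
    print(shared_controllers(SSH_SPLIT, FASTCGI_SPLIT))
    print(shared_controllers(V1_SSH, V1_FASTCGI))
```

On a live host, pass `read_proc_cgroup(pid)` for the shell and the FastCGI worker; sibling leaves still inherit any limits set on their common parent.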
You're right though I think the "modern shared hosting with a more paas approach but without docker and good security/isolation" is something that doesn't really exist. Perhaps someone could use Sandstorm (Kenton Varda's (pretty much abandoned now?) fantastic project/isolation technology) as a starting point and gear it towards a more "shared hosting" approach.
"They allow you to run persistent HTTP servers, supervised with systemd"
Systemd isn't Unix...
IMHO If you share computing with random other people you want AT LEAST Intel VT/AMD-V virtualization for isolation.
I think the shared hosting companies have issues because of customers who host "grayware" and the like, although I'd probably agree they don't have enough security for a critical business like a bank or health care organization
(I don't know much about their internals, but I know that Dreamhost has grsec-hardened kernels)
IMHO If you share computing with random other people you want AT LEAST Intel VT/AMD-V virtualization for isolation.
I think you can probably do this with Firecracker VMs. That is, preserve the shared hosting model, but have all the protections that VMs have.
It might be possible to plug in firecracker purely through config, or make a slight patch to sshd.
sshd already has support for ChrootDirectory, which is conceptually the same, but just a weaker form of isolation:
https://unix.stackexchange.com/questions/542440/how-does-chr...
And then for a web process, you can mount some disk and a connection to a database into a Firecracker VM, etc.
That's my use case too. I don't want to maintain a VPS, just have some server available. Something fast and cheap which is maintained by someone else.