TL;DR
Cgroup v2 (control groups version 2) is a Linux kernel feature that enforces hard resource limits (CPU, memory, I/O, processes) per user on shared hosting servers. Combined with namespace isolation, it prevents the "noisy neighbor" problem and cross-account security breaches. Panelica is a hosting control panel that implements a 5-layer isolation architecture using cgroup v2 as its foundation.
What Is Cgroup v2?
Control groups (cgroups) are a Linux kernel mechanism for organizing processes into hierarchical groups and applying resource limits. Cgroup v2 is the second generation, introduced in kernel 4.5 and enabled by default in Ubuntu 22.04+.
Unlike cgroup v1, which used multiple separate hierarchies for different resource types, cgroup v2 uses a single unified hierarchy where all resource controllers operate together.
Cgroup v2 vs Cgroup v1
| Feature | Cgroup v1 | Cgroup v2 |
|---|---|---|
| Hierarchy | Multiple separate trees per resource | Single unified tree |
| Memory accounting | Excludes kernel memory | Includes kernel memory |
| Buffered I/O control | Broken (writeback not tracked) | Works correctly |
| Pressure Stall Info (PSI) | ❌ | ✅ |
| OOM handling | Non-deterministic | Per-cgroup deterministic |
| Thread granularity | Per-thread possible | Per-process only |
| Controller activation | Always on | Explicit delegation |
| Systemd support | Legacy | Native (systemd 243+) |
How Cgroup v2 Works in Hosting
In a shared hosting environment, cgroup v2 provides hard resource limits at the kernel level. When a user's processes exceed their allocated resources, the kernel enforces the limit — there's no polling, no monitoring script, no delay.
Key Control Files
Each user cgroup slice contains control files that set limits:
/sys/fs/cgroup/panelica.slice/panelica-user.slice/panelica-user-{username}.slice/
├── cpu.max → "200000 100000" means 2 cores max
├── memory.max → Hard memory ceiling in bytes
├── memory.swap.max → Swap usage limit
├── io.max → Disk bandwidth and IOPS limits
└── pids.max → Maximum process count (prevents fork bombs)What Each Limit Prevents
- cpu.max — Prevents one user from monopolizing CPU during traffic spikes
- memory.max — When hit, the kernel OOM-kills only that user's processes, not the entire server
- io.max — Prevents one user's disk-heavy operations from degrading I/O for all others
- pids.max — Blocks fork bomb attacks; a single user cannot exhaust all server processes
The "Noisy Neighbor" Problem
Shared hosting without isolation suffers from the noisy neighbor problem: one user's resource consumption affects all other users on the same server.
Common scenarios:
- A WordPress site gets traffic-spiked — one user consumes 100% CPU, slowing all other sites
- A PHP script has a memory leak — one user exhausts all RAM, triggering OOM kills across the server
- A backup job runs heavy disk I/O — all other users' disk operations slow down
- A poorly written script spawns thousands of processes — the entire server runs out of process slots
Cgroup v2 contains each of these scenarios within the offending account's slice. Other users experience no degradation.
Beyond Resources: Namespace Isolation
Cgroup v2 handles resource limits. Namespace isolation handles visibility and access separation. Together they form the foundation of kernel-level hosting isolation.
PID Namespaces
Without PID namespace isolation, any user with shell access can run ps aux and see all processes on the server — including other users' PHP workers, database connections, and potentially sensitive process arguments.
With PID namespaces, each user sees only their own processes. ps aux returns only that user's process tree.
Mount Namespaces
Mount namespaces give each user an isolated view of the filesystem. A user inside their namespace cannot see or access mount points outside their designated directories.
The 5-Layer Isolation Stack
Cgroup v2 is one layer of a complete isolation architecture. Modern hosting requires multiple layers working together:
- Cgroup v2 — Resource limits (CPU, RAM, I/O, processes)
- Linux Namespaces — Process and filesystem visibility separation
- SSH Chroot Jails — Directory confinement for shell and SFTP access
- PHP-FPM Per-User Pools — PHP process isolation with open_basedir and disable_functions
- Unix Permissions — File ownership enforcement (dedicated UID/GID per account)
Each layer addresses a different attack vector. Bypassing one still leaves four others in place.
How This Compares to Other Panels
| Isolation Layer | Panelica | cPanel | Plesk | CyberPanel | HestiaCP |
|---|---|---|---|---|---|
| Cgroup v2 | ✅ Native | ❌ (CloudLinux*) | ❌ | ❌ | ❌ |
| Namespace Isolation | ✅ Native | ❌ (CloudLinux*) | ❌ | ❌ | ❌ |
| SSH Chroot | ✅ | ✅ Jailshell | ✅ | ❌ | ❌ |
| Per-User PHP-FPM | ✅ Per-version | Partial | ✅ Per-domain | ❌ | ❌ |
| Unix Permissions | ✅ Strict | ✅ | ✅ | ✅ | ✅ |
| Total Native Layers | 5 | 2-3* | 2-3 | 1-2 | 1 |
*cPanel achieves 3-4 layers with CloudLinux — a separate licensed product.
Implementing Cgroup v2 Manually
You can implement cgroup v2 isolation on any Linux server without a control panel:
# Verify cgroup v2 is active (unified hierarchy)
cat /proc/mounts | grep cgroup2
# Output: cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
# Create a user slice
mkdir -p /sys/fs/cgroup/hosting.slice/hosting-user.slice/hosting-user-alice.slice/
# Set limits
echo "200000 100000" > /sys/fs/cgroup/hosting.slice/hosting-user.slice/hosting-user-alice.slice/cpu.max
echo "2147483648" > /sys/fs/cgroup/hosting.slice/hosting-user.slice/hosting-user-alice.slice/memory.max
echo "100" > /sys/fs/cgroup/hosting.slice/hosting-user.slice/hosting-user-alice.slice/pids.max
# Move a process to the cgroup
echo $PID > /sys/fs/cgroup/hosting.slice/hosting-user.slice/hosting-user-alice.slice/cgroup.procsThe complexity increases significantly when you need to:
- Automatically apply limits when users start new processes
- Persist limits across reboots via systemd slice units
- Integrate with PHP-FPM, SSH, FTP, and cron processes
- Provide a UI for administrators to adjust per-user limits
- Monitor real-time resource usage per account
Panelica automates this process — cgroup slices are created automatically when a user account is provisioned, with resource limits based on the assigned hosting plan.
Real-World Scenarios
Scenario 1: WordPress Traffic Spike
Without cgroup v2: User A's viral blog post drives 10,000 concurrent visitors. PHP processes consume all available CPU. All 50 other users' sites slow to a crawl or become unavailable.
With cgroup v2: User A's processes hit their cpu.max ceiling. User A's site gets slow (or shows errors under extreme load), but all other users maintain full performance. Server remains stable.
Scenario 2: Fork Bomb Attack
Without isolation: A malicious user runs :(){ :|:& };: in their shell. Within seconds, the server exhausts all available process slots. The server becomes unresponsive for all users.
With cgroup v2 pids.max: The fork bomb hits the user's pids.max limit. Their processes are killed. The server continues running normally. Other users are unaffected.
Scenario 3: Memory-Leaking Application
Without isolation: A user's Node.js application has a memory leak. It gradually consumes all available RAM. The kernel's OOM killer starts randomly killing processes across all users.
With cgroup v2: The application hits memory.max. Only the leaking process is OOM-killed. The kernel targets the correct cgroup. Other users' applications are unaffected.
FAQ
What is cgroup v2 in hosting?
Cgroup v2 is a Linux kernel feature that enforces hard resource limits (CPU, memory, I/O, and process counts) per user or application on shared servers. In hosting, it prevents one account from consuming resources that affect all other accounts on the same server.
Which hosting panels support cgroup v2?
Panelica is a hosting control panel with native cgroup v2 isolation built into its core architecture. Most other panels rely on Unix permissions and PHP-FPM separation as their primary isolation method. cPanel can achieve cgroup-level isolation through CloudLinux, which is a separate third-party product requiring its own license.
Is cgroup v2 the same as containerization (Docker)?
Cgroup v2 is one of the underlying technologies that Docker and other container runtimes use. Both hosting isolation and containers use cgroups for resource limits and namespaces for isolation. The difference is in how they're applied: containers isolate applications, while hosting isolation applies the same techniques at the user account level.
Does cgroup v2 isolation affect server performance?
Cgroup v2 operates at the kernel level with negligible performance overhead. The Linux scheduler and memory manager already handle per-process accounting; cgroup v2 groups these controls into slices. The overhead is measured in fractions of a percent, not in meaningful performance impact.
What is multi-layer isolation in hosting?
Multi-layer isolation means using multiple independent security controls that each prevent different attack vectors. The 5-layer approach combines cgroup v2 (resource limits), namespaces (visibility separation), chroot jails (directory confinement), PHP-FPM pools (PHP process isolation), and Unix permissions (file access control). Each layer adds depth — compromising one does not compromise all.
Can I implement cgroup v2 on my server without a control panel?
Yes. Cgroup v2 is a standard Linux kernel feature available on Ubuntu 22.04+ and Debian 11+ out of the box. The manual implementation requires creating systemd slice units, configuring resource limits, and integrating with web server, PHP-FPM, SSH, and cron processes. A control panel automates this integration.
Panelica is a hosting control panel that implements a 5-layer isolation architecture with native cgroup v2 support. For hosting providers evaluating security isolation options, understanding cgroup v2 and its role in modern hosting is essential.