Hi,

I'm trying to deal with some of the issues of rogue sites or, in other words, the possibility for a site to get hacked and used for other purposes, consuming CPU and other resources.

The problem happens when a site gets hacked and starts scanning the internet, or doing other damage. The hosting server gets slow and other customers start complaining.

A viable solution would be to use CloudLinux and its Apache module that will put all requests made from a site in its own LVE (i.e. context). This works well, but is $$ in licenses and not open source at all.

One way of dealing with this would be to leverage the systemd sockets and "multi-master" php-fpm setup. The pieces are there, but need to be assembled in a proper way (for example):

1. systemd can place each process in its own cgroup, limiting CPU, memory and, via a proper TC setup, the network bandwidth. To do this, each process must be started from systemd via a listening socket (i.e. on demand, which also uses less resources than dynamic php-fpm).
2. php-fpm can be run in multiple-master mode, where each site pool is served by a single master and a single socket. Each of these masters will have a single pool corresponding to the web site. The master can be started from its own socket by systemd.

The above will require some rewrite of the current templates. Some new configuration templates for systemd will be necessary. With the addition of some "systemctl daemon-reload" and enable/disable commands, all could work automagically.

I'd like to ask @till or the other developers what they think of this idea and if there are issues with this approach.

ispcomm.
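The setup proposed in the post above, sketched as an added example (not part of the original post and not ISPConfig code): a generator that writes, for one site, a systemd socket unit, a service unit with cgroup limits, and a single-pool php-fpm config. The paths, unit names, `www-data` web server user, php-fpm binary location and limit values are all assumptions; php-fpm picks up the systemd-bound listener through its `FPM_SOCKETS` environment variable.

```shell
#!/bin/sh
# Added example: per-site socket-activated php-fpm master with cgroup limits.
# All paths, names and limit values below are assumptions, not ISPConfig defaults.
gen_site_units() {  # usage: gen_site_units SITE_ID UNIX_USER OUTDIR
    site=$1; user=$2; out=$3
    # Refuse ids that could escape OUTDIR or inject extra unit directives.
    case $site in ''|*[!a-z0-9_-]*) echo "bad site id" >&2; return 1;; esac
    case $user in ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1;; esac
    sock=/run/php-fpm/$site.sock
    mkdir -p "$out" || return 1

    # systemd owns the listener; only the web server user may connect to it.
    cat > "$out/php-fpm-$site.socket" <<EOF
[Socket]
ListenStream=$sock
SocketUser=www-data
SocketMode=0600

[Install]
WantedBy=sockets.target
EOF

    # Started on first connection; master and workers share one cgroup.
    cat > "$out/php-fpm-$site.service" <<EOF
[Service]
Type=simple
# php-fpm adopts the already-bound socket that systemd passes as fd 3
Environment=FPM_SOCKETS=$sock=3
ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm.d/$site.conf
CPUQuota=50%
MemoryMax=512M
TasksMax=64
EOF

    # One master, one pool; "listen" must match the FPM_SOCKETS address.
    cat > "$out/$site.conf" <<EOF
[global]
error_log = /var/log/php-fpm/$site.log
[$site]
user = $user
group = $user
listen = $sock
pm = ondemand
pm.max_children = 5
EOF
}
```

After copying the generated units into place, `systemctl daemon-reload` followed by `systemctl enable --now php-fpm-<site>.socket` arms the listener. The TC-based bandwidth shaping mentioned in the post is not covered here.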