Rich Freeman <ri...@gentoo.org> writes:

> On Sun, Jan 11, 2015 at 10:48 AM, lee <l...@yagibdah.de> wrote:
>>>
>>> I don't want to run fail2ban in the container because the container must
>>> not mess with the firewall settings of the host. If a container can do
>>> that, then what's the point of having containers in the first place?
>>>
>
> I've never used the LXC scripts to set up a container, but I actually
> run a firewall inside a container. You just need to run it in a
> separate network namespace so that it is messing with its own
> interface.
>
> In general, though, I wouldn't want my containers messing with my host
> interfaces.

Same here, so why does fail2ban get involved with containers?

>>> BTW, why does Gentoo put containers under /etc? Containers aren't
>>> configuration files ...
>>
>
> I'd never put a container there. I can't speak to how the lxc scripts
> are intended to be used - I don't use those tools to manage
> containers. I typically stick my containers in their own place in
> btrfs subvolumes for easy management.

I wouldn't put them there, either. Yet Gentoo does, very unexpectedly.

I'll probably move the container into its own ZFS FS.

-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us. Finally, this fear has become reasonable.
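An added example, not from this thread and not from Gentoo's lxc scripts: an LXC 1.x container configuration showing the network setting that would share the host's network namespace beside the veth setting that gives the container its own namespace, which is what Rich's firewall-in-a-container setup depends on. The bridge name br0 and the addresses are assumed.

```ini
# Constructed LXC 1.x config fragment (not from the thread).
# Assumed: host bridge "br0", container address 192.168.1.50/24,
# default gateway 192.168.1.1.

# WEAK: "none" makes the container share the host's network namespace.
# A fail2ban running inside would then write its iptables rules into
# the host's netfilter tables, which is exactly what lee objects to.
#lxc.network.type = none

# CORRECTED: a veth pair gives the container its own network namespace.
# fail2ban inside now only touches the container's own interface and
# its own netfilter tables; the host ruleset stays untouched.
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.1.50/24
lxc.network.ipv4.gateway = 192.168.1.1

# Note: iptables inside the container still needs CAP_NET_ADMIN for its
# own namespace, so do not list net_admin in lxc.cap.drop if fail2ban
# is meant to manage the container's firewall.
```

To check the isolation, record `iptables -S` on the host, trigger a ban inside the container, and compare: the host's rule listing should be unchanged.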