On Thu, Jan 15, 2015 at 3:32 PM, lee <l...@yagibdah.de> wrote:
> Rich Freeman <ri...@gentoo.org> writes:
>
>> 2. Run fail2ban in each container and have it monitor its own logs,
>> and then add host iptables rules to block connections.
>
> Containers must not be able to change the firewalling rules of the host.
> If they can do such things, what's the point of having containers?

A "container" on Linux is really a set of kernel namespaces.  There
are six different namespaces in Linux and a process can share any or
none of them with the host.

In this case the network namespace determines whether a process can
see the host interfaces.  There may also be capabilities that control
what the process can do with those interfaces (I'd have to read up on
that).  A container may or may not have a separate network namespace.
If it does, most likely you're going to have to set up a bridged
interface, DHCP/NAT, etc. for the container.

So, you can have it either way, which is why I offered three options.
There are pros and cons to each.  But, yes, if you do share the host
interface then the amount of interaction is higher than if you don't.

And, keep in mind that a container is not as compartmentalized as a VM
in any case.

>
>> 3. Run fail2ban in each container and have each container in its own
>> network namespace.  Fail2ban can then add container iptables rules to
>> block connections.
>
> That would waste resources.

Depends on how you run it, but yes, you might have multiple instances
of fail2ban running this way consuming additional RAM.  If you were
really clever with your container setup they could share the same
binary and shared libraries, which means they'd share the same RAM.
However, it seems like nobody bothers running containers this way
(obviously way more work coordinating them).  I doubt it would take
more CPU - 1 process scanning 5 logs probably doesn't use more CPU
than 5 processes scanning 1 log each.  You would get a security
benefit from just running fail2ban on the host, since a failure on one
container would apply a block to all the others.

-- 
Rich
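A worked illustration of the trade-off Rich describes (fail2ban per container versus one instance on the host), as an added example that is not part of the original thread: it scans constructed sshd log lines for three hypothetical containers and shows that the same source IP stays under a per-container threshold yet crosses it once the host correlates all logs.

```python
import re
from collections import Counter

# Constructed sample auth logs, one list per hypothetical container.
# Source addresses are documentation ranges (RFC 5737), not real hosts.
CONTAINER_LOGS = {
    "web1": [
        "Jan 15 15:30:01 web1 sshd[101]: Failed password for root from 192.0.2.10 port 4444 ssh2",
        "Jan 15 15:30:05 web1 sshd[102]: Failed password for root from 192.0.2.10 port 4445 ssh2",
        "Jan 15 15:31:00 web1 sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    ],
    "mail1": [
        "Jan 15 15:30:09 mail1 sshd[201]: Failed password for admin from 192.0.2.10 port 4446 ssh2",
        "Jan 15 15:30:12 mail1 sshd[202]: Failed password for admin from 203.0.113.5 port 4447 ssh2",
    ],
    "db1": [
        "Jan 15 15:30:20 db1 sshd[301]: Failed password for invalid user test from 192.0.2.10 port 4448 ssh2",
    ],
}

# Matches the sshd "Failed password" line and captures the source IPv4 address.
FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+")

def failures_per_container(logs):
    """Failed-login counts per source IP, keyed by container: what a per-container fail2ban sees."""
    per = {}
    for name, lines in logs.items():
        counts = Counter()
        for line in lines:
            m = FAILED_RE.search(line)
            if m:
                counts[m.group(1)] += 1
        per[name] = counts
    return per

def container_block_decisions(logs, maxretry=3):
    """IPs each container's own fail2ban would block with the given maxretry."""
    return {name: sorted(ip for ip, n in c.items() if n >= maxretry)
            for name, c in failures_per_container(logs).items()}

def host_block_decisions(logs, maxretry=3):
    """IPs a single host-level fail2ban would block after summing failures across all containers."""
    total = Counter()
    for counts in failures_per_container(logs).values():
        total.update(counts)
    return sorted(ip for ip, n in total.items() if n >= maxretry)

def iptables_rule(ip):
    """Host-side rule a fail2ban action would install; it drops the source for every container."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    print("per container:", container_block_decisions(CONTAINER_LOGS))
    print("host-wide:", [iptables_rule(ip) for ip in host_block_decisions(CONTAINER_LOGS)])
```

With maxretry=3 no single container blocks 192.0.2.10 (at most two failures each), but the host view counts four and installs one rule that protects all three.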
