On Thu, Jan 15, 2015 at 3:32 PM, lee <lee@××××××××.de> wrote:
> Rich Freeman <rich0@g.o> writes:
>
>> 2. Run fail2ban in each container and have it monitor its own logs,
>> and then add host iptables rules to block connections.
>
> Containers must not be able to change the firewalling rules of the host.
> If they can do such things, what's the point of having containers?

A "container" on Linux is really a set of kernel namespaces. There
are six different namespaces in Linux and a process can share any or
none of them with the host.

In this case the network namespace determines whether a process can
see the host interfaces. There may also be capabilities that control
what the process can do with those interfaces (I'd have to read up on
that). A container may or may not have a separate network namespace.
If it does, most likely you're going to have to set up a bridged
interface, DHCP/NAT, etc. for the container.

So, you can have it either way, which is why I offered three options.
There are pros and cons to each. But, yes, if you do share the host
interface then the amount of interaction is higher than if you don't.

And, keep in mind that a container is not as compartmentalized as a VM
in any case.

>
>> 3. Run fail2ban in each container and have each container in its own
>> network namespace. Fail2ban can then add container iptables rules to
>> block connections.
>
> That would waste resources.

Depends on how you run it, but yes, you might have multiple instances
of fail2ban running this way consuming additional RAM. If you were
really clever with your container setup they could share the same
binary and shared libraries, which means they'd share the same RAM.
However, it seems like nobody bothers running containers this way
(obviously way more work coordinating them). I doubt it would take
more CPU - 1 process scanning 5 logs probably doesn't use more CPU
than 5 processes scanning 1 log each. You would get a security
benefit from just running fail2ban on the host, since a failure on one
container would apply a block to all the others.

--
Rich
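The host-side arrangement Rich ends on (one fail2ban-style process reading every container's auth log, so a source that fails in one container is blocked for all of them) as an added Python example; it is not code from the thread or from fail2ban. The container names, the sshd log lines, the 2015 year supplied for the year-less syslog timestamps, and the maxretry/findtime values are constructed assumptions, and the iptables rules are returned as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines, keyed by container name, as a host-side
# scanner would read them from each container's log directory.
SAMPLE_LOGS = {
    "web": [
        "Jan 15 15:30:01 web sshd[101]: Failed password for root from 203.0.113.7 port 4122 ssh2",
        "Jan 15 15:30:05 web sshd[101]: Failed password for root from 203.0.113.7 port 4123 ssh2",
        "Jan 15 15:31:10 web sshd[102]: Accepted publickey for rich from 198.51.100.2 port 5000 ssh2",
    ],
    "mail": [
        "Jan 15 15:30:09 mail sshd[201]: Failed password for admin from 203.0.113.7 port 4124 ssh2",
        "Jan 15 15:30:30 mail sshd[202]: Failed password for invalid user test from 192.0.2.9 port 6000 ssh2",
    ],
    "db": [
        "Jan 15 15:32:00 db sshd[301]: Failed password for root from 192.0.2.9 port 6001 ssh2",
    ],
}

# Matches sshd's "Failed password" line: capture the syslog timestamp and source IP.
FAILED = re.compile(r"^(\w{3} +\d+ \d+:\d+:\d+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_failures(logs):
    """Yield (timestamp, source_ip, container) for every failed login in every container."""
    for container, lines in logs.items():
        for line in lines:
            m = FAILED.match(line)
            if m:
                # Syslog lines carry no year; 2015 is assumed for this sample.
                ts = datetime.strptime("2015 " + m.group(1), "%Y %b %d %H:%M:%S")
                yield ts, m.group(2), container

def hosts_to_ban(logs, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: set(containers)} for each source IP whose failures, counted
    across all containers, reach maxretry within a sliding findtime window."""
    events = sorted(parse_failures(logs))  # merge the per-container streams by time
    window = defaultdict(list)
    banned = {}
    for ts, ip, container in events:
        window[ip] = [(t, c) for t, c in window[ip] if ts - t <= findtime] + [(ts, container)]
        if len(window[ip]) >= maxretry and ip not in banned:
            banned[ip] = {c for _, c in window[ip]}
    return banned

def iptables_rules(banned):
    """Host-level DROP rules (strings only, not applied) for each banned source IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
```

With the sample data 203.0.113.7 never reaches three failures inside any single container but does across web and mail together, which is exactly the cross-container block a host-side scanner gets and per-container instances do not.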