On Sat, Jan 17, 2015 at 7:56 AM, lee <l...@yagibdah.de> wrote:
> Rich Freeman <ri...@gentoo.org> writes:
>>
>> Depends on how you run it, but yes, you might have multiple instances
>> of fail2ban running this way consuming additional RAM. If you were
>> really clever with your container setup they could share the same
>> binary and shared libraries, which means they'd share the same RAM.
>> However, it seems like nobody bothers running containers this way
>> (obviously way more work coordinating them).
>
> And they wouldn't be much separated anymore.

Yes and no. You can run 45 containers off of the same read-only root
filesystem and they're just as separated as 45 containers running off
of 45 copies of the same filesystem. The work comes from needing to
design your containers so that they can share stuff. The processes are
still isolated in memory, and they can't see outside of their
container. If they share a writable filesystem then they are not
separated with regard to that - you'd need to be careful what you
shared and what you didn't. Typically in these kinds of setups you're
going to use a gold image for most of your filesystem, and then use
tmpfs or such for anything writable. This is one of the drivers for
the /usr move - the goal is to consolidate the areas of a Linux
filesystem that an instance really needs to touch so that you don't
end up having read-write areas all over the place.

>
>> I doubt it would take more CPU - 1 process scanning 5 logs probably
>> doesn't use more CPU than 5 processes scanning 1 log each.
>
> Isn't there some sort of scheduling and/or other overhead involved when
> you run more processes? I mean the overhead of "just being there": A
> process scheduler that needs to consider 500 processes might require
> more CPU itself than a scheduler considering 150 processes.

The overhead is very minimal as far as I'm aware. The scheduler itself
is O(1) so no, it doesn't take longer to task-switch between 5
processes and 5M processes. I'm sure there are some CPU costs I'm not
accounting for, but it should be pretty low. RAM is really the issue
here. Maybe disk IO if all those processes are updating different
files as well.

>
>> You would get a security benefit from just running fail2ban on the
>> host, since a failure on one container would apply a block to all the
>> others.
>
> Plus when running fail2ban on the host, you can block connections from
> a particular IP for everyone.
>

Also, if you have a container running apache and another running
postfix, then a failed access attempt in postfix would result in
access to your apache server being blocked as well.

-- 
Rich
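The trade-off discussed in this thread (one host-level fail2ban reading every container's log versus one instance per container) can be made concrete with a small aggregation script. The following is an added example written for this page; it is not fail2ban's own code and not from the mailing list. The container names ("web", "mail", "ssh"), the log lines, and the IP addresses are all constructed, and the `maxretry` threshold simply mirrors the fail2ban concept of banning after N failures. It shows both effects the thread mentions: a ban triggered by postfix failures alone also applies to the apache container, and an address that spreads its attempts across services stays below each per-container threshold but is caught when the host counts failures across all logs.

```python
"""Host-wide vs. per-container counting of authentication failures.

Added example for this discussion (not fail2ban source, not from the thread).
Service names, log lines and IP addresses below are constructed samples.
"""
import re
from collections import Counter

# Constructed sample log lines in the style of sshd and postfix/smtpd
# authentication failures (illustrative, not captured from a real host).
CONTAINER_LOGS = {
    "web": [],  # hypothetical apache container: no auth failures of its own
    "mail": [   # hypothetical postfix container
        "Jan 17 07:50:01 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure",
        "Jan 17 07:50:09 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure",
        "Jan 17 07:50:17 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure",
        "Jan 17 07:51:02 mail postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: generic failure",
        "Jan 17 07:51:40 mail postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: generic failure",
    ],
    "ssh": [    # hypothetical sshd container
        "Jan 17 07:52:11 ssh sshd[880]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
        "Jan 17 07:52:15 ssh sshd[880]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2",
        "Jan 17 07:53:30 ssh sshd[884]: Failed password for root from 192.0.2.9 port 40001 ssh2",
    ],
}

IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
# One pattern per log format; each captures the client address as "ip".
FAILURE_PATTERNS = [
    re.compile(r"Failed password for .* from " + IPV4),
    re.compile(r"unknown\[" + IPV4 + r"\]: SASL \w+ authentication failed"),
]


def extract_failure_ip(line):
    """Return the client IP if the line is a recognised auth failure, else None."""
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None


def failures_per_container(logs):
    """Map container name -> Counter of failures per source IP in that log."""
    result = {}
    for name, lines in logs.items():
        counts = Counter()
        for line in lines:
            ip = extract_failure_ip(line)
            if ip is not None:
                counts[ip] += 1
        result[name] = counts
    return result


def per_container_bans(logs, maxretry=3):
    """What one fail2ban per container would ban: each container sees only its own log."""
    return {
        name: {ip for ip, n in counts.items() if n >= maxretry}
        for name, counts in failures_per_container(logs).items()
    }


def host_wide_bans(logs, maxretry=3):
    """What a single host-level instance reading every log would ban.

    A ban here is applied at the host firewall, so it blocks the address for
    every container, including ones that never saw a failure from it.
    """
    total = Counter()
    for counts in failures_per_container(logs).values():
        total.update(counts)
    return {ip for ip, n in total.items() if n >= maxretry}


if __name__ == "__main__":
    print("per-container bans:", per_container_bans(CONTAINER_LOGS))
    print("host-wide bans:    ", host_wide_bans(CONTAINER_LOGS))
```

With the constructed data, the per-container view bans 203.0.113.5 in the mail container only, while the host-wide view bans it for all three containers and additionally bans 198.51.100.7, whose two SMTP and two SSH failures never reach the threshold in any single log. Whether that cross-service blocking is a benefit or a nuisance is exactly the judgement the thread leaves to the operator.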