Crowdsec-firewall-bouncer in a container


Ready to get (in french) ‘une volée de bois vert’, but we are experimenting a way to use crowdsec-firewall-bouncer in a container.

We used to install it on the host with deb or rpm but this time we tried to get it workable within a rootfull container build with buildah and running by systemd and podman

buildah script

systemd service

We decided to go to nftables, ipset is going to be really old school, nftables is working well with firewalld (or firewalld works well with nftables :p)

Once started the container can receive orders from crowdsec container and interacts with nftables as we wish…

Well if you have suggestions, I can accept also do not go that way :slight_smile:

1 Like

Looks awesome! the only comment I had was installing the repositories is a great way, but you could also just grab the binary direct from the releases of github page. Then you can make a more minimal container size from scratch.

But other than that looks great!

1 Like