Can ISC DHCPv4 Lease a VIP for a Docker Swarm/KeepAlived Setup? ARP Setup?

Started by LakeNet, February 08, 2025, 09:54:21 PM

I have a docker swarm that I set up via keepalived. Is there a way to lease the IP address to this keepalived VIP so that I don't accidentally use it later down the road? It's also not responding to ARP from non-keepalived devices. I can nmap scan the VIP and it's fine on peers, but from non-peers it times out. Anyone know what that might be? I have not followed ChatGPT's suggestions because I would prefer to manage this through OPNSense, if at all possible. If y'all tell me to just go this route then I'll do so. Thanks!

Here's what ChatGPT is suggesting:

1. Adjust ARP Settings on the VIP-Holding Nodes
When using keepalived to manage a VIP on Linux, you often need to tune the ARP behavior so that only the active node responds to ARP requests for the VIP and so that external devices learn the correct MAC address quickly. Try setting the following sysctl parameters on the interfaces that are handling the VIP:

Set arp_ignore and arp_announce:

You can add these to a file in /etc/sysctl.d/ (for example, /etc/sysctl.d/99-keepalived.conf):

# Only respond to ARP requests if the target IP is local to the interface that received the request.
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1

# Use the best local IP for ARP requests (avoid ARP flux).
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2

Apply the Changes:

sudo sysctl --system
These settings ensure that the node holding the VIP replies to ARP requests only on the proper interface and that it announces the VIP using the correct source IP/MAC.

2. Verify Gratuitous ARP (GARP) Behavior
Keepalived is designed to send gratuitous ARPs when the VIP is acquired or moved. This informs the rest of your network about the new MAC/IP association. In your keepalived configuration file, you can adjust or add parameters such as garp_interval (how often gratuitous ARPs are sent) if you suspect that the announcements are too infrequent. For example:

vrrp_instance VI_1 {
    state MASTER                 # initial state only; the VRRP election still decides who holds the VIP
    interface eth0               # interface that carries VRRP advertisements and the VIP
    virtual_router_id 51         # 0-255, must be identical on every peer of this instance
    priority 150                 # highest priority among the peers becomes MASTER
    advert_int 1                 # seconds between VRRP advertisements
    garp_master_refresh 5        # repeat gratuitous ARPs every 5 s while MASTER (0 = only on transition)
    garp_master_delay 1          # seconds after becoming MASTER before a second GARP burst is sent
    garp_interval 3              # seconds between individual GARP messages on the interface
    virtual_ipaddress {
        192.168.1.20             # the VIP announced by whichever node is MASTER
    }
}

Check your keepalived logs to see that gratuitous ARPs are being sent when the VIP is brought up or during failover events.
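On the first question in the post (keeping the VIP out of the DHCP server's hands), the following ISC dhcpd subnet declaration is an added example and not part of the original post or of OPNsense's own configuration. The addresses are placeholders taken from the keepalived snippet above; the VIP 192.168.1.20 floats between nodes and therefore has no fixed MAC to bind a reservation to, so the reliable control is to leave it outside the dynamic range. The first block shows the pool that would eventually hand the VIP to a random client, the second the corrected range:

```conf
# BEFORE: range covers 192.168.1.20, so dhcpd may lease the VIP to any client.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.10 192.168.1.200;
}

# AFTER: pool starts above the VIP (and any other static/VRRP addresses),
# so 192.168.1.20 can never be handed out. Same effect as setting the
# Range fields of the DHCPv4 service in OPNsense to 192.168.1.100-200.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.200;
}
```

This only stops the DHCP server from leasing the address; a host with a manually configured 192.168.1.20 would still collide with the VIP, which is an ARP-level conflict that DHCP cannot prevent.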
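For the second symptom (peers reach the VIP, non-peers time out), the useful check is to ask the segment directly who answers ARP for the VIP, from a host that does not run keepalived. The script below is an added example, not code from the original post or from keepalived; it assumes Linux raw AF_PACKET sockets (root or CAP_NET_RAW), and the function names and 192.168.1.x addresses are placeholders chosen here. It broadcasts a who-has for the VIP, collects every is-at reply and reports whether nobody, exactly one MAC, or several MACs claimed the address:

```python
"""Probe which host answers ARP for a keepalived VIP.

Added example, not from the original post or from keepalived/OPNsense.
Assumes Linux (AF_PACKET raw sockets, root or CAP_NET_RAW); function
names and the 192.168.1.x addresses are placeholders chosen here.
"""
import socket
import struct
import sys
import time

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"          # RFC 826 Ethernet/IPv4 ARP body, 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request (sent to broadcast) or an ARP reply."""
    eth_dst = BROADCAST_MAC if oper == OP_REQUEST else dst_mac
    tha = b"\x00" * 6 if oper == OP_REQUEST else mac_bytes(dst_mac)
    eth = mac_bytes(eth_dst) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      tha, socket.inet_aton(dst_ip))
    return eth + arp


def parse_arp_reply(frame: bytes, vip: str):
    """Return (sender_mac, sender_ip) if frame is an ARP is-at for vip, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, OP_REPLY):
        return None
    if socket.inet_ntoa(spa) != vip:
        return None
    return mac_str(sha), socket.inet_ntoa(spa)


def iface_addrs(iface: str):
    """MAC and IPv4 address of a local interface via SIOCGIFHWADDR / SIOCGIFADDR."""
    import fcntl
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack("256s", iface.encode()[:15])
        mac = fcntl.ioctl(s.fileno(), 0x8927, req)[18:24]   # SIOCGIFHWADDR
        ip = fcntl.ioctl(s.fileno(), 0x8915, req)[20:24]    # SIOCGIFADDR
    return mac_str(mac), socket.inet_ntoa(ip)


def probe_vip(iface: str, vip: str, tries: int = 3, wait: float = 1.0) -> dict:
    """Broadcast who-has for vip `tries` times; count is-at replies per sender MAC."""
    src_mac, src_ip = iface_addrs(iface)
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(0.2)
    answers = {}
    try:
        for _ in range(tries):
            sock.send(build_arp(OP_REQUEST, src_mac, src_ip, BROADCAST_MAC, vip))
            deadline = time.monotonic() + wait
            while time.monotonic() < deadline:        # keep listening: duplicates matter
                try:
                    hit = parse_arp_reply(sock.recv(65535), vip)
                except socket.timeout:
                    continue
                if hit:
                    answers[hit[0]] = answers.get(hit[0], 0) + 1
    finally:
        sock.close()
    return answers


def diagnose(answers: dict, tries: int) -> str:
    """Plain-language reading of a probe result."""
    if not answers:
        return "no ARP reply: the VIP holder is not answering on this segment"
    if len(answers) > 1:
        return "replies from several MACs: more than one node claims the VIP"
    mac, n = next(iter(answers.items()))
    return f"VIP answered by {mac} ({n}/{tries} probes)"


if __name__ == "__main__":
    iface, vip = sys.argv[1], sys.argv[2]          # e.g. eth0 192.168.1.20
    print(diagnose(probe_vip(iface, vip), 3))
```

Run it from a non-peer host on the same L2 segment. With a default keepalived setup (no use_vmac) the replying MAC should be the physical MAC of the current MASTER's interface; a VRRP virtual MAC of the form 00:00:5e:00:01:xx means use_vmac is in play. An empty result while the peers can still reach the VIP is the symptom from the post, and one thing worth checking in that case is the arp_ignore=1 setting above: it makes the kernel drop ARP requests that arrive on an interface other than the one the VIP is configured on, so a VIP placed on a bridge or a different interface than eth0 answers nothing. Two MACs in the result means two nodes believe they are MASTER.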