How to use keepalived virtual IP Address with Apps? Specifically Pi-hole

cjm571

Cadet
Joined
Nov 26, 2022
Messages
3
I'd like to use keepalived to set up high-availability with my Pi-hole instances. The primary is the TrueCharts Pi-hole app on my TrueNAS Scale box (192.168.0.100), and the backup is a Raspberry Pi (192.168.0.98). I've managed to get keepalived to behave and create a virtual interface and IP (en4sp0:0, 192.168.0.10) that Pi-hole would eventually use. However, I can't seem to get the Pi-hole app to make use of this virtual IP.

I know that the virtual IP is functioning, as it appears in ifconfig properly, and I can also access the TrueNAS web UI with it. It does not, however, appear in the Interfaces section of the TrueNAS Network page, nor does it appear as an option for "Host Interface" under the Expert Config in the App Edit menu.

Seems like the "fix" I'm looking for would be to get that virtual interface to show up in the Network Interfaces, and then choose it as the external interface for the Pi-hole app to use, but I'm not sure how to do that. Has anyone had good results in addressing this kind of thing, or working with keepalived/VRRP in general with TrueNAS Apps?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
There is no need for KeepAlive should you wish to run PI-Hole.

PI-Hole is a DNS Server.... DNS has its own built-in HA mechanism.

Just install both of your PI-Holes, first with IP01 and second with IP02. In your client, either by static configuration or with DHCP, configure the operating system to use both of these IPs as DNS (first as primary, second as secondary).

Way easier than KeepAlive!
 

cjm571

Appreciate the response, but primary/secondary DNS is not the true HA I'm going for - clients may choose (randomly, in some cases) which of the two servers to use. This particular RPi is very old, and will struggle under even nominal loads, so I'd like to use it only as an "emergency backup" of sorts, in case the TrueNAS Pi-hole container (or the whole TrueNAS box itself) crashes. Basically, I want HA, but also high nominal performance :)

And in any case, though my current use case is limited to Pi-hole, I am interested in the general concept of HA using TrueNAS, in case I find a different App that I'd like to have HA with. So I'm still interested in figuring out keepalived (or some other mechanism), despite the challenges.
 

Heracles

> but primary/secondary DNS is not the true HA I'm going for

Well... you need to learn more about "true HA" then.

Keepalive will monitor at layer 3, while DNS itself has its HA at layer 7. As such, keepalive will not detect a process that is running but not responding (the IP stack will keep replying, the process will be there, ...). Because primary's IP will be up, there will be no load transfer. Keepalive is a faked HA much more than true HA.

> This particular RPi is very old, and will struggle under even nominal loads

Another thing to know about HA is that the solution must be able to run normally even after losing one (or more) member. Here, you do not trust that RPi to sustain up to 50% of the load (should all your clients do load sharing over their DNS servers). As such, it is completely unusable in a config for redundant DNS using 2 members because that means it would need to sustain 100%. It may be part of a cluster of 4 (if you think it can sustain 33% of your load) but not in a pair.

> I'd like to use it only as an "emergency backup"

Then have your DNS configured normally, point your regular clients only to the primary and point your critical resources to both. Also, on regular clients, you can give them 1.1.1.1 or similar as a secondary DNS. In that case, they will not be ad-protected in case of a problem but will remain On. That would be a fail-open type of security. If you look for a fail close, then just your single DNS will do it.

> Basically, I want HA, but also high nominal performance :)

If that RPi is that bad, just go for a new one. They are not that expensive...

> I am interested in the general concept of HA using TrueNAS

TrueNAS is a ZFS storage appliance. Its redundancy will be at the storage level, so Raid-Zx, mirrors, etc. When it's time to include another server, ZFS replication will be the mechanism for that, itself based on the snapshots. Keepalive is nowhere to be found here.

Keepalive will offer one kind of redundancy but not of a great value. Should a protocol have its own HA mechanism (DNS, SMTP, ...), that one will be a million times better. For HTTP, go with a reverse proxy like HAProxy that will do monitoring and distribute the load according to the available members in the cluster and their roles. For IP-based services like routers / firewalls, again, they have their own HA solution to transfer not only the active IP but also things like active sessions in progress so network traffic will survive during a failover. Keepalive will not do any of that.

At the end, if you insist on using KeepAlive on your TrueNAS server, you will have better support about KeepAlive in a forum related to that tool instead. Being completely different and not related to TrueNAS, Keepalive is out-of-scope in this forum...
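
Added example, not part of any post in this thread: a layer-7 DNS liveness probe illustrating the difference discussed above between a host whose IP still answers and a DNS process that actually answers queries. The query name `pi.hole`, the function names and the loopback stub resolvers are assumptions constructed for the demonstration.

```python
import socket
import struct
import threading

QUERY_ID = 0x1234  # arbitrary transaction id chosen for this example

def build_query(name):
    """Build a minimal DNS A/IN query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_alive(server, port=53, name="pi.hole", timeout=1.0):
    """True only if a DNS process at server:port answers the query in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP port unreachable
            return False
    if len(reply) < 12:  # shorter than a DNS header
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    # Require a response (QR=1) to our id with RCODE NOERROR(0) or NXDOMAIN(3).
    return rid == QUERY_ID and bool(flags & 0x8000) and (flags & 0xF) in (0, 3)

def start_stub(respond):
    """Constructed stand-in resolver on loopback; respond=False mimics a hung process."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # port stays open, so the IP stack looks healthy
    def serve():
        while True:
            data, addr = sock.recvfrom(512)
            if respond:  # echo the question back flagged as a NOERROR response
                sock.sendto(data[:2] + struct.pack("!H", 0x8180) + data[4:], addr)
    threading.Thread(target=serve, daemon=True).start()
    return sock

if __name__ == "__main__":
    healthy, hung = start_stub(True), start_stub(False)
    for label, stub in (("healthy", healthy), ("hung", hung)):
        port = stub.getsockname()[1]
        print(label, "->", dns_alive("127.0.0.1", port, timeout=0.5))
```

Both stubs hold an open UDP port on a reachable address; only the probe that waits for a well-formed DNS reply tells them apart.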
 

cjm571

Ah, gotcha. Seems like I'm just trying to shoehorn a keepalived setup when it's really not the right tool.

Really appreciate the detailed response!
 