[PVE-User] 'HA' on a single node...

[Arjen]

On Wednesday, October 14, 2020 3:21 PM, Marco Gaiarin <gaio at sv.lnf.it> wrote:

>
>
> OK, subject is a bit an oxymoron, but...
>
> I need to setup a PVE standalone server, where one of the VMs is a
> firewall, that permit the connection to the Internet, and so also the
> management of the PVE instance.
>
> If 'something' (in the mostly vague sense of) goes wrong, and the
> firewall VM does not start, i'm cutted out.
>
> I think i've two chices:
>
> a) move the firewall part, at least the more critical one, to the
> phisical node, PVE. This is simple and effective, but clearly not a
> 'clean' solution.
>
> b) use a VM as firewall, but built around it some sort of 'HA', eg some
> scripts or something like that will do all the effort possible to keep
> the 'firewall' VM running.
>
> Because the firewall VM will be a rather simple one, could be also
> something like: throw away current vm and restore the more recent
> backup.
>
> Someone have just done something like that? Thanks.

Maybe the watchdog option[0] can be of help? You can make the VM restart if it freezes.

You can also use qm agent ${VMID} ping [1] to check if the QEMU guest agent is still running in the VM.
But you will have to do some scripting and check regularly (crontab?) and reset the VM hard if not responding
(and also give it some time to start the QEMU guest agent).

Note that none of those methods may be perfect, but multiple together might help restarting the VM in common cases.

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_configuration
[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_strong_qm_strong_qemu_kvm_virtual_machine_manager

Hope this helps. Maybe other people have more tips and tricks?