Since the Newton release, users of HA routers have had a keepalived healthcheck that fails if it doesn't get a response to a single ping or if the expected tenant network address is not configured in the local namespace being watched. While this works for most cases where an environment is stable it appears to produce a lot of instability as soon as an environment gets loaded or a node fails and transitions/failovers occur. An example of this appears to be where transitions of the MASTER to a new node take a little longer than they should. For example we have seen in the field that under heavy load a node can, for a very short period of time, have the external network address that keepalived is tracking be configured on two interfaces/hosts at once and while neutron is still doing its garp updates it is possible that a ping from the new master router can fail to get a response for 50% of requests since the switch may still send the reply to either the new master or the old one.
In order to avoid transient problems like this from causing further instability we would like to be able to make the healthcheck a little more tolerant of transient issues. Currently the healthcheck script is generated by Neutron for each router and its contents are not configurable. It would be great to be able to change e.g. the number of pings that it will do before declaring a failure.
I think that this is pretty good idea for some use cases.
But as keepalived have got tons of different options can You maybe write exactly which of them You want to include and make configurable through neutron config files?
Or maybe we should do it differently and e.g. propose some template of the config file and fill this template with variables, like interface name, IP addresses, etc. for specific router.
That way user may be able to configure whatever keepalived options he would need by preparing this template file to the l3 agent. What do You think about it?