docs(roles/keepalived): document role scope and limitations

markuslf · markuslf · commit c247e3b2925f · 2026-04-19T21:55:26.000+02:00
Add a "Scope" section to the README right after the introduction,
spelling out what the role covers (single vrrp_instance, single VIP,
PASS auth, smtp_alert, priorities 255/200) and what it intentionally
does not (the net.ipv4.ip_nonlocal_bind sysctl, firewall rules for
VRRP, tracking, notify_* hooks). Pointers to kernel_settings and
firewall roles included.

Follows CONTRIBUTING.md: "To understand/use a role, reading the
README must be enough." Without the Scope block, admins assumed that
firewall opening and ip_nonlocal_bind were handled by the role.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+* **role:keepalived**: Document role scope in the README. The role intentionally covers only a minimal VRRP setup (single `vrrp_instance`, single `virtual_ipaddress`, PASS auth, `smtp_alert`). It does not set the `net.ipv4.ip_nonlocal_bind` sysctl and does not open the firewall for VRRP; pointers to the `kernel_settings` and `firewall` roles are included
 * **all roles**: Rewrite all role READMEs to use the new standard format: replace markdown tables with bullet lists for tags and variables, convert HTML/blockquote subkeys to expanded indented format, standardize terminology (`Bool` not `Boolean`, `Mandatory` not `Required`)
 * **role:opensearch**: Rewrite README with step-by-step cluster setup guide, single-node section, post-installation steps, and improved variable documentation
 * **role:elasticsearch**: Improve README with single-node section and clearer explanation of the manual certificate approach for cluster setup
diff --git a/roles/keepalived/README.md b/roles/keepalived/README.md
@@ -3,6 +3,31 @@
 This role installs and configures [keepalived](https://www.keepalived.org/).
 
 
+## Scope
+
+The role intentionally covers a minimal VRRP setup:
+
+* Deploys exactly one `vrrp_instance` (`VI_{{ keepalived__instance_id }}`) with a single
+  `virtual_ipaddress`.
+* PASS authentication (`auth_type PASS`) between MASTER and BACKUP. Note that keepalived
+  only evaluates the first eight characters of the password.
+* Priorities: `255` for MASTER, `200` for BACKUP.
+* `smtp_alert` for notifications; no `notify_*` hooks.
+* No tracking (no `track_process`, `track_file`, `track_interface` or `track_script`).
+
+It does **not**:
+
+* Set the `net.ipv4.ip_nonlocal_bind = 1` sysctl that services binding to the VIP typically
+  need. Use [linuxfabrik.lfops.kernel_settings](https://github.com/Linuxfabrik/lfops/tree/main/roles/kernel_settings)
+  or set it manually.
+* Open the firewall for VRRP (IP protocol 112). Use [linuxfabrik.lfops.firewall](https://github.com/Linuxfabrik/lfops/tree/main/roles/firewall)
+  or similar.
+
+For advanced setups (multiple VIPs, tracking-based priority adjustments, `notify_*` hooks),
+override the template in your own role or extend `/etc/keepalived/keepalived.conf`
+manually.
+
+
 ## Tags
 
 `keepalived`
