#584206 heartbeat: Upgrade to 3.0.3 destroys cluster configuration from 2.1.3 due to digest mismatch

Package: heartbeat
Source: heartbeat
Description: Subsystem for High-Availability Linux
Submitter: Florian Haas
Date: 2010-06-02 09:21:05 UTC
Severity: important

#584206#5
Date: 2010-06-02 09:16:48 UTC

Heartbeat 3.0.3 requires Pacemaker, which provides cluster resource management functionality
which was part of Heartbeat before the package split. Thus it is possible for a user to do a direct
upgrade from Heartbeat 2.1.3 (lenny) to Heartbeat 3.0.3 + Pacemaker 1.0.8 (squeeze). When doing such
an upgrade, Pacemaker should take the cluster configuration in /var/lib/heartbeat/crm/cib.xml, and
continue to serve cluster resources.

However, due to a subtle and unintended change in the digest algorithm which Pacemaker uses to
compare the CIB to its signature (cib.xml.sig), Pacemaker complains about a non-matching signature
on startup, refuses to read the CIB, and continues with an empty cluster configuration.

Upstream is aware of this problem, but unwilling to fix it "just to make 2.1.3 work", as any fix
would break digest verification on existing Pacemaker clusters.

A workaround exists and is documented at http://www.linux-ha.org/doc/s-upgrade-crm.html. However,
the current Debian packages do not back up/restore the CIB, while they do restart Heartbeat services.

In total, this makes it very easy to break one's cluster by doing a naive dist-upgrade.

AFAICS there are two ways of mitigating this issue:

1. quick and dirty: "dh_installinit --no-start" -- simply don't touch running Heartbeat services
   during the upgrade.

2. proper: add a debconf boolean saying "Have you backed up your CIB? Have you manually restored it
   on just the first node where you are running your upgrade? Have you read the upstream docs?"
   And only if the answer is yes, restart Heartbeat services.
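
The backup step that the report says the packages lack, sketched as an added example (not code from the Debian heartbeat package or from upstream). The function names, the CIB_DIR/CIB_BACKUP_DIR variables and the /var/backups location are assumptions; the CIB path and file names are the ones given in the report, and restoring the CIB is left to the upstream procedure linked above.

```shell
#!/bin/sh
# Added example: save cib.xml and cib.xml.sig before a 2.x -> 3.x upgrade,
# so a digest mismatch after the restart cannot cost the configuration.

# Return 0 if the previously installed version is a pre-3.x Heartbeat.
# An optional Debian epoch ("1:") is stripped before looking at the major number.
needs_cib_backup() {
    old=${1#*:}
    major=${old%%.*}
    case $major in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: nothing to compare
    esac
    [ "$major" -lt 3 ]
}

# Copy the CIB and its signature from $1 to $2 and verify each copy.
# Returns 0 on success, 1 on a failed copy, 2 if there is no cib.xml.
backup_cib() {
    src=$1
    dest=$2
    [ -f "$src/cib.xml" ] || return 2
    # The CIB can hold sensitive resource parameters: keep the copy private.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in cib.xml cib.xml.sig; do
        [ -f "$src/$f" ] || continue          # signature may be absent
        cp -p "$src/$f" "$dest/$f" || return 1
        cmp -s "$src/$f" "$dest/$f" || return 1
    done
    return 0
}

# Hypothetical preinst hook. dpkg calls preinst as: preinst upgrade <old-version>
# A failed backup returns non-zero, which aborts the upgrade before any restart.
preinst_hook() {
    [ "$1" = upgrade ] && needs_cib_backup "$2" || return 0
    rc=0
    backup_cib "${CIB_DIR:-/var/lib/heartbeat/crm}" \
               "${CIB_BACKUP_DIR:-/var/backups/heartbeat-cib}" || rc=$?
    [ "$rc" -eq 2 ] && return 0               # no CIB on this node
    return "$rc"
}
```

This only protects the files; it does not make Pacemaker accept the old signature, so the restart decision discussed in the two options above still applies.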