Heartbeat 3.0.3 requires Pacemaker, which provides cluster resource management functionality which was part of Heartbeat before the package split. Thus it is possible for a user to do a direct upgrade from Heartbeat 2.1.3 (lenny) to Heartbeat 3.0.3 + Pacemaker 1.0.8 (squeeze). When doing such an upgrade, Pacemaker should take the cluster configuration in /var/lib/heartbeat/crm/cib.xml, and continue to serve cluster resources. However, due to a subtle and unintended change in the digest algorithm which Pacemaker uses to compare the CIB to its signature (cib.xml.sig), Pacemaker complains about a non-matching signature on startup, refuses to read the CIB, and continues with an empty cluster configuration. Upstream is aware of this problem, but unwilling to fix it "just to make 2.1.3 work", as any fix would break digest verification on existing Pacemaker clusters. A workaround exists and is documented at http://www.linux-ha.org/doc/s-upgrade-crm.html. However, the current Debian packages do not backup/restore the CIB, while they do restart Heartbeat services. In total, this makes it very easy to break one's cluster by doing a naive dist-upgrade. AFAICS there are two ways of mitigating this issue: 1. quick and dirty: "dh_installinit --no-start" -- simply don't touch running Heartbeat services during the upgrade. 2. proper: add a debconf boolean saying "Have you backed up your CIB? Have you manually restored it on just the first node where you are running your upgrade? Have you read the upstream docs?" And only if the answer is yes, restart Heartbeat services.