From 50b0944c8add3f16b8190e75a6d06c3473c12a8f Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Thu, 21 Nov 2019 14:48:02 -0600
Subject: [PATCH 06/18] Feature: scheduler: add shutdown lock cluster options

This commit adds shutdown-lock and shutdown-lock-limit options (just the
options, not the feature itself).

shutdown-lock defaults to false, which preserves current behavior. The intended
purpose of setting it to true is to *prevent* recovery of a node's resources
elsewhere when the node is cleanly shut down, until the node rejoins. If
shutdown-lock-limit is set to a nonzero time duration, the cluster will
be allowed to recover the resources if the node has not rejoined within this
time.

The use case is when rebooting a node (such as for software updates) is done by
cluster-unaware system administrators during scheduled maintenance windows,
resources prefer specific nodes, and resource recovery time is high.
---
 include/crm/msg_xml.h          |  4 +++-
 include/crm/pengine/pe_types.h |  2 ++
 lib/pengine/common.c           | 24 +++++++++++++++++++++++-
 lib/pengine/unpack.c           | 10 ++++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/include/crm/msg_xml.h b/include/crm/msg_xml.h
index d56e40c..d0cdf6c 100644
--- a/include/crm/msg_xml.h
+++ b/include/crm/msg_xml.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2019 the Pacemaker project contributors
+ * Copyright 2004-2020 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
@@ -346,6 +346,8 @@ extern "C" {
 #  define XML_CONFIG_ATTR_FORCE_QUIT	"shutdown-escalation"
 #  define XML_CONFIG_ATTR_RECHECK	"cluster-recheck-interval"
 #  define XML_CONFIG_ATTR_FENCE_REACTION	"fence-reaction"
+#  define XML_CONFIG_ATTR_SHUTDOWN_LOCK         "shutdown-lock"
+#  define XML_CONFIG_ATTR_SHUTDOWN_LOCK_LIMIT   "shutdown-lock-limit"
 
 #  define XML_ALERT_ATTR_PATH		"path"
 #  define XML_ALERT_ATTR_TIMEOUT	"timeout"
diff --git a/include/crm/pengine/pe_types.h b/include/crm/pengine/pe_types.h
index 23e1c46..8a735a3 100644
--- a/include/crm/pengine/pe_types.h
+++ b/include/crm/pengine/pe_types.h
@@ -102,6 +102,7 @@ enum pe_find {
 #  define pe_flag_start_failure_fatal   0x00001000ULL
 #  define pe_flag_remove_after_stop     0x00002000ULL
 #  define pe_flag_startup_fencing       0x00004000ULL
+#  define pe_flag_shutdown_lock         0x00008000ULL
 
 #  define pe_flag_startup_probes        0x00010000ULL
 #  define pe_flag_have_status           0x00020000ULL
@@ -167,6 +168,7 @@ struct pe_working_set_s {
     GList *stop_needed; // Containers that need stop actions
     time_t recheck_by;  // Hint to controller to re-run scheduler by this time
     int ninstances;     // Total number of resource instances
+    guint shutdown_lock;// How long (seconds) to lock resources to shutdown node
 };
 
 enum pe_check_parameters {
diff --git a/lib/pengine/common.c b/lib/pengine/common.c
index da39c99..e72a033 100644
--- a/lib/pengine/common.c
+++ b/lib/pengine/common.c
@@ -1,5 +1,7 @@
 /*
- * Copyright 2004-2018 Andrew Beekhof <andrew@beekhof.net>
+ * Copyright 2004-2020 the Pacemaker project contributors
+ *
+ * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU Lesser General Public License
  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
@@ -85,6 +87,26 @@ static pe_cluster_option pe_opts[] = {
 	  "When set to TRUE, the cluster will immediately ban a resource from a node if it fails to start there. When FALSE, the cluster will instead check the resource's fail count against its migration-threshold." },
 	{ "enable-startup-probes", NULL, "boolean", NULL, "true", &check_boolean,
 	  "Should the cluster check for active resources during startup", NULL },
+    {
+        XML_CONFIG_ATTR_SHUTDOWN_LOCK,
+        NULL, "boolean", NULL, "false", &check_boolean,
+        "Whether to lock resources to a cleanly shut down node",
+        "When true, resources active on a node when it is cleanly shut down "
+            "are kept \"locked\" to that node (not allowed to run elsewhere) "
+            "until they start again on that node after it rejoins (or for at "
+            "most shutdown-lock-limit, if set). Stonith resources and "
+            "Pacemaker Remote connections are never locked. Clone and bundle "
+            "instances and the master role of promotable clones are currently "
+            "never locked, though support could be added in a future release."
+    },
+    {
+        XML_CONFIG_ATTR_SHUTDOWN_LOCK_LIMIT,
+        NULL, "time", NULL, "0", &check_timer,
+        "Do not lock resources to a cleanly shut down node longer than this",
+        "If shutdown-lock is true and this is set to a nonzero time duration, "
+            "shutdown locks will expire after this much time has passed since "
+            "the shutdown was initiated, even if the node has not rejoined."
+    },
 
 	/* Stonith Options */
 	{ "stonith-enabled", NULL, "boolean", NULL, "true", &check_boolean,
diff --git a/lib/pengine/unpack.c b/lib/pengine/unpack.c
index c9fc672..8c0d72a 100644
--- a/lib/pengine/unpack.c
+++ b/lib/pengine/unpack.c
@@ -319,6 +319,16 @@ unpack_config(xmlNode * config, pe_working_set_t * data_set)
     data_set->placement_strategy = pe_pref(data_set->config_hash, "placement-strategy");
     crm_trace("Placement strategy: %s", data_set->placement_strategy);
 
+    set_config_flag(data_set, "shutdown-lock", pe_flag_shutdown_lock);
+    crm_trace("Resources will%s be locked to cleanly shut down nodes",
+              (is_set(data_set->flags, pe_flag_shutdown_lock)? "" : " not"));
+    if (is_set(data_set->flags, pe_flag_shutdown_lock)) {
+        value = pe_pref(data_set->config_hash,
+                        XML_CONFIG_ATTR_SHUTDOWN_LOCK_LIMIT);
+        data_set->shutdown_lock = crm_parse_interval_spec(value) / 1000;
+        crm_trace("Shutdown locks expire after %us", data_set->shutdown_lock);
+    }
+
     return TRUE;
 }
 
-- 
1.8.3.1