Dev: cibconfig: Prevent adding Pacemaker remote resources to groups, orders, or colocations

liangxin1300 · liangxin1300 · commit 37b2578c2850 · 2025-05-06T11:03:21.000+08:00
diff --git a/crmsh/cibconfig.py b/crmsh/cibconfig.py
@@ -1702,14 +1702,21 @@ def check_sanity(self) -> VerifyResult:
         if self.node is None:  # eh?
             logger.error("%s: no xml (strange)", self.obj_id)
             return utils.get_check_rc()
+
+        rc = VerifyResult.SUCCESS
         l = get_resource_meta_list()
         if self.obj_type == "clone":
             l += constants.clone_meta_attributes
         elif self.obj_type == "ms":
             l += constants.clone_meta_attributes + constants.ms_meta_attributes
         elif self.obj_type == "group":
+            for c in self.node.iterchildren():
+                if c.tag == "primitive" and c.get("class") == "ocf" and c.get("type") == "remote":
+                    logger.error("Remote resource '%s' cannot be in a group", c.get("id"))
+                    rc |= VerifyResult.FATAL_ERROR
             l += constants.group_meta_attributes
-        return sanity_check_meta(self.obj_id, self.node, l)
+        rc |= sanity_check_meta(self.obj_id, self.node, l)
+        return rc
 
     def repr_gv(self, gv_obj, from_grp=False):
         '''
@@ -1774,6 +1781,24 @@ def _check_if_constraint_ref_is_child(obj) -> VerifyResult:
     return rc
 
 
+def check_if_primitive_in_constraint_is_remote(obj) -> VerifyResult:
+    rc = VerifyResult.SUCCESS
+    primitives = []
+    if obj.obj_type == "colocation":
+        primitives = [obj.node.get("rsc"), obj.node.get("with-rsc")]
+    elif obj.obj_type == "order":
+        primitives = [obj.node.get("first"), obj.node.get("then")]
+    for rscid in primitives:
+        tgt = cib_factory.find_object(rscid)
+        if not tgt:
+            logger.warning("%s: resource %s does not exist", obj.obj_id, rscid)
+            rc |= VerifyResult.WARNING
+        elif tgt.node.get("class") == "ocf" and tgt.node.get("type") == "remote":
+            logger.error("Cannot put remote resource '%s' in %s constraint", rscid, obj.obj_type)
+            rc |= VerifyResult.FATAL_ERROR
+    return rc
+
+
 class CibLocation(CibObject):
     '''
     Location constraint.
@@ -2000,7 +2025,9 @@ def check_sanity(self) -> VerifyResult:
         if self.node is None:
             logger.error("%s: no xml (strange)", self.obj_id)
             return utils.get_check_rc()
-        return _check_if_constraint_ref_is_child(self)
+        rc1 = _check_if_constraint_ref_is_child(self)
+        rc2 = check_if_primitive_in_constraint_is_remote(self)
+        return rc1 | rc2
 
 
 class CibRscTicket(CibSimpleConstraint):
