CA-417520: Fix firewalld issues for HA (#6688)

BengangY · web-flow · commit 351f29c3d6bf · 2025-10-10T17:35:36.000+08:00
1. Modify startup order in `server_init`. Checking HA configuration
depends on the firewalld service, so move the updating firewalld service
before checking HA configuration.
2. HA supports 2 cluster stacks: xha and corosync. Only xha needs to
control firewalld service dynamically. For corosync HA, the firewalld
service dlm has been already controlled by the xapi-clusterd, so it
doesn't need to control dynamically.
3. Slave's HA is shutdown in `ha_wait_for_shutdown_via_statefile`. Add
disabling firewalld service here.
diff --git a/ocaml/xapi/xapi_ha.ml b/ocaml/xapi/xapi_ha.ml
@@ -966,13 +966,20 @@ let redo_log_ha_enabled_at_startup () =
 
 (* ----------------------------- *)
 
+let update_ha_firewalld_service status =
+  (* Only xha needs to enable firewalld service. Other HA cluster stacks don't
+     need. *)
+  if Localdb.get Constants.ha_cluster_stack = !Xapi_globs.cluster_stack_default
+  then
+    let module Fw =
+      ( val Firewall.firewall_provider !Xapi_globs.firewall_backend
+          : Firewall.FIREWALL
+        )
+    in
+    Fw.update_firewall_status Firewall.Xenha status
+
 let ha_start_daemon () =
-  let module Fw =
-    ( val Firewall.firewall_provider !Xapi_globs.firewall_backend
-        : Firewall.FIREWALL
-      )
-  in
-  Fw.update_firewall_status Firewall.Xenha Firewall.Enabled ;
+  update_ha_firewalld_service Firewall.Enabled ;
   let (_ : string) = call_script ha_start_daemon [] in
   ()
 
@@ -1133,15 +1140,9 @@ let ha_set_excluded __context _localhost =
   ()
 
 let ha_stop_daemon __context _localhost =
-  let module Fw =
-    ( val Firewall.firewall_provider !Xapi_globs.firewall_backend
-        : Firewall.FIREWALL
-      )
-  in
   Monitor.stop () ;
-  Fw.update_firewall_status Firewall.Xenha Firewall.Disabled ;
-
   let (_ : string) = call_script ha_stop_daemon [] in
+  update_ha_firewalld_service Firewall.Disabled ;
   ()
 
 let emergency_ha_disable __context soft =
@@ -1235,7 +1236,8 @@ let ha_wait_for_shutdown_via_statefile __context _localhost =
   with Xha_error Xha_errno.Mtc_exit_daemon_is_not_present ->
     info
       "ha_wait_for_shutdown_via_statefile: daemon has exited so returning \
-       success"
+       success" ;
+    update_ha_firewalld_service Firewall.Disabled
 
 (** Attach the statefile VDIs and return the resulting list of paths in dom0 *)
 let attach_statefiles ~__context statevdis =
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -3404,7 +3404,11 @@ let update_firewalld_service_status ~__context =
               )
               (Db.Tunnel.get_all ~__context)
         | Xenha ->
+            (* Only xha needs to enable firewalld service. Other HA cluster
+               stacks don't need. *)
             bool_of_string (Localdb.get Constants.ha_armed)
+            && Localdb.get Constants.ha_cluster_stack
+               = !Xapi_globs.cluster_stack_default
       in
       List.iter
         (fun s -> if is_enabled s then enable_firewalld_service s)
