ubik: clones should not request votes

Clones should not be able to become the sync-site. To make it possible,
regular sites do not vote for a site tagged as clone. In other words,
the clones ask for votes but they cannot be the sync-site. Knowing that
their requests for votes should be refused by the regular sites, they
should never have enough votes to win the election.

In addition to the unnecessary network traffic created by these
unnecessary requests, this current approach can be problematic in some
specific situations. As an example, consider the following scenario:

    The user wants to turn a regular site, called host1, into a clone.
    To do so, he runs the following commands on every single server:

    $ bos removehost -server <server> -host host1
    $ bos addhost -server <server> -host host1 -clone

After that, he restarts the servers, one by one. Depending on the delay
between the restarts, a clone can become the sync-site. This is possible
because the clones request votes from the other sites. If enough regular
sites are not aware (yet) that the request for vote came from a clone,
the clone in question can get enough votes to win the election.

To fix the problems mentioned above, do not request votes if you cannot
be the sync-site.

Change-Id: Ic3569af8264dfff32f2a86b8dd99b922193f010a
Reviewed-on: https://gerrit.openafs.org/12654
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

diff --git a/src/ubik/vote.c b/src/ubik/vote.c
index 51b9220..ba4ff5a 100644 (file)
--- a/src/ubik/vote.c
+++ b/src/ubik/vote.c
@@ -112,6 +112,10 @@ uvote_ShouldIRun(void)
     afs_int32 now;
     int code = 1; /* default to yes */
 
+    if (amIClone) {
+       return 0;               /* if we cannot be the sync-site, do not ask for votes */
+    }
+
     UBIK_VOTE_LOCK;
     now = FT_ApproxTime();
     if (BIGTIME + vote_globals.ubik_lastYesTime < now)