A resource lock is used as a synchronization point between pacemaker
cluster nodes. It is currently implemented by adding an attribute in
an offline copy of CIB, and merging the update in the CIB only if no
concurrent updates has occurred in the mean time.
The problem with that approach is that - even if the concurrency is
enforced by pacemaker - the offline CIB contains a snapshot of the
cluster state; so pushing back the entire offline CIB pushes old
resources' state back into the cluster. This causes additional burden
on the cluster and sometimes caused unexpected cluster state
transition.
Internally we have observed unexpected resource transitions in
pacemaker when this resource lock was used to synchronize certificate
renewal for the galera resource agent.
This issue was fixed in the openstack/