fix(rest): normalize DRBD_DISKLESS + pin toggle-disk state machine (corner H)

[Andrei Kvapil (kvaps)]

Summary

Closes the group-H corner cases of the LINSTOR parity campaign (toggle-disk / migration state machine). One real wire-flag bug fixed (H3), two state-machine contracts pinned (H2/H4), one version-context divergence documented (H1). Diskless-detection and the --migrate-from sync-then-remove ordering are the load-bearing surfaces.

Verdict table

Item	What	Verdict	Evidence
H1	Stuck-toggle state machine (r td retry / cancel)	DELIBERATE DELTA (#67)	Upstream ≥1.34.0 recovers a stuck toggle by re-issuing the SAME command (retry) or the OPPOSITE one (cancel). The dev-stand oracle is 1.33.2 (pre-1.34; rejects with a conflict). blockstor already satisfies the 1.34 contract — a repeated toggle is idempotent, the opposite-direction toggle drives the satellite demote path (detach + reclaimVolumesForDiskless), and it additionally accepts an explicit ?cancel=true (Bug 40) the upstream client never sends. Pinned by existing TestToggleDiskCancelStuckAddDiskScenario4W24 + TestBug267ToggleToDisklessReclaimsBackingVolume.
H2	toggle-disk --migrate-from is sync-then-remove	MATCHES (pinned)	The migrate SOURCE is removed only AFTER the destination reaches UpToDate; redundancy never dips below the original diskful count. Pinned at L6 (tests/e2e/cli-matrix/toggle-disk-migrate-from.sh) + L7 (replay/toggle-disk-migrate-from.yaml), validated on the stand.
H3	Deprecated --diskless alias vs modern --drbd-diskless	DIVERGED (fixed)	The modern r c --drbd-diskless posts wire flag DRBD_DISKLESS; the deprecated --diskless posts the canonical DISKLESS (verified via linstor --curl against the 1.33.2 oracle, client 1.27.1). blockstor's diskless-detection surface keys exclusively on DISKLESS, so a --drbd-diskless replica was mis-classified as diskful — the satellite would carve backing storage and the quorum/tiebreaker math would miscount it. Folded DRBD_DISKLESS → DISKLESS at the create wire boundary. Pinned by pkg/rest/resource_create_drbd_diskless_test.go.
H4	DrbdOptions/auto-diskful trigger + priority hierarchy	DELIBERATE DELTA (#68), hierarchy pinned	blockstor honours the property and the RD>RG>Controller priority chain; the MIDDLE (RG) layer had no test. Added TestAutoDiskfulPropHierarchyRGWins + TestAutoDiskfulPropHierarchyRDBeatsRG, closing the lattice. The firing CONDITION (deficit-refill + immediate Primary-InUse promote) and the unimplemented auto-diskful-allow-cleanup trim are documented as accepted delta #68.

The fix (H3)

Diskless-detection across blockstor (the placer's splitByDiskless, the satellite's applyStorageIfDiskful, the quorum/tiebreaker arithmetic, the store's flag projection) keys exclusively on the canonical DISKLESS spelling. A resource created with the RECOMMENDED --drbd-diskless flag posts only DRBD_DISKLESS and was therefore treated as a diskful create. normalizeDisklessFlag folds DRBD_DISKLESS into DISKLESS once at the resource-create wire boundary (de-duplicating when both spellings are present), so the rest of the pipeline sees a single spelling.

Tests

• L1: pkg/rest/resource_create_drbd_diskless_test.go (H3 wire-boundary normalisation), internal/controller/auto_diskful_timer_test.go (H4 RD>RG>Controller hierarchy).
• L6: tests/e2e/cli-matrix/toggle-disk-migrate-from.sh (H2 sync-then-remove; redundancy floor asserted on every poll).
• L7: tests/operator-harness/replay/toggle-disk-migrate-from.yaml (H2 convergence assertion).

Known deltas

Rows #67 (H1 stuck-toggle version-context) and #68 (H4 auto-diskful trigger condition) appended to docs/cli-parity-known-deltas.md at max+1 over main's numbering.

Stand validation

The H2 L6/L7 artifacts create the diskless landing pad with the deprecated --diskless alias (canonical DISKLESS) so they validate the sync-then-remove contract against the currently-deployed stand image, which predates the H3 fix. H3's DRBD_DISKLESS normalisation is pinned at the L1 unit tier (the correct level for a wire-boundary canonicalisation) and takes effect once the controller change rolls out.

Root-cause of the original replay failure (now fixed): the first stand run timed out at the landing-pad step —

  -> step: r-c-dst-drbd-diskless :: linstor resource create dev-worker-3 <rd> --drbd-diskless
    ASSERTION TIMEOUT: kind=replica_diskless ... node=dev-worker-3
FAIL: toggle-disk-migrate-from

— because the deployed (pre-H3) image keys diskless-detection on the canonical DISKLESS spelling (pkg/satellite/reconciler.go isDiskless, pkg/store/k8s/resources.go), so a --drbd-diskless replica (DRBD_DISKLESS) was mis-classified as diskful and diskState never reported Diskless. Switching the landing pad to the --diskless alias removes that dependency on an unrolled controller change; the migration step itself was unit-validated.

Stand re-validation status: BLOCKED-ON-INFRA at submit time. The dev stand entered an INFRA-owned reset during re-validation — a worker (dev-worker-1) failed to return Ready and .work/dev/kubeconfig was wiped mid-run (the runner reached the workflow but reported SKIP: workflow needs 3 workers once discovery lost the cluster). The corrected replay should be re-run on the stand once it is healthy; the fix is conclusive at the code + L1 + L6/L7-shape level.

Notes

No shared-harness changes (lib.sh / replay-runner.sh untouched). go build ./... + go test ./... green; golangci-lint run and shellcheck -S error clean for the diff.

[coderabbitai]

Warning

Review limit reached

@kvaps, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 70a629b0-0267-4d61-99bc-6ad0f94de73a

📥 Commits

Reviewing files that changed from the base of the PR and between cfd5ce9 and a885cd9.

📒 Files selected for processing (6)

• docs/cli-parity-known-deltas.md
• internal/controller/auto_diskful_timer_test.go
• pkg/rest/autoplace.go
• pkg/rest/resource_create_drbd_diskless_test.go
• tests/e2e/cli-matrix/toggle-disk-migrate-from.sh
• tests/operator-harness/replay/toggle-disk-migrate-from.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch corner/h-toggle-disk-statemachine

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces changes to handle the modern --drbd-diskless flag by normalizing the DRBD_DISKLESS wire flag to the canonical DISKLESS flag at the API boundary, accompanied by comprehensive unit and E2E tests for the sync-then-remove migration behavior. It also adds tests to verify the priority hierarchy of the auto-diskful property (Controller < RG < RD). The review feedback suggests adding a defensive nil check for the resource pointer in the normalization function and capturing command output in a variable within the E2E bash script to prevent exit status masking.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

To adhere to defensive programming practices, it is recommended to add a nil check for the res pointer before accessing its fields. This prevents potential runtime panics if the function is called with a nil argument in the future.

Suggested change

	func normalizeDisklessFlag(res *apiv1.Resource) {
	if !slices.Contains(res.Flags, rscFlagDrbdDiskless) {
	func normalizeDisklessFlag(res *apiv1.Resource) {
	if res == nil || !slices.Contains(res.Flags, rscFlagDrbdDiskless) {
	return
	}

[gemini-code-assist]

Running linstor_diskful_nodes directly inside the if condition pipeline masks any command failures (even with pipefail active, the if statement suppresses set -e exits). If linstor_diskful_nodes fails, the test could silently pass. Consider capturing the output in a variable first to ensure failures are caught by set -e.

Suggested change

	if linstor_diskful_nodes "$RD" | grep -qx "$SRC"; then
	nodes=$(linstor_diskful_nodes "$RD")
	if echo "$nodes" | grep -qx "$SRC"; then

[Andrei Kvapil (kvaps)]

Stand validation root-caused: the earlier resource_absent failure was a wrong assertion, not a product gap — after the diskful source is pruned the auto-tiebreaker legitimately re-occupies the vacated node (2 diskful = even parity), so a Resource CRD for node1 exists again as a diskless TIE_BREAKER. The replay now asserts replica_diskless on the source + active_diskful_count=2 (the real sync-then-remove contract). Live stand on current main: controller logs migration complete: src pruned, dst UpToDate; the launcher will re-run the updated replay before merge.

[Andrei Kvapil (kvaps)]

Stand validation complete: the corrected replay (replica_diskless + active_diskful_count) PASSES on the live dev stand against current main — sync-then-remove contract confirmed at operator-CLI level (source's diskful replica pruned only after dst UpToDate; auto-tiebreaker legitimately re-occupies the vacated node).