RBMC: Only allow failovers after full sync

README.md

@@ -24,8 +24,8 @@ state to/by the end user.
 
 ## State Tracking and Control
 
-phosphor-state-manager makes extensive use of systemd. There is a writeup
-[here][1] with an overview of systemd and its use by OpenBMC.
+phosphor-state-manager makes extensive use of systemd. There is a [writeup][1]
+with an overview of systemd and its use by OpenBMC.
 
 phosphor-state-manager monitors for systemd targets to complete as a trigger to
 updating the its corresponding D-Bus property. When using PSM, a user must

redundant-bmc/README.md

@@ -174,7 +174,9 @@ Failovers aren't allowed when:
 
 1. Redundancy is disabled.
 2. The system is at some state other than off or runtime.
-3. More coming.
+3. `RedundancyEnabled` has changed to true but a full sync hasn't been
+   completed.
+4. More coming.
 
 When failovers aren't allowed, rbmctool can be used to display the reasons why.
 

redundant-bmc/src/redundancy.cpp

@@ -141,6 +141,11 @@ FailoversNotAllowedReasons getFailoversNotAllowedReasons(const Input& input)
         return reasons;
     }
 
+    if (!input.fullSyncComplete)
+    {
+        reasons.insert(fullSyncNotComplete);
+    }
+
     if ((input.systemState != SystemState::off) &&
         (input.systemState != SystemState::runtime))
     {
@@ -161,6 +166,9 @@ std::string getFailoversNotAllowedDescription(FailoversNotAllowedReason reason)
         case systemState:
             desc = "System state is not off or runtime"s;
             break;
+        case fullSyncNotComplete:
+            desc = "A full sync hasn't been completed"s;
+            break;
         case redundancyDisabled:
             desc = "Redundancy is disabled"s;
             break;

redundant-bmc/src/redundancy.hpp

@@ -84,6 +84,7 @@ struct Input
 {
     // TODO: Add more
     bool redundancyEnabled;
+    bool fullSyncComplete;
     SystemState systemState;
 };
 
@@ -93,6 +94,7 @@ struct Input
 enum class FailoversNotAllowedReason
 {
     redundancyDisabled,
+    fullSyncNotComplete,
     systemState
 };
 

redundant-bmc/src/redundancy_mgr.cpp

@@ -51,6 +51,8 @@ void RedundancyMgr::determineAndSetRedundancy()
     {
         // Make sure syncs are disabled if redundancy is disabled.
         ctx.spawn(providers.getSyncInterface().disableBackgroundSync());
+
+        providers.getSyncInterface().clearFullSyncComplete();
     }
 }
 
@@ -82,6 +84,11 @@ sdbusplus::async::task<> RedundancyMgr::determineRedundancyAndSync()
             determineAndSetRedundancy();
             syncFailed = false;
         }
+        else
+        {
+            // Full sync is done so recalculate FailoversAllowed
+            determineAndSetFailoversAllowed();
+        }
     }
 }
 
@@ -283,6 +290,7 @@ void RedundancyMgr::determineAndSetFailoversAllowed()
 {
     fona::Input input{
         .redundancyEnabled = redundancyInterface.redundancy_enabled(),
+        .fullSyncComplete = providers.getSyncInterface().isFullSyncComplete(),
         .systemState = systemState.value_or(SystemState::other)};
 
     auto notAllowedReasons = fona::getFailoversNotAllowedReasons(input);

redundant-bmc/src/sync_interface.hpp

@@ -45,6 +45,23 @@ class SyncInterface
         return fullSyncInProgress;
     }
 
+    /**
+     * @brief Says if a full sync has been completed since
+     *        redundancy was most recently enabled.
+     */
+    inline bool isFullSyncComplete() const
+    {
+        return fullSyncComplete;
+    }
+
+    /**
+     * @brief Clears the full sync complete indication
+     */
+    inline void clearFullSyncComplete()
+    {
+        fullSyncComplete = false;
+    }
+
     using SyncHealthCallback =
         std::function<void(SyncBMCData::SyncEventsHealth)>;
 
@@ -79,6 +96,12 @@ class SyncInterface
      */
     bool fullSyncInProgress = false;
 
+    /**
+     * @brief If a full sync has successfully been completed
+     *        this go around of redundancy being enabled.
+     */
+    bool fullSyncComplete = false;
+
     /**
      * @brief The health status callback functions
      */

redundant-bmc/src/sync_interface_impl.cpp

@@ -19,6 +19,8 @@ sdbusplus::async::task<bool> SyncInterfaceImpl::doFullSync()
 
     try
     {
+        fullSyncComplete = false;
+
         co_await lookupService();
 
         auto sync = SyncBMCData(ctx)
@@ -74,7 +76,8 @@ sdbusplus::async::task<bool> SyncInterfaceImpl::doFullSync()
     lg2::info("Full sync completed with status {STATUS}", "STATUS", status);
 
     fullSyncInProgress = false;
-    co_return status == SyncStatus::FullSyncCompleted;
+    fullSyncComplete = status == SyncStatus::FullSyncCompleted;
+    co_return fullSyncComplete;
 }
 
 // NOLINTNEXTLINE

redundant-bmc/test/redundancy_test.cpp

@@ -163,7 +163,9 @@ TEST(RedundancyTest, FailoversNotAllowedTest)
 
     for (const auto& [state, expectedReasons] : testStates)
     {
-        fona::Input input{.redundancyEnabled = true, .systemState = state};
+        fona::Input input{.redundancyEnabled = true,
+                          .fullSyncComplete = true,
+                          .systemState = state};
 
         auto reasons = fona::getFailoversNotAllowedReasons(input);
         EXPECT_EQ(reasons, expectedReasons);
@@ -172,12 +174,24 @@ TEST(RedundancyTest, FailoversNotAllowedTest)
     // Redundancy disabled
     {
         fona::Input input{.redundancyEnabled = false,
+                          .fullSyncComplete = true,
                           .systemState = rbmc::SystemState::off};
         auto reasons = fona::getFailoversNotAllowedReasons(input);
         ASSERT_EQ(reasons.size(), 1);
         EXPECT_EQ(*reasons.begin(),
                   fona::FailoversNotAllowedReason::redundancyDisabled);
     }
+
+    // Full sync not complete
+    {
+        fona::Input input{.redundancyEnabled = true,
+                          .fullSyncComplete = false,
+                          .systemState = rbmc::SystemState::off};
+        auto reasons = fona::getFailoversNotAllowedReasons(input);
+        ASSERT_EQ(reasons.size(), 1);
+        EXPECT_EQ(*reasons.begin(),
+                  fona::FailoversNotAllowedReason::fullSyncNotComplete);
+    }
 }
 
 TEST(RedundancyTest, GetFailoversNotAllowedDescTest)