diff --git a/etc/sysconfig/pacemaker b/etc/sysconfig/pacemaker
index 72d690d8cd..40f075ba6c 100644
--- a/etc/sysconfig/pacemaker
+++ b/etc/sysconfig/pacemaker
@@ -1,173 +1,337 @@
-#==#==# Variables that control logging
+#
+# Pacemaker start-up configuration
+#
+# This file contains environment variables that affect Pacemaker behavior.
+# They are not options stored in the Cluster Information Base (CIB) because
+# they may be needed before the CIB is available.
+#
+
+
+## Logging
+
+# PCMK_logfacility
+#
+# Enable logging via the system log or journal, using the specified log
+# facility. Messages sent here are of value to all Pacemaker administrators.
+# This can be disabled using "none", but that is not recommended. Allowed
+# values:
+#
+#  none
+#  daemon
+#  user
+#  local0
+#  local1
+#  local2
+#  local3
+#  local4
+#  local5
+#  local6
+#  local7
+#
+# Default: PCMK_logfacility="daemon"
+
+# PCMK_logpriority
+#
+# Unless system logging is disabled using PCMK_logfacility=none, messages of
+# the specified log severity and higher will be sent to the system log. The
+# default is appropriate for most installations. Allowed values:
+#
+#  emerg
+#  alert
+#  crit
+#  error
+#  warning
+#  notice
+#  info
+#  debug
+#
+# Default: PCMK_logpriority="notice"
 
-# Enable debug logging globally (yes|no) or by subsystem. Multiple subsystems
-# may be comma-separated, for example: PCMK_debug=pacemakerd,pacemaker-execd
-# Subsystems are:
+# PCMK_logfile
+#
+# Unless set to "none", more detailed log messages will be sent to the
+# specified file (in addition to the system log, if enabled). These messages
+# may have extended information, and will include messages of info severity.
+# This log is of more use to developers and advanced system administrators, and
+# when reporting problems.
+#
+# Default: PCMK_logfile="/var/log/pacemaker/pacemaker.log"
+
+# PCMK_logfile_mode
+#
+# Pacemaker will set the permissions on the detail log to this value (see
+# chmod(1)).
+#
+# Default: PCMK_logfile_mode="0660"
+
+# PCMK_debug (Advanced Use Only)
+#
+# Whether to send debug severity messages to the detail log.
+# This may be set for all subsystems (yes or no) or for specific
+# (comma-separated) subsystems. Allowed subsystems are:
+#
 #  pacemakerd
 #  pacemaker-attrd
 #  pacemaker-based
 #  pacemaker-controld
 #  pacemaker-execd
 #  pacemaker-fenced
 #  pacemaker-schedulerd
-# PCMK_debug=no
-
-# Send detailed log messages to the specified file. Compared to messages logged
-# via syslog, messages in this file may have extended information, and will
-# include messages of "info" severity (and, if debug and/or trace logging
-# has been enabled, those as well). This log is of more use to developers and
-# advanced system administrators, and when reporting problems.
-# PCMK_logfile=/var/log/pacemaker/pacemaker.log
-
-# Set the permissions on the above log file to owner/group read/write
-# PCMK_logfile_mode=0660
-
-# Enable logging via syslog, using the specified syslog facility. Messages sent
-# here are of value to all Pacemaker users. This can be disabled using "none",
-# but that is not recommended. The default is "daemon".
-# PCMK_logfacility=none|daemon|user|local0|local1|local2|local3|local4|local5|local6|local7
-
-# Unless syslog logging is disabled using PCMK_logfacility=none, messages of
-# the specified severity and higher will be sent to syslog. The default value
-# of "notice" is appropriate for most installations; "info" is highly verbose
-# and "debug" is almost certain to send you blind (which is why there is a
-# separate detail log specified by PCMK_logfile).
-# PCMK_logpriority=emerg|alert|crit|error|warning|notice|info|debug
-
-# Log all messages from a comma-separated list of functions.
-# PCMK_trace_functions=function1,function2,function3
-
-# Log all messages from a comma-separated list of file names (without path).
-# PCMK_trace_files=file1.c,file2.c
-
-# Log all messages matching comma-separated list of formats.
-# PCMK_trace_formats="Sent delete %d"
-
-# Log all messages from a comma-separated list of tags.
-# PCMK_trace_tags=tag1,tag2
-
-# Dump the blackbox whenever the message at function and line is emitted,
-# e.g. PCMK_trace_blackbox=te_graph_trigger:223,unpack_clone:81
-# PCMK_trace_blackbox=fn:line,fn2:line2,...
-
-# Enable blackbox logging globally or per-subsystem. The blackbox contains a
-# rolling buffer of all logs (including info, debug, and trace) and is written
-# after a crash or assertion failure, and/or when SIGTRAP is received. The
-# blackbox recorder can also be enabled for Pacemaker daemons at runtime by
-# sending SIGUSR1 (or SIGTRAP), and disabled by sending SIGUSR2. Specify value
-# as for PCMK_debug above.
-# PCMK_blackbox=no
-
-#==#==# Advanced use only
-
-# By default, nodes will join the cluster in an online state when they first
-# start, unless they were previously put into standby mode. If this variable is
-# set to "standby" or "online", it will force this node to join in the
-# specified state when starting.
-# (only supported for cluster nodes, not Pacemaker Remote nodes)
-# PCMK_node_start_state=default
+#
+# Default: PCMK_debug="no"
+# Example: PCMK_debug="pacemakerd,pacemaker-execd"
 
-# Specify an alternate location for RNG schemas and XSL transforms.
-# (This is of use only to developers.)
-# PCMK_schema_directory=/some/path
-
-# Pacemaker consists of a main process with multiple subsidiary daemons. If
-# one of the daemons crashes, the main process will normally attempt to
-# restart it. If this is set to "true", the main process will instead panic
-# the host (see PCMK_panic_action). The default is unset.
-# PCMK_fail_fast=no
-
-# Pacemaker will panic its host under certain conditions. If this is set to
-# "crash", Pacemaker will trigger a kernel crash (which is useful if you want a
-# kernel dump to investigate). If "sync-reboot" or "sync-crash" is set, execute
-# sync() before host reboot or kernel crash (this leaves information about the
-# crashed daemon in the log file, but note that there is a possibility that the
-# sync() call may not return). For any other value, Pacemaker will trigger a
-# host reboot. The default is unset.
-# PCMK_panic_action=crash
-
-#==#==# Pacemaker Remote
+# PCMK_trace_functions (Advanced Use Only)
+#
+# Log trace severity messages from these (comma-separated) functions to the
+# detail log.
+#
+# Default: PCMK_trace_functions=""
+# Example: PCMK_trace_functions="unpack_colocation_set,pcmk__cmp_instance"
+
+# PCMK_trace_files (Advanced Use Only)
+#
+# Log trace severity messages from these (comma-separated) source file names to
+# the detail log.
+#
+# Default: PCMK_trace_files=""
+# Example: PCMK_trace_files="remote.c,watchdog.c"
+
+# PCMK_trace_formats (Advanced Use Only)
+#
+# Log trace severity messages from these (comma-separated) print formats.
+#
+# Default: PCMK_trace_formats=""
+# Example: PCMK_trace_formats="TLS handshake failed: %s (%d)"
+
+# PCMK_trace_tags (Advanced Use Only)
+#
+# Log trace severity messages related to these (comma-separated) resource IDs.
+#
+# Default: PCMK_trace_tags=""
+# Example: PCMK_trace_tags="client-ip,dbfs"
+
+# PCMK_blackbox (Advanced Use Only)
+#
+# Enable blackbox logging globally (yes or no) or by subsystem. A blackbox
+# contains a rolling buffer of all logs (of all severities). Blackboxes are
+# stored under /var/lib/pacemaker/blackbox by default, and their contents can
+# be viewed using the qb-blackbox(8) command.
+#
+# The blackbox recorder can be enabled at start using this variable, or at
+# runtime by sending a Pacemaker subsystem daemon process a SIGUSR1 or SIGTRAP
+# signal, and disabled by sending SIGUSR2 (see kill(1)). The blackbox will be
+# written after a crash, assertion failure, or SIGTRAP signal.
+#
+# Default: PCMK_blackbox="no"
+# Example: PCMK_blackbox="pacemaker-controld,pacemaker-fenced"
+
+# PCMK_trace_blackbox (Advanced Use Only)
+#
+# Write a blackbox whenever the message at the specified function and line is
+# logged. Multiple entries may be comma-separated.
+#
+# Default: PCMK_trace_blackbox=""
+# Example: PCMK_trace_blackbox="remote.c:144,remote.c:149"
+
+
+## Node start state
+
+# PCMK_node_start_state
+#
+# By default, the local host will join the cluster in an online or standby
+# state when Pacemaker first starts depending on whether it was previously put
+# into standby mode. If this variable is set to "standby" or "online", it will
+# force the local host to join in the specified state. This has no effect on
+# Pacemaker Remote nodes.
+#
+# Default: PCMK_node_start_state="default"
+
+
+## Crash Handling
+
+# PCMK_fail_fast
+#
+# By default, if a Pacemaker subsystem crashes, the main pacemakerd process
+# will attempt to restart it. If this variable is set to "yes", pacemakerd
+# will panic the local host instead.
+#
+# Default: PCMK_fail_fast="no"
+
+# PCMK_panic_action
+#
+# Pacemaker will panic the local host under certain conditions. By default,
+# this means rebooting the host. This variable can change that behavior: if
+# "crash", trigger a kernel crash (useful if you want a kernel dump to
+# investigate); if "sync-reboot" or "sync-crash", synchronize filesystems
+# before rebooting the host or triggering a kernel crash. The sync values are
+# more likely to preserve log messages, but with the risk that the host may be
+# left active if the synchronization hangs.
+#
+# Default: PCMK_panic_action="reboot"
+
+
+## Pacemaker Remote
+
+# PCMK_authkey_location
+#
 # Use the contents of this file as the authorization key to use with Pacemaker
 # Remote connections. This file must be readable by Pacemaker daemons (that is,
 # it must allow read permissions to either the hacluster user or the haclient
-# group), and its contents must be identical on all nodes. The default is
-# "/etc/pacemaker/authkey".
-# PCMK_authkey_location=/etc/pacemaker/authkey
-
-# If the Pacemaker Remote service is run on the local node, it will listen
-# for connections on this address. The value may be a resolvable hostname or an
-# IPv4 or IPv6 numeric address. When resolving names or using the default
-# wildcard address (i.e. listen on all available addresses), IPv6 will be
+# group), and its contents must be identical on all nodes.
+#
+# Default: PCMK_authkey_location="/etc/pacemaker/authkey"
+
+# PCMK_remote_address
+#
+# By default, if the Pacemaker Remote service is run on the local node, it will
+# listen for connections on all IP addresses. This may be set to one address to
+# listen on instead, as a resolvable hostname or as a numeric IPv4 or IPv6
+# address. When resolving names or listening on all addresses, IPv6 will be
 # preferred if available. When listening on an IPv6 address, IPv4 clients will
-# be supported (via IPv4-mapped IPv6 addresses).
-# PCMK_remote_address="192.0.2.1"
+# be supported via IPv4-mapped IPv6 addresses.
+#
+# Default: PCMK_remote_address=""
+# Example: PCMK_remote_address="192.0.2.1"
 
-# Use this TCP port number when connecting to a Pacemaker Remote node. This
-# value must be the same on all nodes. The default is "3121".
-# PCMK_remote_port=3121
+# PCMK_remote_port
+#
+# Use this TCP port number for Pacemaker Remote node connections. This value
+# must be the same on all nodes.
+#
+# Default: PCMK_remote_port="3121"
 
-# Use these GnuTLS cipher priorities for TLS connections. See:
+# PCMK_tls_priorities (Advanced Use Only)
+#
+# These GnuTLS cipher priorities will be used for TLS connections (whether for
+# Pacemaker Remote connections or remote CIB access, when enabled). See:
 #
 #   https://gnutls.org/manual/html_node/Priority-Strings.html
 #
-# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
-# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
-# the respective functionality.
-# PCMK_tls_priorities="NORMAL"
-
-# Set bounds on the bit length of the prime number generated for Diffie-Hellman
-# parameters needed by TLS connections. The default is not to set any bounds.
-#
-# If these values are specified, the server (Pacemaker Remote daemon, or CIB
-# manager configured to accept remote clients) will use these values to provide
-# a floor and/or ceiling for the value recommended by the GnuTLS library. The
-# library will only accept a limited number of specific values, which vary by
-# library version, so setting these is recommended only when required for
-# compatibility with specific client versions.
-#
-# If PCMK_dh_min_bits is specified, the client (connecting cluster node or
-# remote CIB command) will require that the server use a prime of at least this
-# size. This is only recommended when the value must be lowered in order for
-# the client's GnuTLS library to accept a connection to an older server.
-# The client side does not use PCMK_dh_max_bits.
+# Pacemaker will append ":+ANON-DH" for remote CIB access and ":+DHE-PSK:+PSK"
+# for Pacemaker Remote connections, as they are required for the respective
+# functionality.
+#
+# Default: PCMK_tls_priorities="NORMAL"
+# Example: PCMK_tls_priorities="SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
+
+# PCMK_dh_min_bits (Advanced Use Only)
+#
+# Set a lower bound on the bit length of the prime number generated for
+# Diffie-Hellman parameters needed by TLS connections. The default is no
+# minimum.
+#
+# The server (Pacemaker Remote daemon, or CIB manager configured to accept
+# remote clients) will use this value to provide a floor for the value
+# recommended by the GnuTLS library. The library will only accept a limited
+# number of specific values, which vary by library version, so setting these is
+# recommended only when required for compatibility with specific client
+# versions.
+#
+# Clients (connecting cluster nodes or remote CIB commands) will require that
+# the server use a prime of at least this size. This is recommended only when
+# the value must be lowered in order for the client's GnuTLS library to accept
+# a connection to an older server.
 # 
-# PCMK_dh_min_bits=1024
-# PCMK_dh_max_bits=2048
+# Default: PCMK_dh_min_bits="1024"
 
-#==#==# IPC
+# PCMK_dh_max_bits (Advanced Use Only)
+#
+# Set an upper bound on the bit length of the prime number generated for
+# Diffie-Hellman parameters needed by TLS connections. The default is no
+# maximum.
+#
+# The server (Pacemaker Remote daemon, or CIB manager configured to accept
+# remote clients) will use this value to provide a ceiling for the value
+# recommended by the GnuTLS library. The library will only accept a limited
+# number of specific values, which vary by library version, so setting these is
+# recommended only when required for compatibility with specific client
+# versions.
+#
+# Clients do not use PCMK_dh_max_bits.
+#
+# Default: PCMK_dh_max_bits="2048"
 
-# Force use of a particular class of IPC connection.
-# PCMK_ipc_type=shared-mem|socket|posix|sysv
 
-# Specify an IPC buffer size in bytes. This is useful when connecting to really
-# big clusters that exceed the default 128KB buffer.
-# PCMK_ipc_buffer=131072
+## Inter-process Communication
 
-#==#==# Profiling and memory leak testing (mainly useful to developers)
+# PCMK_ipc_type (Advanced Use Only)
+#
+# Force use of a particular IPC method. Allowed values:
+#
+#  shared-mem
+#  socket
+#  posix
+#  sysv
+#
+# Default: PCMK_ipc_type="shared-mem"
+
+# PCMK_ipc_buffer (Advanced Use Only)
+#
+# Specify an IPC buffer size in bytes. This can be useful when connecting to
+# large clusters that result in messages exceeding the default size (which will
+# also result in log messages referencing this variable).
+#
+# Default: PCMK_ipc_buffer="131072"
+
+
+## Developer Options
+
+# PCMK_schema_directory (Advanced Use Only)
+#
+# Specify an alternate location for RNG schemas and XSL transforms.
+#
+# Default: PCMK_schema_directory="/usr/share/pacemaker"
 
+# G_SLICE (Advanced Use Only)
+#
 # Affect the behavior of glib's memory allocator. Setting to "always-malloc"
 # when running under valgrind will help valgrind track malloc/free better;
 # setting to "debug-blocks" when not running under valgrind will perform
 # (somewhat expensive) memory checks.
-# G_SLICE=always-malloc
+#
+# Default: G_SLICE=""
+# Example: G_SLICE="always-malloc"
 
-# Uncommenting this will make malloc() initialize newly allocated memory
-# and free() wipe it (to help catch uninitialized-memory/use-after-free).
-# MALLOC_PERTURB_=221
+# MALLOC_PERTURB_ (Advanced Use Only)
+#
+# Setting this to a decimal byte value will make malloc() initialize newly
+# allocated memory and free() wipe it, to help catch uninitialized-memory and
+# use-after-free bugs.
+#
+# Default: MALLOC_PERTURB_=""
+# Example: MALLOC_PERTURB_="221"
 
-# Uncommenting this will make malloc() and friends print to stderr and abort
+# MALLOC_CHECK_ (Advanced Use Only)
+#
+# Setting this to 3 will make malloc() and friends print to stderr and abort
 # for some (inexpensive) memory checks.
-# MALLOC_CHECK_=3
+#
+# Default: MALLOC_CHECK_=""
+# Example: MALLOC_CHECK_="3"
 
-# Set as for PCMK_debug above to run some or all daemons under valgrind.
-# PCMK_valgrind_enabled=no
+# PCMK_valgrind_enabled (Advanced Use Only)
+#
+# Whether subsystem daemons should be run under valgrind. Allowed values are
+# the same as for PCMK_debug.
+#
+# Default: PCMK_valgrind_enabled="no"
 
-# Set as for PCMK_debug above to run some or all daemons under valgrind with
-# the callgrind tool enabled.
-# PCMK_callgrind_enabled=no
+# PCMK_callgrind_enabled
+#
+# Whether subsystem daemons should be run under valgrind with the callgrind
+# tool enabled. Allowed values are the same as for PCMK_debug.
+#
+# Default: PCMK_callgrind_enabled="no"
 
-# Set the options to pass to valgrind, when valgrind is enabled. See
-# valgrind(1) man page for details. "--vgdb=no" is specified because
-# pacemaker-execd can lower privileges when executing commands, which would
-# otherwise leave a bunch of unremovable files in /tmp.
-VALGRIND_OPTS="--leak-check=full --trace-children=no --vgdb=no --num-callers=25 --log-file=/var/lib/pacemaker/valgrind-%p --suppressions=/usr/share/pacemaker/tests/valgrind-pcmk.suppressions --gen-suppressions=all"
+# VALGRIND_OPTS
+#
+# Pass these options to valgrind, when enabled (see valgrind(1)). "--vgdb=no"
+# is specified because pacemaker-execd can lower privileges when executing
+# commands, which would otherwise leave a bunch of unremovable files in /tmp.
+#
+# Default: VALGRIND_OPTS=""
+VALGRIND_OPTS="--leak-check=full --trace-children=no --vgdb=no --num-callers=25"
+VALGRIND_OPTS="$VALGRIND_OPTS --log-file=/var/lib/pacemaker/valgrind-%p"
+VALGRIND_OPTS="$VALGRIND_OPTS --suppressions=/usr/share/pacemaker/tests/valgrind-pcmk.suppressions"
+VALGRIND_OPTS="$VALGRIND_OPTS --gen-suppressions=all"