diff --git a/cts/cli/regression.validity.exp b/cts/cli/regression.validity.exp
index 0cff2dfed0..c98b485ea2 100644
--- a/cts/cli/regression.validity.exp
+++ b/cts/cli/regression.validity.exp
@@ -1,427 +1,92 @@
-=#=#=#= Begin test: Try to make resulting CIB invalid (enum violation) =#=#=#=
+=#=#=#= Begin test: Try to set unrecognized validate-with =#=#=#=
 Call failed: Update does not conform to the configured schema
-=#=#=#= Current cib after: Try to make resulting CIB invalid (enum violation) =#=#=#=
-<cib epoch="4" num_updates="0" admin_epoch="0">
-  <configuration>
-    <crm_config/>
-    <nodes/>
-    <resources>
-      <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
-      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
-    </resources>
-    <constraints>
-      <rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>
-    </constraints>
-  </configuration>
-  <status/>
-</cib>
-=#=#=#= End test: Try to make resulting CIB invalid (enum violation) - Invalid configuration (78) =#=#=#=
-* Passed: cibadmin              - Try to make resulting CIB invalid (enum violation)
-=#=#=#= Begin test: Run crm_simulate with invalid CIB (enum violation) =#=#=#=
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-1.2 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-1.3 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.0 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.1 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.2 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.3 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.4 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.5 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.6 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.7 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.8 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.9 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-2.10 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.0 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.1 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.2 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.3 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.4 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.5 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.6 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.7 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.8 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.9 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-3.10 does not validate
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-pcmk__update_schema 	debug: Schema pacemaker-4.0 does not validate
-Cannot upgrade configuration (claiming pacemaker-1.2 schema) to at least pacemaker-4.0 because it does not validate with any schema from pacemaker-1.2 to the latest
-=#=#=#= End test: Run crm_simulate with invalid CIB (enum violation) - Invalid configuration (78) =#=#=#=
-* Passed: crm_simulate          - Run crm_simulate with invalid CIB (enum violation)
-=#=#=#= Begin test: Try to make resulting CIB invalid (unrecognized validate-with) =#=#=#=
+=#=#=#= End test: Try to set unrecognized validate-with - Invalid configuration (78) =#=#=#=
+* Passed: cibadmin              - Try to set unrecognized validate-with
+=#=#=#= Begin test: Try to remove validate-with attribute =#=#=#=
+Call failed: Update does not conform to the configured schema
+=#=#=#= End test: Try to remove validate-with attribute - Invalid configuration (78) =#=#=#=
+* Passed: cibadmin              - Try to remove validate-with attribute
+=#=#=#= Begin test: Try to use rsc_order first-action value disallowed by schema =#=#=#=
 Call failed: Update does not conform to the configured schema
-=#=#=#= Current cib after: Try to make resulting CIB invalid (unrecognized validate-with) =#=#=#=
+=#=#=#= Current cib after: Try to use rsc_order first-action value disallowed by schema =#=#=#=
 <cib epoch="4" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config/>
     <nodes/>
     <resources>
       <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
       <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints>
       <rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>
     </constraints>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: Try to make resulting CIB invalid (unrecognized validate-with) - Invalid configuration (78) =#=#=#=
-* Passed: cibadmin              - Try to make resulting CIB invalid (unrecognized validate-with)
-=#=#=#= Begin test: Run crm_simulate with invalid CIB (unrecognized validate-with) =#=#=#=
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-1.0 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-1.2 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-1.3 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.0 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.1 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.2 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.3 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.4 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.5 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.6 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.7 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.8 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.9 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-2.10 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.0 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.1 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.2 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.3 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.4 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.5 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.6 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.7 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.8 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.9 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-3.10 does not validate
-Invalid attribute validate-with for element cib
-pcmk__update_schema 	debug: Schema pacemaker-4.0 does not validate
-Cannot upgrade configuration (claiming pacemaker-9999.0 schema) to at least pacemaker-4.0 because it does not validate with any schema from the first to the latest
-=#=#=#= End test: Run crm_simulate with invalid CIB (unrecognized validate-with) - Invalid configuration (78) =#=#=#=
-* Passed: crm_simulate          - Run crm_simulate with invalid CIB (unrecognized validate-with)
-=#=#=#= Begin test: Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1) =#=#=#=
+=#=#=#= End test: Try to use rsc_order first-action value disallowed by schema - Invalid configuration (78) =#=#=#=
+* Passed: cibadmin              - Try to use rsc_order first-action value disallowed by schema
+=#=#=#= Begin test: Try to use configuration legal only with schema after configured one =#=#=#=
 Call failed: Update does not conform to the configured schema
-=#=#=#= Current cib after: Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1) =#=#=#=
+=#=#=#= Current cib after: Try to use configuration legal only with schema after configured one =#=#=#=
 <cib epoch="4" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config/>
     <nodes/>
     <resources>
       <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
       <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints>
       <rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>
     </constraints>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1) - Invalid configuration (78) =#=#=#=
-* Passed: cibadmin              - Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1)
-=#=#=#= Begin test: Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1) =#=#=#=
-Element configuration has extra content: tags
-pcmk__update_schema 	debug: Schema pacemaker-1.2 does not validate
-pcmk__update_schema 	debug: Schema pacemaker-1.3 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.0 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.1 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.2 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.3 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.4 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.5 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.6 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.7 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.8 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.9 validates
-pcmk__update_schema 	debug: Schema pacemaker-2.10 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.0 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.1 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.2 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.3 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.4 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.5 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.6 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.7 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.8 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.9 validates
-pcmk__update_schema 	debug: Schema pacemaker-3.10 validates
-pcmk__update_schema 	debug: Schema pacemaker-4.0 validates
-pcmk__update_schema 	info: Transformed the configuration schema to pacemaker-4.0
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Current cluster status:
-  * Full List of Resources:
-    * dummy1	(ocf:pacemaker:Dummy):	 Stopped
-    * dummy2	(ocf:pacemaker:Dummy):	 Stopped
-
-Transition Summary:
-
-Executing Cluster Transition:
-
-Revised Cluster Status:
-  * Full List of Resources:
-    * dummy1	(ocf:pacemaker:Dummy):	 Stopped
-    * dummy2	(ocf:pacemaker:Dummy):	 Stopped
-=#=#=#= End test: Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1) - OK (0) =#=#=#=
-* Passed: crm_simulate          - Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1)
-=#=#=#= Begin test: Make resulting CIB valid, although without validate-with attribute =#=#=#=
-=#=#=#= Current cib after: Make resulting CIB valid, although without validate-with attribute =#=#=#=
-<cib epoch="4" num_updates="1" admin_epoch="0">
-  <configuration>
-    <crm_config/>
-    <nodes/>
-    <resources>
-      <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
-      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
-    </resources>
-    <constraints>
-      <rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>
-    </constraints>
-  </configuration>
-  <status/>
-</cib>
-=#=#=#= End test: Make resulting CIB valid, although without validate-with attribute - OK (0) =#=#=#=
-* Passed: cibadmin              - Make resulting CIB valid, although without validate-with attribute
-=#=#=#= Begin test: Run crm_simulate with valid CIB, but without validate-with attribute =#=#=#=
-Schema validation of configuration is disabled (support for validate-with set to "none" is deprecated and will be removed in a future release)
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Current cluster status:
-  * Full List of Resources:
-    * dummy1	(ocf:pacemaker:Dummy):	 Stopped
-    * dummy2	(ocf:pacemaker:Dummy):	 Stopped
-
-Transition Summary:
-
-Executing Cluster Transition:
-
-Revised Cluster Status:
-  * Full List of Resources:
-    * dummy1	(ocf:pacemaker:Dummy):	 Stopped
-    * dummy2	(ocf:pacemaker:Dummy):	 Stopped
-=#=#=#= End test: Run crm_simulate with valid CIB, but without validate-with attribute - OK (0) =#=#=#=
-* Passed: crm_simulate          - Run crm_simulate with valid CIB, but without validate-with attribute
-=#=#=#= Begin test: Make resulting CIB invalid, and without validate-with attribute =#=#=#=
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-=#=#=#= Current cib after: Make resulting CIB invalid, and without validate-with attribute =#=#=#=
-<cib epoch="41" num_updates="0" admin_epoch="0">
+=#=#=#= End test: Try to use configuration legal only with schema after configured one - Invalid configuration (78) =#=#=#=
+* Passed: cibadmin              - Try to use configuration legal only with schema after configured one
+=#=#=#= Begin test: Disable schema validation =#=#=#=
+=#=#=#= End test: Disable schema validation - OK (0) =#=#=#=
+* Passed: cibadmin              - Disable schema validation
+=#=#=#= Begin test: Set invalid rsc_order first-action value (schema validation disabled) =#=#=#=
+=#=#=#= Current cib after: Set invalid rsc_order first-action value (schema validation disabled) =#=#=#=
+<cib epoch="5" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config/>
     <nodes/>
     <resources>
       <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>
       <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints>
       <rsc_order id="ord_1-2" first="dummy1" first-action="break" then="dummy2"/>
     </constraints>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: Make resulting CIB invalid, and without validate-with attribute - OK (0) =#=#=#=
-* Passed: cibadmin              - Make resulting CIB invalid, and without validate-with attribute
-=#=#=#= Begin test: Run crm_simulate with invalid CIB, also without validate-with attribute =#=#=#=
+=#=#=#= End test: Set invalid rsc_order first-action value (schema validation disabled) - OK (0) =#=#=#=
+* Passed: cibadmin              - Set invalid rsc_order first-action value (schema validation disabled)
+=#=#=#= Begin test: Run crm_simulate with invalid rsc_order first-action (schema validation disabled) =#=#=#=
 Schema validation of configuration is disabled (support for validate-with set to "none" is deprecated and will be removed in a future release)
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
-Invalid attribute first-action for element rsc_order
-Element constraints has extra content: rsc_order
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+invert_action 	warning: Unknown action 'break' specified in order constraint
+invert_action 	warning: Unknown action 'break' specified in order constraint
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
 Current cluster status:
   * Full List of Resources:
     * dummy1	(ocf:pacemaker:Dummy):	 Stopped
     * dummy2	(ocf:pacemaker:Dummy):	 Stopped
 
 Transition Summary:
 
 Executing Cluster Transition:
 
 Revised Cluster Status:
   * Full List of Resources:
     * dummy1	(ocf:pacemaker:Dummy):	 Stopped
     * dummy2	(ocf:pacemaker:Dummy):	 Stopped
-=#=#=#= End test: Run crm_simulate with invalid CIB, also without validate-with attribute - OK (0) =#=#=#=
-* Passed: crm_simulate          - Run crm_simulate with invalid CIB, also without validate-with attribute
+=#=#=#= End test: Run crm_simulate with invalid rsc_order first-action (schema validation disabled) - OK (0) =#=#=#=
+* Passed: crm_simulate          - Run crm_simulate with invalid rsc_order first-action (schema validation disabled)
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index 80e5733c63..6bf848d10f 100644
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -1,3429 +1,3419 @@
 #!@PYTHON@
 """Regression tests for Pacemaker's command line tools."""
 
 # pylint doesn't like the module name "cts-cli" which is an invalid complaint for this file
 # but probably something we want to continue warning about elsewhere
 # pylint: disable=invalid-name
 # pacemaker imports need to come after we modify sys.path, which pylint will complain about.
 # pylint: disable=wrong-import-position
 # We know this is a very long file.
 # pylint: disable=too-many-lines
 
 __copyright__ = "Copyright 2024 the Pacemaker project contributors"
 __license__ = "GNU General Public License version 2 or later (GPLv2+) WITHOUT ANY WARRANTY"
 
 import argparse
 from contextlib import contextmanager
 from datetime import datetime, timedelta
 import fileinput
 from functools import partial
 from gettext import ngettext
 from multiprocessing import Pool, cpu_count
 import os
 import pathlib
 import re
 from shutil import copyfile
 import signal
 from string import Formatter
 import subprocess
 import sys
 from tempfile import NamedTemporaryFile, TemporaryDirectory, mkstemp
 import types
 
 # These imports allow running from a source checkout after running `make`.
 if os.path.exists("@abs_top_srcdir@/python"):
     sys.path.insert(0, "@abs_top_srcdir@/python")
 
 # pylint: disable=comparison-of-constants,comparison-with-itself,condition-evals-to-constant
 if os.path.exists("@abs_top_builddir@/python") and "@abs_top_builddir@" != "@abs_top_srcdir@":
     sys.path.insert(0, "@abs_top_builddir@/python")
 
 from pacemaker._cts.errors import XmlValidationError
 from pacemaker._cts.validate import validate
 from pacemaker.buildoptions import BuildOptions
 from pacemaker.exitstatus import ExitStatus
 
 # Individual tool tests are split out, but can also be accessed as a group with "tools"
 tools_tests = ["cibadmin", "crm_attribute", "crm_standby", "crm_resource",
                "crm_ticket", "crmadmin", "crm_shadow", "crm_verify"]
 # The default list of tests to run, in the order they should be run
 default_tests = ["access_render", "daemons", "dates", "error_codes"] + tools_tests + \
                 ["crm_mon", "acls", "validity", "upgrade", "rules", "feature_set"]
 other_tests = ["agents"]
 
 # The directory containing this program
 test_home = os.path.dirname(os.path.realpath(__file__))
 
 # The name of the shadow CIB
 SHADOW_NAME = "cts-cli"
 
 # Arguments to pass to valgrind
 VALGRIND_ARGS = ["-q", "--gen-suppressions=all", "--show-reachable=no", "--leak-check=full",
                  "--trace-children=no", "--time-stamp=yes", "--num-callers=20",
                  "--suppressions=%s/valgrind-pcmk.suppressions" % test_home]
 
 
 class PluralFormatter(Formatter):
     """
     Special string formatting class for selecting singular vs. plurals.
 
     Use like so:
     fmt = PluralFormatter()
     print(fmt.format("{0} {0}:plural,test,tests} succeeded", n_tests))
     """
 
     def format_field(self, value, format_spec):
         """Convert a value to a formatted representation."""
         if format_spec.startswith("plural,"):
             eles = format_spec.split(',')
             if len(eles) == 2:
                 singular = eles[1]
                 plural = singular + "s"
             else:
                 singular = eles[1]
                 plural = eles[2]
 
             return ngettext(singular, plural, value)
 
         return super().format_field(value, format_spec)
 
 
 def apply_substitutions(s, extra=None):
     """Apply text substitutions to an input string and return it."""
     substitutions = {
         "cts_cli_data": "%s/cli" % test_home,
         "shadow": SHADOW_NAME,
         "test_home": test_home,
     }
 
     if extra is not None:
         substitutions.update(extra)
 
     return s.format(**substitutions)
 
 
 def cleanup_shadow_dir():
     """Remove any previously created shadow CIB directory."""
     subprocess.run(["crm_shadow", "--force", "--delete", SHADOW_NAME],
                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                    check=True)
 
 
 def copy_existing_cib(existing):
     """
     Generate a CIB by copying an existing one to a temporary location.
 
     This is suitable for use with the cib_gen= parameter to the TestGroup class.
     """
     (fp, new) = mkstemp(prefix="cts-cli.cib.xml.")
     os.close(fp)
     copyfile(apply_substitutions(existing), new)
     return new
 
 
 def current_cib():
     """Return the complete current CIB."""
     with environ({"CIB_user": "root"}):
         return subprocess.check_output(["cibadmin", "-Q"], encoding="utf-8")
 
 
 def make_test_group(desc, cmd, classes, **kwargs):
     """
     Create a TestGroup that replicates the same test for multiple classes.
 
     The given description, cmd, and kwargs will be passed as arguments to each
     Test subclass in the classes parameter.  The resulting objects will then be
     added to a TestGroup and returned.
 
     The main purpose of this function is to be able to run the same test for
     both text and XML formats without having to duplicate everything.  Thus, the
     cmd string may contain "{fmt}", which will have any --output-as= class
     variable substituted in.
     """
     tests = []
 
     for c in classes:
         obj = c(desc, apply_substitutions(cmd, extra={"fmt": c.format_args}),
                 **kwargs)
         tests.append(obj)
 
     return TestGroup(tests)
 
 
 def create_shadow_cib(shadow_dir, create_empty=True, validate_with=None,
                       valgrind=False):
     """
     Create a shadow CIB file.
 
     Keyword arguments:
     create_empty    -- If True, the shadow CIB will be empty.  Otherwise, the
                        shadow CIB will be a copy of the currently active
                        cluster configuration.
     validate_with   -- If not None, the schema version to validate the CIB
                        against
     valgrind        -- If True, run the create operation under valgrind
     """
     args = ["crm_shadow", "--batch", "--force"]
 
     if create_empty:
         args += ["--create-empty", SHADOW_NAME]
     else:
         args += ["--create", SHADOW_NAME]
 
     if validate_with is not None:
         args += ["--validate-with", validate_with]
 
     if valgrind:
         args = ["valgrind"] + VALGRIND_ARGS + args
 
     os.environ["CIB_shadow_dir"] = shadow_dir
     os.environ["CIB_shadow"] = SHADOW_NAME
 
     subprocess.run(args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                    check=True)
     delete_shadow_resource_defaults()
 
 
 def delete_shadow_resource_defaults():
     """Clear out the rsc_defaults section from a shadow CIB file."""
     # A newly created empty CIB might or might not have a rsc_defaults section
     # depending on whether the --with-resource-stickiness-default configure
     # option was used. To ensure regression tests behave the same either way,
     # delete any rsc_defaults after creating or erasing a CIB.
     subprocess.run(["cibadmin", "--delete", "--xml-text", "<rsc_defaults/>"],
                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                    check=True)
 
     # The above command might or might not bump the CIB version, so reset it
     # to ensure future changes result in the same version for comparison.
     reset_shadow_cib_version()
 
 
 def reset_shadow_cib_version():
     """Set various version numbers in a shadow CIB file back to 0."""
     with fileinput.input(files=[shadow_path()], inplace=True) as f:
         for line in f:
             line = re.sub('epoch="[0-9]*"', 'epoch="1"', line)
             line = re.sub('num_updates="[0-9]*"', 'num_updates="0"', line)
             line = re.sub('admin_epoch="[0-9]*"', 'admin_epoch="0"', line)
             print(line, end='')
 
 
 def run_cmd_list(cmds):
     """
     Run one or more shell commands.
 
     cmds can be:
     * A string
     * A Python function
     * A list of the above
 
     Raises subprocess.CalledProcessError on error.
     """
     if cmds is None:
         return
 
     if isinstance(cmds, (str, types.FunctionType)):
         cmds = [cmds]
 
     for c in cmds:
         if isinstance(c, types.FunctionType):
             c()
         else:
             subprocess.run(apply_substitutions(c), stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            shell=True, universal_newlines=True, check=True)
 
 
 def sanitize_output(s):
     """
     Replace content in the output expected to change between test runs.
 
     This is stuff like version numbers, timestamps, source line numbers,
     build options, system names and messages, etc.
     """
     # A list of tuples of regular expressions and their replacements.
     replacements = [
         (r'Created new pacemaker-.* configuration', r'Created new pacemaker configuration'),
         (r'Device not configured', r'No such device or address'),
         (r'^Entity: line [0-9]+: ', r''),
         (r'Last change: .*', r'Last change:'),
         (r'Last updated: .*', r'Last updated:'),
         (r'^Migration will take effect until: .*', r'Migration will take effect until:'),
         (r'(\* Possible values.*: .*)\(default: [^)]*\)', r'\1(default: )'),
         (r"""-X '.*'""", r"""-X '...'"""),
         (r' api-version="[^"]*"', r' api-version="X"'),
         (r'\(apply_upgrade@.*\.c:[0-9]+\)', r'apply_upgrade'),
+        (r'\(invert_action@.*\.c:[0-9]+\)', r'invert_action'),
+        (r'\(pcmk__update_schema@.*\.c:[0-9]+\)', r'pcmk__update_schema'),
         (r'(<change-attr name="crm_feature_set" .* value=")[0-9.]*"', r'\1"'),
         (r'(<change-attr name="validate-with" .* value="pacemaker-)[0-9.]+"', r'\1X"'),
         (r'(<cib.*) cib-last-written="[^"]*"', r'\1'),
         (r'crm_feature_set="[^"]*" ', r''),
         (r'@crm_feature_set=[0-9.]+, ', r''),
         (r'\(crm_time_parse_duration@.*\.c:[0-9]+\)', r'crm_time_parse_duration'),
         (r'\(crm_time_parse_period@.*\.c:[0-9]+\)', r'crm_time_parse_period'),
         (r'\(crm_time_parse_sec@.*\.c:[0-9]+\)', r'crm_time_parse_sec'),
         (r' default="[^"]*"', r' default=""'),
         (r' end="[0-9][-+: 0-9]*Z*"', r' end=""'),
         (r'last_change time=".*"', r'last_change time=""'),
         (r'last_update time=".*"', r'last_update time=""'),
         (r' last-rc-change=[\'"][-+A-Za-z0-9: ]*[\'"],?', r''),
         (r'\(parse_date@.*\.c:[0-9]+\)', r'parse_date'),
         (r'\((pcmk__.*)@.*\.c:[0-9]+\)', r'\1'),
         (r'.*Relax-NG validity error : ', r''),
         (r'request=".*(crm_?[a-zA-Z0-9]+) ', r'request="\1 '),
         (r'request=".*iso8601', r'request="iso8601'),
         (r' start="[0-9][-+: 0-9]*Z*"', r' start=""'),
         (r'/tmp/cts-cli\.[^/]*/shadow.cts-cli', r'/tmp/cts-cli.shadow/shadow.cts-cli'),
         (r'^/tmp/cts-cli\.xmllint\.[^:]*:', r'/tmp/cts-cli.xmllint:'),
         (r'^/tmp/cts-cli\.xmllint\.[^ ]* fails to validate', r'/tmp/cts-cli.xmllint fails to validate'),
         (r'.*\((unpack_.*)@.*\.c:[0-9]+\)', r'\1'),
         (r' validate-with="[^"]*"', r''),
         (r'(@validate-with=pacemaker-)[0-9.]+,', r'\1X,'),
         (r' version="[^"]*"', r' version=""'),
         (r'\(version .*\)', r'(version)'),
         (r'--xml-file .*cli/(.*)\.xml', r'--xml-file \1.xml'),
     ]
 
     new_output = []
 
     for line in s:
         # @TODO Add a way to suppress this message within cibadmin, and then drop
         # the handling here.
         if line.startswith("The supplied command can provide skewed result"):
             continue
 
         for (pattern, repl) in replacements:
             line = re.sub(pattern, repl, line)
 
         new_output.append(line)
 
     return new_output
 
 
 def shadow_path():
     """Return the current shadow CIB path."""
     p = subprocess.check_output(["crm_shadow", "--file"], encoding="utf-8")
     return p.strip()
 
 
 def write_cib(s):
     """
     Generate a CIB by writing a string to a temporary location.
 
     This is suitable for use with the cib_gen= parameter to the TestGroup class.
     """
     (fp, new) = mkstemp(prefix="cts-cli.cib.xml.")
     os.write(fp, s.encode())
     os.close(fp)
     return new
 
 
 @contextmanager
 def environ(env):
     """
     Run code in an environment modified with the provided dict.
 
     This context manager augments the current process environment with the provided
     dict, allowing code to be constructed like so:
 
         e = {"CIB_user": "xyx"}
         with environ(e):
             ...
 
     When the context manager exits, the previous environment will be restored.
 
     It is possible to remove an environment key (whether it was in the environment by
     default, or given with a nested call to this context) by passing None for the
     value.  Additionally, this context manager accepts None for the env parameter,
     in which case nothing will be done.
 
     Finally, note that values in env will be passed to apply_substitutions before
     being set in the environment.
     """
     if env is None:
         env = {}
         original_env = {}
     else:
         original_env = os.environ.copy()
 
     for k, v in env.items():
         if v is None:
             os.environ.pop(k)
         else:
             os.environ[k] = apply_substitutions(v)
 
     try:
         yield
     finally:
         for k, v in original_env.items():
             if v is None:
                 os.environ.pop(k)
             else:
                 os.environ[k] = v
 
 
 class StdinCmd:
     """
     A class for defining a command that should be run later.
 
     subprocess.Popen (and its various helper functions) start running the command
     immediately, which doesn't work if we want to provide the command when a Test
     is created, but delay its execution until the environment is defined when the
     Test is run.
 
     This class allows us to do that.
     """
 
     def __init__(self, cmd):
         """Create a new StdinCmd instance.
 
         Arguments:
         cmd -- The command string to run later.  This string will be passed
                to apply_substitutions before being executed.
         """
         self._cmd = cmd
 
     def run(self):
         """Run this command, returning a subprocess.Popen object."""
         return subprocess.Popen(apply_substitutions(self._cmd), shell=True,
                                 encoding="utf-8", stdout=subprocess.PIPE)
 
 
 class Test:
     """A base class for defining a single command line regression test."""
 
     format_args = ""
 
     def __init__(self, desc, cmd, expected_rc=ExitStatus.OK, update_cib=False,
                  setup=None, teardown=None, stdin=None, env=None):
         """
         Create a new Test instance.
 
         Arguments:
         desc        -- A short human-readable description of this test
         cmd         -- The command to run for this test, as a string.  This string
                        will be passed to apply_substitutions before being executed.
 
         Keyword arguments:
         expected_rc -- The expected return value of cmd
         update_cib  -- If True, the resulting CIB will be printed after
                        performing the test
         setup       -- A shell command to be run in the same environment as
                        cmd, immediately before the test.  Valid types are:
                        a string, a Python function, or a list of the above
         teardown    -- Like setup, but runs immediately after the test
         stdin       -- If not None, the text to feed to cmd as its stdin
         env         -- If not None, a dict of values to be added to the test
                        environment.  This will be added when the test is run
                        and will override anything given to the TestGroup.
         """
         self.desc = desc
         self.cmd = cmd
         self.expected_rc = expected_rc
         self.update_cib = update_cib
 
         self._setup = setup
         self._teardown = teardown
         self._stdin = stdin
 
         if env is None:
             self._env = {}
         else:
             self._env = env
 
         self._output = None
 
     @property
     def output(self):
         """Return the test's detailed output."""
         return self._output
 
     def _log_end_test(self, rc):
         """Log a message when a test ends."""
         if isinstance(rc, ExitStatus):
             rc_str = str(rc)
         else:
             if rc < 0:
                 rc = abs(rc)
                 rc_str = signal.strsignal(rc)
             else:
                 rc = ExitStatus(rc)
                 rc_str = str(rc)
 
         self._output.append("=#=#=#= End test: %s - %s (%d) =#=#=#=" % (self.desc, rc_str, rc))
 
     def _log_start_test(self):
         """Log a message when a test starts."""
         self._output.append("=#=#=#= Begin test: %s =#=#=#=" % self.desc)
 
     def _log_test_failed(self, app, rc):
         """Log a message when a test fails."""
         self._output.append("* Failed (rc=%.3d): %-23s - %s" % (rc, app, self.desc))
 
     def _log_test_passed(self, app):
         """Log a message when a test passes."""
         self._output.append("* Passed: %-21s - %s" % (app, self.desc))
 
     # pylint: disable=unused-argument
     def _validate_hook(self, rc, _stdout, _stderr, valgrind=False):
         """Validate test output."""
         self._log_end_test(rc)
         return rc
 
     def _run_setup_teardown(self, cmd, app):
         """
         Run any setup or teardown command required by this test.
 
         On success (or if no command is present), return True.  On failure,
         return False and log the stdout/stderr of the command for debugging.
 
         Arguments:
         cmd -- The setup/teardown command(s) to run
         app -- The base name of the test command, for logging purposes
         """
         try:
             run_cmd_list(cmd)
             return True
         except subprocess.CalledProcessError as exn:
             rc = exn.returncode
 
             self._output.extend(exn.stderr.splitlines())
             self._output.extend(exn.stdout.splitlines())
             self._log_test_failed(app, rc)
             return False
 
     def run(self, group, env=None, valgrind=False):
         """
         Run this test.
 
         Basic output is printed to stdout, while detailed output is available
         in the self.output property after this function has been run.  Return
         True if the return code matches self.expected_rc, and False otherwise.
 
         Arguments:
         group -- The name of the group this test is a part of, for logging purposes
 
         Keyword arguments:
         env   -- If not None, a dict of values to be added to the test environment
         """
         self._output = []
 
         cmd = apply_substitutions(self.cmd)
         app = cmd.split(" ")[0]
 
         test_id = "%s(%s)" % (app, group)
         print("* Running: %-31s - %s" % (test_id, self.desc))
         self._log_start_test()
 
         # Add any environment variables specified in Test.__init__
         if env is None:
             env = self._env
         else:
             env = env.update(self._env)
 
         with environ(env):
             # Run the setup hook, if any
             if not self._run_setup_teardown(self._setup, app):
                 return False
 
             # Define basic arguments for all forms of running this test.
             kwargs = {"stdout": subprocess.PIPE, "stderr": subprocess.PIPE,
                       "shell": True, "universal_newlines": True, "check": False}
             stdin_p = None
 
             # Handle the stdin= parameter.
             if isinstance(self._stdin, StdinCmd):
                 stdin_p = self._stdin.run()
                 kwargs["stdin"] = stdin_p.stdout
             elif isinstance(self._stdin, pathlib.Path):
                 kwargs["input"] = self._stdin.read_text()
             else:
                 kwargs["input"] = self._stdin
 
             if valgrind:
                 cmd = "valgrind %s %s" % (" ".join(VALGRIND_ARGS), cmd)
 
             # Run the test command
             # We handle the "check" argument above in the kwargs dict.
             # pylint: disable-msg=subprocess-run-check
             cmd_p = subprocess.run(cmd, **kwargs)
             rc = cmd_p.returncode
 
             if stdin_p is not None:
                 stdin_p.stdout.close()
 
             self._output.extend(cmd_p.stderr.splitlines())
             self._output.extend(cmd_p.stdout.splitlines())
 
             # Run the teardown hook, if any
             if not self._run_setup_teardown(self._teardown, app):
                 return False
 
         if self.update_cib:
             self._output.append("=#=#=#= Current cib after: %s =#=#=#=" % self.desc)
             self._output.extend(current_cib().splitlines())
 
         self._validate_hook(rc, cmd_p.stdout, cmd_p.stderr, valgrind=valgrind)
 
         if rc == self.expected_rc:
             self._log_test_passed(app)
             return True
 
         self._log_test_failed(app, rc)
         return False
 
 
 class AclTest(Test):
     """
     A Test subclass specialized for running certain ACL tests.
 
     Differences from the Test class:
 
     * Does not use the stdin= parameter.
     * Runs the setup and teardown hooks in an environment that also sets
       CIB_user=root, CIB_shadow="", and CIB_file to a temporary file.
     * The setup hooks should construct a new CIB and write it to that
       temporary file.
     * Prints the input CIB before running the test.
     """
 
     def run(self, group, env=None, valgrind=False):
         """
         Run this test.
 
         Basic output is printed to stdout, while detailed output is available
         in the self.output property after this function has been run.  Return
         True if the return code matches self.expected_rc, and False otherwise.
 
         Arguments:
         group -- The name of the group this test is a part of, for logging purposes
 
         Keyword arguments:
         env   -- If not None, a dict of values to be added to the test environment
         """
         self._output = []
 
         cmd = apply_substitutions(self.cmd)
         app = cmd.split(" ")[0]
 
         test_id = "%s(%s)" % (app, group)
         print("* Running: %-31s - %s" % (test_id, self.desc))
 
         # Add any environment variables specified in Test.__init__
         if env is None:
             env = self._env
         else:
             env = env.update(self._env)
 
         with environ(env):
             with NamedTemporaryFile(prefix="cts-cli.cib.") as fp:
                 fp.write(current_cib().encode())
                 fp.flush()
 
                 # Run the setup hook, if any.  Typically, this is something that
                 # modifies the existing CIB.  We need to do these modifications
                 # in a different environment from what the test will run in, since
                 # the test may not have the permissions necessary to do the
                 # modifications.
                 with environ({"CIB_user": "root", "CIB_file": fp.name, "CIB_shadow": None}):
                     if not self._run_setup_teardown(self._setup, app):
                         return False
 
                     # At the least, print the CIB that will be the test input.
                     self._output.extend(current_cib().splitlines())
 
                 # Note: This is positioned differently from where it is in Test.run.
                 self._log_start_test()
 
                 # Define basic arguments for running this test.
                 kwargs = {"stdout": subprocess.PIPE, "stderr": subprocess.PIPE,
                           "shell": True, "universal_newlines": True, "check": False}
 
                 # Read in the potentially modified CIB as the stdin for the test.
                 fp.seek(0)
                 kwargs["input"] = fp.read().decode(encoding="utf-8")
 
                 if valgrind:
                     cmd = "valgrind %s %s" % (" ".join(VALGRIND_ARGS), cmd)
 
                 # Run the test command
                 # We handle the "check" argument above in the kwargs dict.
                 # pylint: disable-msg=subprocess-run-check
                 cmd_p = subprocess.run(cmd, **kwargs)
                 rc = cmd_p.returncode
 
                 self._output.extend(cmd_p.stderr.splitlines())
                 self._output.extend(cmd_p.stdout.splitlines())
 
                 # Run the teardown hook, if any
                 with environ({"CIB_user": "root", "CIB_file": fp.name, "CIB_shadow": None}):
                     if not self._run_setup_teardown(self._teardown, app):
                         return False
 
         if self.update_cib:
             self._output.append("=#=#=#= Current cib after: %s =#=#=#=" % self.desc)
             self._output.extend(current_cib().splitlines())
 
         self._validate_hook(rc, cmd_p.stdout, cmd_p.stderr, valgrind=valgrind)
 
         if rc == self.expected_rc:
             self._log_test_passed(app)
             return True
 
         self._log_test_failed(app, rc)
         return False
 
 
 class ValidatingTest(Test):
     """A Test subclass that additionally runs test results through xmllint."""
 
     format_args = "--output-as=xml"
 
     def __init__(self, desc, cmd, **kwargs):
         """Create a new ValidatingTest instance."""
         Test.__init__(self, desc + " (XML)", cmd, **kwargs)
 
     def _validate_hook(self, rc, stdout, stderr, valgrind=False):
         """Validate test output with xmllint."""
         # Do not validate if running under valgrind, even if told to do so.  Valgrind
         # will output a lot more stuff that is not XML, so it wouldn't validate
         # anyway.
         if valgrind:
             return Test._validate_hook(self, rc, stdout, stderr, valgrind=valgrind)
 
         try:
             validate(stdout)
             # We only care about the return code from validation if there was an error,
             # which will be dealt with below.  Here, we want to log the original return
             # code from the test itself.
             self._log_end_test(rc)
             return 0
         except XmlValidationError as e:
             self._output.append("=#=#=#= End test: %s - Failed to validate (%d) =#=#=#=" % (self.desc, e.exit_code))
             self._output.extend(e.output.splitlines())
             return e.exit_code
 
 
 class TestGroup:
     """A base class for a group of related tests."""
 
     def __init__(self, tests, cib_gen=None, env=None, setup=None, teardown=None):
         """
         Create a new TestGroup instance.
 
         Arguments:
         tests    -- A list of Test instances
 
         Keyword arguments:
         cib_gen  -- If not None, a function that generates a CIB file and returns the
                     name of that CIB.  This will be added to the test environment as
                     CIB_file and used for all tests in this group.  The file will then
                     be deleted after all tests have been run.
         env      -- If not None, a dict of values to be added to the test environment
         setup    -- A command string, python function, or list of the previous
                     types to run immediately before the test.  This will be run in
                     the same environment as cmd.
         teardown -- Like setup, but runs immediately after the tests
         """
         self.tests = tests
         self._cib_gen = cib_gen
         self._env = env
         self._setup = setup
         self._teardown = teardown
 
         self._successes = None
         self._failures = None
         self._output = None
 
     @property
     def failures(self):
         """Return the number of member tests that failed."""
         return self._failures
 
     @property
     def output(self):
         """Return the test's detailed output."""
         return self._output
 
     @property
     def successes(self):
         """Return the number of member tests that succeeded."""
         return self._successes
 
     def _run_setup_teardown(self, cmd):
         """
         Run any setup or teardown command required by this test group.
 
         On success (or if no command is present), return True.  On failure,
         return False and log the stdout/stderr of the command for debugging.
 
         Arguments:
         cmd -- The setup/teardown command(s) to run
         """
         try:
             run_cmd_list(cmd)
             return True
         except subprocess.CalledProcessError as exn:
             self._output.extend(exn.stderr.splitlines())
             self._output.extend(exn.stdout.splitlines())
             return False
 
     def run(self, group, valgrind=False):
         """
         Run all Test instances that are a part of this regression test.
 
         Additionally, record their stdout and stderr in the self.output property
         and the total number of tests that passed and failed.
 
         Arguments:
         group -- The name of the group this test is a part of, for logging purposes
         """
         self._failures = 0
         self._successes = 0
         self._output = []
 
         cib_file = None
 
         with environ(self._env):
             # If we were given a way to generate a CIB, do that now and add it to the
             # environment.
             if self._cib_gen is not None:
                 cib_file = self._cib_gen()
                 os.environ.update({"CIB_file": cib_file})
 
             # Run the setup hook, if any
             if not self._run_setup_teardown(self._setup):
                 return False
 
             # Run the tests
             for t in self.tests:
                 rc = t.run(group, valgrind=valgrind)
 
                 if isinstance(t, TestGroup):
                     self._successes += t.successes
                     self._failures += t.failures
                 else:
                     if rc:
                         self._successes += 1
                     else:
                         self._failures += 1
 
                 self._output.extend(t.output)
 
             if cib_file is not None:
                 os.environ.pop("CIB_file")
                 os.unlink(cib_file)
 
             # Run the teardown hook, if any
             if self._run_setup_teardown(self._teardown):
                 return False
 
         return True
 
 
 class ShadowTestGroup(TestGroup):
     """A group of related tests that require a shadow CIB."""
 
     def __init__(self, tests, **kwargs):
         """
         Create a new ShadowTestGroup instance.
 
         Arguments:
         tests           -- A list of Test instances
 
         Keyword arguments:
         create          -- If True, create a shadow CIB file (see create_empty).
                            Otherwise, just create a temp directory and set environment
                            variables.
         create_empty    -- If True, the shadow CIB will be empty.  Otherwise, the
                            shadow CIB will be a copy of the currently active
                            cluster configuration.
         validate_with   -- If not None, the schema version to validate the CIB
                            against
         """
         self._create = kwargs.pop("create", True)
         self._create_empty = kwargs.pop("create_empty", True)
         self._validate_with = kwargs.pop("validate_with", None)
         TestGroup.__init__(self, tests, **kwargs)
 
     def run(self, group, valgrind=False):
         """
         Run all Test instances that are a part of this regression test.
 
         Additionally, record their stdout and stderr in the self.output property
         and the total number of tests that passed and failed.
 
         Arguments:
         group -- The name of the group this test is a part of, for logging purposes
         """
         with TemporaryDirectory(prefix="cts-cli.shadow.") as shadow_dir:
             if self._create:
                 create_shadow_cib(shadow_dir, create_empty=self._create_empty,
                                   validate_with=self._validate_with, valgrind=valgrind)
             else:
                 os.environ["CIB_shadow_dir"] = shadow_dir
                 os.environ["CIB_shadow"] = SHADOW_NAME
 
             rc = TestGroup.run(self, group, valgrind=valgrind)
 
             if self._create:
                 cleanup_shadow_dir()
 
             os.environ.pop("CIB_shadow_dir")
             os.environ.pop("CIB_shadow")
             return rc
 
 
 class RegressionTest:
     """A base class for testing a single command line tool."""
 
     def __init__(self):
         """Create a new RegressionTest instance."""
         self._identical = None
         self._successes = None
         self._failures = None
 
         self._tempfile = None
         self._output = None
 
     @property
     def failures(self):
         """Return the number of member tests that failed."""
         return self._failures
 
     @property
     def identical(self):
         """Return whether the expected output matches the actual output."""
         return self._identical
 
     @property
     def name(self):
         """
         Return the name of this regression test.
 
         This should be a unique, very short, single word name without any special
         characters.  It must match the name of some word in the default_tests
         list because it may be given with the -r option on the command line
         to select only certain tests to run.
 
         All subclasses must define this property.
         """
         raise NotImplementedError
 
     @property
     def results_file(self):
         """Return the location where the regression test results are stored."""
         return self._tempfile
 
     @property
     def successes(self):
         """Return the number of member tests that succeeded."""
         return self._successes
 
     @property
     def summary(self):
         """Return a list of all Passed/Failed lines for tests in this regression test."""
         retval = []
 
         for line in self._output:
             if line.startswith("* Failed") or line.startswith("* Passed"):
                 retval.append(line)
 
         return retval
 
     @property
     def tests(self):
         """A list of Test and TestGroup instances to be run as part of this regression test."""
         return []
 
     def cleanup(self):
         """Remove the temp file where test output is stored."""
         os.remove(self._tempfile)
         self._tempfile = None
 
     def diff(self, verbose=False):
         """
         Compare the results of this regression test to the expected results.
 
         Arguments:
         verbose -- If True, the diff will be written to stdout
         """
         args = ["diff", "-wu", "%s/cli/regression.%s.exp" % (test_home, self.name), self.results_file]
 
         try:
             if verbose:
                 subprocess.run(args, check=True)
             else:
                 subprocess.run(args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                                check=True)
 
             self._identical = True
         except subprocess.CalledProcessError:
             self._identical = False
 
     def process_results(self, verbose):
         """If actual output differs from expected output, print the actual output."""
         if self.identical:
             self.cleanup()
             return
 
         print("    %s" % self.results_file)
 
         if verbose:
             print("======================================================")
             with open(self.results_file, encoding="utf-8") as f:
                 print(f.read())
             print("======================================================")
 
     def run(self, valgrind=False):
         """
         Run all Test and TestGroup instances that are a part of this regression test.
 
         Additionally, record their stdout and stderr in the self.output property
         and the total number of tests that passed and failed.
         """
         self._failures = 0
         self._successes = 0
         self._output = []
 
         for t in self.tests:
             rc = t.run(self.name, valgrind=valgrind)
 
             if isinstance(t, TestGroup):
                 self._successes += t.successes
                 self._failures += t.failures
             else:
                 if rc:
                     self._successes += 1
                 else:
                     self._failures += 1
 
             self._output.extend(t.output)
 
         self._output = sanitize_output(self._output)
 
     def write(self):
         """
         Write test results to a temporary file and set self.results to its location.
 
         If self.run() has not yet been called, or there is otherwise no output,
         self.results will be None
         """
         if not self._output:
             self._tempfile = None
             return
 
         s = "\n".join(self._output).encode()
         s += b"\n"
 
         (fp, self._tempfile) = mkstemp(prefix="cts-cli.%s." % self.name)
         os.write(fp, s)
         os.close(fp)
 
 
 class AccessRenderRegressionTest(RegressionTest):
     """A class for testing rendering of ACLs."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "access_render"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         acl_cib = """
 <acls>
   <acl_role id="role-deny-acls-write-resources">
     <acl_permission id="deny-acls" kind="deny" xpath="/cib/configuration/acls"/>
     <acl_permission id="write-resources" kind="write"
                     xpath="/cib/configuration/resources"/>
     <acl_permission id="read-rest" kind="read" xpath="/cib"/>
   </acl_role>
   <acl_target id="tony">
     <role id="role-deny-acls-write-resources"/>
   </acl_target>
 </acls>
 """
 
         # Create a test CIB that has ACL roles
         basic_tests = [
             Test("Configure some ACLs", "cibadmin -M -o acls -p", update_cib=True,
                  stdin=acl_cib),
             Test("Enable ACLs", "crm_attribute -n enable-acl -v true",
                  update_cib=True),
             # Run cibadmin --show-access on the test CIB as an ACL-restricted user
             Test("An instance of ACLs render (into color)",
                  "cibadmin --force --show-access=color -Q --user tony"),
             Test("An instance of ACLs render (into namespacing)",
                  "cibadmin --force --show-access=namespace -Q --user tony"),
             Test("An instance of ACLs render (into text)",
                  "cibadmin --force --show-access=text -Q --user tony"),
         ]
 
         return [
             ShadowTestGroup(basic_tests),
         ]
 
 
 class DaemonsRegressionTest(RegressionTest):
     """A class for testing command line options of pacemaker daemons."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "daemons"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         return [
             Test("Get CIB manager metadata", "pacemaker-based metadata"),
             Test("Get controller metadata", "pacemaker-controld metadata"),
             Test("Get fencer metadata", "pacemaker-fenced metadata"),
             Test("Get scheduler metadata", "pacemaker-schedulerd metadata"),
         ]
 
 
 class DatesRegressionTest(RegressionTest):
     """A class for testing handling of ISO8601 dates."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "dates"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         invalid_periods = [
             "",
             "2019-01-01 00:00:00Z",             # Start with no end
             "2019-01-01 00:00:00Z/",            # Start with only a trailing slash
             "PT2S/P1M",                         # Two durations
             "2019-13-01 00:00:00Z/P1M",         # Out-of-range month
             "20191077T15/P1M",                  # Out-of-range day
             "2019-10-01T25:00:00Z/P1M",         # Out-of-range hour
             "2019-10-01T24:00:01Z/P1M",         # Hour 24 with anything but :00:00
             "PT5H/20191001T007000Z",            # Out-of-range minute
             "2019-10-01 00:00:80Z/P1M",         # Out-of-range second
             "2019-10-01 00:00:10 +25:00/P1M",   # Out-of-range offset hour
             "20191001T000010 -00:61/P1M",       # Out-of-range offset minute
             "P1Y/2019-02-29 00:00:00Z",         # Feb. 29 in non-leap-year
             "2019-01-01 00:00:00Z/P",           # Duration with no values
             "P1Z/2019-02-20 00:00:00Z",         # Invalid duration unit
             "P1YM/2019-02-20 00:00:00Z",        # No number for duration unit
         ]
 
         # Ensure invalid period specifications are rejected
         invalid_period_tests = []
         for p in invalid_periods:
             invalid_period_tests.append(Test("Invalid period - [%s]" % p,
                                              "iso8601 -p '%s'" % p,
                                              expected_rc=ExitStatus.INVALID_PARAM))
 
         year_tests = []
         for y in ["06", "07", "08", "09", "10", "11", "12", "13", "14", "15", "16", "17", "18", "40"]:
             year_tests.extend([
                 Test("20%s-W01-7" % y,
                      "iso8601 -d '20%s-W01-7 00Z'" % y),
                 Test("20%s-W01-7 - round-trip" % y,
                      "iso8601 -d '20%s-W01-7 00Z' -W -E '20%s-W01-7 00:00:00Z'" % (y, y)),
                 Test("20%s-W01-1" % y,
                      "iso8601 -d '20%s-W01-1 00Z'" % y),
                 Test("20%s-W01-1 - round-trip" % y,
                      "iso8601 -d '20%s-W01-1 00Z' -W -E '20%s-W01-1 00:00:00Z'" % (y, y))
             ])
 
         return invalid_period_tests + [
             make_test_group("'2005-040/2005-043' period", "iso8601 {fmt} -p '2005-040/2005-043'",
                             [Test, ValidatingTest]),
             Test("2014-01-01 00:30:00 - 1 Hour",
                  "iso8601 -d '2014-01-01 00:30:00Z' -D P-1H -E '2013-12-31 23:30:00Z'"),
             Test("Valid date - Feb 29 in leap year",
                  "iso8601 -d '2020-02-29 00:00:00Z' -E '2020-02-29 00:00:00Z'"),
             Test("Valid date - using 'T' and offset",
                  "iso8601 -d '20191201T131211 -05:00' -E '2019-12-01 18:12:11Z'"),
             Test("24:00:00 equivalent to 00:00:00 of next day",
                  "iso8601 -d '2019-12-31 24:00:00Z' -E '2020-01-01 00:00:00Z'"),
         ] + year_tests + [
             make_test_group("2009-W53-07",
                             "iso8601 {fmt} -d '2009-W53-7 00:00:00Z' -W -E '2009-W53-7 00:00:00Z'",
                             [Test, ValidatingTest]),
             Test("epoch + 2 Years 5 Months 6 Minutes",
                  "iso8601 -d 'epoch' -D P2Y5MT6M -E '1972-06-01 00:06:00Z'"),
             Test("2009-01-31 + 1 Month",
                  "iso8601 -d '20090131T000000Z' -D P1M -E '2009-02-28 00:00:00Z'"),
             Test("2009-01-31 + 2 Months",
                  "iso8601 -d '2009-01-31 00:00:00Z' -D P2M -E '2009-03-31 00:00:00Z'"),
             Test("2009-01-31 + 3 Months",
                  "iso8601 -d '2009-01-31 00:00:00Z' -D P3M -E '2009-04-30 00:00:00Z'"),
             make_test_group("2009-03-31 - 1 Month",
                             "iso8601 {fmt} -d '2009-03-31 01:00:00 +01:00' -D P-1M -E '2009-02-28 00:00:00Z'",
                             [Test, ValidatingTest]),
             make_test_group("2038-01-01 + 3 Months",
                             "iso8601 {fmt} -d '2038-01-01 00:00:00Z' -D P3M -E '2038-04-01 00:00:00Z'",
                             [Test, ValidatingTest]),
         ]
 
 
 class ErrorCodeRegressionTest(RegressionTest):
     """A class for testing error code reporting."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "error_codes"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         # Legacy return codes
         #
         # Don't test unknown legacy code. FreeBSD includes a colon in strerror(),
         # while other distros do not.
         legacy_tests = [
             make_test_group("Get legacy return code", "crm_error {fmt} 201",
                             [Test, ValidatingTest]),
             make_test_group("Get legacy return code (with name)", "crm_error -n {fmt} 201",
                             [Test, ValidatingTest]),
             make_test_group("Get multiple legacy return codes", "crm_error {fmt} 201 202",
                             [Test, ValidatingTest]),
             make_test_group("Get multiple legacy return codes (with names)",
                             "crm_error -n {fmt} 201 202",
                             [Test, ValidatingTest]),
             # We can only rely on our custom codes, so we'll spot-check codes 201-209
             Test("List legacy return codes (spot check)",
                  "crm_error -l | grep 20[1-9]"),
             ValidatingTest("List legacy return codes (spot check)",
                            "crm_error -l --output-as=xml | grep -Ev '<result-code.*code=\"([^2]|2[^0]|20[^1-9])'"),
             Test("List legacy return codes (spot check) (with names)",
                  "crm_error -n -l | grep 20[1-9]"),
             ValidatingTest("List legacy return codes (spot check) (with names)",
                            "crm_error -n -l --output-as=xml | grep -Ev '<result-code.*code=\"([^2]|2[^0]|20[^1-9])'"),
         ]
 
         # Standard Pacemaker return codes
         #
         # Don't test positive (system) error codes, which may vary by OS
         standard_tests = [
             make_test_group("Get unknown Pacemaker return code", "crm_error -r {fmt} -- -10000",
                             [Test, ValidatingTest]),
             make_test_group("Get unknown Pacemaker return code (with name)",
                             "crm_error -n -r {fmt} -- -10000",
                             [Test, ValidatingTest]),
             # Negative return codes require parsing out the "--" explicitly, so we need
             # to test them as a separate case
             make_test_group("Get negative Pacemaker return code", "crm_error -r {fmt} -- -1005",
                             [Test, ValidatingTest]),
             # Testing name lookups for negative return codes only is sufficient
             make_test_group("Get negative Pacemaker return code (with name)",
                             "crm_error -n -r {fmt} -- -1005",
                             [Test, ValidatingTest]),
             # We can only rely on our custom codes (negative and zero)
             Test("List Pacemaker return codes (non-positive)",
                  "crm_error -l -r | grep -E '^[[:blank:]]*(-[[:digit:]]+|0):'"),
             ValidatingTest("List Pacemaker return codes (non-positive)",
                            "crm_error -l -r --output-as=xml | grep -E -v '<result-code.*code=\"[[:digit:]]'"),
             Test("List Pacemaker return codes (non-positive) (with names)",
                  "crm_error -n -l -r | grep -E '^[[:blank:]]*(-[[:digit:]]+|0):'"),
             ValidatingTest("List Pacemaker return codes (non-positive) (with names)",
                            "crm_error -n -l -r --output-as=xml | grep -E -v '<result-code.*code=\"[[:digit:]]'"),
         ]
 
         # crm_exit_t exit codes
         crm_exit_t_tests = [
             make_test_group("Get unknown crm_exit_t exit code", "crm_error -X {fmt} -- -10000",
                             [Test, ValidatingTest]),
             make_test_group("Get unknown crm_exit_t exit code (with name)",
                             "crm_error -n -X {fmt} -- -10000",
                             [Test, ValidatingTest]),
             make_test_group("Get crm_exit_t exit code", "crm_error -X {fmt} 1",
                             [Test, ValidatingTest]),
             make_test_group("Get crm_exit_t exit code (with name)",
                             "crm_error -n -X {fmt} 1",
                             [Test, ValidatingTest]),
             make_test_group("Get all crm_exit_t exit codes", "crm_error -l -X {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Get all crm_exit_t exit codes (with name)",
                             "crm_error -l -n -X {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         return legacy_tests + standard_tests + crm_exit_t_tests
 
 
 class CibadminRegressionTest(RegressionTest):
     """A class for testing cibadmin."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "cibadmin"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             Test("Validate CIB", "cibadmin -Q", update_cib=True),
             Test("Digest calculation", "cibadmin -Q | cibadmin -5 -p 2>&1"),
             Test("Require --force for CIB erasure", "cibadmin -E",
                  expected_rc=ExitStatus.UNSAFE, update_cib=True),
             Test("Allow CIB erasure with --force", "cibadmin -E --force"),
             # Verify the output after erasure
             Test("Query CIB", "cibadmin -Q",
                  setup=delete_shadow_resource_defaults,
                  update_cib=True),
         ]
 
         # Add some stuff to the empty CIB so we know that erasing it did something.
         basic_tests_setup = [
             """cibadmin -C -o nodes --xml-text '<node id="node1" uname="node1"/>'""",
             """cibadmin -C -o crm_config --xml-text '<cluster_property_set id="cib-bootstrap-options"><nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/></cluster_property_set>'""",
             """cibadmin -C -o resources --xml-text '<primitive class="ocf" id="dummy" provider="heartbeat" type="Dummy" />'"""
         ]
 
         return [
             ShadowTestGroup(basic_tests, setup=basic_tests_setup),
         ]
 
 
 class CrmAttributeRegressionTest(RegressionTest):
     """A class for testing crm_attribute."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_attribute"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         options_tests = [
             make_test_group("List all available options (invalid type)",
                             "crm_attribute --list-options=asdf {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.USAGE),
             make_test_group("List non-advanced cluster options",
                             "crm_attribute --list-options=cluster {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List all available cluster options",
                             "crm_attribute --list-options=cluster --all {fmt}",
                             [Test, ValidatingTest]),
             Test("Return usage error if both -p and OCF_RESOURCE_INSTANCE are empty strings",
                  "crm_attribute -N cluster01 -p '' -G",
                  expected_rc=ExitStatus.USAGE),
         ]
 
         value_update_tests = [
             Test("Query the value of an attribute that does not exist",
                  "crm_attribute -n ABCD --query --quiet",
                  expected_rc=ExitStatus.NOSUCH),
             Test("Configure something before erasing",
                  "crm_attribute -n test_attr -v 5", update_cib=True),
             Test("Test '++' XML attribute update syntax",
                  """cibadmin -M --score --xml-text='<cib admin_epoch="admin_epoch++"/>'""",
                  update_cib=True),
             Test("Test '+=' XML attribute update syntax",
                  """cibadmin -M --score --xml-text='<cib admin_epoch="admin_epoch+=2"/>'""",
                  update_cib=True),
             make_test_group("Test '++' nvpair value update syntax",
                             "crm_attribute -n test_attr -v 'value++' --score {fmt}",
                             [Test, ValidatingTest], update_cib=True),
             make_test_group("Test '+=' nvpair value update syntax",
                             "crm_attribute -n test_attr -v 'value+=2' --score {fmt}",
                             [Test, ValidatingTest], update_cib=True),
             Test("Test '++' XML attribute update syntax (--score not set)",
                  """cibadmin -M --xml-text='<cib admin_epoch="admin_epoch++"/>'""",
                  update_cib=True),
             Test("Test '+=' XML attribute update syntax (--score not set)",
                  """cibadmin -M --xml-text='<cib admin_epoch="admin_epoch+=2"/>'""",
                  update_cib=True),
             make_test_group("Test '++' nvpair value update syntax (--score not set)",
                             "crm_attribute -n test_attr -v 'value++' {fmt}",
                             [Test, ValidatingTest], update_cib=True),
             make_test_group("Test '+=' nvpair value update syntax (--score not set)",
                             "crm_attribute -n test_attr -v 'value+=2' {fmt}",
                             [Test, ValidatingTest], update_cib=True),
         ]
 
         query_set_tests = [
             Test("Set cluster option", "crm_attribute -n cluster-delay -v 60s",
                  update_cib=True),
             Test("Query new cluster option",
                  "cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"),
             Test("Set no-quorum policy",
                  "crm_attribute -n no-quorum-policy -v ignore", update_cib=True),
             Test("Delete nvpair",
                  """cibadmin -D -o crm_config --xml-text '<nvpair id="cib-bootstrap-options-cluster-delay"/>'""",
                  update_cib=True),
             Test("Create operation should fail",
                  """cibadmin -C -o crm_config --xml-text '<cluster_property_set id="cib-bootstrap-options"><nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/></cluster_property_set>'""",
                  expected_rc=ExitStatus.EXISTS, update_cib=True),
             Test("Modify cluster options section",
                  """cibadmin -M -o crm_config --xml-text '<cluster_property_set id="cib-bootstrap-options"><nvpair id="cib-bootstrap-options-cluster-delay" name="cluster-delay" value="60s"/></cluster_property_set>'""",
                  update_cib=True),
             Test("Query updated cluster option",
                  "cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay",
                  update_cib=True),
             Test("Set duplicate cluster option",
                  "crm_attribute -n cluster-delay -v 40s -s duplicate",
                  update_cib=True),
             Test("Setting multiply defined cluster option should fail",
                  "crm_attribute -n cluster-delay -v 30s",
                  expected_rc=ExitStatus.MULTIPLE, update_cib=True),
             Test("Set cluster option with -s",
                  "crm_attribute -n cluster-delay -v 30s -s duplicate",
                  update_cib=True),
             Test("Delete cluster option with -i",
                  "crm_attribute -n cluster-delay -D -i cib-bootstrap-options-cluster-delay",
                  update_cib=True),
             Test("Create node1 and bring it online",
                  "crm_simulate --live-check --in-place --node-up=node1",
                  update_cib=True),
             Test("Create node attribute",
                  "crm_attribute -n ram -v 1024M -N node1 -t nodes",
                  update_cib=True),
             Test("Query new node attribute",
                  "cibadmin -Q -o nodes | grep node1-ram",
                  update_cib=True),
             Test("Create second node attribute",
                  "crm_attribute -n rattr -v XYZ -N node1 -t nodes",
                  update_cib=True),
             Test("Query node attributes by pattern",
                  "crm_attribute -t nodes -P 'ra.*' -N node1 --query"),
             Test("Update node attributes by pattern",
                  "crm_attribute -t nodes -P 'rat.*' -N node1 -v 10",
                  update_cib=True),
             Test("Delete node attributes by pattern",
                  "crm_attribute -t nodes -P 'rat.*' -N node1 -D",
                  update_cib=True),
             Test("Set a transient (fail-count) node attribute",
                  "crm_attribute -n fail-count-foo -v 3 -N node1 -t status",
                  update_cib=True),
             Test("Query a fail count", "crm_failcount --query -r foo -N node1",
                  update_cib=True),
             Test("Show node attributes with crm_simulate",
                  "crm_simulate --live-check --show-attrs"),
             Test("Set a second transient node attribute",
                  "crm_attribute -n fail-count-bar -v 5 -N node1 -t status",
                  update_cib=True),
             Test("Query transient node attributes by pattern",
                  "crm_attribute -t status -P fail-count -N node1 --query"),
             Test("Update transient node attributes by pattern",
                  "crm_attribute -t status -P fail-count -N node1 -v 10",
                  update_cib=True),
             Test("Delete transient node attributes by pattern",
                  "crm_attribute -t status -P fail-count -N node1 -D",
                  update_cib=True),
             Test("crm_attribute given invalid delete usage",
                  "crm_attribute -t nodes -N node1 -D",
                  expected_rc=ExitStatus.USAGE),
             Test("Set a utilization node attribute",
                  "crm_attribute -n cpu -v 1 -N node1 -z",
                  update_cib=True),
             Test("Query utilization node attribute",
                  "crm_attribute --query -n cpu -N node1 -z"),
             # This update will fail because it has version numbers
             Test("Replace operation should fail",
                  """cibadmin -Q | sed -e 's/epoch="[^"]*"/epoch="1"/' | cibadmin -R -p""",
                  expected_rc=ExitStatus.OLD),
         ]
 
         promotable_tests = [
             make_test_group("Query a nonexistent promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -G {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Delete a nonexistent promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -D {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query after deleting a nonexistent promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -G {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Update a nonexistent promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -v 1 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query after updating a nonexistent promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -G {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Update an existing promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -v 5 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query after updating an existing promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -G {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Delete an existing promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -D {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query after deleting an existing promotable score attribute",
                             "crm_attribute -N cluster01 -p promotable-rsc -G {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
         ]
 
         # Test for an issue with legacy command line parsing when the resource is
         # specified in the environment (CLBZ#5509)
         ocf_rsc_instance_tests = [
             make_test_group("Update a promotable score attribute to -INFINITY",
                             "crm_attribute -N cluster01 -p -v -INFINITY {fmt}",
                             [Test, ValidatingTest],
                             env={"OCF_RESOURCE_INSTANCE": "promotable-rsc"}),
             make_test_group("Query after updating a promotable score attribute to -INFINITY",
                             "crm_attribute -N cluster01 -p -G {fmt}",
                             [Test, ValidatingTest],
                             env={"OCF_RESOURCE_INSTANCE": "promotable-rsc"}),
             Test("Try OCF_RESOURCE_INSTANCE if -p is specified with an empty string",
                  "crm_attribute -N cluster01 -p '' -G",
                  env={"OCF_RESOURCE_INSTANCE": "promotable-rsc"}),
         ]
 
         return options_tests + [
             ShadowTestGroup(value_update_tests),
             ShadowTestGroup(query_set_tests),
             TestGroup(promotable_tests + ocf_rsc_instance_tests,
                       env={"OCF_RESOURCE_INSTANCE": "promotable-rsc"},
                       cib_gen=partial(copy_existing_cib, "{cts_cli_data}/crm_mon.xml")),
         ]
 
 
 class CrmStandbyRegressionTest(RegressionTest):
     """A class for testing crm_standby."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_standby"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             Test("Default standby value", "crm_standby -N node1 -G"),
             Test("Set standby status", "crm_standby -N node1 -v true",
                  update_cib=True),
             Test("Query standby value", "crm_standby -N node1 -G"),
             Test("Delete standby value", "crm_standby -N node1 -D",
                  update_cib=True),
         ]
 
         return [
             ShadowTestGroup(basic_tests,
 			    setup="""cibadmin -C -o nodes --xml-text '<node id="node1" uname="node1"/>'"""),
         ]
 
 
 class CrmResourceRegressionTest(RegressionTest):
     """A class for testing crm_resource."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_resource"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         options_tests = [
             Test("crm_resource run with extra arguments", "crm_resource foo bar",
                  expected_rc=ExitStatus.USAGE),
             Test("List all available resource options (invalid type)",
                  "crm_resource --list-options=asdf",
                  expected_rc=ExitStatus.USAGE),
             Test("List all available resource options (invalid type)",
                  "crm_resource --list-options=asdf --output-as=xml",
                  expected_rc=ExitStatus.USAGE),
             make_test_group("List non-advanced primitive meta-attributes",
                             "crm_resource --list-options=primitive {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List all available primitive meta-attributes",
                             "crm_resource --list-options=primitive --all {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List non-advanced fencing parameters",
                             "crm_resource --list-options=fencing {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List all available fencing parameters",
                             "crm_resource --list-options=fencing --all {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         basic_tests = [
             Test("Create a resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                  update_cib=True),
             Test("crm_resource given both -r and resource config",
                  "crm_resource -r xyz --class ocf --provider pacemaker --agent Dummy",
                  expected_rc=ExitStatus.USAGE),
             Test("crm_resource given resource config with invalid action",
                  "crm_resource --class ocf --provider pacemaker --agent Dummy -D",
                  expected_rc=ExitStatus.USAGE),
             Test("Create a resource meta attribute",
                  "crm_resource -r dummy --meta -p is-managed -v false",
                  update_cib=True),
             Test("Query a resource meta attribute",
                  "crm_resource -r dummy --meta -g is-managed",
                  update_cib=True),
             Test("Remove a resource meta attribute",
                  "crm_resource -r dummy --meta -d is-managed",
                  update_cib=True),
             ValidatingTest("Create another resource meta attribute",
                            "crm_resource -r dummy --meta -p target-role -v Stopped --output-as=xml"),
             ValidatingTest("Show why a resource is not running",
                            "crm_resource -Y -r dummy --output-as=xml"),
             ValidatingTest("Remove another resource meta attribute",
                            "crm_resource -r dummy --meta -d target-role --output-as=xml"),
             ValidatingTest("Get a non-existent attribute from a resource element",
                            "crm_resource -r dummy --get-parameter nonexistent --element --output-as=xml"),
             make_test_group("Get a non-existent attribute from a resource element",
                             "crm_resource -r dummy --get-parameter nonexistent --element {fmt}",
                             [Test, ValidatingTest], update_cib=True),
             Test("Get an existent attribute from a resource element",
                  "crm_resource -r dummy --get-parameter class --element",
                  update_cib=True),
             ValidatingTest("Set a non-existent attribute for a resource element",
                            "crm_resource -r dummy --set-parameter=description -v test_description --element --output-as=xml",
                            update_cib=True),
             ValidatingTest("Set an existent attribute for a resource element",
                            "crm_resource -r dummy --set-parameter=description -v test_description --element --output-as=xml",
                            update_cib=True),
             ValidatingTest("Delete an existent attribute for a resource element",
                            "crm_resource -r dummy -d description --element --output-as=xml",
                            update_cib=True),
             ValidatingTest("Delete a non-existent attribute for a resource element",
                            "crm_resource -r dummy -d description --element --output-as=xml",
                            update_cib=True),
             Test("Set a non-existent attribute for a resource element",
                  "crm_resource -r dummy --set-parameter=description -v test_description --element",
                  update_cib=True),
             Test("Set an existent attribute for a resource element",
                  "crm_resource -r dummy --set-parameter=description -v test_description --element",
                  update_cib=True),
             Test("Delete an existent attribute for a resource element",
                  "crm_resource -r dummy -d description --element",
                  update_cib=True),
             Test("Delete a non-existent attribute for a resource element",
                  "crm_resource -r dummy -d description --element",
                  update_cib=True),
             Test("Create a resource attribute", "crm_resource -r dummy -p delay -v 10s",
                  update_cib=True),
             make_test_group("List the configured resources", "crm_resource -L {fmt}",
                             [Test, ValidatingTest], update_cib=True),
             Test("Implicitly list the configured resources", "crm_resource"),
             Test("List IDs of instantiated resources", "crm_resource -l"),
             make_test_group("Show XML configuration of resource", "crm_resource -q -r dummy {fmt}",
                             [Test, ValidatingTest]),
             Test("Require a destination when migrating a resource that is stopped",
                  "crm_resource -r dummy -M",
                  update_cib=True, expected_rc=ExitStatus.USAGE),
             Test("Don't support migration to non-existent locations",
                  "crm_resource -r dummy -M -N i.do.not.exist",
                  update_cib=True, expected_rc=ExitStatus.NOSUCH),
             Test("Create a fencing resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="Fence" class="stonith" type="fence_true"/>'""",
                  update_cib=True),
             Test("Bring resources online", "crm_simulate --live-check --in-place",
                  update_cib=True),
             Test("Try to move a resource to its existing location",
                  "crm_resource -r dummy --move --node node1",
                  update_cib=True, expected_rc=ExitStatus.EXISTS),
             Test("Try to move a resource that doesn't exist",
                  "crm_resource -r xyz --move --node node1",
                  expected_rc=ExitStatus.NOSUCH),
             Test("Move a resource from its existing location",
                  "crm_resource -r dummy --move",
                  update_cib=True),
             Test("Clear out constraints generated by --move",
                  "crm_resource -r dummy --clear",
                  update_cib=True),
             Test("Ban a resource on unknown node",
                  "crm_resource -r dummy -B -N host1",
                  expected_rc=ExitStatus.NOSUCH),
             Test("Create two more nodes and bring them online",
                  "crm_simulate --live-check --in-place --node-up=node2 --node-up=node3",
                  update_cib=True),
             Test("Ban dummy from node1", "crm_resource -r dummy -B -N node1",
                  update_cib=True),
             Test("Show where a resource is running", "crm_resource -r dummy -W"),
             Test("Show constraints on a resource", "crm_resource -a -r dummy"),
             ValidatingTest("Ban dummy from node2",
                            "crm_resource -r dummy -B -N node2 --output-as=xml",
                            update_cib=True),
             Test("Relocate resources due to ban",
                  "crm_simulate --live-check --in-place -S",
                  update_cib=True),
             ValidatingTest("Move dummy to node1",
                            "crm_resource -r dummy -M -N node1 --output-as=xml",
                            update_cib=True),
             Test("Clear implicit constraints for dummy on node2",
                  "crm_resource -r dummy -U -N node2",
                  update_cib=True),
             Test("Drop the status section",
                  "cibadmin -R -o status --xml-text '<status/>'"),
             Test("Create a clone",
                  """cibadmin -C -o resources --xml-text '<clone id="test-clone"><primitive id="test-primitive" class="ocf" provider="pacemaker" type="Dummy"/></clone>'"""),
             Test("Create a resource meta attribute",
                  "crm_resource -r test-primitive --meta -p is-managed -v false",
                  update_cib=True),
             Test("Create a resource meta attribute in the primitive",
                  "crm_resource -r test-primitive --meta -p is-managed -v false --force",
                  update_cib=True),
             Test("Update resource meta attribute with duplicates",
                  "crm_resource -r test-clone --meta -p is-managed -v true",
                  update_cib=True),
             Test("Update resource meta attribute with duplicates (force clone)",
                  "crm_resource -r test-clone --meta -p is-managed -v true --force",
                  update_cib=True),
             Test("Update child resource meta attribute with duplicates",
                  "crm_resource -r test-primitive --meta -p is-managed -v false",
                  update_cib=True),
             Test("Delete resource meta attribute with duplicates",
                  "crm_resource -r test-clone --meta -d is-managed",
                  update_cib=True),
             Test("Delete resource meta attribute in parent",
                  "crm_resource -r test-primitive --meta -d is-managed",
                  update_cib=True),
             Test("Create a resource meta attribute in the primitive",
                  "crm_resource -r test-primitive --meta -p is-managed -v false --force",
                  update_cib=True),
             Test("Update existing resource meta attribute",
                  "crm_resource -r test-clone --meta -p is-managed -v true",
                  update_cib=True),
             Test("Create a resource meta attribute in the parent",
                  "crm_resource -r test-clone --meta -p is-managed -v true --force",
                  update_cib=True),
             Test("Delete resource parent meta attribute (force)",
                  "crm_resource -r test-clone --meta -d is-managed --force",
                  update_cib=True),
             # Restore meta-attributes before running this test
             Test("Delete resource child meta attribute",
                  "crm_resource -r test-primitive --meta -d is-managed",
                  setup=["crm_resource -r test-primitive --meta -p is-managed -v true --force",
                         "crm_resource -r test-clone --meta -p is-managed -v true --force"],
                  update_cib=True),
             Test("Create the dummy-group resource group",
                  """cibadmin -C -o resources --xml-text '<group id="dummy-group">"""
                  """<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>"""
                  """<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>"""
                  """</group>'""",
                  update_cib=True),
             Test("Create a resource meta attribute in dummy1",
                  "crm_resource -r dummy1 --meta -p is-managed -v true",
                  update_cib=True),
             Test("Create a resource meta attribute in dummy-group",
                  "crm_resource -r dummy-group --meta -p is-managed -v false",
                  update_cib=True),
             Test("Delete the dummy-group resource group",
                  "cibadmin -D -o resources --xml-text '<group id=\"dummy-group\"/>'",
                  update_cib=True),
             Test("Specify a lifetime when moving a resource",
                  "crm_resource -r dummy --move --node node2 --lifetime=PT1H",
                  update_cib=True),
             Test("Try to move a resource previously moved with a lifetime",
                  "crm_resource -r dummy --move --node node1",
                  update_cib=True),
             Test("Ban dummy from node1 for a short time",
                  "crm_resource -r dummy -B -N node1 --lifetime=PT1S",
                  update_cib=True),
             Test("Remove expired constraints",
                  "sleep 2 && crm_resource --clear --expired",
                  update_cib=True),
             # Clear has already been tested elsewhere, but we need to get rid of the
             # constraints so testing delete works.  It won't delete if there's still
             # a reference to the resource somewhere.
             Test("Clear all implicit constraints for dummy",
                  "crm_resource -r dummy -U",
                  update_cib=True),
             Test("Set a node health strategy",
                  "crm_attribute -n node-health-strategy -v migrate-on-red",
                  update_cib=True),
             Test("Set a node health attribute",
                  "crm_attribute -N node3 -n '#health-cts-cli' -v red",
                  update_cib=True),
             ValidatingTest("Show why a resource is not running on an unhealthy node",
                            "crm_resource -N node3 -Y -r dummy --output-as=xml"),
             Test("Delete a resource",
                  "crm_resource -D -r dummy -t primitive",
                  update_cib=True),
         ]
 
         constraint_tests = []
         for rsc in ["prim1", "prim2", "prim3", "prim4", "prim5", "prim6", "prim7",
                     "prim8", "prim9", "prim10", "prim11", "prim12", "prim13",
                     "group", "clone"]:
             constraint_tests.extend([
                 make_test_group("Check locations and constraints for %s" % rsc,
                                 "crm_resource -a -r %s {fmt}" % rsc,
                                 [Test, ValidatingTest]),
                 make_test_group("Recursively check locations and constraints for %s" % rsc,
                                 "crm_resource -A -r %s {fmt}" % rsc,
                                 [Test, ValidatingTest]),
             ])
 
         constraint_tests.extend([
             Test("Check locations and constraints for group member (referring to group)",
                  "crm_resource -a -r gr2"),
             Test("Check locations and constraints for group member (without referring to group)",
                  "crm_resource -a -r gr2 --force"),
         ])
 
         colocation_tests = [
             ValidatingTest("Set a meta-attribute for primitive and resources colocated with it",
                            "crm_resource -r prim5 --meta --set-parameter=target-role -v Stopped --recursive --output-as=xml"),
             Test("Set a meta-attribute for group and resource colocated with it",
                  "crm_resource -r group --meta --set-parameter=target-role -v Stopped --recursive"),
             ValidatingTest("Set a meta-attribute for clone and resource colocated with it",
                            "crm_resource -r clone --meta --set-parameter=target-role -v Stopped --recursive --output-as=xml"),
         ]
 
         digest_tests = [
             ValidatingTest("Show resource digests",
                            "crm_resource --digests -r rsc1 -N node1 --output-as=xml"),
             Test("Show resource digests with overrides",
                  "crm_resource --digests -r rsc1 -N node1 --output-as=xml CRM_meta_interval=10000 CRM_meta_timeout=20000"),
             make_test_group("Show resource operations", "crm_resource --list-operations {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         basic2_tests = [
             make_test_group("List a promotable clone resource",
                             "crm_resource --locate -r promotable-clone {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List the primitive of a promotable clone resource",
                             "crm_resource --locate -r promotable-rsc {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List a single instance of a promotable clone resource",
                             "crm_resource --locate -r promotable-rsc:0 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List another instance of a promotable clone resource",
                             "crm_resource --locate -r promotable-rsc:1 {fmt}",
                             [Test, ValidatingTest]),
             Test("Try to move an instance of a cloned resource",
                  "crm_resource -r promotable-rsc:0 --move --node node1",
                  expected_rc=ExitStatus.INVALID_PARAM),
         ]
 
         basic_tests_setup = [
             "crm_attribute -n no-quorum-policy -v ignore",
             "crm_simulate --live-check --in-place --node-up=node1"
         ]
 
         return options_tests + [
             ShadowTestGroup(basic_tests, setup=basic_tests_setup),
             TestGroup(constraint_tests, env={"CIB_file": "{cts_cli_data}/constraints.xml"}),
             TestGroup(colocation_tests, cib_gen=partial(copy_existing_cib, "{cts_cli_data}/constraints.xml")),
             TestGroup(digest_tests, env={"CIB_file": "{cts_cli_data}/crm_resource_digests.xml"}),
             TestGroup(basic2_tests, env={"CIB_file": "{cts_cli_data}/crm_mon.xml"}),
             ValidatingTest("Check that CIB_file=\"-\" works - crm_resource",
                            "crm_resource --digests -r rsc1 -N node1 --output-as=xml",
                            env={"CIB_file": "-"},
                            stdin=pathlib.Path(apply_substitutions("{cts_cli_data}/crm_resource_digests.xml"))),
         ]
 
 
 class CrmTicketRegressionTest(RegressionTest):
     """A class for testing crm_ticket."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_ticket"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             Test("Default ticket granted state",
                  "crm_ticket -t ticketA -G granted -d false"),
             Test("Set ticket granted state", "crm_ticket -t ticketA -r --force",
                  update_cib=True),
             make_test_group("List ticket IDs", "crm_ticket -w {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query ticket state", "crm_ticket -t ticketA -q {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Query ticket granted state",
                             "crm_ticket -t ticketA -G granted {fmt}",
                             [Test, ValidatingTest]),
             Test("Delete ticket granted state",
                  "crm_ticket -t ticketA -D granted --force",
                  update_cib=True),
             Test("Make a ticket standby", "crm_ticket -t ticketA -s",
                  update_cib=True),
             Test("Query ticket standby state", "crm_ticket -t ticketA -G standby"),
             Test("Activate a ticket", "crm_ticket -t ticketA -a",
                  update_cib=True),
             make_test_group("List ticket details", "crm_ticket -L -t ticketA {fmt}",
                             [Test, ValidatingTest]),
             Test("Add a second ticket", "crm_ticket -t ticketB -G granted -d false",
                  update_cib=True),
             Test("Set second ticket granted state",
                  "crm_ticket -t ticketB -r --force",
                  update_cib=True),
             make_test_group("List tickets", "crm_ticket -l {fmt}",
                             [Test, ValidatingTest]),
             Test("Delete second ticket",
                  """cibadmin --delete --xml-text '<ticket_state id="ticketB"/>'""",
                  update_cib=True),
             Test("Delete ticket standby state", "crm_ticket -t ticketA -D standby",
                  update_cib=True),
             Test("Add a constraint to a ticket",
                  """cibadmin -C -o constraints --xml-text '<rsc_ticket id="dummy-dep-ticketA" rsc="dummy" rsc-role="Started" ticket="ticketA" loss-policy="freeze"/>'""",
                  update_cib=True),
             make_test_group("Query ticket constraints", "crm_ticket -t ticketA -c {fmt}",
                             [Test, ValidatingTest]),
             Test("Delete ticket constraint",
                  """cibadmin --delete --xml-text '<rsc_ticket id="dummy-dep-ticketA"/>'""",
                  update_cib=True),
         ]
 
         basic_tests_setup = [
             """cibadmin -C -o crm_config --xml-text '<cluster_property_set id="cib-bootstrap-options"><nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/></cluster_property_set>'""",
             """cibadmin -C -o resources --xml-text '<primitive class="ocf" id="dummy" provider="heartbeat" type="Dummy" />'"""
         ]
 
         return [
             ShadowTestGroup(basic_tests, setup=basic_tests_setup),
         ]
 
 
 class CrmadminRegressionTest(RegressionTest):
     """A class for testing crmadmin."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crmadmin"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             make_test_group("List all nodes", "crmadmin -N {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Minimally list all nodes", "crmadmin -N -q {fmt}",
                             [Test, ValidatingTest]),
             Test("List all nodes as bash exports", "crmadmin -N -B"),
             make_test_group("List cluster nodes",
                             "crmadmin -N cluster {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List guest nodes",
                             "crmadmin -N guest {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List remote nodes",
                             "crmadmin -N remote {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List cluster,remote nodes",
                             "crmadmin -N cluster,remote {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("List guest,remote nodes",
                             "crmadmin -N guest,remote {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         return [
             TestGroup(basic_tests,
                       env={"CIB_file": "{cts_cli_data}/crmadmin-cluster-remote-guest-nodes.xml"}),
             Test("Check that CIB_file=\"-\" works", "crmadmin -N",
                  env={"CIB_file": "-"},
                  stdin=pathlib.Path(apply_substitutions("{cts_cli_data}/crmadmin-cluster-remote-guest-nodes.xml"))),
         ]
 
 
 class CrmShadowRegressionTest(RegressionTest):
     """A class for testing crm_shadow."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_shadow"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         no_instance_tests = [
             make_test_group("Get active shadow instance (no active instance)",
                             "crm_shadow --which {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Get active shadow instance's file name (no active instance)",
                             "crm_shadow --file {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Get active shadow instance's contents (no active instance)",
                             "crm_shadow --display {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Get active shadow instance's diff (no active instance)",
                             "crm_shadow --diff {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
         ]
 
         # Create new shadow instance based on active CIB
         # Don't use create_shadow_cib() here; test explicitly
         new_instance_tests = [
             make_test_group("Create copied shadow instance",
                             "crm_shadow --create {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force"),
             # Query shadow instance based on active CIB
             make_test_group("Get active shadow instance (copied)",
                             "crm_shadow --which {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Get active shadow instance's file name (copied)",
                             "crm_shadow --file {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Get active shadow instance's contents (copied)",
                             "crm_shadow --display {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Get active shadow instance's diff (copied)",
                             "crm_shadow --diff {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         # Make some changes to the shadow file
         modify_cib = """export CIB_file=$(crm_shadow --file) && """ \
                      """cibadmin --modify --xml-text '<primitive id="dummy" description="desc"/>' && """ \
                      """cibadmin --delete --xml-text '<op_defaults/>' && """ \
                      """cibadmin --create -o resources --xml-text '<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>' && """ \
                      """cibadmin --create -o status --xml-text '<node_state id="3" uname="cluster03" in_ccm="true" crmd="online" crm-debug-origin="do_update_resource" join="member" expected="member"/>'"""
 
         more_tests = [
             # We can't use make_test_group() here because we only want to run
             # the modify_cib setup code once, and make_test_group will pass all
             # kwargs to every instance it creates.
             Test("Get active shadow instance's diff (after changes)",
                  "crm_shadow --diff",
                  setup=modify_cib, expected_rc=ExitStatus.ERROR),
             ValidatingTest("Get active shadow instance's diff (after changes)",
                            "crm_shadow --diff --output-as=xml",
                            expected_rc=ExitStatus.ERROR),
             TestGroup([
                 # Commit the modified shadow CIB to a temp active CIB file
                 Test("Commit shadow instance",
                      "crm_shadow --commit {shadow}",
                      expected_rc=ExitStatus.USAGE),
                 Test("Commit shadow instance (force)",
                      "crm_shadow --commit {shadow} --force"),
                 Test("Get active shadow instance's diff (after commit)",
                      "crm_shadow --diff",
                      expected_rc=ExitStatus.ERROR),
                 Test("Commit shadow instance (force) (all)",
                      "crm_shadow --commit {shadow} --force --all"),
                 Test("Get active shadow instance's diff (after commit all)",
                      "crm_shadow --diff",
                      expected_rc=ExitStatus.ERROR),
             ], cib_gen=partial(copy_existing_cib, "{cts_cli_data}/crm_mon.xml")),
             TestGroup([
                 # Repeat sequence with XML output
                 ValidatingTest("Commit shadow instance",
                                "crm_shadow --commit {shadow} --output-as=xml",
                                expected_rc=ExitStatus.USAGE),
                 ValidatingTest("Commit shadow instance (force)",
                                "crm_shadow --commit {shadow} --force --output-as=xml"),
                 ValidatingTest("Get active shadow instance's diff (after commit)",
                                "crm_shadow --diff --output-as=xml",
                                expected_rc=ExitStatus.ERROR),
                 ValidatingTest("Commit shadow instance (force) (all)",
                                "crm_shadow --commit {shadow} --force --all --output-as=xml"),
                 ValidatingTest("Get active shadow instance's diff (after commit all)",
                                "crm_shadow --diff --output-as=xml",
                                expected_rc=ExitStatus.ERROR),
                 # Commit an inactive shadow instance with no active instance
                 make_test_group("Commit shadow instance (no active instance)",
                                 "crm_shadow --commit {shadow} {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": None},
                                 expected_rc=ExitStatus.USAGE),
                 make_test_group("Commit shadow instance (no active instance) (force)",
                                 "crm_shadow --commit {shadow} --force {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": None}),
                 # Commit an inactive shadow instance with an active instance
                 make_test_group("Commit shadow instance (mismatch)",
                                 "crm_shadow --commit {shadow} {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": "nonexistent_shadow"},
                                 expected_rc=ExitStatus.USAGE),
                 make_test_group("Commit shadow instance (mismatch) (force)",
                                 "crm_shadow --commit {shadow} --force {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": "nonexistent_shadow"}),
                 # Commit an active shadow instance whose shadow file is missing
                 make_test_group("Commit shadow instance (nonexistent shadow file)",
                                 "crm_shadow --commit nonexistent_shadow {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": "nonexistent_shadow"},
                                 expected_rc=ExitStatus.USAGE),
                 make_test_group("Commit shadow instance (nonexistent shadow file) (force)",
                                 "crm_shadow --commit nonexistent_shadow --force {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": "nonexistent_shadow"},
                                 expected_rc=ExitStatus.NOSUCH),
                 make_test_group("Get active shadow instance's diff (nonexistent shadow file)",
                                 "crm_shadow --diff {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_shadow": "nonexistent_shadow"},
                                 expected_rc=ExitStatus.NOSUCH),
                 # Commit an active shadow instance when the CIB file is missing
                 make_test_group("Commit shadow instance (nonexistent CIB file)",
                                 "crm_shadow --commit {shadow} {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"},
                                 expected_rc=ExitStatus.USAGE),
                 make_test_group("Commit shadow instance (nonexistent CIB file) (force)",
                                 "crm_shadow --commit {shadow} --force {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"},
                                 expected_rc=ExitStatus.NOSUCH),
                 make_test_group("Get active shadow instance's diff (nonexistent CIB file)",
                                 "crm_shadow --diff {fmt}",
                                 [Test, ValidatingTest],
                                 env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"},
                                 expected_rc=ExitStatus.NOSUCH),
             ], cib_gen=partial(copy_existing_cib, "{cts_cli_data}/crm_mon.xml")),
         ]
 
         delete_1_tests = [
             # Delete an active shadow instance
             Test("Delete shadow instance", "crm_shadow --delete {shadow}",
                  expected_rc=ExitStatus.USAGE),
             Test("Delete shadow instance (force)", "crm_shadow --delete {shadow} --force"),
             ShadowTestGroup([
                 ValidatingTest("Delete shadow instance",
                                "crm_shadow --delete {shadow} --output-as=xml",
                                expected_rc=ExitStatus.USAGE),
                 ValidatingTest("Delete shadow instance (force)",
                                "crm_shadow --delete {shadow} --force --output-as=xml"),
             ])
         ]
 
         delete_2_tests = [
             # Delete an inactive shadow instance with no active instance
             Test("Delete shadow instance (no active instance)",
                  "crm_shadow --delete {shadow}",
                  expected_rc=ExitStatus.USAGE),
             Test("Delete shadow instance (no active instance) (force)",
                  "crm_shadow --delete {shadow} --force"),
         ]
 
         delete_3_tests = [
             ValidatingTest("Delete shadow instance (no active instance)",
                            "crm_shadow --delete {shadow} --output-as=xml",
                            expected_rc=ExitStatus.USAGE),
             ValidatingTest("Delete shadow instance (no active instance) (force)",
                            "crm_shadow --delete {shadow} --force --output-as=xml"),
         ]
 
         delete_4_tests = [
             # Delete an inactive shadow instance with an active instance
             Test("Delete shadow instance (mismatch)",
                  "crm_shadow --delete {shadow}",
                  expected_rc=ExitStatus.USAGE),
             Test("Delete shadow instance (mismatch) (force)",
                  "crm_shadow --delete {shadow} --force"),
         ]
 
         delete_5_tests = [
             ValidatingTest("Delete shadow instance (mismatch)",
                            "crm_shadow --delete {shadow} --output-as=xml",
                            expected_rc=ExitStatus.USAGE),
             ValidatingTest("Delete shadow instance (mismatch) (force)",
                            "crm_shadow --delete {shadow} --force --output-as=xml"),
             # Delete an active shadow instance whose shadow file is missing
             Test("Delete shadow instance (nonexistent shadow file)",
                  "crm_shadow --delete nonexistent_shadow",
                  expected_rc=ExitStatus.USAGE),
             Test("Delete shadow instance (nonexistent shadow file) (force)",
                  "crm_shadow --delete nonexistent_shadow --force"),
             ValidatingTest("Delete shadow instance (nonexistent shadow file)",
                            "crm_shadow --delete nonexistent_shadow --output-as=xml",
                            expected_rc=ExitStatus.USAGE),
             ValidatingTest("Delete shadow instance (nonexistent shadow file) (force)",
                            "crm_shadow --delete nonexistent_shadow --force --output-as=xml"),
         ]
 
         delete_6_tests = [
             # Delete an active shadow instance when the CIB file is missing
             Test("Delete shadow instance (nonexistent CIB file)",
                  "crm_shadow --delete {shadow}",
                  expected_rc=ExitStatus.USAGE),
             Test("Delete shadow instance (nonexistent CIB file) (force)",
                  "crm_shadow --delete {shadow} --force"),
         ]
 
         delete_7_tests = [
             ValidatingTest("Delete shadow instance (nonexistent CIB file)",
                            "crm_shadow --delete {shadow} --output-as=xml",
                            expected_rc=ExitStatus.USAGE),
             ValidatingTest("Delete shadow instance (nonexistent CIB file) (force)",
                            "crm_shadow --delete {shadow} --force --output-as=xml"),
         ]
 
         create_1_tests = [
             # Create new shadow instance based on active CIB with no instance active
             make_test_group("Create copied shadow instance (no active instance)",
                             "crm_shadow --create {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_shadow": None}),
             # Create new shadow instance based on active CIB with other instance active
             make_test_group("Create copied shadow instance (mismatch)",
                             "crm_shadow --create {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_shadow": "nonexistent_shadow"}),
             # Create new shadow instance based on CIB (shadow file already exists)
             make_test_group("Create copied shadow instance (file already exists)",
                             "crm_shadow --create {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.CANTCREAT),
             make_test_group("Create copied shadow instance (file already exists) (force)",
                             "crm_shadow --create {shadow} --batch --force {fmt}",
                             [Test, ValidatingTest]),
             # Create new shadow instance based on active CIB when the CIB file is missing
             make_test_group("Create copied shadow instance (nonexistent CIB file) (force)",
                             "crm_shadow --create {shadow} --batch --force {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.NOSUCH,
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"}),
         ]
 
         create_2_tests = [
             # Create new empty shadow instance
             make_test_group("Create empty shadow instance",
                             "crm_shadow --create-empty {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force"),
             # Create empty shadow instance with no active instance
             make_test_group("Create empty shadow instance (no active instance)",
                             "crm_shadow --create-empty {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_shadow": None}),
             # Create empty shadow instance with other instance active
             make_test_group("Create empty shadow instance (mismatch)",
                             "crm_shadow --create-empty {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_shadow": "nonexistent_shadow"}),
             # Create empty shadow instance when the CIB file is missing
             make_test_group("Create empty shadow instance (nonexistent CIB file)",
                             "crm_shadow --create-empty {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_shadow --delete {shadow} --force",
                             env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"}),
             # Create empty shadow instance (shadow file already exists)
             make_test_group("Create empty shadow instance (file already exists)",
                             "crm_shadow --create-empty {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.CANTCREAT),
             make_test_group("Create empty shadow instance (file already exists) (force)",
                             "crm_shadow --create-empty {shadow} --batch --force {fmt}",
                             [Test, ValidatingTest]),
             # Query shadow instance with an empty CIB.
             # --which and --file queries were done earlier.
             TestGroup([
                 make_test_group("Get active shadow instance's contents (empty CIB)",
                                 "crm_shadow --display {fmt}",
                                 [Test, ValidatingTest]),
                 make_test_group("Get active shadow instance's diff (empty CIB)",
                                 "crm_shadow --diff {fmt}",
                                 [Test, ValidatingTest],
                                 expected_rc=ExitStatus.ERROR),
             ], setup=delete_shadow_resource_defaults),
             # Reset shadow instance (overwrite existing shadow file based on active CIB)
             Test("Reset shadow instance", "crm_shadow --reset {shadow} --batch"),
             Test("Get active shadow instance's diff (after reset)", "crm_shadow --diff"),
         ]
 
         reset_1_tests = [
             ValidatingTest("Reset shadow instance",
                            "crm_shadow --reset {shadow} --batch --output-as=xml"),
             ValidatingTest("Get active shadow instance's diff (after reset)",
                            "crm_shadow --diff --output-as=xml"),
             # Reset an inactive shadow instance with no active instance
             Test("Reset shadow instance (no active instance)",
                  "crm_shadow --reset {shadow} --batch",
                  env={"CIB_shadow": None}),
         ]
 
         reset_2_tests = [
             ValidatingTest("Reset shadow instance (no active instance)",
                            "crm_shadow --reset {shadow} --batch --output-as=xml"),
             # Reset an inactive shadow instance with an active instance
             Test("Reset shadow instance (mismatch)",
                  "crm_shadow --reset {shadow} --batch",
                  env={"CIB_shadow": "nonexistent_shadow"},
                  expected_rc=ExitStatus.USAGE),
             Test("Reset shadow instance (mismatch) (force)",
                  "crm_shadow --reset {shadow} --batch --force",
                  env={"CIB_shadow": "nonexistent_shadow"}),
         ]
 
         reset_3_tests = [
             ValidatingTest("Reset shadow instance (mismatch)",
                            "crm_shadow --reset {shadow} --batch --output-as=xml",
                            expected_rc=ExitStatus.USAGE),
             ValidatingTest("Reset shadow instance (mismatch) (force)",
                            "crm_shadow --reset {shadow} --batch --force --output-as=xml"),
         ]
 
         reset_4_tests = [
             # Reset an active shadow instance when the CIB file is missing
             make_test_group("Reset shadow instance (nonexistent CIB file)",
                             "crm_shadow --reset {shadow} --batch {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.NOSUCH),
             make_test_group("Reset shadow instance (nonexistent CIB file) (force)",
                             "crm_shadow --reset {shadow} --batch --force {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.NOSUCH),
             # Reset an active shadow instance whose shadow file is missing
             TestGroup([
                 make_test_group("Reset shadow instance (nonexistent shadow file)",
                                 "crm_shadow --reset {shadow} --batch {fmt}",
                                 [Test, ValidatingTest],
                                 expected_rc=ExitStatus.NOSUCH),
             ], env={"CIB_file": "{cts_cli_data}/crm_mon.xml"}, setup="crm_shadow --delete {shadow} --force"),
             TestGroup([
                 make_test_group("Reset shadow instance (nonexistent shadow file) (force)",
                                 "crm_shadow --reset {shadow} --batch --force {fmt}",
                                 [Test, ValidatingTest]),
             ], env={"CIB_file": "{cts_cli_data}/crm_mon.xml"}, setup="crm_shadow --delete {shadow} --force"),
         ]
 
         # Switch shadow instances
         switch_tests = [
             make_test_group("Switch to new shadow instance",
                             "crm_shadow --switch {shadow} --batch {fmt}",
                             [Test, ValidatingTest]),
             TestGroup([
                 make_test_group("Switch to nonexistent shadow instance",
                                 "crm_shadow --switch {shadow} --batch {fmt}",
                                 [Test, ValidatingTest],
                                 expected_rc=ExitStatus.NOSUCH),
                 make_test_group("Switch to nonexistent shadow instance (force)",
                                 "crm_shadow --switch {shadow} --batch --force {fmt}",
                                 [Test, ValidatingTest],
                                 expected_rc=ExitStatus.NOSUCH),
             ], setup="crm_shadow --delete {shadow} --force"),
         ]
 
         return no_instance_tests + [
             ShadowTestGroup(new_instance_tests + more_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml"},
                             create=False),
             ShadowTestGroup(delete_1_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml"}),
             ShadowTestGroup(delete_2_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": None}),
             ShadowTestGroup(delete_3_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": None}),
             ShadowTestGroup(delete_4_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": "nonexistent_shadow"}),
             ShadowTestGroup(delete_5_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": "nonexistent_shadow"}),
             ShadowTestGroup(delete_6_tests,
                             env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"}),
             ShadowTestGroup(delete_7_tests,
                             env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"}),
             ShadowTestGroup(create_1_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml"},
                             create=False),
             ShadowTestGroup(create_2_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml"},
                             create=False),
             ShadowTestGroup(reset_1_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml"},
                             create_empty=True),
             ShadowTestGroup(reset_2_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": None},
                             create_empty=True),
             ShadowTestGroup(reset_3_tests,
                             env={"CIB_file": "{cts_cli_data}/crm_mon.xml",
                                  "CIB_shadow": "nonexistent_shadow"},
                             create_empty=True),
             ShadowTestGroup(reset_4_tests,
                             env={"CIB_file": "{cts_cli_data}/nonexistent_cib.xml"},
                             create_empty=True),
             ShadowTestGroup(switch_tests,
                             env={"CIB_shadow": "nonexistent_shadow"},
                             create_empty=True),
         ]
 
 
 class CrmVerifyRegressionTest(RegressionTest):
     """A class for testing crm_verify."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_verify"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         invalid_tests = [
             Test("Verbosely verify a file-specified configuration with an unallowed fencing level ID",
                  "crm_verify --xml-file {cts_cli_data}/crm_verify_invalid_fencing_topology.xml --verbose",
                  expected_rc=ExitStatus.CONFIG),
             make_test_group("Verify a file-specified invalid configuration",
                             "crm_verify --xml-file {cts_cli_data}/crm_verify_invalid_bz.xml {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.CONFIG),
             make_test_group("Verify a file-specified invalid configuration (verbose)",
                             "crm_verify --xml-file {cts_cli_data}/crm_verify_invalid_bz.xml --verbose {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.CONFIG),
             make_test_group("Verify a file-specified invalid configuration (quiet)",
                             "crm_verify --xml-file {cts_cli_data}/crm_verify_invalid_bz.xml --quiet {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.CONFIG),
             ValidatingTest("Verify another file-specified invalid configuration",
                            "crm_verify --xml-file {cts_cli_data}/crm_verify_invalid_no_stonith.xml --output-as=xml",
                            expected_rc=ExitStatus.CONFIG),
         ]
 
         with open("%s/cli/crm_mon.xml" % test_home, encoding="utf-8") as f:
             cib_contents = f.read()
 
         valid_tests = [
             ValidatingTest("Verify a file-specified valid configuration",
                            "crm_verify --xml-file {cts_cli_data}/crm_mon.xml --output-as=xml"),
             ValidatingTest("Verify a piped-in valid configuration",
                            "crm_verify -p --output-as=xml",
                            stdin=pathlib.Path(apply_substitutions("{cts_cli_data}/crm_mon.xml"))),
             ValidatingTest("Verbosely verify a file-specified valid configuration",
                            "crm_verify --xml-file {cts_cli_data}/crm_mon.xml --output-as=xml --verbose"),
             ValidatingTest("Verbosely verify a piped-in valid configuration",
                            "crm_verify -p --output-as=xml --verbose",
                            stdin=pathlib.Path(apply_substitutions("{cts_cli_data}/crm_mon.xml"))),
             ValidatingTest("Verify a string-supplied valid configuration",
                            "crm_verify -X '%s' --output-as=xml" % cib_contents),
             ValidatingTest("Verbosely verify a string-supplied valid configuration",
                            "crm_verify -X '%s' --output-as=xml --verbose" % cib_contents),
         ]
 
         return invalid_tests + valid_tests
 
 
 class CrmMonRegressionTest(RegressionTest):
     """A class for testing crm_mon."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "crm_mon"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             make_test_group("Basic output", "crm_mon -1 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Output without node section",
                             "crm_mon -1 --exclude=nodes {fmt}",
                             [Test, ValidatingTest]),
             # The next test doesn't need to be performed for other output formats.  It's
             # really just a test to make sure that blank lines are correct.
             Test("Output with only the node section",
                  "crm_mon -1 --exclude=all --include=nodes"),
             # XML includes everything already so there's no need for a complete test
             Test("Complete text output", "crm_mon -1 --include=all"),
             # XML includes detailed output already
             Test("Complete text output with detail", "crm_mon -1R --include=all"),
             Test("Complete brief text output", "crm_mon -1 --include=all --brief"),
             Test("Complete text output grouped by node",
                  "crm_mon -1 --include=all --group-by-node"),
             # XML does not have a brief output option
             Test("Complete brief text output grouped by node",
                  "crm_mon -1 --include=all --group-by-node --brief"),
             ValidatingTest("Output grouped by node",
                            "crm_mon --output-as=xml --group-by-node"),
             make_test_group("Complete output filtered by node",
                             "crm_mon -1 --include=all --node=cluster01 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Complete output filtered by tag",
                             "crm_mon -1 --include=all --node=even-nodes {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Complete output filtered by resource tag",
                             "crm_mon -1 --include=all --resource=fencing-rscs {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Output filtered by node that doesn't exist",
                             "crm_mon -1 --node=blah {fmt}",
                             [Test, ValidatingTest]),
             Test("Basic text output with inactive resources", "crm_mon -1 -r"),
             # XML already includes inactive resources
             Test("Basic text output with inactive resources, filtered by node",
                  "crm_mon -1 -r --node=cluster02"),
             make_test_group("Complete output filtered by primitive resource",
                             "crm_mon -1 --include=all --resource=Fencing {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Complete output filtered by group resource",
                             "crm_mon -1 --include=all --resource=exim-group {fmt}",
                             [Test, ValidatingTest]),
             Test("Complete text output filtered by group resource member",
                  "crm_mon -1 --include=all --resource=Public-IP"),
             ValidatingTest("Output filtered by group resource member",
                            "crm_mon --output-as=xml --resource=Email"),
             make_test_group("Complete output filtered by clone resource",
                             "crm_mon -1 --include=all --resource=ping-clone {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Complete output filtered by clone resource instance",
                             "crm_mon -1 --include=all --resource=ping {fmt}",
                             [Test, ValidatingTest]),
             Test("Complete text output filtered by exact clone resource instance",
                  "crm_mon -1 --include=all --show-detail --resource=ping:0"),
             ValidatingTest("Output filtered by exact clone resource instance",
                            "crm_mon --output-as=xml --resource=ping:1"),
             make_test_group("Output filtered by resource that doesn't exist",
                             "crm_mon -1 --resource=blah {fmt}",
                             [Test, ValidatingTest]),
             Test("Basic text output with inactive resources, filtered by tag",
                  "crm_mon -1 -r --resource=inactive-rscs"),
             Test("Basic text output with inactive resources, filtered by bundle resource",
                  "crm_mon -1 -r --resource=httpd-bundle"),
             ValidatingTest("Output filtered by inactive bundle resource",
                            "crm_mon --output-as=xml --resource=httpd-bundle"),
             Test("Basic text output with inactive resources, filtered by bundled IP address resource",
                  "crm_mon -1 -r --resource=httpd-bundle-ip-192.168.122.131"),
             ValidatingTest("Output filtered by bundled IP address resource",
                            "crm_mon --output-as=xml --resource=httpd-bundle-ip-192.168.122.132"),
             Test("Basic text output with inactive resources, filtered by bundled container",
                  "crm_mon -1 -r --resource=httpd-bundle-docker-1"),
             ValidatingTest("Output filtered by bundled container",
                            "crm_mon --output-as=xml --resource=httpd-bundle-docker-2"),
             Test("Basic text output with inactive resources, filtered by bundle connection",
                  "crm_mon -1 -r --resource=httpd-bundle-0"),
             ValidatingTest("Output filtered by bundle connection",
                            "crm_mon --output-as=xml --resource=httpd-bundle-0"),
             Test("Basic text output with inactive resources, filtered by bundled primitive resource",
                  "crm_mon -1 -r --resource=httpd"),
             ValidatingTest("Output filtered by bundled primitive resource",
                            "crm_mon --output-as=xml --resource=httpd"),
             Test("Complete text output, filtered by clone name in cloned group",
                  "crm_mon -1 --include=all --show-detail --resource=mysql-clone-group"),
             ValidatingTest("Output, filtered by clone name in cloned group",
                            "crm_mon --output-as=xml --resource=mysql-clone-group"),
             Test("Complete text output, filtered by group name in cloned group",
                  "crm_mon -1 --include=all --show-detail --resource=mysql-group"),
             ValidatingTest("Output, filtered by group name in cloned group",
                            "crm_mon --output-as=xml --resource=mysql-group"),
             Test("Complete text output, filtered by exact group instance name in cloned group",
                  "crm_mon -1 --include=all --show-detail --resource=mysql-group:1"),
             ValidatingTest("Output, filtered by exact group instance name in cloned group",
                            "crm_mon --output-as=xml --resource=mysql-group:1"),
             Test("Complete text output, filtered by primitive name in cloned group",
                  "crm_mon -1 --include=all --show-detail --resource=mysql-proxy"),
             ValidatingTest("Output, filtered by primitive name in cloned group",
                            "crm_mon --output-as=xml --resource=mysql-proxy"),
             Test("Complete text output, filtered by exact primitive instance name in cloned group",
                  "crm_mon -1 --include=all --show-detail --resource=mysql-proxy:1"),
             ValidatingTest("Output, filtered by exact primitive instance name in cloned group",
                            "crm_mon --output-as=xml --resource=mysql-proxy:1"),
         ]
 
         partial_tests = [
             Test("Output of partially active resources", "crm_mon -1 --show-detail"),
             ValidatingTest("Output of partially active resources", "crm_mon --output-as=xml"),
             Test("Output of partially active resources, with inactive resources",
                  "crm_mon -1 -r --show-detail"),
             # XML already includes inactive resources
             Test("Complete brief text output, with inactive resources",
                  "crm_mon -1 -r --include=all --brief --show-detail"),
             # XML does not have a brief output option
             Test("Text output of partially active group", "crm_mon -1 --resource=partially-active-group"),
             Test("Text output of partially active group, with inactive resources",
                  "crm_mon -1 --resource=partially-active-group -r"),
             Test("Text output of active member of partially active group",
                  "crm_mon -1 --resource=dummy-1"),
             Test("Text output of inactive member of partially active group",
                  "crm_mon -1 --resource=dummy-2 --show-detail"),
             Test("Complete brief text output grouped by node, with inactive resources",
                  "crm_mon -1 -r --include=all --group-by-node --brief --show-detail"),
             Test("Text output of partially active resources, with inactive resources, filtered by node",
                  "crm_mon -1 -r --node=cluster01"),
             ValidatingTest("Output of partially active resources, filtered by node",
                            "crm_mon --output-as=xml --node=cluster01"),
         ]
 
         unmanaged_tests = [
             make_test_group("Output of active unmanaged resource on offline node",
                             "crm_mon -1 {fmt}",
                             [Test, ValidatingTest]),
             Test("Brief text output of active unmanaged resource on offline node",
                  "crm_mon -1 --brief"),
             Test("Brief text output of active unmanaged resource on offline node, grouped by node",
                  "crm_mon -1 --brief --group-by-node"),
         ]
 
         maint1_tests = [
             make_test_group("Output of all resources with maintenance-mode enabled",
                             "crm_mon -1 -r {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_attribute -n maintenance-mode -v true",
                             teardown="crm_attribute -n maintenance-mode -v false"),
             make_test_group("Output of all resources with maintenance enabled for a node",
                             "crm_mon -1 -r {fmt}",
                             [Test, ValidatingTest],
                             setup="crm_attribute -n maintenance -N cluster02 -v true",
                             teardown="crm_attribute -n maintenance -N cluster02 -v false"),
         ]
 
         maint2_tests = [
             # The fence resource is excluded, for comparison
             make_test_group("Output of all resources with maintenance meta attribute true",
                             "crm_mon -1 -r {fmt}",
                             [Test, ValidatingTest]),
         ]
 
         t180_tests = [
             Test("Text output of guest node's container on different node from its remote resource",
                  "crm_mon -1"),
             Test("Complete text output of guest node's container on different node from its remote resource",
                  "crm_mon -1 --show-detail"),
         ]
 
         return [
             TestGroup(basic_tests,
                       env={"CIB_file": "{cts_cli_data}/crm_mon.xml"}),
             Test("Check that CIB_file=\"-\" works", "crm_mon -1",
                  env={"CIB_file": "-"},
                  stdin=pathlib.Path(apply_substitutions("{cts_cli_data}/crm_mon.xml"))),
             TestGroup(partial_tests,
                       env={"CIB_file": "{cts_cli_data}/crm_mon-partial.xml"}),
             TestGroup(unmanaged_tests,
                       env={"CIB_file": "{cts_cli_data}/crm_mon-unmanaged.xml"}),
             TestGroup(maint1_tests,
                       cib_gen=partial(copy_existing_cib, "{cts_cli_data}/crm_mon.xml")),
             TestGroup(maint2_tests,
                       env={"CIB_file": "{cts_cli_data}/crm_mon-rsc-maint.xml"}),
             TestGroup(t180_tests,
                       env={"CIB_file": "{cts_cli_data}/crm_mon-T180.xml"}),
         ]
 
 
 class AclsRegressionTest(RegressionTest):
     """A class for testing access control lists."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "acls"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         acl_cib = """
 <acls>
   <acl_target id="l33t-haxor">
     <role id="nothing"/>
   </acl_target>
   <acl_target id="niceguy">
     <role id="observer"/>
   </acl_target>
   <acl_target id="bob">
     <role id="admin"/>
   </acl_target>
   <acl_target id="joe">
     <role id="super_user"/>
   </acl_target>
   <acl_target id="mike">
     <role id="rsc_writer"/>
   </acl_target>
   <acl_target id="chris">
     <role id="rsc_denied"/>
   </acl_target>
   <acl_role id="nothing">
     <acl_permission id="nothing-deny" kind="deny" xpath="/cib"/>
   </acl_role>
   <acl_role id="observer">
     <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
     <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name='stonith-enabled']"/>
     <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name='target-role']"/>
   </acl_role>
   <acl_role id="admin">
     <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
     <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
   </acl_role>
   <acl_role id="super_user">
     <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
   </acl_role>
   <acl_role id="rsc_writer">
     <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
     <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
   </acl_role>
   <acl_role id="rsc_denied">
     <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
     <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
   </acl_role>
 </acls>
 """
 
         basic_tests = [
             Test("Configure some ACLs", "cibadmin -M -o acls -p",
                  update_cib=True, stdin=acl_cib),
             Test("Enable ACLs", "crm_attribute -n enable-acl -v true",
                  update_cib=True),
             Test("Set cluster option", "crm_attribute -n no-quorum-policy -v ignore",
                  update_cib=True),
             Test("New ACL role",
                  """cibadmin --create -o acls --xml-text '<acl_role id="badidea-role"><acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/></acl_role>'""",
                  update_cib=True),
             Test("New ACL target",
                  """cibadmin --create -o acls --xml-text '<acl_target id="badidea"><role id="badidea-role"/></acl_target>'""",
                  update_cib=True),
             Test("Another ACL role",
                  """cibadmin --create -o acls --xml-text '<acl_role id="betteridea-role"><acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/></acl_role>'""",
                  update_cib=True),
             Test("Another ACL target",
                  """cibadmin --create -o acls --xml-text '<acl_target id="betteridea"><role id="betteridea-role"/></acl_target>'""",
                  update_cib=True),
             Test("Updated ACL",
                  """cibadmin --replace -o acls --xml-text '<acl_role id="betteridea-role"><acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/><acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/></acl_role>'""",
                  update_cib=True),
         ]
 
         no_acl_tests = [
             Test("unknownguy: Query configuration", "cibadmin -Q",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("unknownguy: Set enable-acl",
                  "crm_attribute -n enable-acl -v false",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("unknownguy: Set stonith-enabled",
                  "crm_attribute -n stonith-enabled -v false",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("unknownguy: Create a resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
         ]
 
         deny_cib_tests = [
             Test("l33t-haxor: Query configuration",
                  "cibadmin -Q",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("l33t-haxor: Set enable-acl",
                  "crm_attribute -n enable-acl -v false",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("l33t-haxor: Set stonith-enabled",
                  "crm_attribute -n stonith-enabled -v false",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("l33t-haxor: Create a resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
         ]
 
         observer_tests = [
             Test("niceguy: Query configuration", "cibadmin -Q"),
             Test("niceguy: Set enable-acl",
                  "crm_attribute -n enable-acl -v false",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("niceguy: Set stonith-enabled",
                  "crm_attribute -n stonith-enabled -v false",
                  update_cib=True),
             Test("niceguy: Create a resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("root: Query configuration", "cibadmin -Q",
                  env={"CIB_user": "root"}),
             Test("root: Set stonith-enabled", "crm_attribute -n stonith-enabled -v true",
                  update_cib=True, env={"CIB_user": "root"}),
             Test("root: Create a resource",
                  """cibadmin -C -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                  update_cib=True, env={"CIB_user": "root"}),
         ]
 
         deny_cib_2_tests = [
             Test("l33t-haxor: Create a resource meta attribute",
                  "crm_resource -r dummy --meta -p target-role -v Stopped",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("l33t-haxor: Query a resource meta attribute",
                  "crm_resource -r dummy --meta -g target-role",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             Test("l33t-haxor: Remove a resource meta attribute",
                  "crm_resource -r dummy --meta -d target-role",
                  expected_rc=ExitStatus.INSUFFICIENT_PRIV),
         ]
 
         observer_2_tests = [
             Test("niceguy: Create a resource meta attribute",
                  "crm_resource -r dummy --meta -p target-role -v Stopped",
                  update_cib=True),
             Test("niceguy: Query a resource meta attribute",
                  "crm_resource -r dummy --meta -g target-role",
                  update_cib=True),
             Test("niceguy: Remove a resource meta attribute",
                  "crm_resource -r dummy --meta -d target-role",
                  update_cib=True),
             Test("niceguy: Create a resource meta attribute",
                  "crm_resource -r dummy --meta -p target-role -v Started",
                  update_cib=True),
         ]
 
         read_meta_tests = [
             Test("badidea: Query configuration - implied deny", "cibadmin -Q"),
         ]
 
         deny_cib_3_tests = [
             Test("betteridea: Query configuration - explicit deny", "cibadmin -Q"),
         ]
 
         replace_tests = [
             TestGroup([
                 AclTest("niceguy: Replace - remove acls",
                         "cibadmin --replace -p",
                         setup="cibadmin --delete --xml-text '<acls/>'",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("niceguy: Replace - create resource",
                         "cibadmin --replace -p",
                         setup="""cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("niceguy: Replace - modify attribute (deny)",
                         "cibadmin --replace -p",
                         setup="crm_attribute -n enable-acl -v false",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("niceguy: Replace - delete attribute (deny)",
                         "cibadmin --replace -p",
                         setup="""cibadmin --replace --xml-text '<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("niceguy: Replace - create attribute (deny)",
                         "cibadmin --replace -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             ], env={"CIB_user": "niceguy"}),
 
             # admin role
             TestGroup([
                 AclTest("bob: Replace - create attribute (direct allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'"""),
                 AclTest("bob: Replace - modify attribute (direct allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'"""),
                 AclTest("bob: Replace - delete attribute (direct allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'"""),
             ], env={"CIB_user": "bob"}),
 
             # super_user role
             TestGroup([
                 AclTest("joe: Replace - create attribute (inherited allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'"""),
                 AclTest("joe: Replace - modify attribute (inherited allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'"""),
                 AclTest("joe: Replace - delete attribute (inherited allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'"""),
             ], env={"CIB_user": "joe"}),
 
             # rsc_writer role
             TestGroup([
                 AclTest("mike: Replace - create attribute (allow overrides deny)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'"""),
                 AclTest("mike: Replace - modify attribute (allow overrides deny)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'"""),
                 AclTest("mike: Replace - delete attribute (allow overrides deny)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'"""),
                 # Create an additional resource for deny-overrides-allow testing
                 AclTest("mike: Create another resource",
                         """cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>'""",
                         update_cib=True),
             ], env={"CIB_user": "mike"}),
 
             # rsc_denied role
             TestGroup([
                 AclTest("chris: Replace - create attribute (deny overrides allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("chris: Replace - modify attribute (deny overrides allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
                 AclTest("chris: Replace - delete attribute (deny overrides allow)",
                         "cibadmin --replace -o resources -p",
                         setup="""cibadmin --replace -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'""",
                         expected_rc=ExitStatus.INSUFFICIENT_PRIV),
             ], env={"CIB_user": "chris"}),
         ]
 
         loop_tests = [
             # no ACL
             TestGroup(no_acl_tests, env={"CIB_user": "unknownguy"}),
             # deny /cib permission
             TestGroup(deny_cib_tests, env={"CIB_user": "l33t-haxor"}),
             # observer role
             TestGroup(observer_tests, env={"CIB_user": "niceguy"}),
             # deny /cib permission
             TestGroup(deny_cib_2_tests, env={"CIB_user": "l33t-haxor"}),
             # observer role
             TestGroup(observer_2_tests, env={"CIB_user": "niceguy"}),
             # read //meta_attributes
             TestGroup(read_meta_tests, env={"CIB_user": "badidea"}),
             # deny /cib, read //meta_attributes
             TestGroup(deny_cib_3_tests, env={"CIB_user": "betteridea"}),
         ] + replace_tests
 
         return [
             ShadowTestGroup(basic_tests + [
                             TestGroup(loop_tests,
                                       env={"PCMK_trace_functions": "pcmk__check_acl,pcmk__apply_creation_acl"})]),
         ]
 
 
 class ValidityRegressionTest(RegressionTest):
     """A class for testing CIB validity."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "validity"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
-            Test("Try to make resulting CIB invalid (enum violation)",
-                 """cibadmin -M -o constraints --xml-text '<rsc_order id="ord_1-2" first="dummy1" first-action="break" then="dummy2"/>'""",
-                 expected_rc=ExitStatus.CONFIG, update_cib=True),
-            Test("Run crm_simulate with invalid CIB (enum violation)",
-                 "crm_simulate -p -S",
-                 stdin=StdinCmd("""cibadmin -Q | sed 's#"start"#"break"#'"""),
-                 expected_rc=ExitStatus.CONFIG),
-            Test("Try to make resulting CIB invalid (unrecognized validate-with)",
+            # sanitize_output() strips out validate-with, so there's no point in
+            # outputting the CIB after tests that modify it
+            Test("Try to set unrecognized validate-with",
                  "cibadmin -M --xml-text '<cib validate-with=\"pacemaker-9999.0\"/>'",
-                 expected_rc=ExitStatus.CONFIG, update_cib=True),
-            Test("Run crm_simulate with invalid CIB (unrecognized validate-with)",
-                 "crm_simulate -p -S",
-                 stdin=StdinCmd("""cibadmin -Q | sed 's#"pacemaker-1.2"#"pacemaker-9999.0"#'"""),
                  expected_rc=ExitStatus.CONFIG),
-            Test("Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1)",
+            Test("Try to remove validate-with attribute",
+                 "cibadmin -R -p",
+                 stdin=StdinCmd("""cibadmin -Q | sed 's#validate-with="[^"]*"##'"""),
+                 expected_rc=ExitStatus.CONFIG),
+
+            Test("Try to use rsc_order first-action value disallowed by schema",
+                 "cibadmin -M -o constraints --xml-text '<rsc_order "
+                 "id=\"ord_1-2\" first=\"dummy1\" first-action=\"break\" "
+                 "then=\"dummy2\"/>'",
+                 expected_rc=ExitStatus.CONFIG, update_cib=True),
+            Test("Try to use configuration legal only with schema after configured one",
                  "cibadmin -C -o configuration --xml-text '<tags/>'",
                  expected_rc=ExitStatus.CONFIG, update_cib=True),
-            Test("Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1)",
-                 "crm_simulate -p -S",
-                 stdin=StdinCmd("cibadmin -Q | sed 's#</configuration>#<tags/></configuration>#'")),
-            Test("Make resulting CIB valid, although without validate-with attribute",
-                 "cibadmin -p -R",
-                 stdin=StdinCmd("""cibadmin -Q | sed 's#[ 	][ 	]*validate-with="[^"]*"##'"""),
-                 update_cib=True),
-            Test("Run crm_simulate with valid CIB, but without validate-with attribute",
-                 "crm_simulate -p -S",
-                 stdin=StdinCmd("cibadmin -Q")),
-            # this will just disable validation and accept the config, outputting
-            # validation errors
-            Test("Make resulting CIB invalid, and without validate-with attribute",
-                 "cibadmin -p -R",
-                 stdin=StdinCmd("""cibadmin -Q | """
-                                """sed -e 's#[ 	][ 	]*validate-with="[^"]*"##' """
-                                """    -e 's#\\([ 	][ 	]*epoch="[^"]*\\)"#\\10"#' """
-                                """    -e 's#"start"#"break"#'"""),
-                 update_cib=True),
-            Test("Run crm_simulate with invalid CIB, also without validate-with attribute",
-                 "crm_simulate -p -S",
-                 stdin=StdinCmd("""cibadmin -Q | """
-                                """sed -e 's#[ 	][ 	]*validate-with="[^"]*"##' """
-                                """    -e 's#\\([ 	][ 	]*epoch="[^"]*\\)"#\\10"#' """
-                                """    -e 's#"start"#"break"#'""")),
+            Test("Disable schema validation",
+                 "cibadmin -M --xml-text '<cib validate-with=\"none\"/>'",
+                 expected_rc=ExitStatus.OK),
+            Test("Set invalid rsc_order first-action value (schema validation disabled)",
+                 "cibadmin -M -o constraints --xml-text '<rsc_order "
+                 "id=\"ord_1-2\" first=\"dummy1\" first-action=\"break\" "
+                 "then=\"dummy2\"/>'",
+                 expected_rc=ExitStatus.OK, update_cib=True),
+            Test("Run crm_simulate with invalid rsc_order first-action "
+                 "(schema validation disabled)",
+                 "crm_simulate -SL",
+                 expected_rc=ExitStatus.OK),
         ]
 
         basic_tests_setup = [
             """cibadmin -C -o resources --xml-text '<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>'""",
             """cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'""",
             """cibadmin -C -o constraints --xml-text '<rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>'""",
         ]
 
         return [
             ShadowTestGroup(basic_tests, validate_with="pacemaker-1.2",
                             setup=basic_tests_setup,
-                            env={"PCMK_trace_functions": "apply_upgrade,pcmk__update_schema"}),
+                            env={"PCMK_trace_functions": "apply_upgrade,pcmk__update_schema,invert_action"}),
         ]
 
 
 class UpgradeRegressionTest(RegressionTest):
     """A class for testing upgrading the CIB."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "upgrade"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         resource_cib = """
 <resources>
   <primitive id="mySmartFuse" class="ocf" provider="experiment" type="SmartFuse">
     <operations>
       <op id="mySmartFuse-start" name="start" interval="0" timeout="40s"/>
       <op id="mySmartFuse-monitor-inputpower" name="monitor" interval="30s">
         <instance_attributes id="mySmartFuse-inputpower-instanceparams">
           <nvpair id="mySmartFuse-inputpower-requires" name="requires" value="inputpower"/>
         </instance_attributes>
       </op>
       <op id="mySmartFuse-monitor-outputpower" name="monitor" interval="2s">
         <instance_attributes id="mySmartFuse-outputpower-instanceparams">
           <nvpair id="mySmartFuse-outputpower-requires" name="requires" value="outputpower"/>
         </instance_attributes>
       </op>
     </operations>
     <instance_attributes id="mySmartFuse-params">
       <nvpair id="mySmartFuse-params-ip" name="ip" value="192.0.2.10"/>
     </instance_attributes>
 <!-- a bit hairy but valid -->
     <instance_attributes id-ref="mySmartFuse-outputpower-instanceparams"/>
   </primitive>
 </resources>
 """
 
         basic_tests = [
             Test("Set stonith-enabled=false", "crm_attribute -n stonith-enabled -v false",
                  update_cib=True),
             Test("Configure the initial resource", "cibadmin -M -o resources -p",
                  update_cib=True, stdin=resource_cib),
             Test("Upgrade to latest CIB schema (trigger 2.10.xsl + the wrapping)",
                  "cibadmin --upgrade --force -V -V",
                  update_cib=True),
             Test("Query a resource instance attribute (shall survive)",
                  "crm_resource -r mySmartFuse -g requires",
                  update_cib=True),
         ]
 
         return [
             ShadowTestGroup(basic_tests, validate_with="pacemaker-2.10",
                             env={"PCMK_trace_functions": "apply_upgrade,pcmk__update_schema"})
         ]
 
 
 class RulesRegressionTest(RegressionTest):
     """A class for testing support for CIB rules."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "rules"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         tomorrow = datetime.now() + timedelta(days=1)
 
         rule_cib = """<cib epoch="1" num_updates="0" admin_epoch="0"  validate-with="pacemaker-3.9">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive class="ocf" id="dummy" provider="heartbeat" type="Dummy" />
     </resources>
     <constraints>
       <rsc_location id="cli-too-many-date-expressions" rsc="dummy">
         <rule id="cli-rule-too-many-date-expressions" score="INFINITY" boolean-op="or">
           <date_expression id="cli-date-expression-1" operation="gt" start="2020-01-01 01:00:00 -0500"/>
           <date_expression id="cli-date-expression-2" operation="lt" end="2019-01-01 01:00:00 -0500"/>
         </rule>
       </rsc_location>
       <rsc_location id="cli-prefer-dummy-expired" rsc="dummy">
         <rule id="cli-prefer-rule-dummy-expired" score="INFINITY">
           <date_expression id="cli-prefer-lifetime-end-dummy-expired" operation="lt" end="2019-01-01 12:00:00 -05:00"/>
         </rule>
       </rsc_location>
       <rsc_location id="cli-prefer-dummy-not-yet" rsc="dummy">
         <rule id="cli-prefer-rule-dummy-not-yet" score="INFINITY">
           <date_expression id="cli-prefer-lifetime-end-dummy-not-yet" operation="gt" start="%s"/>
         </rule>
       </rsc_location>
       <rsc_location id="cli-prefer-dummy-date_spec-only-years" rsc="dummy">
         <rule id="cli-prefer-rule-dummy-date_spec-only-years" score="INFINITY">
           <date_expression id="cli-prefer-dummy-date_spec-only-years-expr" operation="date_spec">
             <date_spec id="cli-prefer-dummy-date_spec-only-years-spec" years="2019"/>
           </date_expression>
         </rule>
       </rsc_location>
       <rsc_location id="cli-prefer-dummy-date_spec-without-years" rsc="dummy">
         <rule id="cli-prefer-rule-dummy-date_spec-without-years" score="INFINITY">
           <date_expression id="cli-prefer-dummy-date_spec-without-years-expr" operation="date_spec">
             <date_spec id="cli-prefer-dummy-date_spec-without-years-spec" hours="20" months="1,3,5,7"/>
           </date_expression>
         </rule>
       </rsc_location>
       <rsc_location id="cli-prefer-dummy-date_spec-years-moon" rsc="dummy">
         <rule id="cli-prefer-rule-dummy-date_spec-years-moon" score="INFINITY">
           <date_expression id="cli-prefer-dummy-date_spec-years-moon-expr" operation="date_spec">
             <date_spec id="cli-prefer-dummy-date_spec-years-moon-spec" years="2019" moon="1"/>
           </date_expression>
         </rule>
       </rsc_location>
       <rsc_location id="cli-no-date_expression" rsc="dummy">
         <rule id="cli-no-date_expression-rule" score="INFINITY">
           <expression id="ban-apache-expr" attribute="#uname" operation="eq" value="node3"/>
         </rule>
       </rsc_location>
     </constraints>
   </configuration>
   <status/>
 </cib>""" % tomorrow.strftime("%F %T %z")
 
         usage_tests = [
             make_test_group("crm_rule given no arguments", "crm_rule {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.USAGE),
             make_test_group("crm_rule given no rule to check", "crm_rule -c {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.USAGE),
             make_test_group("crm_rule given invalid input XML",
                             "crm_rule -c -r blahblah -X invalidxml {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.DATAERR),
             make_test_group("crm_rule given invalid input XML on stdin",
                             "crm_rule -c -r blahblah -X - {fmt}",
                             [Test, ValidatingTest],
                             stdin=StdinCmd("echo invalidxml"),
                             expected_rc=ExitStatus.DATAERR),
         ]
 
         basic_tests = [
             make_test_group("Try to check a rule that doesn't exist",
                             "crm_rule -c -r blahblah {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.NOSUCH),
             make_test_group("Try to check a rule that has too many date_expressions",
                             "crm_rule -c -r cli-rule-too-many-date-expressions {fmt}",
                             [Test, ValidatingTest], expected_rc=ExitStatus.UNIMPLEMENT_FEATURE),
             make_test_group("Verify basic rule is expired",
                             "crm_rule -c -r cli-prefer-rule-dummy-expired {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.EXPIRED),
             make_test_group("Verify basic rule worked in the past",
                             "crm_rule -c -r cli-prefer-rule-dummy-expired -d 20180101 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Verify basic rule is not yet in effect",
                             "crm_rule -c -r cli-prefer-rule-dummy-not-yet {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.NOT_YET_IN_EFFECT),
             make_test_group("Verify date_spec rule with years has expired",
                             "crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.EXPIRED),
             make_test_group("Verify multiple rules at once",
                             "crm_rule -c -r cli-prefer-rule-dummy-not-yet -r cli-prefer-rule-dummy-date_spec-only-years {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.EXPIRED),
             make_test_group("Verify date_spec rule with years is in effect",
                             "crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years -d 20190201 {fmt}",
                             [Test, ValidatingTest]),
             make_test_group("Try to check a rule whose date_spec does not contain years=",
                             "crm_rule -c -r cli-prefer-rule-dummy-date_spec-without-years {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.UNIMPLEMENT_FEATURE),
             make_test_group("Try to check a rule whose date_spec contains years= and moon=",
                             "crm_rule -c -r cli-prefer-rule-dummy-date_spec-years-moon {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.UNIMPLEMENT_FEATURE),
             make_test_group("Try to check a rule with no date_expression",
                             "crm_rule -c -r cli-no-date_expression-rule {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.UNIMPLEMENT_FEATURE),
         ]
 
         return usage_tests + [
             TestGroup(basic_tests, cib_gen=partial(write_cib, rule_cib))
         ]
 
 
 class FeatureSetRegressionTest(RegressionTest):
     """A class for testing support for version-specific features."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "feature_set"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         basic_tests = [
             # Import the test CIB
             Test("Import the test CIB",
                  "cibadmin --replace --xml-file {cts_cli_data}/crm_mon-feature_set.xml",
                  update_cib=True),
             Test("Complete text output, no mixed status",
                  "crm_mon -1 --show-detail"),
             ValidatingTest("Output, no mixed status", "crm_mon --output-as=xml"),
             # Modify the CIB to fake that the cluster has mixed versions
             Test("Fake inconsistent feature set",
                  "crm_attribute --node=cluster02 --name=#feature-set --update=3.15.0 --lifetime=reboot",
                  update_cib=True),
             Test("Complete text output, mixed status",
                  "crm_mon -1 --show-detail"),
             ValidatingTest("Output, mixed status", "crm_mon --output-as=xml"),
         ]
 
         return [
             ShadowTestGroup(basic_tests),
         ]
 
 
 # Tests that depend on resource agents and must be run in an installed
 # environment
 class AgentRegressionTest(RegressionTest):
     """A class for testing resource agents."""
 
     @property
     def name(self):
         """Return the name of this regression test."""
         return "agents"
 
     @property
     def tests(self):
         """A list of Test instances to be run as part of this regression test."""
         return [
             make_test_group("Validate a valid resource configuration",
                             "crm_resource --validate --class ocf --provider pacemaker --agent Dummy {fmt}",
                             [Test, ValidatingTest]),
             # Make the Dummy configuration invalid (op_sleep can't be a generic string)
             make_test_group("Validate an invalid resource configuration",
                             "crm_resource --validate --class ocf --provider pacemaker --agent Dummy {fmt}",
                             [Test, ValidatingTest],
                             expected_rc=ExitStatus.NOT_CONFIGURED,
                             env={"OCF_RESKEY_op_sleep": "asdf"}),
         ]
 
 
 def build_options():
     """Handle command line arguments."""
     parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
                                      description="Command line tool regression tests",
                                      epilog="Default tests: %s\n"
                                             "Other tests: agents (must be run in an installed environment)" %
                                             " ".join(default_tests))
     parser.add_argument("-j", "--jobs", metavar="JOBS", default=cpu_count() - 1, type=int,
                         help="The number of tests to run simultaneously")
     parser.add_argument("-p", "--path", metavar="DIR", action="append",
                         help="Look for executables in DIR (may be specified multiple times)")
     parser.add_argument("-r", "--run-only", metavar="TEST", choices=default_tests + ["tools"] + other_tests,
                         action="append",
                         help="Run only specified tests (may be specified multiple times)")
     parser.add_argument("-s", "--save", action="store_true",
                         help="Save actual output as expected output")
     parser.add_argument("-v", "--valgrind", action="store_true",
                         help="Run all commands under valgrind")
     parser.add_argument("-V", "--verbose", action="store_true",
                         help="Display any differences from expected output")
 
     args = parser.parse_args()
 
     if args.path is None:
         args.path = []
 
     return args
 
 
 def setup_environment(valgrind):
     """Set various environment variables needed for operation."""
     if valgrind:
         os.environ["G_SLICE"] = "always-malloc"
 
     # Ensure all command output is in portable locale for comparison
     os.environ["LC_ALL"] = "C"
 
     # Log test errors to stderr
     os.environ["PCMK_stderr"] = "1"
 
     # Because we will change the value of PCMK_trace_functions and then reset it
     # back to some initial value at various points, it's easiest to assume it is
     # defined but empty by default
     if "PCMK_trace_functions" not in os.environ:
         os.environ["PCMK_trace_functions"] = ""
 
 
 def path_prepend(p):
     """Add another directory to the front of $PATH."""
     old = os.environ["PATH"]
     os.environ["PATH"] = "%s:%s" % (p, old)
 
 
 def setup_path(opts_path):
     """Set the PATH environment variable appropriately for the tests."""
     srcdir = os.path.dirname(test_home)
 
     # Add any search paths given on the command line
     for p in opts_path:
         path_prepend(p)
 
     if os.path.exists("%s/tools/crm_simulate" % srcdir):
         print("Using local binaries from: %s" % srcdir)
 
         path_prepend("%s/tools" % srcdir)
 
         for daemon in ["based", "controld", "fenced", "schedulerd"]:
             path_prepend("%s/daemons/%s" % (srcdir, daemon))
 
         print("Using local schemas from: %s/xml" % srcdir)
         os.environ["PCMK_schema_directory"] = "%s/xml" % srcdir
     else:
         path_prepend(BuildOptions.DAEMON_DIR)
         os.environ["PCMK_schema_directory"] = BuildOptions.SCHEMA_DIR
 
 
 def _run_one(valgrind, r):
     """Run and return a TestGroup object."""
     # See comments in run_regression_tests.
     r.run(valgrind=valgrind)
     return r
 
 
 def run_regression_tests(regs, jobs, valgrind=False):
     """Run the given tests and return the modified objects."""
     executed = []
 
     with Pool(processes=jobs) as pool:
         # What we really want to do here is:
         #     pool.map(lambda r: r.run(),regs)
         #
         # However, multiprocessing uses pickle somehow in its operation, and python
         # doesn't want to pickle a lambda (nor a nested function within this one).
         # Thus, we need to use the _run_one wrapper at the file level just to call
         # run().  Further, if we don't return the modified object from that and then
         # return the list of modified objects here, it looks like the rest of the
         # program will use the originals, before this was ever run.
         executed = pool.map(partial(_run_one, valgrind), regs)
 
     return executed
 
 
 def results(regs, save, verbose):
     """Print the output from each regression test, returning the number whose output differs."""
     output_differs = 0
 
     if verbose:
         print("\n\nResults")
 
     for r in regs:
         r.write()
 
         if save:
             dest = "%s/cli/regression.%s.exp" % (test_home, r.name)
             copyfile(r.results_file, dest)
 
         r.diff()
         if not r.identical:
             output_differs += 1
 
     return output_differs
 
 
 def summary(regs, output_differs, verbose):
     """Print the summary output for the entire test run."""
     test_failures = 0
     test_successes = 0
 
     for r in regs:
         test_failures += r.failures
         test_successes += r.successes
 
     print("\n\nSummary")
 
     # First, print all the Passed/Failed lines from each Test run.
     for r in regs:
         print("\n".join(r.summary))
 
     fmt = PluralFormatter()
 
     # Then, print information specific to each result possibility.  Basically,
     # if there were failures then we print the output differences, leave the
     # failed output files in place, and exit with an error.  Otherwise, clean up
     # anything that passed.
     if test_failures > 0 and output_differs > 0:
         print(fmt.format("{0} {0:plural,test} failed; see output in:",
                          test_failures))
 
         for r in regs:
             r.process_results(verbose)
 
         return ExitStatus.ERROR
 
     if test_failures > 0:
         print(fmt.format("{0} {0:plural,test} failed", test_failures))
 
         for r in regs:
             r.process_results(verbose)
 
         return ExitStatus.ERROR
 
     if output_differs:
         print(fmt.format("{0} {0:plural,test} passed but output was "
                          "unexpected; see output in:", test_successes))
 
         for r in regs:
             r.process_results(verbose)
 
         return ExitStatus.DIGEST
 
     print(fmt.format("{0} {0:plural,test} passed", test_successes))
 
     for r in regs:
         r.cleanup()
 
     return ExitStatus.OK
 
 
 regression_classes = [
     AccessRenderRegressionTest,
     DaemonsRegressionTest,
     DatesRegressionTest,
     ErrorCodeRegressionTest,
     CibadminRegressionTest,
     CrmAttributeRegressionTest,
     CrmStandbyRegressionTest,
     CrmResourceRegressionTest,
     CrmTicketRegressionTest,
     CrmadminRegressionTest,
     CrmShadowRegressionTest,
     CrmVerifyRegressionTest,
     CrmMonRegressionTest,
     AclsRegressionTest,
     ValidityRegressionTest,
     UpgradeRegressionTest,
     RulesRegressionTest,
     FeatureSetRegressionTest,
     AgentRegressionTest,
 ]
 
 
 def main():
     """Run command line regression tests as specified by arguments."""
     opts = build_options()
 
     setup_environment(opts.valgrind)
     setup_path(opts.path)
 
     # Filter the list of all regression test classes to include only those that
     # were requested on the command line.  If empty, this defaults to default_tests.
     if not opts.run_only:
         opts.run_only = default_tests
 
     if opts.run_only == ["tools"]:
         opts.run_only = tools_tests
 
     regs = []
     for cls in regression_classes:
         obj = cls()
 
         if obj.name in opts.run_only:
             regs.append(obj)
 
     regs = run_regression_tests(regs, max(1, opts.jobs), valgrind=opts.valgrind)
     output_differs = results(regs, opts.save, opts.verbose)
     rc = summary(regs, output_differs, opts.verbose)
 
     sys.exit(rc)
 
 
 if __name__ == "__main__":
     main()
 
 # vim: set filetype=python expandtab tabstop=4 softtabstop=4 shiftwidth=4 textwidth=120:
diff --git a/daemons/based/based_io.c b/daemons/based/based_io.c
index d2215dba3c..bcafd01811 100644
--- a/daemons/based/based_io.c
+++ b/daemons/based/based_io.c
@@ -1,479 +1,462 @@
 /*
  * Copyright 2004-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU General Public License version 2
  * or later (GPLv2+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <dirent.h>
 
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 
 #include <glib.h>
 #include <libxml/tree.h>
 
 #include <crm/crm.h>
 
 #include <crm/cib.h>
 #include <crm/common/util.h>
 #include <crm/common/xml.h>
 #include <crm/cib/internal.h>
 #include <crm/cluster.h>
 
 #include <pacemaker-based.h>
 
 crm_trigger_t *cib_writer = NULL;
 
 int write_cib_contents(gpointer p);
 
 static void
 cib_rename(const char *old)
 {
     int new_fd;
     char *new = crm_strdup_printf("%s/cib.auto.XXXXXX", cib_root);
 
     umask(S_IWGRP | S_IWOTH | S_IROTH);
     new_fd = mkstemp(new);
 
     if ((new_fd < 0) || (rename(old, new) < 0)) {
         crm_err("Couldn't archive unusable file %s (disabling disk writes and continuing)",
                 old);
         cib_writes_enabled = FALSE;
     } else {
         crm_err("Archived unusable file %s as %s", old, new);
     }
 
     if (new_fd > 0) {
         close(new_fd);
     }
     free(new);
 }
 
 /*
  * It is the callers responsibility to free the output of this function
  */
 
 static xmlNode *
 retrieveCib(const char *filename, const char *sigfile)
 {
     xmlNode *root = NULL;
 
     crm_info("Reading cluster configuration file %s (digest: %s)",
              filename, sigfile);
     switch (cib_file_read_and_verify(filename, sigfile, &root)) {
         case -pcmk_err_cib_corrupt:
             crm_warn("Continuing but %s will NOT be used.", filename);
             break;
 
         case -pcmk_err_cib_modified:
             /* Archive the original files so the contents are not lost */
             crm_warn("Continuing but %s will NOT be used.", filename);
             cib_rename(filename);
             cib_rename(sigfile);
             break;
     }
     return root;
 }
 
 /*
  * for OSs without support for direntry->d_type, like Solaris
  */
 #ifndef DT_UNKNOWN
 # define DT_UNKNOWN     0
 # define DT_FIFO        1
 # define DT_CHR         2
 # define DT_DIR         4
 # define DT_BLK         6
 # define DT_REG         8
 # define DT_LNK         10
 # define DT_SOCK        12
 # define DT_WHT         14
 #endif /*DT_UNKNOWN*/
 
 static int cib_archive_filter(const struct dirent * a)
 {
     int rc = 0;
     /* Looking for regular files (d_type = 8) starting with 'cib-' and not ending in .sig */
     struct stat s;
     char *a_path = crm_strdup_printf("%s/%s", cib_root, a->d_name);
 
     if(stat(a_path, &s) != 0) {
         rc = errno;
         crm_trace("%s - stat failed: %s (%d)", a->d_name, pcmk_rc_str(rc), rc);
         rc = 0;
 
     } else if ((s.st_mode & S_IFREG) != S_IFREG) {
         unsigned char dtype;
 #ifdef HAVE_STRUCT_DIRENT_D_TYPE
         dtype = a->d_type;
 #else
         switch (s.st_mode & S_IFMT) {
             case S_IFREG:  dtype = DT_REG;      break;
             case S_IFDIR:  dtype = DT_DIR;      break;
             case S_IFCHR:  dtype = DT_CHR;      break;
             case S_IFBLK:  dtype = DT_BLK;      break;
             case S_IFLNK:  dtype = DT_LNK;      break;
             case S_IFIFO:  dtype = DT_FIFO;     break;
             case S_IFSOCK: dtype = DT_SOCK;     break;
             default:       dtype = DT_UNKNOWN;  break;
         }
 #endif
          crm_trace("%s - wrong type (%d)", a->d_name, dtype);
 
     } else if(strstr(a->d_name, "cib-") != a->d_name) {
         crm_trace("%s - wrong prefix", a->d_name);
 
     } else if (pcmk__ends_with_ext(a->d_name, ".sig")) {
         crm_trace("%s - wrong suffix", a->d_name);
 
     } else {
         crm_debug("%s - candidate", a->d_name);
         rc = 1;
     }
 
     free(a_path);
     return rc;
 }
 
 static int cib_archive_sort(const struct dirent ** a, const struct dirent **b)
 {
     /* Order by creation date - most recently created file first */
     int rc = 0;
     struct stat buf;
 
     time_t a_age = 0;
     time_t b_age = 0;
 
     char *a_path = crm_strdup_printf("%s/%s", cib_root, a[0]->d_name);
     char *b_path = crm_strdup_printf("%s/%s", cib_root, b[0]->d_name);
 
     if(stat(a_path, &buf) == 0) {
         a_age = buf.st_ctime;
     }
     if(stat(b_path, &buf) == 0) {
         b_age = buf.st_ctime;
     }
 
     free(a_path);
     free(b_path);
 
     if(a_age > b_age) {
         rc = 1;
     } else if(a_age < b_age) {
         rc = -1;
     }
 
     crm_trace("%s (%lu) vs. %s (%lu) : %d",
 	a[0]->d_name, (unsigned long)a_age,
 	b[0]->d_name, (unsigned long)b_age, rc);
     return rc;
 }
 
 xmlNode *
 readCibXmlFile(const char *dir, const char *file, gboolean discard_status)
 {
     struct dirent **namelist = NULL;
 
     int lpc = 0;
     char *sigfile = NULL;
     char *sigfilepath = NULL;
     char *filename = NULL;
     const char *name = NULL;
     const char *value = NULL;
-    const char *validation = NULL;
     const char *use_valgrind = pcmk__env_option(PCMK__ENV_VALGRIND_ENABLED);
 
     xmlNode *root = NULL;
     xmlNode *status = NULL;
 
     sigfile = crm_strdup_printf("%s.sig", file);
     if (pcmk__daemon_can_write(dir, file) == FALSE
             || pcmk__daemon_can_write(dir, sigfile) == FALSE) {
         cib_status = -EACCES;
         return NULL;
     }
 
     filename = crm_strdup_printf("%s/%s", dir, file);
     sigfilepath = crm_strdup_printf("%s/%s", dir, sigfile);
     free(sigfile);
 
     cib_status = pcmk_ok;
     root = retrieveCib(filename, sigfilepath);
     free(filename);
     free(sigfilepath);
 
     if (root == NULL) {
         crm_warn("Primary configuration corrupt or unusable, trying backups in %s", cib_root);
         lpc = scandir(cib_root, &namelist, cib_archive_filter, cib_archive_sort);
         if (lpc < 0) {
             crm_err("scandir(%s) failed: %s", cib_root, pcmk_rc_str(errno));
         }
     }
 
     while (root == NULL && lpc > 1) {
         crm_debug("Testing %d candidates", lpc);
 
         lpc--;
 
         filename = crm_strdup_printf("%s/%s", cib_root, namelist[lpc]->d_name);
         sigfile = crm_strdup_printf("%s.sig", filename);
 
         crm_info("Reading cluster configuration file %s (digest: %s)",
                  filename, sigfile);
         if (cib_file_read_and_verify(filename, sigfile, &root) < 0) {
             crm_warn("Continuing but %s will NOT be used.", filename);
         } else {
             crm_notice("Continuing with last valid configuration archive: %s", filename);
         }
 
         free(namelist[lpc]);
         free(filename);
         free(sigfile);
     }
     free(namelist);
 
     if (root == NULL) {
         root = createEmptyCib(0);
         crm_warn("Continuing with an empty configuration.");
     }
 
     if (cib_writes_enabled && (use_valgrind != NULL)
         && (crm_is_true(use_valgrind)
             || (strstr(use_valgrind, PCMK__SERVER_BASED) != NULL))) {
 
         cib_writes_enabled = FALSE;
         crm_err("*** Disabling disk writes to avoid confusing Valgrind ***");
     }
 
     status = pcmk__xe_first_child(root, PCMK_XE_STATUS, NULL, NULL);
     if (discard_status && status != NULL) {
         // Strip out the PCMK_XE_STATUS section if there is one
         pcmk__xml_free(status);
         status = NULL;
     }
     if (status == NULL) {
         pcmk__xe_create(root, PCMK_XE_STATUS);
     }
 
     /* Do this before schema validation happens */
 
     /* fill in some defaults */
     name = PCMK_XA_ADMIN_EPOCH;
     value = crm_element_value(root, name);
     if (value == NULL) {
         crm_warn("No value for %s was specified in the configuration.", name);
         crm_warn("The recommended course of action is to shutdown,"
                  " run crm_verify and fix any errors it reports.");
         crm_warn("We will default to zero and continue but may get"
                  " confused about which configuration to use if"
                  " multiple nodes are powered up at the same time.");
         crm_xml_add_int(root, name, 0);
     }
 
     name = PCMK_XA_EPOCH;
     value = crm_element_value(root, name);
     if (value == NULL) {
         crm_xml_add_int(root, name, 0);
     }
 
     name = PCMK_XA_NUM_UPDATES;
     value = crm_element_value(root, name);
     if (value == NULL) {
         crm_xml_add_int(root, name, 0);
     }
 
     // Unset (DC should set appropriate value)
     pcmk__xe_remove_attr(root, PCMK_XA_DC_UUID);
 
     if (discard_status) {
         crm_log_xml_trace(root, "[on-disk]");
     }
 
-    validation = crm_element_value(root, PCMK_XA_VALIDATE_WITH);
     if (!pcmk__configured_schema_validates(root)) {
-        crm_err("CIB does not validate with %s",
-                pcmk__s(validation, "no schema specified"));
         cib_status = -pcmk_err_schema_validation;
-
-    // @COMPAT Not specifying validate-with is deprecated since 2.1.8
-    } else if (validation == NULL) {
-        pcmk__update_schema(&root, NULL, false, false);
-        validation = crm_element_value(root, PCMK_XA_VALIDATE_WITH);
-        if (validation != NULL) {
-            crm_notice("Enabling %s validation on"
-                       " the existing (sane) configuration", validation);
-        } else {
-            crm_err("CIB does not validate with any known schema");
-            cib_status = -pcmk_err_schema_validation;
-        }
     }
-
     return root;
 }
 
 gboolean
 uninitializeCib(void)
 {
     xmlNode *tmp_cib = the_cib;
 
     if (tmp_cib == NULL) {
         crm_debug("The CIB has already been deallocated.");
         return FALSE;
     }
 
     the_cib = NULL;
 
     crm_debug("Deallocating the CIB.");
 
     pcmk__xml_free(tmp_cib);
 
     crm_debug("The CIB has been deallocated.");
 
     return TRUE;
 }
 
 /*
  * This method will free the old CIB pointer on success and the new one
  * on failure.
  */
 int
 activateCibXml(xmlNode * new_cib, gboolean to_disk, const char *op)
 {
     if (new_cib) {
         xmlNode *saved_cib = the_cib;
 
         CRM_ASSERT(new_cib != saved_cib);
         the_cib = new_cib;
         pcmk__xml_free(saved_cib);
         if (cib_writes_enabled && cib_status == pcmk_ok && to_disk) {
             crm_debug("Triggering CIB write for %s op", op);
             mainloop_set_trigger(cib_writer);
         }
         return pcmk_ok;
     }
 
     crm_err("Ignoring invalid CIB");
     if (the_cib) {
         crm_warn("Reverting to last known CIB");
     } else {
         crm_crit("Could not write out new CIB and no saved version to revert to");
     }
     return -ENODATA;
 }
 
 static void
 cib_diskwrite_complete(mainloop_child_t * p, pid_t pid, int core, int signo, int exitcode)
 {
     const char *errmsg = "Could not write CIB to disk";
 
     if ((exitcode != 0) && cib_writes_enabled) {
         cib_writes_enabled = FALSE;
         errmsg = "Disabling CIB disk writes after failure";
     }
 
     if ((signo == 0) && (exitcode == 0)) {
         crm_trace("Disk write [%d] succeeded", (int) pid);
 
     } else if (signo == 0) {
         crm_err("%s: process %d exited %d", errmsg, (int) pid, exitcode);
 
     } else {
         crm_err("%s: process %d terminated with signal %d (%s)%s",
                 errmsg, (int) pid, signo, strsignal(signo),
                 (core? " and dumped core" : ""));
     }
 
     mainloop_trigger_complete(cib_writer);
 }
 
 int
 write_cib_contents(gpointer p)
 {
     int exit_rc = pcmk_ok;
     xmlNode *cib_local = NULL;
 
     /* Make a copy of the CIB to write (possibly in a forked child) */
     if (p) {
         /* Synchronous write out */
         cib_local = pcmk__xml_copy(NULL, p);
 
     } else {
         int pid = 0;
         int bb_state = qb_log_ctl(QB_LOG_BLACKBOX, QB_LOG_CONF_STATE_GET, 0);
 
         /* Turn it off before the fork() to avoid:
          * - 2 processes writing to the same shared mem
          * - the child needing to disable it
          *   (which would close it from underneath the parent)
          * This way, the shared mem files are already closed
          */
         qb_log_ctl(QB_LOG_BLACKBOX, QB_LOG_CONF_ENABLED, QB_FALSE);
 
         pid = fork();
         if (pid < 0) {
             crm_err("Disabling disk writes after fork failure: %s", pcmk_rc_str(errno));
             cib_writes_enabled = FALSE;
             return FALSE;
         }
 
         if (pid) {
             /* Parent */
             mainloop_child_add(pid, 0, "disk-writer", NULL, cib_diskwrite_complete);
             if (bb_state == QB_LOG_STATE_ENABLED) {
                 /* Re-enable now that it it safe */
                 qb_log_ctl(QB_LOG_BLACKBOX, QB_LOG_CONF_ENABLED, QB_TRUE);
             }
 
             return -1;          /* -1 means 'still work to do' */
         }
 
         /* Asynchronous write-out after a fork() */
 
         /* In theory, we can scribble on the_cib here and not affect the parent,
          * but let's be safe anyway.
          */
         cib_local = pcmk__xml_copy(NULL, the_cib);
     }
 
     /* Write the CIB */
     exit_rc = cib_file_write_with_digest(cib_local, cib_root, "cib.xml");
 
     /* A nonzero exit code will cause further writes to be disabled */
     pcmk__xml_free(cib_local);
     if (p == NULL) {
         crm_exit_t exit_code = CRM_EX_OK;
 
         switch (exit_rc) {
             case pcmk_ok:
                 exit_code = CRM_EX_OK;
                 break;
             case pcmk_err_cib_modified:
                 exit_code = CRM_EX_DIGEST; // Existing CIB doesn't match digest
                 break;
             case pcmk_err_cib_backup: // Existing CIB couldn't be backed up
             case pcmk_err_cib_save:   // New CIB couldn't be saved
                 exit_code = CRM_EX_CANTCREAT;
                 break;
             default:
                 exit_code = CRM_EX_ERROR;
                 break;
         }
 
         /* Use _exit() because exit() could affect the parent adversely */
         _exit(exit_code);
     }
     return exit_rc;
 }
diff --git a/daemons/based/based_messages.c b/daemons/based/based_messages.c
index fb9571ca0a..25d31f49ac 100644
--- a/daemons/based/based_messages.c
+++ b/daemons/based/based_messages.c
@@ -1,523 +1,529 @@
 /*
  * Copyright 2004-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU General Public License version 2
  * or later (GPLv2+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <time.h>
 
 #include <sys/param.h>
 #include <sys/types.h>
 
 #include <glib.h>
 #include <libxml/tree.h>
 
 #include <crm/crm.h>
 #include <crm/cib/internal.h>
 
 #include <crm/common/xml.h>
 #include <crm/common/ipc_internal.h>
 #include <crm/common/xml_internal.h>
 #include <crm/cluster/internal.h>
 
 #include <pacemaker-based.h>
 
 /* Maximum number of diffs to ignore while waiting for a resync */
 #define MAX_DIFF_RETRY 5
 
 bool based_is_primary = false;
 
 xmlNode *the_cib = NULL;
 
 int
 cib_process_shutdown_req(const char *op, int options, const char *section, xmlNode * req,
                          xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                          xmlNode ** answer)
 {
     const char *host = crm_element_value(req, PCMK__XA_SRC);
 
     *answer = NULL;
 
     if (crm_element_value(req, PCMK__XA_CIB_ISREPLYTO) == NULL) {
         crm_info("Peer %s is requesting to shut down", host);
         return pcmk_ok;
     }
 
     if (cib_shutdown_flag == FALSE) {
         crm_err("Peer %s mistakenly thinks we wanted to shut down", host);
         return -EINVAL;
     }
 
     crm_info("Peer %s has acknowledged our shutdown request", host);
     terminate_cib(__func__, 0);
     return pcmk_ok;
 }
 
 // @COMPAT: Remove when PCMK__CIB_REQUEST_NOOP is removed
 int
 cib_process_noop(const char *op, int options, const char *section, xmlNode *req,
                  xmlNode *input, xmlNode *existing_cib, xmlNode **result_cib,
                  xmlNode **answer)
 {
     crm_trace("Processing \"%s\" event", op);
     *answer = NULL;
     return pcmk_ok;
 }
 
 int
 cib_process_readwrite(const char *op, int options, const char *section, xmlNode * req,
                       xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                       xmlNode ** answer)
 {
     int result = pcmk_ok;
 
     crm_trace("Processing \"%s\" event", op);
 
     // @COMPAT Pacemaker Remote clients <3.0.0 may send this
     if (pcmk__str_eq(op, PCMK__CIB_REQUEST_IS_PRIMARY, pcmk__str_none)) {
         if (based_is_primary) {
             result = pcmk_ok;
         } else {
             result = -EPERM;
         }
         return result;
     }
 
     if (pcmk__str_eq(op, PCMK__CIB_REQUEST_PRIMARY, pcmk__str_none)) {
         if (!based_is_primary) {
             crm_info("We are now in R/W mode");
             based_is_primary = true;
         } else {
             crm_debug("We are still in R/W mode");
         }
 
     } else if (based_is_primary) {
         crm_info("We are now in R/O mode");
         based_is_primary = false;
     }
 
     return result;
 }
 
 /* Set to 1 when a sync is requested, incremented when a diff is ignored,
  * reset to 0 when a sync is received
  */
 static int sync_in_progress = 0;
 
 void
 send_sync_request(const char *host)
 {
     xmlNode *sync_me = pcmk__xe_create(NULL, "sync-me");
     pcmk__node_status_t *peer = NULL;
 
     crm_info("Requesting re-sync from %s", (host? host : "all peers"));
     sync_in_progress = 1;
 
     crm_xml_add(sync_me, PCMK__XA_T, PCMK__VALUE_CIB);
     crm_xml_add(sync_me, PCMK__XA_CIB_OP, PCMK__CIB_REQUEST_SYNC_TO_ONE);
     crm_xml_add(sync_me, PCMK__XA_CIB_DELEGATED_FROM, OUR_NODENAME);
 
     if (host != NULL) {
         peer = pcmk__get_node(0, host, NULL, pcmk__node_search_cluster_member);
     }
     pcmk__cluster_send_message(peer, pcmk_ipc_based, sync_me);
     pcmk__xml_free(sync_me);
 }
 
 int
 cib_process_ping(const char *op, int options, const char *section, xmlNode * req, xmlNode * input,
                  xmlNode * existing_cib, xmlNode ** result_cib, xmlNode ** answer)
 {
     const char *host = crm_element_value(req, PCMK__XA_SRC);
     const char *seq = crm_element_value(req, PCMK__XA_CIB_PING_ID);
     char *digest = pcmk__digest_xml(the_cib, true);
 
     xmlNode *wrapper = NULL;
 
     crm_trace("Processing \"%s\" event %s from %s", op, seq, host);
     *answer = pcmk__xe_create(NULL, PCMK__XE_PING_RESPONSE);
 
     crm_xml_add(*answer, PCMK_XA_CRM_FEATURE_SET, CRM_FEATURE_SET);
     crm_xml_add(*answer, PCMK__XA_DIGEST, digest);
     crm_xml_add(*answer, PCMK__XA_CIB_PING_ID, seq);
 
     wrapper = pcmk__xe_create(*answer, PCMK__XE_CIB_CALLDATA);
 
     if (the_cib != NULL) {
         pcmk__if_tracing(
             {
                 /* Append additional detail so the receiver can log the
                  * differences
                  */
                 pcmk__xml_copy(wrapper, the_cib);
             },
             {
                 // Always include at least the version details
                 const char *name = (const char *) the_cib->name;
                 xmlNode *shallow = pcmk__xe_create(wrapper, name);
 
                 pcmk__xe_copy_attrs(shallow, the_cib, pcmk__xaf_none);
             }
         );
     }
 
     crm_info("Reporting our current digest to %s: %s for %s.%s.%s",
              host, digest,
              crm_element_value(existing_cib, PCMK_XA_ADMIN_EPOCH),
              crm_element_value(existing_cib, PCMK_XA_EPOCH),
              crm_element_value(existing_cib, PCMK_XA_NUM_UPDATES));
 
     free(digest);
 
     return pcmk_ok;
 }
 
 int
 cib_process_sync(const char *op, int options, const char *section, xmlNode * req, xmlNode * input,
                  xmlNode * existing_cib, xmlNode ** result_cib, xmlNode ** answer)
 {
     return sync_our_cib(req, TRUE);
 }
 
 int
 cib_process_upgrade_server(const char *op, int options, const char *section, xmlNode * req, xmlNode * input,
                            xmlNode * existing_cib, xmlNode ** result_cib, xmlNode ** answer)
 {
     int rc = pcmk_ok;
 
     *answer = NULL;
 
     if (crm_element_value(req, PCMK__XA_CIB_SCHEMA_MAX) != NULL) {
         /* The originator of an upgrade request sends it to the DC, without
          * PCMK__XA_CIB_SCHEMA_MAX. If an upgrade is needed, the DC
          * re-broadcasts the request with PCMK__XA_CIB_SCHEMA_MAX, and each node
          * performs the upgrade (and notifies its local clients) here.
          */
         return cib_process_upgrade(
             op, options, section, req, input, existing_cib, result_cib, answer);
 
     } else {
         xmlNode *scratch = pcmk__xml_copy(NULL, existing_cib);
         const char *host = crm_element_value(req, PCMK__XA_SRC);
         const char *original_schema = NULL;
         const char *new_schema = NULL;
         const char *client_id = crm_element_value(req, PCMK__XA_CIB_CLIENTID);
         const char *call_opts = crm_element_value(req, PCMK__XA_CIB_CALLOPT);
         const char *call_id = crm_element_value(req, PCMK__XA_CIB_CALLID);
 
         crm_trace("Processing \"%s\" event", op);
         original_schema = crm_element_value(existing_cib,
                                             PCMK_XA_VALIDATE_WITH);
+        if (original_schema == NULL) {
+            crm_info("Rejecting upgrade request from %s: No "
+                     PCMK_XA_VALIDATE_WITH, host);
+            return -pcmk_err_cib_corrupt;
+        }
+
         rc = pcmk__update_schema(&scratch, NULL, true, true);
         rc = pcmk_rc2legacy(rc);
         new_schema = crm_element_value(scratch, PCMK_XA_VALIDATE_WITH);
 
         if (pcmk__cmp_schemas_by_name(new_schema, original_schema) > 0) {
             xmlNode *up = pcmk__xe_create(NULL, __func__);
 
             rc = pcmk_ok;
             crm_notice("Upgrade request from %s verified", host);
 
             crm_xml_add(up, PCMK__XA_T, PCMK__VALUE_CIB);
             crm_xml_add(up, PCMK__XA_CIB_OP, PCMK__CIB_REQUEST_UPGRADE);
             crm_xml_add(up, PCMK__XA_CIB_SCHEMA_MAX, new_schema);
             crm_xml_add(up, PCMK__XA_CIB_DELEGATED_FROM, host);
             crm_xml_add(up, PCMK__XA_CIB_CLIENTID, client_id);
             crm_xml_add(up, PCMK__XA_CIB_CALLOPT, call_opts);
             crm_xml_add(up, PCMK__XA_CIB_CALLID, call_id);
 
             pcmk__cluster_send_message(NULL, pcmk_ipc_based, up);
 
             pcmk__xml_free(up);
 
         } else if(rc == pcmk_ok) {
             rc = -pcmk_err_schema_unchanged;
         }
 
         if (rc != pcmk_ok) {
             // Notify originating peer so it can notify its local clients
             pcmk__node_status_t *origin = NULL;
 
             origin = pcmk__search_node_caches(0, host,
                                               pcmk__node_search_cluster_member);
 
             crm_info("Rejecting upgrade request from %s: %s "
                      QB_XS " rc=%d peer=%s", host, pcmk_strerror(rc), rc,
                      (origin? origin->name : "lost"));
 
             if (origin) {
                 xmlNode *up = pcmk__xe_create(NULL, __func__);
 
                 crm_xml_add(up, PCMK__XA_T, PCMK__VALUE_CIB);
                 crm_xml_add(up, PCMK__XA_CIB_OP, PCMK__CIB_REQUEST_UPGRADE);
                 crm_xml_add(up, PCMK__XA_CIB_DELEGATED_FROM, host);
                 crm_xml_add(up, PCMK__XA_CIB_ISREPLYTO, host);
                 crm_xml_add(up, PCMK__XA_CIB_CLIENTID, client_id);
                 crm_xml_add(up, PCMK__XA_CIB_CALLOPT, call_opts);
                 crm_xml_add(up, PCMK__XA_CIB_CALLID, call_id);
                 crm_xml_add_int(up, PCMK__XA_CIB_UPGRADE_RC, rc);
                 if (!pcmk__cluster_send_message(origin, pcmk_ipc_based, up)) {
                     crm_warn("Could not send CIB upgrade result to %s", host);
                 }
                 pcmk__xml_free(up);
             }
         }
         pcmk__xml_free(scratch);
     }
     return rc;
 }
 
 int
 cib_process_sync_one(const char *op, int options, const char *section, xmlNode * req,
                      xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                      xmlNode ** answer)
 {
     return sync_our_cib(req, FALSE);
 }
 
 int
 cib_server_process_diff(const char *op, int options, const char *section, xmlNode * req,
                         xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                         xmlNode ** answer)
 {
     int rc = pcmk_ok;
 
     if (sync_in_progress > MAX_DIFF_RETRY) {
         /* Don't ignore diffs forever; the last request may have been lost.
          * If the diff fails, we'll ask for another full resync.
          */
         sync_in_progress = 0;
     }
 
     // The primary instance should never ignore a diff
     if (sync_in_progress && !based_is_primary) {
         int diff_add_updates = 0;
         int diff_add_epoch = 0;
         int diff_add_admin_epoch = 0;
 
         int diff_del_updates = 0;
         int diff_del_epoch = 0;
         int diff_del_admin_epoch = 0;
 
         cib_diff_version_details(input,
                                  &diff_add_admin_epoch, &diff_add_epoch, &diff_add_updates,
                                  &diff_del_admin_epoch, &diff_del_epoch, &diff_del_updates);
 
         sync_in_progress++;
         crm_notice("Not applying diff %d.%d.%d -> %d.%d.%d (sync in progress)",
                    diff_del_admin_epoch, diff_del_epoch, diff_del_updates,
                    diff_add_admin_epoch, diff_add_epoch, diff_add_updates);
         return -pcmk_err_diff_resync;
     }
 
     rc = cib_process_diff(op, options, section, req, input, existing_cib, result_cib, answer);
     crm_trace("result: %s (%d), %s", pcmk_strerror(rc), rc,
               (based_is_primary? "primary": "secondary"));
 
     if ((rc == -pcmk_err_diff_resync) && !based_is_primary) {
         pcmk__xml_free(*result_cib);
         *result_cib = NULL;
         send_sync_request(NULL);
 
     } else if (rc == -pcmk_err_diff_resync) {
         rc = -pcmk_err_diff_failed;
         if (options & cib_force_diff) {
             crm_warn("Not requesting full refresh in R/W mode");
         }
     }
 
     return rc;
 }
 
 int
 cib_process_replace_svr(const char *op, int options, const char *section, xmlNode * req,
                         xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                         xmlNode ** answer)
 {
     int rc =
         cib_process_replace(op, options, section, req, input, existing_cib, result_cib, answer);
 
     if ((rc == pcmk_ok) && pcmk__xe_is(input, PCMK_XE_CIB)) {
         sync_in_progress = 0;
     }
     return rc;
 }
 
 /* @COMPAT: Remove when PCMK__CIB_REQUEST_ABS_DELETE is removed
  * (At least external client code <3.0.0 can send it)
  */
 int
 cib_process_delete_absolute(const char *op, int options, const char *section, xmlNode * req,
                             xmlNode * input, xmlNode * existing_cib, xmlNode ** result_cib,
                             xmlNode ** answer)
 {
     return -EINVAL;
 }
 
 static xmlNode *
 cib_msg_copy(xmlNode *msg)
 {
     static const char *field_list[] = {
         PCMK__XA_T,
         PCMK__XA_CIB_CLIENTID,
         PCMK__XA_CIB_CALLOPT,
         PCMK__XA_CIB_CALLID,
         PCMK__XA_CIB_OP,
         PCMK__XA_CIB_ISREPLYTO,
         PCMK__XA_CIB_SECTION,
         PCMK__XA_CIB_HOST,
         PCMK__XA_CIB_RC,
         PCMK__XA_CIB_DELEGATED_FROM,
         PCMK__XA_CIB_UPDATE,
         PCMK__XA_CIB_CLIENTNAME,
         PCMK__XA_CIB_USER,
         PCMK__XA_CIB_NOTIFY_TYPE,
         PCMK__XA_CIB_NOTIFY_ACTIVATE,
     };
 
     xmlNode *copy = pcmk__xe_create(NULL, PCMK__XE_COPY);
 
     for (int lpc = 0; lpc < PCMK__NELEM(field_list); lpc++) {
         const char *field = field_list[lpc];
         const char *value = crm_element_value(msg, field);
 
         if (value != NULL) {
             crm_xml_add(copy, field, value);
         }
     }
 
     return copy;
 }
 
 int
 sync_our_cib(xmlNode * request, gboolean all)
 {
     int result = pcmk_ok;
     char *digest = NULL;
     const char *host = crm_element_value(request, PCMK__XA_SRC);
     const char *op = crm_element_value(request, PCMK__XA_CIB_OP);
     pcmk__node_status_t *peer = NULL;
     xmlNode *replace_request = NULL;
     xmlNode *wrapper = NULL;
 
     CRM_CHECK(the_cib != NULL, return -EINVAL);
     CRM_CHECK(all || (host != NULL), return -EINVAL);
 
     crm_debug("Syncing CIB to %s", all ? "all peers" : host);
 
     replace_request = cib_msg_copy(request);
 
     if (host != NULL) {
         crm_xml_add(replace_request, PCMK__XA_CIB_ISREPLYTO, host);
     }
     if (all) {
         pcmk__xe_remove_attr(replace_request, PCMK__XA_CIB_HOST);
     }
 
     crm_xml_add(replace_request, PCMK__XA_CIB_OP, PCMK__CIB_REQUEST_REPLACE);
 
     // @TODO Keep for tracing, or drop?
     crm_xml_add(replace_request, PCMK__XA_ORIGINAL_CIB_OP, op);
 
     pcmk__xe_set_bool_attr(replace_request, PCMK__XA_CIB_UPDATE, true);
 
     crm_xml_add(replace_request, PCMK_XA_CRM_FEATURE_SET, CRM_FEATURE_SET);
     digest = pcmk__digest_xml(the_cib, true);
     crm_xml_add(replace_request, PCMK__XA_DIGEST, digest);
 
     wrapper = pcmk__xe_create(replace_request, PCMK__XE_CIB_CALLDATA);
     pcmk__xml_copy(wrapper, the_cib);
 
     if (!all) {
         peer = pcmk__get_node(0, host, NULL, pcmk__node_search_cluster_member);
     }
     if (!pcmk__cluster_send_message(peer, pcmk_ipc_based, replace_request)) {
         result = -ENOTCONN;
     }
     pcmk__xml_free(replace_request);
     free(digest);
     return result;
 }
 
 int
 cib_process_commit_transaction(const char *op, int options, const char *section,
                                xmlNode *req, xmlNode *input,
                                xmlNode *existing_cib, xmlNode **result_cib,
                                xmlNode **answer)
 {
     /* On success, our caller will activate *result_cib locally, trigger a
      * replace notification if appropriate, and sync *result_cib to all nodes.
      * On failure, our caller will free *result_cib.
      */
     int rc = pcmk_rc_ok;
     const char *client_id = crm_element_value(req, PCMK__XA_CIB_CLIENTID);
     const char *origin = crm_element_value(req, PCMK__XA_SRC);
     pcmk__client_t *client = pcmk__find_client_by_id(client_id);
 
     rc = based_commit_transaction(input, client, origin, result_cib);
 
     if (rc != pcmk_rc_ok) {
         char *source = based_transaction_source_str(client, origin);
 
         crm_err("Could not commit transaction for %s: %s",
                 source, pcmk_rc_str(rc));
         free(source);
     }
     return pcmk_rc2legacy(rc);
 }
 
 int
 cib_process_schemas(const char *op, int options, const char *section, xmlNode *req,
                     xmlNode *input, xmlNode *existing_cib, xmlNode **result_cib,
                     xmlNode **answer)
 {
     xmlNode *wrapper = NULL;
     xmlNode *data = NULL;
 
     const char *after_ver = NULL;
     GList *schemas = NULL;
     GList *already_included = NULL;
 
     *answer = pcmk__xe_create(NULL, PCMK__XA_SCHEMAS);
 
     wrapper = pcmk__xe_first_child(req, PCMK__XE_CIB_CALLDATA, NULL, NULL);
     data = pcmk__xe_first_child(wrapper, NULL, NULL, NULL);
     if (data == NULL) {
         crm_warn("No data specified in request");
         return -EPROTO;
     }
 
     after_ver = crm_element_value(data, PCMK_XA_VERSION);
     if (after_ver == NULL) {
         crm_warn("No version specified in request");
         return -EPROTO;
     }
 
     /* The client requested all schemas after the latest one we know about, which
      * means the client is fully up-to-date.  Return a properly formatted reply
      * with no schemas.
      */
     if (pcmk__str_eq(after_ver, pcmk__highest_schema_name(), pcmk__str_none)) {
         return pcmk_ok;
     }
 
     schemas = pcmk__schema_files_later_than(after_ver);
 
     for (GList *iter = schemas; iter != NULL; iter = iter->next) {
         pcmk__build_schema_xml_node(*answer, iter->data, &already_included);
     }
 
     g_list_free_full(schemas, free);
     g_list_free_full(already_included, free);
     return pcmk_ok;
 }
diff --git a/daemons/controld/controld_join_dc.c b/daemons/controld/controld_join_dc.c
index 146115efb6..c611109b34 100644
--- a/daemons/controld/controld_join_dc.c
+++ b/daemons/controld/controld_join_dc.c
@@ -1,1090 +1,1092 @@
 /*
  * Copyright 2004-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU General Public License version 2
  * or later (GPLv2+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <inttypes.h>               // PRIu32
 #include <stdbool.h>                // bool, true, false
 #include <stdio.h>                  // NULL
 #include <stdlib.h>                 // free(), etc.
 
 #include <glib.h>                   // gboolean, etc.
 #include <libxml/tree.h>            // xmlNode
 
 #include <crm/crm.h>
 
 #include <crm/common/xml.h>
 #include <crm/cluster.h>
 
 #include <pacemaker-controld.h>
 
 static char *max_generation_from = NULL;
 static xmlNodePtr max_generation_xml = NULL;
 
 /*!
  * \internal
  * \brief Nodes from which a CIB sync has failed since the peer joined
  *
  * This table is of the form (<tt>node_name -> join_id</tt>). \p node_name is
  * the name of a client node from which a CIB \p sync_from() call has failed in
  * \p do_dc_join_finalize() since the client joined the cluster as a peer.
  * \p join_id is the ID of the join round in which the \p sync_from() failed,
  * and is intended for use in nack log messages.
  */
 static GHashTable *failed_sync_nodes = NULL;
 
 void finalize_join_for(gpointer key, gpointer value, gpointer user_data);
 void finalize_sync_callback(xmlNode * msg, int call_id, int rc, xmlNode * output, void *user_data);
 gboolean check_join_state(enum crmd_fsa_state cur_state, const char *source);
 
 /* Numeric counter used to identify join rounds (an unsigned int would be
  * appropriate, except we get and set it in XML as int)
  */
 static int current_join_id = 0;
 
 /*!
  * \internal
  * \brief Get log-friendly string equivalent of a controller group join phase
  *
  * \param[in] phase  Join phase
  *
  * \return Log-friendly string equivalent of \p phase
  */
 static const char *
 join_phase_text(enum controld_join_phase phase)
 {
     switch (phase) {
         case controld_join_nack:
             return "nack";
         case controld_join_none:
             return "none";
         case controld_join_welcomed:
             return "welcomed";
         case controld_join_integrated:
             return "integrated";
         case controld_join_finalized:
             return "finalized";
         case controld_join_confirmed:
             return "confirmed";
         default:
             return "invalid";
     }
 }
 
 /*!
  * \internal
  * \brief Destroy the hash table containing failed sync nodes
  */
 void
 controld_destroy_failed_sync_table(void)
 {
     if (failed_sync_nodes != NULL) {
         g_hash_table_destroy(failed_sync_nodes);
         failed_sync_nodes = NULL;
     }
 }
 
 /*!
  * \internal
  * \brief Remove a node from the failed sync nodes table if present
  *
  * \param[in] node_name  Node name to remove
  */
 void
 controld_remove_failed_sync_node(const char *node_name)
 {
     if (failed_sync_nodes != NULL) {
         g_hash_table_remove(failed_sync_nodes, (gchar *) node_name);
     }
 }
 
 /*!
  * \internal
  * \brief Add to a hash table a node whose CIB failed to sync
  *
  * \param[in] node_name  Name of node whose CIB failed to sync
  * \param[in] join_id    Join round when the failure occurred
  */
 static void
 record_failed_sync_node(const char *node_name, gint join_id)
 {
     if (failed_sync_nodes == NULL) {
         failed_sync_nodes = pcmk__strikey_table(g_free, NULL);
     }
 
     /* If the node is already in the table then we failed to nack it during the
      * filter offer step
      */
     CRM_LOG_ASSERT(g_hash_table_insert(failed_sync_nodes, g_strdup(node_name),
                                        GINT_TO_POINTER(join_id)));
 }
 
 /*!
  * \internal
  * \brief Look up a node name in the failed sync table
  *
  * \param[in]  node_name  Name of node to look up
  * \param[out] join_id    Where to store the join ID of when the sync failed
  *
  * \return Standard Pacemaker return code. Specifically, \p pcmk_rc_ok if the
  *         node name was found, or \p pcmk_rc_node_unknown otherwise.
  * \note \p *join_id is set to -1 if the node is not found.
  */
 static int
 lookup_failed_sync_node(const char *node_name, gint *join_id)
 {
     *join_id = -1;
 
     if (failed_sync_nodes != NULL) {
         gpointer result = g_hash_table_lookup(failed_sync_nodes,
                                               (gchar *) node_name);
         if (result != NULL) {
             *join_id = GPOINTER_TO_INT(result);
             return pcmk_rc_ok;
         }
     }
     return pcmk_rc_node_unknown;
 }
 
 void
 crm_update_peer_join(const char *source, pcmk__node_status_t *node,
                      enum controld_join_phase phase)
 {
     enum controld_join_phase last = controld_get_join_phase(node);
 
     CRM_CHECK(node != NULL, return);
 
     /* Remote nodes do not participate in joins */
     if (pcmk_is_set(node->flags, pcmk__node_status_remote)) {
         return;
     }
 
     if (phase == last) {
         crm_trace("Node %s join-%d phase is still %s "
                   QB_XS " nodeid=%" PRIu32 " source=%s",
                   node->name, current_join_id, join_phase_text(last),
                   node->cluster_layer_id, source);
         return;
     }
 
     if ((phase <= controld_join_none) || (phase == (last + 1))) {
         struct controld_node_status_data *data =
             pcmk__assert_alloc(1, sizeof(struct controld_node_status_data));
 
         data->join_phase = phase;
         node->user_data = data;
 
         crm_trace("Node %s join-%d phase is now %s (was %s) "
                   QB_XS " nodeid=%" PRIu32 " source=%s",
                   node->name, current_join_id, join_phase_text(phase),
                   join_phase_text(last), node->cluster_layer_id,
                   source);
         return;
     }
 
     crm_warn("Rejecting join-%d phase update for node %s because can't go from "
              "%s to %s " QB_XS " nodeid=%" PRIu32 " source=%s",
              current_join_id, node->name, join_phase_text(last),
              join_phase_text(phase), node->cluster_layer_id, source);
 }
 
 static void
 start_join_round(void)
 {
     GHashTableIter iter;
     pcmk__node_status_t *peer = NULL;
 
     crm_debug("Starting new join round join-%d", current_join_id);
 
     g_hash_table_iter_init(&iter, pcmk__peer_cache);
     while (g_hash_table_iter_next(&iter, NULL, (gpointer *) &peer)) {
         crm_update_peer_join(__func__, peer, controld_join_none);
     }
     if (max_generation_from != NULL) {
         free(max_generation_from);
         max_generation_from = NULL;
     }
     if (max_generation_xml != NULL) {
         pcmk__xml_free(max_generation_xml);
         max_generation_xml = NULL;
     }
     controld_clear_fsa_input_flags(R_HAVE_CIB);
 }
 
 /*!
  * \internal
  * \brief Create a join message from the DC
  *
  * \param[in] join_op  Join operation name
  * \param[in] host_to  Recipient of message
  */
 static xmlNode *
 create_dc_message(const char *join_op, const char *host_to)
 {
     xmlNode *msg = pcmk__new_request(pcmk_ipc_controld, CRM_SYSTEM_DC, host_to,
                                      CRM_SYSTEM_CRMD, join_op, NULL);
 
     /* Identify which election this is a part of */
     crm_xml_add_int(msg, PCMK__XA_JOIN_ID, current_join_id);
 
     /* Add a field specifying whether the DC is shutting down. This keeps the
      * joining node from fencing the old DC if it becomes the new DC.
      */
     pcmk__xe_set_bool_attr(msg, PCMK__XA_DC_LEAVING,
                            pcmk_is_set(controld_globals.fsa_input_register,
                                        R_SHUTDOWN));
     return msg;
 }
 
 static void
 join_make_offer(gpointer key, gpointer value, gpointer user_data)
 {
     /* @TODO We don't use user_data except to distinguish one particular call
      * from others. Make this clearer.
      */
     xmlNode *offer = NULL;
     pcmk__node_status_t *member = (pcmk__node_status_t *) value;
 
     CRM_ASSERT(member != NULL);
     if (!pcmk__cluster_is_node_active(member)) {
         crm_info("Not making join-%d offer to inactive node %s",
                  current_join_id, pcmk__s(member->name, "with unknown name"));
         if ((member->expected == NULL)
             && pcmk__str_eq(member->state, PCMK__VALUE_LOST, pcmk__str_none)) {
             /* You would think this unsafe, but in fact this plus an
              * active resource is what causes it to be fenced.
              *
              * Yes, this does mean that any node that dies at the same
              * time as the old DC and is not running resource (still)
              * won't be fenced.
              *
              * I'm not happy about this either.
              */
             pcmk__update_peer_expected(__func__, member, CRMD_JOINSTATE_DOWN);
         }
         return;
     }
 
     if (member->name == NULL) {
         crm_info("Not making join-%d offer to node uuid %s with unknown name",
                  current_join_id, member->xml_id);
         return;
     }
 
     if (controld_globals.membership_id != controld_globals.peer_seq) {
         controld_globals.membership_id = controld_globals.peer_seq;
         crm_info("Making join-%d offers based on membership event %llu",
                  current_join_id, controld_globals.peer_seq);
     }
 
     if (user_data != NULL) {
         enum controld_join_phase phase = controld_get_join_phase(member);
 
         if (phase > controld_join_none) {
             crm_info("Not making join-%d offer to already known node %s (%s)",
                      current_join_id, member->name, join_phase_text(phase));
             return;
         }
     }
 
     crm_update_peer_join(__func__, (pcmk__node_status_t*) member,
                          controld_join_none);
 
     offer = create_dc_message(CRM_OP_JOIN_OFFER, member->name);
 
     // Advertise our feature set so the joining node can bail if not compatible
     crm_xml_add(offer, PCMK_XA_CRM_FEATURE_SET, CRM_FEATURE_SET);
 
     crm_info("Sending join-%d offer to %s", current_join_id, member->name);
     pcmk__cluster_send_message(member, pcmk_ipc_controld, offer);
     pcmk__xml_free(offer);
 
     crm_update_peer_join(__func__, member, controld_join_welcomed);
 }
 
 /*	 A_DC_JOIN_OFFER_ALL	*/
 void
 do_dc_join_offer_all(long long action,
                      enum crmd_fsa_cause cause,
                      enum crmd_fsa_state cur_state,
                      enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     int count;
 
     /* Reset everyone's status back to down or in_ccm in the CIB.
      * Any nodes that are active in the CIB but not in the cluster membership
      * will be seen as offline by the scheduler anyway.
      */
     current_join_id++;
     start_join_round();
 
     update_dc(NULL);
     if (cause == C_HA_MESSAGE && current_input == I_NODE_JOIN) {
         crm_info("A new node joined the cluster");
     }
     g_hash_table_foreach(pcmk__peer_cache, join_make_offer, NULL);
 
     count = crmd_join_phase_count(controld_join_welcomed);
     crm_info("Waiting on join-%d requests from %d outstanding node%s",
              current_join_id, count, pcmk__plural_s(count));
 
     // Don't waste time by invoking the scheduler yet
 }
 
 /*	 A_DC_JOIN_OFFER_ONE	*/
 void
 do_dc_join_offer_one(long long action,
                      enum crmd_fsa_cause cause,
                      enum crmd_fsa_state cur_state,
                      enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     pcmk__node_status_t *member = NULL;
     ha_msg_input_t *welcome = NULL;
     int count;
     const char *join_to = NULL;
 
     if (msg_data->data == NULL) {
         crm_info("Making join-%d offers to any unconfirmed nodes "
                  "because an unknown node joined", current_join_id);
         g_hash_table_foreach(pcmk__peer_cache, join_make_offer, &member);
         check_join_state(cur_state, __func__);
         return;
     }
 
     welcome = fsa_typed_data(fsa_dt_ha_msg);
     if (welcome == NULL) {
         // fsa_typed_data() already logged an error
         return;
     }
 
     join_to = crm_element_value(welcome->msg, PCMK__XA_SRC);
     if (join_to == NULL) {
         crm_err("Can't make join-%d offer to unknown node", current_join_id);
         return;
     }
     member = pcmk__get_node(0, join_to, NULL, pcmk__node_search_cluster_member);
 
     /* It is possible that a node will have been sick or starting up when the
      * original offer was made. However, it will either re-announce itself in
      * due course, or we can re-store the original offer on the client.
      */
 
     crm_update_peer_join(__func__, member, controld_join_none);
     join_make_offer(NULL, member, NULL);
 
     /* If the offer isn't to the local node, make an offer to the local node as
      * well, to ensure the correct value for max_generation_from.
      */
     if (!controld_is_local_node(join_to)) {
         member = controld_get_local_node_status();
         join_make_offer(NULL, member, NULL);
     }
 
     /* This was a genuine join request; cancel any existing transition and
      * invoke the scheduler.
      */
     abort_transition(PCMK_SCORE_INFINITY, pcmk__graph_restart, "Node join",
                      NULL);
 
     count = crmd_join_phase_count(controld_join_welcomed);
     crm_info("Waiting on join-%d requests from %d outstanding node%s",
              current_join_id, count, pcmk__plural_s(count));
 
     // Don't waste time by invoking the scheduler yet
 }
 
 static int
 compare_int_fields(xmlNode * left, xmlNode * right, const char *field)
 {
     const char *elem_l = crm_element_value(left, field);
     const char *elem_r = crm_element_value(right, field);
 
     long long int_elem_l;
     long long int_elem_r;
 
     int rc = pcmk_rc_ok;
 
     rc = pcmk__scan_ll(elem_l, &int_elem_l, -1LL);
     if (rc != pcmk_rc_ok) { // Shouldn't be possible
         crm_warn("Comparing current CIB %s as -1 "
                  "because '%s' is not an integer", field, elem_l);
     }
 
     rc = pcmk__scan_ll(elem_r, &int_elem_r, -1LL);
     if (rc != pcmk_rc_ok) { // Shouldn't be possible
         crm_warn("Comparing joining node's CIB %s as -1 "
                  "because '%s' is not an integer", field, elem_r);
     }
 
     if (int_elem_l < int_elem_r) {
         return -1;
 
     } else if (int_elem_l > int_elem_r) {
         return 1;
     }
 
     return 0;
 }
 
 /*	 A_DC_JOIN_PROCESS_REQ	*/
 void
 do_dc_join_filter_offer(long long action,
                         enum crmd_fsa_cause cause,
                         enum crmd_fsa_state cur_state,
                         enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     xmlNode *generation = NULL;
 
     int cmp = 0;
     int join_id = -1;
     int count = 0;
     gint value = 0;
     gboolean ack_nack_bool = TRUE;
     ha_msg_input_t *join_ack = fsa_typed_data(fsa_dt_ha_msg);
 
     const char *join_from = crm_element_value(join_ack->msg, PCMK__XA_SRC);
     const char *ref = crm_element_value(join_ack->msg, PCMK_XA_REFERENCE);
     const char *join_version = crm_element_value(join_ack->msg,
                                                  PCMK_XA_CRM_FEATURE_SET);
     pcmk__node_status_t *join_node = NULL;
 
     if (join_from == NULL) {
         crm_err("Ignoring invalid join request without node name");
         return;
     }
     join_node = pcmk__get_node(0, join_from, NULL,
                                pcmk__node_search_cluster_member);
 
     crm_element_value_int(join_ack->msg, PCMK__XA_JOIN_ID, &join_id);
     if (join_id != current_join_id) {
         crm_debug("Ignoring join-%d request from %s because we are on join-%d",
                   join_id, join_from, current_join_id);
         check_join_state(cur_state, __func__);
         return;
     }
 
     generation = join_ack->xml;
     if (max_generation_xml != NULL && generation != NULL) {
         int lpc = 0;
 
         const char *attributes[] = {
             PCMK_XA_ADMIN_EPOCH,
             PCMK_XA_EPOCH,
             PCMK_XA_NUM_UPDATES,
         };
 
         /* It's not obvious that join_ack->xml is the PCMK__XE_GENERATION_TUPLE
          * element from the join client. The "if" guard is for clarity.
          */
         if (pcmk__xe_is(generation, PCMK__XE_GENERATION_TUPLE)) {
             for (lpc = 0; cmp == 0 && lpc < PCMK__NELEM(attributes); lpc++) {
                 cmp = compare_int_fields(max_generation_xml, generation,
                                          attributes[lpc]);
             }
 
         } else {    // Should always be PCMK__XE_GENERATION_TUPLE
             CRM_LOG_ASSERT(false);
         }
     }
 
     if (ref == NULL) {
         ref = "none"; // for logging only
     }
 
     if (lookup_failed_sync_node(join_from, &value) == pcmk_rc_ok) {
         crm_err("Rejecting join-%d request from node %s because we failed to "
                 "sync its CIB in join-%d " QB_XS " ref=%s",
                 join_id, join_from, value, ref);
         ack_nack_bool = FALSE;
 
     } else if (!pcmk__cluster_is_node_active(join_node)) {
         if (match_down_event(join_from) != NULL) {
             /* The join request was received after the node was fenced or
              * otherwise shutdown in a way that we're aware of. No need to log
              * an error in this rare occurrence; we know the client was recently
              * shut down, and receiving a lingering in-flight request is not
              * cause for alarm.
              */
             crm_debug("Rejecting join-%d request from inactive node %s "
                       QB_XS " ref=%s", join_id, join_from, ref);
         } else {
             crm_err("Rejecting join-%d request from inactive node %s "
                     QB_XS " ref=%s", join_id, join_from, ref);
         }
         ack_nack_bool = FALSE;
 
     } else if (generation == NULL) {
         crm_err("Rejecting invalid join-%d request from node %s "
                 "missing CIB generation " QB_XS " ref=%s",
                 join_id, join_from, ref);
         ack_nack_bool = FALSE;
 
     } else if ((join_version == NULL)
                || !feature_set_compatible(CRM_FEATURE_SET, join_version)) {
         crm_err("Rejecting join-%d request from node %s because feature set %s"
                 " is incompatible with ours (%s) " QB_XS " ref=%s",
                 join_id, join_from, (join_version? join_version : "pre-3.1.0"),
                 CRM_FEATURE_SET, ref);
         ack_nack_bool = FALSE;
 
     } else if (max_generation_xml == NULL) {
         const char *validation = crm_element_value(generation,
                                                    PCMK_XA_VALIDATE_WITH);
 
         if (pcmk__get_schema(validation) == NULL) {
             crm_err("Rejecting join-%d request from %s (with first CIB "
-                    "generation) due to unknown schema version %s "
-                    QB_XS " ref=%s",
-                    join_id, join_from, pcmk__s(validation, "(missing)"), ref);
+                    "generation) due to %s schema version %s " QB_XS " ref=%s",
+                    join_id, join_from,
+                    ((validation == NULL)? "missing" : "unknown"),
+                    pcmk__s(validation, ""), ref);
             ack_nack_bool = FALSE;
 
         } else {
             crm_debug("Accepting join-%d request from %s (with first CIB "
                       "generation) " QB_XS " ref=%s",
                       join_id, join_from, ref);
             max_generation_xml = pcmk__xml_copy(NULL, generation);
             pcmk__str_update(&max_generation_from, join_from);
         }
 
     } else if ((cmp < 0)
                || ((cmp == 0) && controld_is_local_node(join_from))) {
         const char *validation = crm_element_value(generation,
                                                    PCMK_XA_VALIDATE_WITH);
 
         if (pcmk__get_schema(validation) == NULL) {
             crm_err("Rejecting join-%d request from %s (with better CIB "
-                    "generation than current best from %s) due to unknown "
+                    "generation than current best from %s) due to %s "
                     "schema version %s " QB_XS " ref=%s",
                     join_id, join_from, max_generation_from,
-                    pcmk__s(validation, "(missing)"), ref);
+                    ((validation == NULL)? "missing" : "unknown"),
+                    pcmk__s(validation, ""), ref);
             ack_nack_bool = FALSE;
 
         } else {
             crm_debug("Accepting join-%d request from %s (with better CIB "
                       "generation than current best from %s) " QB_XS " ref=%s",
                       join_id, join_from, max_generation_from, ref);
             crm_log_xml_debug(max_generation_xml, "Old max generation");
             crm_log_xml_debug(generation, "New max generation");
 
             pcmk__xml_free(max_generation_xml);
             max_generation_xml = pcmk__xml_copy(NULL, join_ack->xml);
             pcmk__str_update(&max_generation_from, join_from);
         }
 
     } else {
         crm_debug("Accepting join-%d request from %s " QB_XS " ref=%s",
                   join_id, join_from, ref);
     }
 
     if (!ack_nack_bool) {
         crm_update_peer_join(__func__, join_node, controld_join_nack);
         pcmk__update_peer_expected(__func__, join_node, CRMD_JOINSTATE_NACK);
 
     } else {
         crm_update_peer_join(__func__, join_node, controld_join_integrated);
         pcmk__update_peer_expected(__func__, join_node, CRMD_JOINSTATE_MEMBER);
     }
 
     count = crmd_join_phase_count(controld_join_integrated);
     crm_debug("%d node%s currently integrated in join-%d",
               count, pcmk__plural_s(count), join_id);
 
     if (check_join_state(cur_state, __func__) == FALSE) {
         // Don't waste time by invoking the scheduler yet
         count = crmd_join_phase_count(controld_join_welcomed);
         crm_debug("Waiting on join-%d requests from %d outstanding node%s",
                   join_id, count, pcmk__plural_s(count));
     }
 }
 
 /*	A_DC_JOIN_FINALIZE	*/
 void
 do_dc_join_finalize(long long action,
                     enum crmd_fsa_cause cause,
                     enum crmd_fsa_state cur_state,
                     enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     char *sync_from = NULL;
     int rc = pcmk_ok;
     int count_welcomed = crmd_join_phase_count(controld_join_welcomed);
     int count_finalizable = crmd_join_phase_count(controld_join_integrated)
                             + crmd_join_phase_count(controld_join_nack);
 
     /* This we can do straight away and avoid clients timing us out
      *  while we compute the latest CIB
      */
     if (count_welcomed != 0) {
         crm_debug("Waiting on join-%d requests from %d outstanding node%s "
                   "before finalizing join", current_join_id, count_welcomed,
                   pcmk__plural_s(count_welcomed));
         crmd_join_phase_log(LOG_DEBUG);
         /* crmd_fsa_stall(FALSE); Needed? */
         return;
 
     } else if (count_finalizable == 0) {
         crm_debug("Finalization not needed for join-%d at the current time",
                   current_join_id);
         crmd_join_phase_log(LOG_DEBUG);
         check_join_state(controld_globals.fsa_state, __func__);
         return;
     }
 
     controld_clear_fsa_input_flags(R_HAVE_CIB);
     if ((max_generation_from == NULL)
         || controld_is_local_node(max_generation_from)) {
         controld_set_fsa_input_flags(R_HAVE_CIB);
     }
 
     if (!controld_globals.transition_graph->complete) {
         crm_warn("Delaying join-%d finalization while transition in progress",
                  current_join_id);
         crmd_join_phase_log(LOG_DEBUG);
         crmd_fsa_stall(FALSE);
         return;
     }
 
     if (pcmk_is_set(controld_globals.fsa_input_register, R_HAVE_CIB)) {
         // Send our CIB out to everyone
         sync_from = pcmk__str_copy(controld_globals.cluster->priv->node_name);
         crm_debug("Finalizing join-%d for %d node%s (sync'ing from local CIB)",
                   current_join_id, count_finalizable,
                   pcmk__plural_s(count_finalizable));
         crm_log_xml_debug(max_generation_xml, "Requested CIB version");
 
     } else {
         // Ask for the agreed best CIB
         sync_from = pcmk__str_copy(max_generation_from);
         crm_notice("Finalizing join-%d for %d node%s (sync'ing CIB from %s)",
                    current_join_id, count_finalizable,
                    pcmk__plural_s(count_finalizable), sync_from);
         crm_log_xml_notice(max_generation_xml, "Requested CIB version");
     }
     crmd_join_phase_log(LOG_DEBUG);
 
     rc = controld_globals.cib_conn->cmds->sync_from(controld_globals.cib_conn,
                                                     sync_from, NULL, cib_none);
     fsa_register_cib_callback(rc, sync_from, finalize_sync_callback);
 }
 
 void
 free_max_generation(void)
 {
     free(max_generation_from);
     max_generation_from = NULL;
 
     pcmk__xml_free(max_generation_xml);
     max_generation_xml = NULL;
 }
 
 void
 finalize_sync_callback(xmlNode * msg, int call_id, int rc, xmlNode * output, void *user_data)
 {
     CRM_LOG_ASSERT(-EPERM != rc);
 
     if (rc != pcmk_ok) {
         const char *sync_from = (const char *) user_data;
 
         do_crm_log(((rc == -pcmk_err_old_data)? LOG_WARNING : LOG_ERR),
                    "Could not sync CIB from %s in join-%d: %s",
                    sync_from, current_join_id, pcmk_strerror(rc));
 
         if (rc != -pcmk_err_old_data) {
             record_failed_sync_node(sync_from, current_join_id);
         }
 
         /* restart the whole join process */
         register_fsa_error_adv(C_FSA_INTERNAL, I_ELECTION_DC, NULL, NULL,
                                __func__);
 
     } else if (!AM_I_DC) {
         crm_debug("Sync'ed CIB for join-%d but no longer DC", current_join_id);
 
     } else if (controld_globals.fsa_state != S_FINALIZE_JOIN) {
         crm_debug("Sync'ed CIB for join-%d but no longer in S_FINALIZE_JOIN "
                   "(%s)", current_join_id,
                   fsa_state2string(controld_globals.fsa_state));
 
     } else {
         controld_set_fsa_input_flags(R_HAVE_CIB);
 
         /* make sure dc_uuid is re-set to us */
         if (!check_join_state(controld_globals.fsa_state, __func__)) {
             int count_finalizable = 0;
 
             count_finalizable = crmd_join_phase_count(controld_join_integrated)
                                 + crmd_join_phase_count(controld_join_nack);
 
             crm_debug("Notifying %d node%s of join-%d results",
                       count_finalizable, pcmk__plural_s(count_finalizable),
                       current_join_id);
             g_hash_table_foreach(pcmk__peer_cache, finalize_join_for, NULL);
         }
     }
 }
 
 static void
 join_node_state_commit_callback(xmlNode *msg, int call_id, int rc,
                                 xmlNode *output, void *user_data)
 {
     const char *node = user_data;
 
     if (rc != pcmk_ok) {
         fsa_data_t *msg_data = NULL;    // for register_fsa_error() macro
 
         crm_crit("join-%d node history update (via CIB call %d) for node %s "
                  "failed: %s",
                  current_join_id, call_id, node, pcmk_strerror(rc));
         crm_log_xml_debug(msg, "failed");
         register_fsa_error(C_FSA_INTERNAL, I_ERROR, NULL);
     }
 
     crm_debug("join-%d node history update (via CIB call %d) for node %s "
               "complete",
               current_join_id, call_id, node);
     check_join_state(controld_globals.fsa_state, __func__);
 }
 
 /*	A_DC_JOIN_PROCESS_ACK	*/
 void
 do_dc_join_ack(long long action,
                enum crmd_fsa_cause cause,
                enum crmd_fsa_state cur_state,
                enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     int join_id = -1;
     ha_msg_input_t *join_ack = fsa_typed_data(fsa_dt_ha_msg);
 
     const char *op = crm_element_value(join_ack->msg, PCMK__XA_CRM_TASK);
     char *join_from = crm_element_value_copy(join_ack->msg, PCMK__XA_SRC);
     pcmk__node_status_t *peer = NULL;
     enum controld_join_phase phase = controld_join_none;
 
     enum controld_section_e section = controld_section_lrm;
     char *xpath = NULL;
     xmlNode *state = join_ack->xml;
     xmlNode *execd_state = NULL;
 
     cib_t *cib = controld_globals.cib_conn;
     int rc = pcmk_ok;
 
     // Sanity checks
     if (join_from == NULL) {
         crm_warn("Ignoring message received without node identification");
         goto done;
     }
     if (op == NULL) {
         crm_warn("Ignoring message received from %s without task", join_from);
         goto done;
     }
 
     if (strcmp(op, CRM_OP_JOIN_CONFIRM)) {
         crm_debug("Ignoring '%s' message from %s while waiting for '%s'",
                   op, join_from, CRM_OP_JOIN_CONFIRM);
         goto done;
     }
 
     if (crm_element_value_int(join_ack->msg, PCMK__XA_JOIN_ID, &join_id) != 0) {
         crm_warn("Ignoring join confirmation from %s without valid join ID",
                  join_from);
         goto done;
     }
 
     peer = pcmk__get_node(0, join_from, NULL, pcmk__node_search_cluster_member);
     phase = controld_get_join_phase(peer);
     if (phase != controld_join_finalized) {
         crm_info("Ignoring out-of-sequence join-%d confirmation from %s "
                  "(currently %s not %s)",
                  join_id, join_from, join_phase_text(phase),
                  join_phase_text(controld_join_finalized));
         goto done;
     }
 
     if (join_id != current_join_id) {
         crm_err("Rejecting join-%d confirmation from %s "
                 "because currently on join-%d",
                 join_id, join_from, current_join_id);
         crm_update_peer_join(__func__, peer, controld_join_nack);
         goto done;
     }
 
     crm_update_peer_join(__func__, peer, controld_join_confirmed);
 
     /* Update CIB with node's current executor state. A new transition will be
      * triggered later, when the CIB manager notifies us of the change.
      *
      * The delete and modify requests are part of an atomic transaction.
      */
     rc = cib->cmds->init_transaction(cib);
     if (rc != pcmk_ok) {
         goto done;
     }
 
     // Delete relevant parts of node's current executor state from CIB
     if (pcmk_is_set(controld_globals.flags, controld_shutdown_lock_enabled)) {
         section = controld_section_lrm_unlocked;
     }
     controld_node_state_deletion_strings(join_from, section, &xpath, NULL);
 
     rc = cib->cmds->remove(cib, xpath, NULL,
                            cib_xpath|cib_multiple|cib_transaction);
     if (rc != pcmk_ok) {
         goto done;
     }
 
     // Update CIB with node's latest known executor state
     if (controld_is_local_node(join_from)) {
 
         // Use the latest possible state if processing our own join ack
         execd_state = controld_query_executor_state();
 
         if (execd_state != NULL) {
             crm_debug("Updating local node history for join-%d from query "
                       "result",
                       current_join_id);
             state = execd_state;
 
         } else {
             crm_warn("Updating local node history from join-%d confirmation "
                      "because query failed",
                      current_join_id);
         }
 
     } else {
         crm_debug("Updating node history for %s from join-%d confirmation",
                   join_from, current_join_id);
     }
 
     rc = cib->cmds->modify(cib, PCMK_XE_STATUS, state,
                            cib_can_create|cib_transaction);
     pcmk__xml_free(execd_state);
     if (rc != pcmk_ok) {
         goto done;
     }
 
     // Commit the transaction
     rc = cib->cmds->end_transaction(cib, true, cib_none);
     fsa_register_cib_callback(rc, join_from, join_node_state_commit_callback);
 
     if (rc > 0) {
         // join_from will be freed after callback
         join_from = NULL;
         rc = pcmk_ok;
     }
 
 done:
     if (rc != pcmk_ok) {
         crm_crit("join-%d node history update for node %s failed: %s",
                  current_join_id, join_from, pcmk_strerror(rc));
         register_fsa_error(C_FSA_INTERNAL, I_ERROR, NULL);
     }
     free(join_from);
     free(xpath);
 }
 
 void
 finalize_join_for(gpointer key, gpointer value, gpointer user_data)
 {
     xmlNode *acknak = NULL;
     xmlNode *tmp1 = NULL;
     pcmk__node_status_t *join_node = value;
     const char *join_to = join_node->name;
     enum controld_join_phase phase = controld_get_join_phase(join_node);
     bool integrated = false;
 
     switch (phase) {
         case controld_join_integrated:
             integrated = true;
             break;
         case controld_join_nack:
             break;
         default:
             crm_trace("Not updating non-integrated and non-nacked node %s (%s) "
                       "for join-%d",
                       join_to, join_phase_text(phase), current_join_id);
             return;
     }
 
     /* Update the <node> element with the node's name and UUID, in case they
      * weren't known before
      */
     crm_trace("Updating node name and UUID in CIB for %s", join_to);
     tmp1 = pcmk__xe_create(NULL, PCMK_XE_NODE);
     crm_xml_add(tmp1, PCMK_XA_ID, pcmk__cluster_node_uuid(join_node));
     crm_xml_add(tmp1, PCMK_XA_UNAME, join_to);
     fsa_cib_anon_update(PCMK_XE_NODES, tmp1);
     pcmk__xml_free(tmp1);
 
     join_node = pcmk__get_node(0, join_to, NULL,
                                pcmk__node_search_cluster_member);
     if (!pcmk__cluster_is_node_active(join_node)) {
         /*
          * NACK'ing nodes that the membership layer doesn't know about yet
          * simply creates more churn
          *
          * Better to leave them waiting and let the join restart when
          * the new membership event comes in
          *
          * All other NACKs (due to versions etc) should still be processed
          */
         pcmk__update_peer_expected(__func__, join_node, CRMD_JOINSTATE_PENDING);
         return;
     }
 
     // Acknowledge or nack node's join request
     crm_debug("%sing join-%d request from %s",
               integrated? "Acknowledg" : "Nack", current_join_id, join_to);
     acknak = create_dc_message(CRM_OP_JOIN_ACKNAK, join_to);
     pcmk__xe_set_bool_attr(acknak, CRM_OP_JOIN_ACKNAK, integrated);
 
     if (integrated) {
         // No change needed for a nacked node
         crm_update_peer_join(__func__, join_node, controld_join_finalized);
         pcmk__update_peer_expected(__func__, join_node, CRMD_JOINSTATE_MEMBER);
 
         /* Iterate through the remote peer cache and add information on which
          * node hosts each to the ACK message.  This keeps new controllers in
          * sync with what has already happened.
          */
         if (pcmk__cluster_num_remote_nodes() > 0) {
             GHashTableIter iter;
             pcmk__node_status_t *node = NULL;
             xmlNode *remotes = pcmk__xe_create(acknak, PCMK_XE_NODES);
 
             g_hash_table_iter_init(&iter, pcmk__remote_peer_cache);
             while (g_hash_table_iter_next(&iter, NULL, (gpointer *) &node)) {
                 xmlNode *remote = NULL;
 
                 if (!node->conn_host) {
                     continue;
                 }
 
                 remote = pcmk__xe_create(remotes, PCMK_XE_NODE);
                 pcmk__xe_set_props(remote,
                                    PCMK_XA_ID, node->name,
                                    PCMK__XA_NODE_STATE, node->state,
                                    PCMK__XA_CONNECTION_HOST, node->conn_host,
                                    NULL);
             }
         }
     }
     pcmk__cluster_send_message(join_node, pcmk_ipc_controld, acknak);
     pcmk__xml_free(acknak);
     return;
 }
 
 gboolean
 check_join_state(enum crmd_fsa_state cur_state, const char *source)
 {
     static unsigned long long highest_seq = 0;
 
     if (controld_globals.membership_id != controld_globals.peer_seq) {
         crm_debug("join-%d: Membership changed from %llu to %llu "
                   QB_XS " highest=%llu state=%s for=%s",
                   current_join_id, controld_globals.membership_id,
                   controld_globals.peer_seq, highest_seq,
                   fsa_state2string(cur_state), source);
         if (highest_seq < controld_globals.peer_seq) {
             /* Don't spam the FSA with duplicates */
             highest_seq = controld_globals.peer_seq;
             register_fsa_input_before(C_FSA_INTERNAL, I_NODE_JOIN, NULL);
         }
 
     } else if (cur_state == S_INTEGRATION) {
         if (crmd_join_phase_count(controld_join_welcomed) == 0) {
             int count = crmd_join_phase_count(controld_join_integrated);
 
             crm_debug("join-%d: Integration of %d peer%s complete "
                       QB_XS " state=%s for=%s",
                       current_join_id, count, pcmk__plural_s(count),
                       fsa_state2string(cur_state), source);
             register_fsa_input_before(C_FSA_INTERNAL, I_INTEGRATED, NULL);
             return TRUE;
         }
 
     } else if (cur_state == S_FINALIZE_JOIN) {
         if (!pcmk_is_set(controld_globals.fsa_input_register, R_HAVE_CIB)) {
             crm_debug("join-%d: Delaying finalization until we have CIB "
                       QB_XS " state=%s for=%s",
                       current_join_id, fsa_state2string(cur_state), source);
             return TRUE;
 
         } else if (crmd_join_phase_count(controld_join_welcomed) != 0) {
             int count = crmd_join_phase_count(controld_join_welcomed);
 
             crm_debug("join-%d: Still waiting on %d welcomed node%s "
                       QB_XS " state=%s for=%s",
                       current_join_id, count, pcmk__plural_s(count),
                       fsa_state2string(cur_state), source);
             crmd_join_phase_log(LOG_DEBUG);
 
         } else if (crmd_join_phase_count(controld_join_integrated) != 0) {
             int count = crmd_join_phase_count(controld_join_integrated);
 
             crm_debug("join-%d: Still waiting on %d integrated node%s "
                       QB_XS " state=%s for=%s",
                       current_join_id, count, pcmk__plural_s(count),
                       fsa_state2string(cur_state), source);
             crmd_join_phase_log(LOG_DEBUG);
 
         } else if (crmd_join_phase_count(controld_join_finalized) != 0) {
             int count = crmd_join_phase_count(controld_join_finalized);
 
             crm_debug("join-%d: Still waiting on %d finalized node%s "
                       QB_XS " state=%s for=%s",
                       current_join_id, count, pcmk__plural_s(count),
                       fsa_state2string(cur_state), source);
             crmd_join_phase_log(LOG_DEBUG);
 
         } else {
             crm_debug("join-%d: Complete " QB_XS " state=%s for=%s",
                       current_join_id, fsa_state2string(cur_state), source);
             register_fsa_input_later(C_FSA_INTERNAL, I_FINALIZED, NULL);
             return TRUE;
         }
     }
 
     return FALSE;
 }
 
 void
 do_dc_join_final(long long action,
                  enum crmd_fsa_cause cause,
                  enum crmd_fsa_state cur_state,
                  enum crmd_fsa_input current_input, fsa_data_t * msg_data)
 {
     crm_debug("Ensuring DC, quorum and node attributes are up-to-date");
     crm_update_quorum(pcmk__cluster_has_quorum(), TRUE);
 }
 
 int crmd_join_phase_count(enum controld_join_phase phase)
 {
     int count = 0;
     pcmk__node_status_t *peer;
     GHashTableIter iter;
 
     g_hash_table_iter_init(&iter, pcmk__peer_cache);
     while (g_hash_table_iter_next(&iter, NULL, (gpointer *) &peer)) {
         if (controld_get_join_phase(peer) == phase) {
             count++;
         }
     }
     return count;
 }
 
 void crmd_join_phase_log(int level)
 {
     pcmk__node_status_t *peer;
     GHashTableIter iter;
 
     g_hash_table_iter_init(&iter, pcmk__peer_cache);
     while (g_hash_table_iter_next(&iter, NULL, (gpointer *) &peer)) {
         do_crm_log(level, "join-%d: %s=%s", current_join_id, peer->name,
                    join_phase_text(controld_get_join_phase(peer)));
     }
 }
diff --git a/lib/cib/cib_file.c b/lib/cib/cib_file.c
index 5d2832f26b..aca7e495ca 100644
--- a/lib/cib/cib_file.c
+++ b/lib/cib/cib_file.c
@@ -1,1176 +1,1173 @@
 /*
  * Original copyright 2004 International Business Machines
  * Later changes copyright 2008-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU Lesser General Public License
  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 #include <unistd.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdarg.h>
 #include <string.h>
 #include <pwd.h>
 
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <glib.h>
 
 #include <crm/crm.h>
 #include <crm/cib/internal.h>
 #include <crm/common/ipc.h>
 #include <crm/common/xml.h>
 #include <crm/common/xml_internal.h>
 
 #define CIB_SERIES "cib"
 #define CIB_SERIES_MAX 100
 #define CIB_SERIES_BZIP FALSE /* Must be false because archived copies are
                                  created with hard links
                                */
 
 #define CIB_LIVE_NAME CIB_SERIES ".xml"
 
 // key: client ID (const char *) -> value: client (cib_t *)
 static GHashTable *client_table = NULL;
 
 enum cib_file_flags {
     cib_file_flag_dirty = (1 << 0),
     cib_file_flag_live  = (1 << 1),
 };
 
 typedef struct cib_file_opaque_s {
     char *id;
     char *filename;
     uint32_t flags; // Group of enum cib_file_flags
     xmlNode *cib_xml;
 } cib_file_opaque_t;
 
 static int cib_file_process_commit_transaction(const char *op, int options,
                                                const char *section,
                                                xmlNode *req, xmlNode *input,
                                                xmlNode *existing_cib,
                                                xmlNode **result_cib,
                                                xmlNode **answer);
 
 /*!
  * \internal
  * \brief Add a CIB file client to client table
  *
  * \param[in] cib  CIB client
  */
 static void
 register_client(const cib_t *cib)
 {
     cib_file_opaque_t *private = cib->variant_opaque;
 
     if (client_table == NULL) {
         client_table = pcmk__strkey_table(NULL, NULL);
     }
     g_hash_table_insert(client_table, private->id, (gpointer) cib);
 }
 
 /*!
  * \internal
  * \brief Remove a CIB file client from client table
  *
  * \param[in] cib  CIB client
  */
 static void
 unregister_client(const cib_t *cib)
 {
     cib_file_opaque_t *private = cib->variant_opaque;
 
     if (client_table == NULL) {
         return;
     }
 
     g_hash_table_remove(client_table, private->id);
 
     /* @COMPAT: Add to crm_exit() when libcib and libcrmcommon are merged,
      * instead of destroying the client table when there are no more clients.
      */
     if (g_hash_table_size(client_table) == 0) {
         g_hash_table_destroy(client_table);
         client_table = NULL;
     }
 }
 
 /*!
  * \internal
  * \brief Look up a CIB file client by its ID
  *
  * \param[in] client_id  CIB client ID
  *
  * \return CIB client with matching ID if found, or \p NULL otherwise
  */
 static cib_t *
 get_client(const char *client_id)
 {
     if (client_table == NULL) {
         return NULL;
     }
     return g_hash_table_lookup(client_table, (gpointer) client_id);
 }
 
 static const cib__op_fn_t cib_op_functions[] = {
     [cib__op_apply_patch]      = cib_process_diff,
     [cib__op_bump]             = cib_process_bump,
     [cib__op_commit_transact]  = cib_file_process_commit_transaction,
     [cib__op_create]           = cib_process_create,
     [cib__op_delete]           = cib_process_delete,
     [cib__op_erase]            = cib_process_erase,
     [cib__op_modify]           = cib_process_modify,
     [cib__op_query]            = cib_process_query,
     [cib__op_replace]          = cib_process_replace,
     [cib__op_upgrade]          = cib_process_upgrade,
 };
 
 /* cib_file_backup() and cib_file_write_with_digest() need to chown the
  * written files only in limited circumstances, so these variables allow
  * that to be indicated without affecting external callers
  */
 static uid_t cib_file_owner = 0;
 static uid_t cib_file_group = 0;
 static gboolean cib_do_chown = FALSE;
 
 #define cib_set_file_flags(cibfile, flags_to_set) do {                  \
         (cibfile)->flags = pcmk__set_flags_as(__func__, __LINE__,       \
                                               LOG_TRACE, "CIB file",    \
                                               cibfile->filename,        \
                                               (cibfile)->flags,         \
                                               (flags_to_set),           \
                                               #flags_to_set);           \
     } while (0)
 
 #define cib_clear_file_flags(cibfile, flags_to_clear) do {              \
         (cibfile)->flags = pcmk__clear_flags_as(__func__, __LINE__,     \
                                                 LOG_TRACE, "CIB file",  \
                                                 cibfile->filename,      \
                                                 (cibfile)->flags,       \
                                                 (flags_to_clear),       \
                                                 #flags_to_clear);       \
     } while (0)
 
 /*!
  * \internal
  * \brief Get the function that performs a given CIB file operation
  *
  * \param[in] operation  Operation whose function to look up
  *
  * \return Function that performs \p operation for a CIB file client
  */
 static cib__op_fn_t
 file_get_op_function(const cib__operation_t *operation)
 {
     enum cib__op_type type = operation->type;
 
     CRM_ASSERT(type >= 0);
 
     if (type >= PCMK__NELEM(cib_op_functions)) {
         return NULL;
     }
     return cib_op_functions[type];
 }
 
 /*!
  * \internal
  * \brief Check whether a file is the live CIB
  *
  * \param[in] filename Name of file to check
  *
  * \return TRUE if file exists and its real path is same as live CIB's
  */
 static gboolean
 cib_file_is_live(const char *filename)
 {
     gboolean same = FALSE;
 
     if (filename != NULL) {
         // Canonicalize file names for true comparison
         char *real_filename = NULL;
 
         if (pcmk__real_path(filename, &real_filename) == pcmk_rc_ok) {
             char *real_livename = NULL;
 
             if (pcmk__real_path(CRM_CONFIG_DIR "/" CIB_LIVE_NAME,
                                 &real_livename) == pcmk_rc_ok) {
                 same = !strcmp(real_filename, real_livename);
                 free(real_livename);
             }
             free(real_filename);
         }
     }
     return same;
 }
 
 static int
 cib_file_process_request(cib_t *cib, xmlNode *request, xmlNode **output)
 {
     int rc = pcmk_ok;
     const cib__operation_t *operation = NULL;
     cib__op_fn_t op_function = NULL;
 
     int call_id = 0;
     int call_options = cib_none;
     const char *op = crm_element_value(request, PCMK__XA_CIB_OP);
     const char *section = crm_element_value(request, PCMK__XA_CIB_SECTION);
     xmlNode *wrapper = pcmk__xe_first_child(request, PCMK__XE_CIB_CALLDATA,
                                             NULL, NULL);
     xmlNode *data = pcmk__xe_first_child(wrapper, NULL, NULL, NULL);
 
     bool changed = false;
     bool read_only = false;
     xmlNode *result_cib = NULL;
     xmlNode *cib_diff = NULL;
 
     cib_file_opaque_t *private = cib->variant_opaque;
 
     // We error checked these in callers
     cib__get_operation(op, &operation);
     op_function = file_get_op_function(operation);
 
     crm_element_value_int(request, PCMK__XA_CIB_CALLID, &call_id);
     crm_element_value_int(request, PCMK__XA_CIB_CALLOPT, &call_options);
 
     read_only = !pcmk_is_set(operation->flags, cib__op_attr_modifies);
 
     // Mirror the logic in prepare_input() in the CIB manager
     if ((section != NULL) && pcmk__xe_is(data, PCMK_XE_CIB)) {
 
         data = pcmk_find_cib_element(data, section);
     }
 
     rc = cib_perform_op(cib, op, call_options, op_function, read_only, section,
                         request, data, true, &changed, &private->cib_xml,
                         &result_cib, &cib_diff, output);
 
     if (pcmk_is_set(call_options, cib_transaction)) {
         /* The rest of the logic applies only to the transaction as a whole, not
          * to individual requests.
          */
         goto done;
     }
 
     if (rc == -pcmk_err_schema_validation) {
         // Show validation errors to stderr
         pcmk__validate_xml(result_cib, NULL, NULL, NULL);
 
     } else if ((rc == pcmk_ok) && !read_only) {
         pcmk__log_xml_patchset(LOG_DEBUG, cib_diff);
 
         if (result_cib != private->cib_xml) {
             pcmk__xml_free(private->cib_xml);
             private->cib_xml = result_cib;
         }
         cib_set_file_flags(private, cib_file_flag_dirty);
     }
 
 done:
     if ((result_cib != private->cib_xml) && (result_cib != *output)) {
         pcmk__xml_free(result_cib);
     }
     pcmk__xml_free(cib_diff);
     return rc;
 }
 
 static int
 cib_file_perform_op_delegate(cib_t *cib, const char *op, const char *host,
                              const char *section, xmlNode *data,
                              xmlNode **output_data, int call_options,
                              const char *user_name)
 {
     int rc = pcmk_ok;
     xmlNode *request = NULL;
     xmlNode *output = NULL;
     cib_file_opaque_t *private = cib->variant_opaque;
 
     const cib__operation_t *operation = NULL;
 
     crm_info("Handling %s operation for %s as %s",
              pcmk__s(op, "invalid"), pcmk__s(section, "entire CIB"),
              pcmk__s(user_name, "default user"));
 
     if (output_data != NULL) {
         *output_data = NULL;
     }
 
     if (cib->state == cib_disconnected) {
         return -ENOTCONN;
     }
 
     rc = cib__get_operation(op, &operation);
     rc = pcmk_rc2legacy(rc);
     if (rc != pcmk_ok) {
         // @COMPAT: At compatibility break, use rc directly
         return -EPROTONOSUPPORT;
     }
 
     if (file_get_op_function(operation) == NULL) {
         // @COMPAT: At compatibility break, use EOPNOTSUPP
         crm_err("Operation %s is not supported by CIB file clients", op);
         return -EPROTONOSUPPORT;
     }
 
     cib__set_call_options(call_options, "file operation", cib_no_mtime);
 
     rc = cib__create_op(cib, op, host, section, data, call_options, user_name,
                         NULL, &request);
     if (rc != pcmk_ok) {
         return rc;
     }
     crm_xml_add(request, PCMK__XA_ACL_TARGET, user_name);
     crm_xml_add(request, PCMK__XA_CIB_CLIENTID, private->id);
 
     if (pcmk_is_set(call_options, cib_transaction)) {
         rc = cib__extend_transaction(cib, request);
         goto done;
     }
 
     rc = cib_file_process_request(cib, request, &output);
 
     if ((output_data != NULL) && (output != NULL)) {
         if (output->doc == private->cib_xml->doc) {
             *output_data = pcmk__xml_copy(NULL, output);
         } else {
             *output_data = output;
         }
     }
 
 done:
     if ((output != NULL)
         && (output->doc != private->cib_xml->doc)
         && ((output_data == NULL) || (output != *output_data))) {
 
         pcmk__xml_free(output);
     }
     pcmk__xml_free(request);
     return rc;
 }
 
 /*!
  * \internal
  * \brief Read CIB from disk and validate it against XML schema
  *
  * \param[in]   filename  Name of file to read CIB from
  * \param[out]  output    Where to store the read CIB XML
  *
  * \return pcmk_ok on success,
  *         -ENXIO if file does not exist (or stat() otherwise fails), or
  *         -pcmk_err_schema_validation if XML doesn't parse or validate
  * \note If filename is the live CIB, this will *not* verify its digest,
  *       though that functionality would be trivial to add here.
  *       Also, this will *not* verify that the file is writable,
  *       because some callers might not need to write.
  */
 static int
 load_file_cib(const char *filename, xmlNode **output)
 {
     struct stat buf;
     xmlNode *root = NULL;
 
     /* Ensure file is readable */
     if (strcmp(filename, "-") && (stat(filename, &buf) < 0)) {
         return -ENXIO;
     }
 
     /* Parse XML from file */
     root = pcmk__xml_read(filename);
     if (root == NULL) {
         return -pcmk_err_schema_validation;
     }
 
     /* Add a status section if not already present */
     if (pcmk__xe_first_child(root, PCMK_XE_STATUS, NULL, NULL) == NULL) {
         pcmk__xe_create(root, PCMK_XE_STATUS);
     }
 
     /* Validate XML against its specified schema */
     if (!pcmk__configured_schema_validates(root)) {
-        const char *schema = crm_element_value(root, PCMK_XA_VALIDATE_WITH);
-
-        crm_err("CIB does not validate against %s, or that schema is unknown", schema);
         pcmk__xml_free(root);
         return -pcmk_err_schema_validation;
     }
 
     /* Remember the parsed XML for later use */
     *output = root;
     return pcmk_ok;
 }
 
 static int
 cib_file_signon(cib_t *cib, const char *name, enum cib_conn_type type)
 {
     int rc = pcmk_ok;
     cib_file_opaque_t *private = cib->variant_opaque;
 
     if (private->filename == NULL) {
         rc = -EINVAL;
     } else {
         rc = load_file_cib(private->filename, &private->cib_xml);
     }
 
     if (rc == pcmk_ok) {
         crm_debug("Opened connection to local file '%s' for %s",
                   private->filename, pcmk__s(name, "client"));
         cib->state = cib_connected_command;
         cib->type = cib_command;
         register_client(cib);
 
     } else {
         crm_info("Connection to local file '%s' for %s (client %s) failed: %s",
                  private->filename, pcmk__s(name, "client"), private->id,
                  pcmk_strerror(rc));
     }
     return rc;
 }
 
 /*!
  * \internal
  * \brief Write out the in-memory CIB to a live CIB file
  *
  * \param[in]     cib_root  Root of XML tree to write
  * \param[in,out] path      Full path to file to write
  *
  * \return 0 on success, -1 on failure
  */
 static int
 cib_file_write_live(xmlNode *cib_root, char *path)
 {
     uid_t uid = geteuid();
     struct passwd *daemon_pwent;
     char *sep = strrchr(path, '/');
     const char *cib_dirname, *cib_filename;
     int rc = 0;
 
     /* Get the desired uid/gid */
     errno = 0;
     daemon_pwent = getpwnam(CRM_DAEMON_USER);
     if (daemon_pwent == NULL) {
         crm_perror(LOG_ERR, "Could not find %s user", CRM_DAEMON_USER);
         return -1;
     }
 
     /* If we're root, we can change the ownership;
      * if we're daemon, anything we create will be OK;
      * otherwise, block access so we don't create wrong owner
      */
     if ((uid != 0) && (uid != daemon_pwent->pw_uid)) {
         crm_perror(LOG_ERR, "Must be root or %s to modify live CIB",
                    CRM_DAEMON_USER);
         return 0;
     }
 
     /* fancy footwork to separate dirname from filename
      * (we know the canonical name maps to the live CIB,
      * but the given name might be relative, or symlinked)
      */
     if (sep == NULL) { /* no directory component specified */
         cib_dirname = "./";
         cib_filename = path;
     } else if (sep == path) { /* given name is in / */
         cib_dirname = "/";
         cib_filename = path + 1;
     } else { /* typical case; split given name into parts */
         *sep = '\0';
         cib_dirname = path;
         cib_filename = sep + 1;
     }
 
     /* if we're root, we want to update the file ownership */
     if (uid == 0) {
         cib_file_owner = daemon_pwent->pw_uid;
         cib_file_group = daemon_pwent->pw_gid;
         cib_do_chown = TRUE;
     }
 
     /* write the file */
     if (cib_file_write_with_digest(cib_root, cib_dirname,
                                    cib_filename) != pcmk_ok) {
         rc = -1;
     }
 
     /* turn off file ownership changes, for other callers */
     if (uid == 0) {
         cib_do_chown = FALSE;
     }
 
     /* undo fancy stuff */
     if ((sep != NULL) && (*sep == '\0')) {
         *sep = '/';
     }
 
     return rc;
 }
 
 /*!
  * \internal
  * \brief Sign-off method for CIB file variants
  *
  * This will write the file to disk if needed, and free the in-memory CIB. If
  * the file is the live CIB, it will compute and write a signature as well.
  *
  * \param[in,out] cib  CIB object to sign off
  *
  * \return pcmk_ok on success, pcmk_err_generic on failure
  * \todo This method should refuse to write the live CIB if the CIB manager is
  *       running.
  */
 static int
 cib_file_signoff(cib_t *cib)
 {
     int rc = pcmk_ok;
     cib_file_opaque_t *private = cib->variant_opaque;
 
     crm_debug("Disconnecting from the CIB manager");
     cib->state = cib_disconnected;
     cib->type = cib_no_connection;
     unregister_client(cib);
     cib->cmds->end_transaction(cib, false, cib_none);
 
     /* If the in-memory CIB has been changed, write it to disk */
     if (pcmk_is_set(private->flags, cib_file_flag_dirty)) {
 
         /* If this is the live CIB, write it out with a digest */
         if (pcmk_is_set(private->flags, cib_file_flag_live)) {
             if (cib_file_write_live(private->cib_xml, private->filename) < 0) {
                 rc = pcmk_err_generic;
             }
 
         /* Otherwise, it's a simple write */
         } else {
             bool compress = pcmk__ends_with_ext(private->filename, ".bz2");
 
             if (pcmk__xml_write_file(private->cib_xml, private->filename,
                                      compress) != pcmk_rc_ok) {
                 rc = pcmk_err_generic;
             }
         }
 
         if (rc == pcmk_ok) {
             crm_info("Wrote CIB to %s", private->filename);
             cib_clear_file_flags(private, cib_file_flag_dirty);
         } else {
             crm_err("Could not write CIB to %s", private->filename);
         }
     }
 
     /* Free the in-memory CIB */
     pcmk__xml_free(private->cib_xml);
     private->cib_xml = NULL;
     return rc;
 }
 
 static int
 cib_file_free(cib_t *cib)
 {
     int rc = pcmk_ok;
 
     if (cib->state != cib_disconnected) {
         rc = cib_file_signoff(cib);
     }
 
     if (rc == pcmk_ok) {
         cib_file_opaque_t *private = cib->variant_opaque;
 
         free(private->id);
         free(private->filename);
         free(private);
         free(cib->cmds);
         free(cib->user);
         free(cib);
 
     } else {
         fprintf(stderr, "Couldn't sign off: %d\n", rc);
     }
 
     return rc;
 }
 
 static int
 cib_file_register_notification(cib_t *cib, const char *callback, int enabled)
 {
     return -EPROTONOSUPPORT;
 }
 
 static int
 cib_file_set_connection_dnotify(cib_t *cib,
                                 void (*dnotify) (gpointer user_data))
 {
     return -EPROTONOSUPPORT;
 }
 
 /*!
  * \internal
  * \brief Get the given CIB connection's unique client identifier
  *
  * \param[in]  cib       CIB connection
  * \param[out] async_id  If not \p NULL, where to store asynchronous client ID
  * \param[out] sync_id   If not \p NULL, where to store synchronous client ID
  *
  * \return Legacy Pacemaker return code
  *
  * \note This is the \p cib_file variant implementation of
  *       \p cib_api_operations_t:client_id().
  */
 static int
 cib_file_client_id(const cib_t *cib, const char **async_id,
                    const char **sync_id)
 {
     cib_file_opaque_t *private = cib->variant_opaque;
 
     if (async_id != NULL) {
         *async_id = private->id;
     }
     if (sync_id != NULL) {
         *sync_id = private->id;
     }
     return pcmk_ok;
 }
 
 cib_t *
 cib_file_new(const char *cib_location)
 {
     cib_t *cib = NULL;
     cib_file_opaque_t *private = NULL;
     char *filename = NULL;
 
     if (cib_location == NULL) {
         cib_location = getenv("CIB_file");
         if (cib_location == NULL) {
             return NULL; // Shouldn't be possible if we were called internally
         }
     }
 
     cib = cib_new_variant();
     if (cib == NULL) {
         return NULL;
     }
 
     filename = strdup(cib_location);
     if (filename == NULL) {
         free(cib);
         return NULL;
     }
 
     private = calloc(1, sizeof(cib_file_opaque_t));
     if (private == NULL) {
         free(cib);
         free(filename);
         return NULL;
     }
 
     private->id = crm_generate_uuid();
     private->filename = filename;
 
     cib->variant = cib_file;
     cib->variant_opaque = private;
 
     private->flags = 0;
     if (cib_file_is_live(cib_location)) {
         cib_set_file_flags(private, cib_file_flag_live);
         crm_trace("File %s detected as live CIB", cib_location);
     }
 
     /* assign variant specific ops */
     cib->delegate_fn = cib_file_perform_op_delegate;
     cib->cmds->signon = cib_file_signon;
     cib->cmds->signoff = cib_file_signoff;
     cib->cmds->free = cib_file_free;
     cib->cmds->register_notification = cib_file_register_notification;
     cib->cmds->set_connection_dnotify = cib_file_set_connection_dnotify;
 
     cib->cmds->client_id = cib_file_client_id;
 
     return cib;
 }
 
 /*!
  * \internal
  * \brief Compare the calculated digest of an XML tree against a signature file
  *
  * \param[in] root     Root of XML tree to compare
  * \param[in] sigfile  Name of signature file containing digest to compare
  *
  * \return TRUE if digests match or signature file does not exist, else FALSE
  */
 static gboolean
 cib_file_verify_digest(xmlNode *root, const char *sigfile)
 {
     gboolean passed = FALSE;
     char *expected;
     int rc = pcmk__file_contents(sigfile, &expected);
 
     switch (rc) {
         case pcmk_rc_ok:
             if (expected == NULL) {
                 crm_err("On-disk digest at %s is empty", sigfile);
                 return FALSE;
             }
             break;
         case ENOENT:
             crm_warn("No on-disk digest present at %s", sigfile);
             return TRUE;
         default:
             crm_err("Could not read on-disk digest from %s: %s",
                     sigfile, pcmk_rc_str(rc));
             return FALSE;
     }
     passed = pcmk__verify_digest(root, expected);
     free(expected);
     return passed;
 }
 
 /*!
  * \internal
  * \brief Read an XML tree from a file and verify its digest
  *
  * \param[in]  filename  Name of XML file to read
  * \param[in]  sigfile   Name of signature file containing digest to compare
  * \param[out] root      If non-NULL, will be set to pointer to parsed XML tree
  *
  * \return 0 if file was successfully read, parsed and verified, otherwise:
  *         -errno on stat() failure,
  *         -pcmk_err_cib_corrupt if file size is 0 or XML is not parseable, or
  *         -pcmk_err_cib_modified if digests do not match
  * \note If root is non-NULL, it is the caller's responsibility to free *root on
  *       successful return.
  */
 int
 cib_file_read_and_verify(const char *filename, const char *sigfile, xmlNode **root)
 {
     int s_res;
     struct stat buf;
     char *local_sigfile = NULL;
     xmlNode *local_root = NULL;
 
     CRM_ASSERT(filename != NULL);
     if (root) {
         *root = NULL;
     }
 
     /* Verify that file exists and its size is nonzero */
     s_res = stat(filename, &buf);
     if (s_res < 0) {
         crm_perror(LOG_WARNING, "Could not verify cluster configuration file %s", filename);
         return -errno;
     } else if (buf.st_size == 0) {
         crm_warn("Cluster configuration file %s is corrupt (size is zero)", filename);
         return -pcmk_err_cib_corrupt;
     }
 
     /* Parse XML */
     local_root = pcmk__xml_read(filename);
     if (local_root == NULL) {
         crm_warn("Cluster configuration file %s is corrupt (unparseable as XML)", filename);
         return -pcmk_err_cib_corrupt;
     }
 
     /* If sigfile is not specified, use original file name plus .sig */
     if (sigfile == NULL) {
         sigfile = local_sigfile = crm_strdup_printf("%s.sig", filename);
     }
 
     /* Verify that digests match */
     if (cib_file_verify_digest(local_root, sigfile) == FALSE) {
         free(local_sigfile);
         pcmk__xml_free(local_root);
         return -pcmk_err_cib_modified;
     }
 
     free(local_sigfile);
     if (root) {
         *root = local_root;
     } else {
         pcmk__xml_free(local_root);
     }
     return pcmk_ok;
 }
 
 /*!
  * \internal
  * \brief Back up a CIB
  *
  * \param[in] cib_dirname Directory containing CIB file and backups
  * \param[in] cib_filename Name (relative to cib_dirname) of CIB file to back up
  *
  * \return 0 on success, -1 on error
  */
 static int
 cib_file_backup(const char *cib_dirname, const char *cib_filename)
 {
     int rc = 0;
     unsigned int seq;
     char *cib_path = crm_strdup_printf("%s/%s", cib_dirname, cib_filename);
     char *cib_digest = crm_strdup_printf("%s.sig", cib_path);
     char *backup_path;
     char *backup_digest;
 
     // Determine backup and digest file names
     if (pcmk__read_series_sequence(cib_dirname, CIB_SERIES,
                                    &seq) != pcmk_rc_ok) {
         // @TODO maybe handle errors better ...
         seq = 0;
     }
     backup_path = pcmk__series_filename(cib_dirname, CIB_SERIES, seq,
                                         CIB_SERIES_BZIP);
     backup_digest = crm_strdup_printf("%s.sig", backup_path);
 
     /* Remove the old backups if they exist */
     unlink(backup_path);
     unlink(backup_digest);
 
     /* Back up the CIB, by hard-linking it to the backup name */
     if ((link(cib_path, backup_path) < 0) && (errno != ENOENT)) {
         crm_perror(LOG_ERR, "Could not archive %s by linking to %s",
                    cib_path, backup_path);
         rc = -1;
 
     /* Back up the CIB signature similarly */
     } else if ((link(cib_digest, backup_digest) < 0) && (errno != ENOENT)) {
         crm_perror(LOG_ERR, "Could not archive %s by linking to %s",
                    cib_digest, backup_digest);
         rc = -1;
 
     /* Update the last counter and ensure everything is sync'd to media */
     } else {
         pcmk__write_series_sequence(cib_dirname, CIB_SERIES, ++seq,
                                     CIB_SERIES_MAX);
         if (cib_do_chown) {
             int rc2;
 
             if ((chown(backup_path, cib_file_owner, cib_file_group) < 0)
                     && (errno != ENOENT)) {
                 crm_perror(LOG_ERR, "Could not set owner of %s", backup_path);
                 rc = -1;
             }
             if ((chown(backup_digest, cib_file_owner, cib_file_group) < 0)
                     && (errno != ENOENT)) {
                 crm_perror(LOG_ERR, "Could not set owner of %s", backup_digest);
                 rc = -1;
             }
             rc2 = pcmk__chown_series_sequence(cib_dirname, CIB_SERIES,
                                               cib_file_owner, cib_file_group);
             if (rc2 != pcmk_rc_ok) {
                 crm_err("Could not set owner of sequence file in %s: %s",
                         cib_dirname, pcmk_rc_str(rc2));
                 rc = -1;
             }
         }
         pcmk__sync_directory(cib_dirname);
         crm_info("Archived previous version as %s", backup_path);
     }
 
     free(cib_path);
     free(cib_digest);
     free(backup_path);
     free(backup_digest);
     return rc;
 }
 
 /*!
  * \internal
  * \brief Prepare CIB XML to be written to disk
  *
  * Set \c PCMK_XA_NUM_UPDATES to 0, set \c PCMK_XA_CIB_LAST_WRITTEN to the
  * current timestamp, and strip out the status section.
  *
  * \param[in,out] root  Root of CIB XML tree
  *
  * \return void
  */
 static void
 cib_file_prepare_xml(xmlNode *root)
 {
     xmlNode *cib_status_root = NULL;
 
     /* Always write out with num_updates=0 and current last-written timestamp */
     crm_xml_add(root, PCMK_XA_NUM_UPDATES, "0");
     pcmk__xe_add_last_written(root);
 
     /* Delete status section before writing to file, because
      * we discard it on startup anyway, and users get confused by it */
     cib_status_root = pcmk__xe_first_child(root, PCMK_XE_STATUS, NULL, NULL);
     CRM_CHECK(cib_status_root != NULL, return);
     pcmk__xml_free(cib_status_root);
 }
 
 /*!
  * \internal
  * \brief Write CIB to disk, along with a signature file containing its digest
  *
  * \param[in,out] cib_root      Root of XML tree to write
  * \param[in]     cib_dirname   Directory containing CIB and signature files
  * \param[in]     cib_filename  Name (relative to cib_dirname) of file to write
  *
  * \return pcmk_ok on success,
  *         pcmk_err_cib_modified if existing cib_filename doesn't match digest,
  *         pcmk_err_cib_backup if existing cib_filename couldn't be backed up,
  *         or pcmk_err_cib_save if new cib_filename couldn't be saved
  */
 int
 cib_file_write_with_digest(xmlNode *cib_root, const char *cib_dirname,
                            const char *cib_filename)
 {
     int exit_rc = pcmk_ok;
     int rc, fd;
     char *digest = NULL;
 
     /* Detect CIB version for diagnostic purposes */
     const char *epoch = crm_element_value(cib_root, PCMK_XA_EPOCH);
     const char *admin_epoch = crm_element_value(cib_root, PCMK_XA_ADMIN_EPOCH);
 
     /* Determine full CIB and signature pathnames */
     char *cib_path = crm_strdup_printf("%s/%s", cib_dirname, cib_filename);
     char *digest_path = crm_strdup_printf("%s.sig", cib_path);
 
     /* Create temporary file name patterns for writing out CIB and signature */
     char *tmp_cib = crm_strdup_printf("%s/cib.XXXXXX", cib_dirname);
     char *tmp_digest = crm_strdup_printf("%s/cib.XXXXXX", cib_dirname);
 
     /* Ensure the admin didn't modify the existing CIB underneath us */
     crm_trace("Reading cluster configuration file %s", cib_path);
     rc = cib_file_read_and_verify(cib_path, NULL, NULL);
     if ((rc != pcmk_ok) && (rc != -ENOENT)) {
         crm_err("%s was manually modified while the cluster was active!",
                 cib_path);
         exit_rc = pcmk_err_cib_modified;
         goto cleanup;
     }
 
     /* Back up the existing CIB */
     if (cib_file_backup(cib_dirname, cib_filename) < 0) {
         exit_rc = pcmk_err_cib_backup;
         goto cleanup;
     }
 
     crm_debug("Writing CIB to disk");
     umask(S_IWGRP | S_IWOTH | S_IROTH);
     cib_file_prepare_xml(cib_root);
 
     /* Write the CIB to a temporary file, so we can deploy (near) atomically */
     fd = mkstemp(tmp_cib);
     if (fd < 0) {
         crm_perror(LOG_ERR, "Couldn't open temporary file %s for writing CIB",
                    tmp_cib);
         exit_rc = pcmk_err_cib_save;
         goto cleanup;
     }
 
     /* Protect the temporary file */
     if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) {
         crm_perror(LOG_ERR, "Couldn't protect temporary file %s for writing CIB",
                    tmp_cib);
         exit_rc = pcmk_err_cib_save;
         goto cleanup;
     }
     if (cib_do_chown && (fchown(fd, cib_file_owner, cib_file_group) < 0)) {
         crm_perror(LOG_ERR, "Couldn't protect temporary file %s for writing CIB",
                    tmp_cib);
         exit_rc = pcmk_err_cib_save;
         goto cleanup;
     }
 
     /* Write out the CIB */
     if (pcmk__xml_write_fd(cib_root, tmp_cib, fd) != pcmk_rc_ok) {
         crm_err("Changes couldn't be written to %s", tmp_cib);
         exit_rc = pcmk_err_cib_save;
         goto cleanup;
     }
 
     /* Calculate CIB digest */
     digest = pcmk__digest_on_disk_cib(cib_root);
     CRM_ASSERT(digest != NULL);
     crm_info("Wrote version %s.%s.0 of the CIB to disk (digest: %s)",
              (admin_epoch ? admin_epoch : "0"), (epoch ? epoch : "0"), digest);
 
     /* Write the CIB digest to a temporary file */
     fd = mkstemp(tmp_digest);
     if (fd < 0) {
         crm_perror(LOG_ERR, "Could not create temporary file for CIB digest");
         exit_rc = pcmk_err_cib_save;
         goto cleanup;
     }
     if (cib_do_chown && (fchown(fd, cib_file_owner, cib_file_group) < 0)) {
         crm_perror(LOG_ERR, "Couldn't protect temporary file %s for writing CIB",
                    tmp_cib);
         exit_rc = pcmk_err_cib_save;
         close(fd);
         goto cleanup;
     }
     rc = pcmk__write_sync(fd, digest);
     if (rc != pcmk_rc_ok) {
         crm_err("Could not write digest to %s: %s",
                 tmp_digest, pcmk_rc_str(rc));
         exit_rc = pcmk_err_cib_save;
         close(fd);
         goto cleanup;
     }
     close(fd);
     crm_debug("Wrote digest %s to disk", digest);
 
     /* Verify that what we wrote is sane */
     crm_info("Reading cluster configuration file %s (digest: %s)",
              tmp_cib, tmp_digest);
     rc = cib_file_read_and_verify(tmp_cib, tmp_digest, NULL);
     CRM_ASSERT(rc == 0);
 
     /* Rename temporary files to live, and sync directory changes to media */
     crm_debug("Activating %s", tmp_cib);
     if (rename(tmp_cib, cib_path) < 0) {
         crm_perror(LOG_ERR, "Couldn't rename %s as %s", tmp_cib, cib_path);
         exit_rc = pcmk_err_cib_save;
     }
     if (rename(tmp_digest, digest_path) < 0) {
         crm_perror(LOG_ERR, "Couldn't rename %s as %s", tmp_digest,
                    digest_path);
         exit_rc = pcmk_err_cib_save;
     }
     pcmk__sync_directory(cib_dirname);
 
   cleanup:
     free(cib_path);
     free(digest_path);
     free(digest);
     free(tmp_digest);
     free(tmp_cib);
     return exit_rc;
 }
 
 /*!
  * \internal
  * \brief Process requests in a CIB transaction
  *
  * Stop when a request fails or when all requests have been processed.
  *
  * \param[in,out] cib          CIB client
  * \param[in,out] transaction  CIB transaction
  *
  * \return Standard Pacemaker return code
  */
 static int
 cib_file_process_transaction_requests(cib_t *cib, xmlNode *transaction)
 {
     cib_file_opaque_t *private = cib->variant_opaque;
 
     for (xmlNode *request = pcmk__xe_first_child(transaction,
                                                  PCMK__XE_CIB_COMMAND, NULL,
                                                  NULL);
          request != NULL; request = pcmk__xe_next_same(request)) {
 
         xmlNode *output = NULL;
         const char *op = crm_element_value(request, PCMK__XA_CIB_OP);
 
         int rc = cib_file_process_request(cib, request, &output);
 
         rc = pcmk_legacy2rc(rc);
         if (rc != pcmk_rc_ok) {
             crm_err("Aborting transaction for CIB file client (%s) on file "
                     "'%s' due to failed %s request: %s",
                     private->id, private->filename, op, pcmk_rc_str(rc));
             crm_log_xml_info(request, "Failed request");
             return rc;
         }
 
         crm_trace("Applied %s request to transaction working CIB for CIB file "
                   "client (%s) on file '%s'",
                   op, private->id, private->filename);
         crm_log_xml_trace(request, "Successful request");
     }
 
     return pcmk_rc_ok;
 }
 
 /*!
  * \internal
  * \brief Commit a given CIB file client's transaction to a working CIB copy
  *
  * \param[in,out] cib          CIB file client
  * \param[in]     transaction  CIB transaction
  * \param[in,out] result_cib   Where to store result CIB
  *
  * \return Standard Pacemaker return code
  *
  * \note The caller is responsible for replacing the \p cib argument's
  *       \p private->cib_xml with \p result_cib on success, and for freeing
  *       \p result_cib using \p pcmk__xml_free() on failure.
  */
 static int
 cib_file_commit_transaction(cib_t *cib, xmlNode *transaction,
                             xmlNode **result_cib)
 {
     int rc = pcmk_rc_ok;
     cib_file_opaque_t *private = cib->variant_opaque;
     xmlNode *saved_cib = private->cib_xml;
 
     CRM_CHECK(pcmk__xe_is(transaction, PCMK__XE_CIB_TRANSACTION),
               return pcmk_rc_no_transaction);
 
     /* *result_cib should be a copy of private->cib_xml (created by
      * cib_perform_op()). If not, make a copy now. Change tracking isn't
      * strictly required here because:
      * * Each request in the transaction will have changes tracked and ACLs
      *   checked if appropriate.
      * * cib_perform_op() will infer changes for the commit request at the end.
      */
     CRM_CHECK((*result_cib != NULL) && (*result_cib != private->cib_xml),
               *result_cib = pcmk__xml_copy(NULL, private->cib_xml));
 
     crm_trace("Committing transaction for CIB file client (%s) on file '%s' to "
               "working CIB",
               private->id, private->filename);
 
     // Apply all changes to a working copy of the CIB
     private->cib_xml = *result_cib;
 
     rc = cib_file_process_transaction_requests(cib, transaction);
 
     crm_trace("Transaction commit %s for CIB file client (%s) on file '%s'",
               ((rc == pcmk_rc_ok)? "succeeded" : "failed"),
               private->id, private->filename);
 
     /* Some request types (for example, erase) may have freed private->cib_xml
      * (the working copy) and pointed it at a new XML object. In that case, it
      * follows that *result_cib (the working copy) was freed.
      *
      * Point *result_cib at the updated working copy stored in private->cib_xml.
      */
     *result_cib = private->cib_xml;
 
     // Point private->cib_xml back to the unchanged original copy
     private->cib_xml = saved_cib;
 
     return rc;
 }
 
 static int
 cib_file_process_commit_transaction(const char *op, int options,
                                     const char *section, xmlNode *req,
                                     xmlNode *input, xmlNode *existing_cib,
                                     xmlNode **result_cib, xmlNode **answer)
 {
     int rc = pcmk_rc_ok;
     const char *client_id = crm_element_value(req, PCMK__XA_CIB_CLIENTID);
     cib_t *cib = NULL;
 
     CRM_CHECK(client_id != NULL, return -EINVAL);
 
     cib = get_client(client_id);
     CRM_CHECK(cib != NULL, return -EINVAL);
 
     rc = cib_file_commit_transaction(cib, input, result_cib);
     if (rc != pcmk_rc_ok) {
         cib_file_opaque_t *private = cib->variant_opaque;
 
         crm_err("Could not commit transaction for CIB file client (%s) on "
                 "file '%s': %s",
                 private->id, private->filename, pcmk_rc_str(rc));
     }
     return pcmk_rc2legacy(rc);
 }
diff --git a/lib/cib/cib_utils.c b/lib/cib/cib_utils.c
index 9f54b9b58b..519dbfba27 100644
--- a/lib/cib/cib_utils.c
+++ b/lib/cib/cib_utils.c
@@ -1,934 +1,933 @@
 /*
  * Original copyright 2004 International Business Machines
  * Later changes copyright 2008-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU Lesser General Public License
  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
  */
 #include <crm_internal.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <stdarg.h>
 #include <string.h>
 #include <sys/utsname.h>
 
 #include <glib.h>
 
 #include <crm/crm.h>
 #include <crm/cib/internal.h>
 #include <crm/common/cib_internal.h>
 #include <crm/common/xml.h>
 #include <crm/common/xml_internal.h>
 #include <crm/pengine/rules.h>
 
 gboolean
 cib_version_details(xmlNode * cib, int *admin_epoch, int *epoch, int *updates)
 {
     *epoch = -1;
     *updates = -1;
     *admin_epoch = -1;
 
     if (cib == NULL) {
         return FALSE;
 
     } else {
         crm_element_value_int(cib, PCMK_XA_EPOCH, epoch);
         crm_element_value_int(cib, PCMK_XA_NUM_UPDATES, updates);
         crm_element_value_int(cib, PCMK_XA_ADMIN_EPOCH, admin_epoch);
     }
     return TRUE;
 }
 
 gboolean
 cib_diff_version_details(xmlNode * diff, int *admin_epoch, int *epoch, int *updates,
                          int *_admin_epoch, int *_epoch, int *_updates)
 {
     int add[] = { 0, 0, 0 };
     int del[] = { 0, 0, 0 };
 
     xml_patch_versions(diff, add, del);
 
     *admin_epoch = add[0];
     *epoch = add[1];
     *updates = add[2];
 
     *_admin_epoch = del[0];
     *_epoch = del[1];
     *_updates = del[2];
 
     return TRUE;
 }
 
 /*!
  * \internal
  * \brief Get the XML patchset from a CIB diff notification
  *
  * \param[in]  msg       CIB diff notification
  * \param[out] patchset  Where to store XML patchset
  *
  * \return Standard Pacemaker return code
  */
 int
 cib__get_notify_patchset(const xmlNode *msg, const xmlNode **patchset)
 {
     int rc = pcmk_err_generic;
     xmlNode *wrapper = NULL;
 
     CRM_ASSERT(patchset != NULL);
     *patchset = NULL;
 
     if (msg == NULL) {
         crm_err("CIB diff notification received with no XML");
         return ENOMSG;
     }
 
     if ((crm_element_value_int(msg, PCMK__XA_CIB_RC, &rc) != 0)
         || (rc != pcmk_ok)) {
 
         crm_warn("Ignore failed CIB update: %s " QB_XS " rc=%d",
                  pcmk_strerror(rc), rc);
         crm_log_xml_debug(msg, "failed");
         return pcmk_legacy2rc(rc);
     }
 
     wrapper = pcmk__xe_first_child(msg, PCMK__XE_CIB_UPDATE_RESULT, NULL, NULL);
     *patchset = pcmk__xe_first_child(wrapper, NULL, NULL, NULL);
 
     if (*patchset == NULL) {
         crm_err("CIB diff notification received with no patchset");
         return ENOMSG;
     }
     return pcmk_rc_ok;
 }
 
 /*!
  * \brief Create XML for a new (empty) CIB
  *
  * \param[in] cib_epoch  What to use as \c PCMK_XA_EPOCH CIB attribute
  *
  * \return Newly created XML for empty CIB
  *
  * \note It is the caller's responsibility to free the result with
  *       \c pcmk__xml_free().
  */
 xmlNode *
 createEmptyCib(int cib_epoch)
 {
     xmlNode *cib_root = NULL, *config = NULL;
 
     cib_root = pcmk__xe_create(NULL, PCMK_XE_CIB);
     crm_xml_add(cib_root, PCMK_XA_CRM_FEATURE_SET, CRM_FEATURE_SET);
     crm_xml_add(cib_root, PCMK_XA_VALIDATE_WITH, pcmk__highest_schema_name());
 
     crm_xml_add_int(cib_root, PCMK_XA_EPOCH, cib_epoch);
     crm_xml_add_int(cib_root, PCMK_XA_NUM_UPDATES, 0);
     crm_xml_add_int(cib_root, PCMK_XA_ADMIN_EPOCH, 0);
 
     config = pcmk__xe_create(cib_root, PCMK_XE_CONFIGURATION);
     pcmk__xe_create(cib_root, PCMK_XE_STATUS);
 
     pcmk__xe_create(config, PCMK_XE_CRM_CONFIG);
     pcmk__xe_create(config, PCMK_XE_NODES);
     pcmk__xe_create(config, PCMK_XE_RESOURCES);
     pcmk__xe_create(config, PCMK_XE_CONSTRAINTS);
 
 #if PCMK__RESOURCE_STICKINESS_DEFAULT != 0
     {
         xmlNode *rsc_defaults = pcmk__xe_create(config, PCMK_XE_RSC_DEFAULTS);
         xmlNode *meta = pcmk__xe_create(rsc_defaults, PCMK_XE_META_ATTRIBUTES);
         xmlNode *nvpair = pcmk__xe_create(meta, PCMK_XE_NVPAIR);
 
         crm_xml_add(meta, PCMK_XA_ID, "build-resource-defaults");
         crm_xml_add(nvpair, PCMK_XA_ID, "build-" PCMK_META_RESOURCE_STICKINESS);
         crm_xml_add(nvpair, PCMK_XA_NAME, PCMK_META_RESOURCE_STICKINESS);
         crm_xml_add_int(nvpair, PCMK_XA_VALUE,
                         PCMK__RESOURCE_STICKINESS_DEFAULT);
     }
 #endif
     return cib_root;
 }
 
 static bool
 cib_acl_enabled(xmlNode *xml, const char *user)
 {
     bool rc = FALSE;
 
     if(pcmk_acl_required(user)) {
         const char *value = NULL;
         GHashTable *options = pcmk__strkey_table(free, free);
 
         cib_read_config(options, xml);
         value = pcmk__cluster_option(options, PCMK_OPT_ENABLE_ACL);
         rc = crm_is_true(value);
         g_hash_table_destroy(options);
     }
 
     crm_trace("CIB ACL is %s", rc ? "enabled" : "disabled");
     return rc;
 }
 
 /*!
  * \internal
  * \brief Determine whether to perform operations on a scratch copy of the CIB
  *
  * \param[in] op            CIB operation
  * \param[in] section       CIB section
  * \param[in] call_options  CIB call options
  *
  * \return \p true if we should make a copy of the CIB, or \p false otherwise
  */
 static bool
 should_copy_cib(const char *op, const char *section, int call_options)
 {
     if (pcmk_is_set(call_options, cib_dryrun)) {
         // cib_dryrun implies a scratch copy by definition; no side effects
         return true;
     }
 
     if (pcmk__str_eq(op, PCMK__CIB_REQUEST_COMMIT_TRANSACT, pcmk__str_none)) {
         /* Commit-transaction must make a copy for atomicity. We must revert to
          * the original CIB if the entire transaction cannot be applied
          * successfully.
          */
         return true;
     }
 
     if (pcmk_is_set(call_options, cib_transaction)) {
         /* If cib_transaction is set, then we're in the process of committing a
          * transaction. The commit-transaction request already made a scratch
          * copy, and we're accumulating changes in that copy.
          */
         return false;
     }
 
     if (pcmk__str_eq(section, PCMK_XE_STATUS, pcmk__str_none)) {
         /* Copying large CIBs accounts for a huge percentage of our CIB usage,
          * and this avoids some of it.
          *
          * @TODO: Is this safe? See discussion at
          * https://github.com/ClusterLabs/pacemaker/pull/3094#discussion_r1211400690.
          */
         return false;
     }
 
     // Default behavior is to operate on a scratch copy
     return true;
 }
 
 int
 cib_perform_op(cib_t *cib, const char *op, int call_options, cib__op_fn_t fn,
                bool is_query, const char *section, xmlNode *req, xmlNode *input,
                bool manage_counters, bool *config_changed, xmlNode **current_cib,
                xmlNode **result_cib, xmlNode **diff, xmlNode **output)
 {
     int rc = pcmk_ok;
     bool check_schema = true;
     bool make_copy = true;
     xmlNode *top = NULL;
     xmlNode *scratch = NULL;
     xmlNode *patchset_cib = NULL;
     xmlNode *local_diff = NULL;
 
     const char *user = crm_element_value(req, PCMK__XA_CIB_USER);
     bool with_digest = false;
 
     crm_trace("Begin %s%s%s op",
               (pcmk_is_set(call_options, cib_dryrun)? "dry run of " : ""),
               (is_query? "read-only " : ""), op);
 
     CRM_CHECK(output != NULL, return -ENOMSG);
     CRM_CHECK(current_cib != NULL, return -ENOMSG);
     CRM_CHECK(result_cib != NULL, return -ENOMSG);
     CRM_CHECK(config_changed != NULL, return -ENOMSG);
 
     if(output) {
         *output = NULL;
     }
 
     *result_cib = NULL;
     *config_changed = false;
 
     if (fn == NULL) {
         return -EINVAL;
     }
 
     if (is_query) {
         xmlNode *cib_ro = *current_cib;
         xmlNode *cib_filtered = NULL;
 
         if (cib_acl_enabled(cib_ro, user)
             && xml_acl_filtered_copy(user, *current_cib, *current_cib,
                                      &cib_filtered)) {
 
             if (cib_filtered == NULL) {
                 crm_debug("Pre-filtered the entire cib");
                 return -EACCES;
             }
             cib_ro = cib_filtered;
             crm_log_xml_trace(cib_ro, "filtered");
         }
 
         rc = (*fn) (op, call_options, section, req, input, cib_ro, result_cib, output);
 
         if(output == NULL || *output == NULL) {
             /* nothing */
 
         } else if(cib_filtered == *output) {
             cib_filtered = NULL; /* Let them have this copy */
 
         } else if (*output == *current_cib) {
             /* They already know not to free it */
 
         } else if(cib_filtered && (*output)->doc == cib_filtered->doc) {
             /* We're about to free the document of which *output is a part */
             *output = pcmk__xml_copy(NULL, *output);
 
         } else if ((*output)->doc == (*current_cib)->doc) {
             /* Give them a copy they can free */
             *output = pcmk__xml_copy(NULL, *output);
         }
 
         pcmk__xml_free(cib_filtered);
         return rc;
     }
 
     make_copy = should_copy_cib(op, section, call_options);
 
     if (!make_copy) {
         /* Conditional on v2 patch style */
 
         scratch = *current_cib;
 
         // Make a copy of the top-level element to store version details
         top = pcmk__xe_create(NULL, (const char *) scratch->name);
         pcmk__xe_copy_attrs(top, scratch, pcmk__xaf_none);
         patchset_cib = top;
 
         xml_track_changes(scratch, user, NULL, cib_acl_enabled(scratch, user));
         rc = (*fn) (op, call_options, section, req, input, scratch, &scratch, output);
 
         /* If scratch points to a new object now (for example, after an erase
          * operation), then *current_cib should point to the same object.
          */
         *current_cib = scratch;
 
     } else {
         scratch = pcmk__xml_copy(NULL, *current_cib);
         patchset_cib = *current_cib;
 
         xml_track_changes(scratch, user, NULL, cib_acl_enabled(scratch, user));
         rc = (*fn) (op, call_options, section, req, input, *current_cib,
                     &scratch, output);
 
         if ((scratch != NULL) && !xml_tracking_changes(scratch)) {
             crm_trace("Inferring changes after %s op", op);
             xml_track_changes(scratch, user, *current_cib,
                               cib_acl_enabled(*current_cib, user));
             xml_calculate_changes(*current_cib, scratch);
         }
         CRM_CHECK(*current_cib != scratch, return -EINVAL);
     }
 
     xml_acl_disable(scratch); /* Allow the system to make any additional changes */
 
     if (rc == pcmk_ok && scratch == NULL) {
         rc = -EINVAL;
         goto done;
 
     } else if(rc == pcmk_ok && xml_acl_denied(scratch)) {
         crm_trace("ACL rejected part or all of the proposed changes");
         rc = -EACCES;
         goto done;
 
     } else if (rc != pcmk_ok) {
         goto done;
     }
 
     /* If the CIB is from a file, we don't need to check that the feature set is
      * supported.  All we care about in that case is the schema version, which
      * is checked elsewhere.
      */
     if (scratch && (cib == NULL || cib->variant != cib_file)) {
         const char *new_version = crm_element_value(scratch, PCMK_XA_CRM_FEATURE_SET);
 
         rc = pcmk__check_feature_set(new_version);
         if (rc != pcmk_rc_ok) {
             crm_err("Discarding update with feature set '%s' greater than "
                     "our own '%s'", new_version, CRM_FEATURE_SET);
             rc = pcmk_rc2legacy(rc);
             goto done;
         }
     }
 
     if (patchset_cib != NULL) {
         int old = 0;
         int new = 0;
 
         crm_element_value_int(scratch, PCMK_XA_ADMIN_EPOCH, &new);
         crm_element_value_int(patchset_cib, PCMK_XA_ADMIN_EPOCH, &old);
 
         if (old > new) {
             crm_err("%s went backwards: %d -> %d (Opts: %#x)",
                     PCMK_XA_ADMIN_EPOCH, old, new, call_options);
             crm_log_xml_warn(req, "Bad Op");
             crm_log_xml_warn(input, "Bad Data");
             rc = -pcmk_err_old_data;
 
         } else if (old == new) {
             crm_element_value_int(scratch, PCMK_XA_EPOCH, &new);
             crm_element_value_int(patchset_cib, PCMK_XA_EPOCH, &old);
             if (old > new) {
                 crm_err("%s went backwards: %d -> %d (Opts: %#x)",
                         PCMK_XA_EPOCH, old, new, call_options);
                 crm_log_xml_warn(req, "Bad Op");
                 crm_log_xml_warn(input, "Bad Data");
                 rc = -pcmk_err_old_data;
             }
         }
     }
 
     crm_trace("Massaging CIB contents");
     pcmk__strip_xml_text(scratch);
 
     if (make_copy) {
         static time_t expires = 0;
         time_t tm_now = time(NULL);
 
         if (expires < tm_now) {
             expires = tm_now + 60;  /* Validate clients are correctly applying v2-style diffs at most once a minute */
             with_digest = true;
         }
     }
 
     local_diff = xml_create_patchset(0, patchset_cib, scratch,
                                      config_changed, manage_counters);
 
     pcmk__log_xml_changes(LOG_TRACE, scratch);
     xml_accept_changes(scratch);
 
     if(local_diff) {
         patchset_process_digest(local_diff, patchset_cib, scratch, with_digest);
         pcmk__log_xml_patchset(LOG_INFO, local_diff);
         crm_log_xml_trace(local_diff, "raw patch");
     }
 
     if (make_copy && (local_diff != NULL)) {
         // Original to compare against doesn't exist
         pcmk__if_tracing(
             {
                 // Validate the calculated patch set
                 int test_rc = pcmk_ok;
                 int format = 1;
                 xmlNode *cib_copy = pcmk__xml_copy(NULL, patchset_cib);
 
                 crm_element_value_int(local_diff, PCMK_XA_FORMAT, &format);
                 test_rc = xml_apply_patchset(cib_copy, local_diff,
                                              manage_counters);
 
                 if (test_rc != pcmk_ok) {
                     save_xml_to_file(cib_copy, "PatchApply:calculated", NULL);
                     save_xml_to_file(patchset_cib, "PatchApply:input", NULL);
                     save_xml_to_file(scratch, "PatchApply:actual", NULL);
                     save_xml_to_file(local_diff, "PatchApply:diff", NULL);
                     crm_err("v%d patchset error, patch failed to apply: %s "
                             "(%d)",
                             format, pcmk_rc_str(pcmk_legacy2rc(test_rc)),
                             test_rc);
                 }
                 pcmk__xml_free(cib_copy);
             },
             {}
         );
     }
 
     if (pcmk__str_eq(section, PCMK_XE_STATUS, pcmk__str_casei)) {
         /* Throttle the amount of costly validation we perform due to status updates
          * a) we don't really care whats in the status section
          * b) we don't validate any of its contents at the moment anyway
          */
         check_schema = false;
     }
 
     /* === scratch must not be modified after this point ===
      * Exceptions, anything in:
 
      static filter_t filter[] = {
      { 0, PCMK_XA_CRM_DEBUG_ORIGIN },
      { 0, PCMK_XA_CIB_LAST_WRITTEN },
      { 0, PCMK_XA_UPDATE_ORIGIN },
      { 0, PCMK_XA_UPDATE_CLIENT },
      { 0, PCMK_XA_UPDATE_USER },
      };
      */
 
     if (*config_changed && !pcmk_is_set(call_options, cib_no_mtime)) {
         const char *schema = crm_element_value(scratch, PCMK_XA_VALIDATE_WITH);
 
+        if (schema == NULL) {
+            rc = -pcmk_err_cib_corrupt;
+        }
+
         pcmk__xe_add_last_written(scratch);
         pcmk__warn_if_schema_deprecated(schema);
 
         /* Make values of origin, client, and user in scratch match
          * the ones in req (if the schema allows the attributes)
          */
         if (pcmk__cmp_schemas_by_name(schema, "pacemaker-1.2") >= 0) {
             const char *origin = crm_element_value(req, PCMK__XA_SRC);
             const char *client = crm_element_value(req,
                                                    PCMK__XA_CIB_CLIENTNAME);
 
             if (origin != NULL) {
                 crm_xml_add(scratch, PCMK_XA_UPDATE_ORIGIN, origin);
             } else {
                 pcmk__xe_remove_attr(scratch, PCMK_XA_UPDATE_ORIGIN);
             }
 
             if (client != NULL) {
                 crm_xml_add(scratch, PCMK_XA_UPDATE_CLIENT, user);
             } else {
                 pcmk__xe_remove_attr(scratch, PCMK_XA_UPDATE_CLIENT);
             }
 
             if (user != NULL) {
                 crm_xml_add(scratch, PCMK_XA_UPDATE_USER, user);
             } else {
                 pcmk__xe_remove_attr(scratch, PCMK_XA_UPDATE_USER);
             }
         }
     }
 
     crm_trace("Perform validation: %s", pcmk__btoa(check_schema));
     if ((rc == pcmk_ok) && check_schema
         && !pcmk__configured_schema_validates(scratch)) {
-        const char *current_schema = crm_element_value(scratch,
-                                                       PCMK_XA_VALIDATE_WITH);
-
-        crm_warn("Updated CIB does not validate against %s schema",
-                 pcmk__s(current_schema, "unspecified"));
         rc = -pcmk_err_schema_validation;
     }
 
   done:
 
     *result_cib = scratch;
 
     /* @TODO: This may not work correctly with !make_copy, since we don't
      * keep the original CIB.
      */
     if ((rc != pcmk_ok) && cib_acl_enabled(patchset_cib, user)
         && xml_acl_filtered_copy(user, patchset_cib, scratch, result_cib)) {
 
         if (*result_cib == NULL) {
             crm_debug("Pre-filtered the entire cib result");
         }
         pcmk__xml_free(scratch);
     }
 
     if(diff) {
         *diff = local_diff;
     } else {
         pcmk__xml_free(local_diff);
     }
 
     pcmk__xml_free(top);
     crm_trace("Done");
     return rc;
 }
 
 int
 cib__create_op(cib_t *cib, const char *op, const char *host,
                const char *section, xmlNode *data, int call_options,
                const char *user_name, const char *client_name,
                xmlNode **op_msg)
 {
     CRM_CHECK((cib != NULL) && (op_msg != NULL), return -EPROTO);
 
     *op_msg = pcmk__xe_create(NULL, PCMK__XE_CIB_COMMAND);
 
     cib->call_id++;
     if (cib->call_id < 1) {
         cib->call_id = 1;
     }
 
     crm_xml_add(*op_msg, PCMK__XA_T, PCMK__VALUE_CIB);
     crm_xml_add(*op_msg, PCMK__XA_CIB_OP, op);
     crm_xml_add(*op_msg, PCMK__XA_CIB_HOST, host);
     crm_xml_add(*op_msg, PCMK__XA_CIB_SECTION, section);
     crm_xml_add(*op_msg, PCMK__XA_CIB_USER, user_name);
     crm_xml_add(*op_msg, PCMK__XA_CIB_CLIENTNAME, client_name);
     crm_xml_add_int(*op_msg, PCMK__XA_CIB_CALLID, cib->call_id);
 
     crm_trace("Sending call options: %.8lx, %d", (long)call_options, call_options);
     crm_xml_add_int(*op_msg, PCMK__XA_CIB_CALLOPT, call_options);
 
     if (data != NULL) {
         xmlNode *wrapper = pcmk__xe_create(*op_msg, PCMK__XE_CIB_CALLDATA);
 
         pcmk__xml_copy(wrapper, data);
     }
 
     return pcmk_ok;
 }
 
 /*!
  * \internal
  * \brief Check whether a CIB request is supported in a transaction
  *
  * \param[in] request  CIB request
  *
  * \return Standard Pacemaker return code
  */
 static int
 validate_transaction_request(const xmlNode *request)
 {
     const char *op = crm_element_value(request, PCMK__XA_CIB_OP);
     const char *host = crm_element_value(request, PCMK__XA_CIB_HOST);
     const cib__operation_t *operation = NULL;
     int rc = cib__get_operation(op, &operation);
 
     if (rc != pcmk_rc_ok) {
         // cib__get_operation() logs error
         return rc;
     }
 
     if (!pcmk_is_set(operation->flags, cib__op_attr_transaction)) {
         crm_err("Operation %s is not supported in CIB transactions", op);
         return EOPNOTSUPP;
     }
 
     if (host != NULL) {
         crm_err("Operation targeting a specific node (%s) is not supported in "
                 "a CIB transaction",
                 host);
         return EOPNOTSUPP;
     }
     return pcmk_rc_ok;
 }
 
 /*!
  * \internal
  * \brief Append a CIB request to a CIB transaction
  *
  * \param[in,out] cib      CIB client whose transaction to extend
  * \param[in,out] request  Request to add to transaction
  *
  * \return Legacy Pacemaker return code
  */
 int
 cib__extend_transaction(cib_t *cib, xmlNode *request)
 {
     int rc = pcmk_rc_ok;
 
     CRM_ASSERT((cib != NULL) && (request != NULL));
 
     rc = validate_transaction_request(request);
 
     if ((rc == pcmk_rc_ok) && (cib->transaction == NULL)) {
         rc = pcmk_rc_no_transaction;
     }
 
     if (rc == pcmk_rc_ok) {
         pcmk__xml_copy(cib->transaction, request);
 
     } else {
         const char *op = crm_element_value(request, PCMK__XA_CIB_OP);
         const char *client_id = NULL;
 
         cib->cmds->client_id(cib, NULL, &client_id);
         crm_err("Failed to add '%s' operation to transaction for client %s: %s",
                 op, pcmk__s(client_id, "(unidentified)"), pcmk_rc_str(rc));
         crm_log_xml_info(request, "failed");
     }
     return pcmk_rc2legacy(rc);
 }
 
 void
 cib_native_callback(cib_t * cib, xmlNode * msg, int call_id, int rc)
 {
     xmlNode *output = NULL;
     cib_callback_client_t *blob = NULL;
 
     if (msg != NULL) {
         xmlNode *wrapper = NULL;
 
         crm_element_value_int(msg, PCMK__XA_CIB_RC, &rc);
         crm_element_value_int(msg, PCMK__XA_CIB_CALLID, &call_id);
         wrapper = pcmk__xe_first_child(msg, PCMK__XE_CIB_CALLDATA, NULL, NULL);
         output = pcmk__xe_first_child(wrapper, NULL, NULL, NULL);
     }
 
     blob = cib__lookup_id(call_id);
 
     if (blob == NULL) {
         crm_trace("No callback found for call %d", call_id);
     }
 
     if (cib == NULL) {
         crm_debug("No cib object supplied");
     }
 
     if (rc == -pcmk_err_diff_resync) {
         /* This is an internal value that clients do not and should not care about */
         rc = pcmk_ok;
     }
 
     if (blob && blob->callback && (rc == pcmk_ok || blob->only_success == FALSE)) {
         crm_trace("Invoking callback %s for call %d",
                   pcmk__s(blob->id, "without ID"), call_id);
         blob->callback(msg, call_id, rc, output, blob->user_data);
 
     } else if ((cib != NULL) && (rc != pcmk_ok)) {
         crm_warn("CIB command failed: %s", pcmk_strerror(rc));
         crm_log_xml_debug(msg, "Failed CIB Update");
     }
 
     /* This may free user_data, so do it after the callback */
     if (blob) {
         remove_cib_op_callback(call_id, FALSE);
     }
 
     crm_trace("OP callback activated for %d", call_id);
 }
 
 void
 cib_native_notify(gpointer data, gpointer user_data)
 {
     xmlNode *msg = user_data;
     cib_notify_client_t *entry = data;
     const char *event = NULL;
 
     if (msg == NULL) {
         crm_warn("Skipping callback - NULL message");
         return;
     }
 
     event = crm_element_value(msg, PCMK__XA_SUBT);
 
     if (entry == NULL) {
         crm_warn("Skipping callback - NULL callback client");
         return;
 
     } else if (entry->callback == NULL) {
         crm_warn("Skipping callback - NULL callback");
         return;
 
     } else if (!pcmk__str_eq(entry->event, event, pcmk__str_casei)) {
         crm_trace("Skipping callback - event mismatch %p/%s vs. %s", entry, entry->event, event);
         return;
     }
 
     crm_trace("Invoking callback for %p/%s event...", entry, event);
     entry->callback(event, msg);
     crm_trace("Callback invoked...");
 }
 
 gboolean
 cib_read_config(GHashTable * options, xmlNode * current_cib)
 {
     xmlNode *config = NULL;
     crm_time_t *now = NULL;
 
     if (options == NULL || current_cib == NULL) {
         return FALSE;
     }
 
     now = crm_time_new(NULL);
 
     g_hash_table_remove_all(options);
 
     config = pcmk_find_cib_element(current_cib, PCMK_XE_CRM_CONFIG);
     if (config) {
         pe_unpack_nvpairs(NULL, config, PCMK_XE_CLUSTER_PROPERTY_SET, NULL,
                           options, PCMK_VALUE_CIB_BOOTSTRAP_OPTIONS, FALSE, now,
                           NULL);
     }
 
     pcmk__validate_cluster_options(options);
 
     crm_time_free(now);
 
     return TRUE;
 }
 
 int
 cib_internal_op(cib_t * cib, const char *op, const char *host,
                 const char *section, xmlNode * data,
                 xmlNode ** output_data, int call_options, const char *user_name)
 {
     int (*delegate)(cib_t *cib, const char *op, const char *host,
                     const char *section, xmlNode *data, xmlNode **output_data,
                     int call_options, const char *user_name) = NULL;
 
     if (cib == NULL) {
         return -EINVAL;
     }
 
     delegate = cib->delegate_fn;
     if (delegate == NULL) {
         return -EPROTONOSUPPORT;
     }
     if (user_name == NULL) {
         user_name = getenv("CIB_user");
     }
     return delegate(cib, op, host, section, data, output_data, call_options, user_name);
 }
 
 /*!
  * \brief Apply a CIB update patch to a given CIB
  *
  * \param[in]  event   CIB update patch
  * \param[in]  input   CIB to patch
  * \param[out] output  Resulting CIB after patch
  * \param[in]  level   Log the patch at this log level (unless LOG_CRIT)
  *
  * \return Legacy Pacemaker return code
  * \note sbd calls this function
  */
 int
 cib_apply_patch_event(xmlNode *event, xmlNode *input, xmlNode **output,
                       int level)
 {
     int rc = pcmk_err_generic;
 
     xmlNode *wrapper = NULL;
     xmlNode *diff = NULL;
 
     CRM_ASSERT(event);
     CRM_ASSERT(input);
     CRM_ASSERT(output);
 
     crm_element_value_int(event, PCMK__XA_CIB_RC, &rc);
     wrapper = pcmk__xe_first_child(event, PCMK__XE_CIB_UPDATE_RESULT, NULL,
                                    NULL);
     diff = pcmk__xe_first_child(wrapper, NULL, NULL, NULL);
 
     if (rc < pcmk_ok || diff == NULL) {
         return rc;
     }
 
     if (level > LOG_CRIT) {
         pcmk__log_xml_patchset(level, diff);
     }
 
     if (input != NULL) {
         rc = cib_process_diff(NULL, cib_none, NULL, event, diff, input, output,
                               NULL);
 
         if (rc != pcmk_ok) {
             crm_debug("Update didn't apply: %s (%d) %p",
                       pcmk_strerror(rc), rc, *output);
 
             if (rc == -pcmk_err_old_data) {
                 crm_trace("Masking error, we already have the supplied update");
                 return pcmk_ok;
             }
             pcmk__xml_free(*output);
             *output = NULL;
             return rc;
         }
     }
     return rc;
 }
 
 #define log_signon_query_err(out, fmt, args...) do {    \
         if (out != NULL) {                              \
             out->err(out, fmt, ##args);                 \
         } else {                                        \
             crm_err(fmt, ##args);                       \
         }                                               \
     } while (0)
 
 int
 cib__signon_query(pcmk__output_t *out, cib_t **cib, xmlNode **cib_object)
 {
     int rc = pcmk_rc_ok;
     cib_t *cib_conn = NULL;
 
     CRM_ASSERT(cib_object != NULL);
 
     if (cib == NULL) {
         cib_conn = cib_new();
     } else {
         if (*cib == NULL) {
             *cib = cib_new();
         }
         cib_conn = *cib;
     }
 
     if (cib_conn == NULL) {
         return ENOMEM;
     }
 
     if (cib_conn->state == cib_disconnected) {
         rc = cib_conn->cmds->signon(cib_conn, crm_system_name, cib_command);
         rc = pcmk_legacy2rc(rc);
     }
 
     if (rc != pcmk_rc_ok) {
         log_signon_query_err(out, "Could not connect to the CIB: %s",
                              pcmk_rc_str(rc));
         goto done;
     }
 
     if (out != NULL) {
         out->transient(out, "Querying CIB...");
     }
     rc = cib_conn->cmds->query(cib_conn, NULL, cib_object, cib_sync_call);
     rc = pcmk_legacy2rc(rc);
 
     if (rc != pcmk_rc_ok) {
         log_signon_query_err(out, "CIB query failed: %s", pcmk_rc_str(rc));
     }
 
 done:
     if (cib == NULL) {
         cib__clean_up_connection(&cib_conn);
     }
 
     if ((rc == pcmk_rc_ok) && (*cib_object == NULL)) {
         return pcmk_rc_no_input;
     }
     return rc;
 }
 
 int
 cib__signon_attempts(cib_t *cib, enum cib_conn_type type, int attempts)
 {
     int rc = pcmk_rc_ok;
 
     crm_trace("Attempting connection to CIB manager (up to %d time%s)",
               attempts, pcmk__plural_s(attempts));
 
     for (int remaining = attempts - 1; remaining >= 0; --remaining) {
         rc = cib->cmds->signon(cib, crm_system_name, type);
 
         if ((rc == pcmk_rc_ok)
             || (remaining == 0)
             || ((errno != EAGAIN) && (errno != EALREADY))) {
             break;
         }
 
         // Retry after soft error (interrupted by signal, etc.)
         pcmk__sleep_ms((attempts - remaining) * 500);
         crm_debug("Re-attempting connection to CIB manager (%d attempt%s remaining)",
                   remaining, pcmk__plural_s(remaining));
     }
 
     return rc;
 }
 
 int
 cib__clean_up_connection(cib_t **cib)
 {
     int rc;
 
     if (*cib == NULL) {
         return pcmk_rc_ok;
     }
 
     rc = (*cib)->cmds->signoff(*cib);
     cib_delete(*cib);
     *cib = NULL;
     return pcmk_legacy2rc(rc);
 }
diff --git a/lib/common/schemas.c b/lib/common/schemas.c
index 0470f99559..c12713a81a 100644
--- a/lib/common/schemas.c
+++ b/lib/common/schemas.c
@@ -1,1553 +1,1518 @@
 /*
  * Copyright 2004-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU Lesser General Public License
  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <stdio.h>
 #include <string.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include <stdarg.h>
 
 #include <libxml/relaxng.h>
 #include <libxslt/xslt.h>
 #include <libxslt/transform.h>
 #include <libxslt/security.h>
 #include <libxslt/xsltutils.h>
 
 #include <crm/common/xml.h>
 #include <crm/common/xml_internal.h>  /* PCMK__XML_LOG_BASE */
 
 #include "crmcommon_private.h"
 
 #define SCHEMA_ZERO { .v = { 0, 0 } }
 
 #define schema_strdup_printf(prefix, version, suffix) \
     crm_strdup_printf(prefix "%u.%u" suffix, (version).v[0], (version).v[1])
 
 typedef struct {
     xmlRelaxNGPtr rng;
     xmlRelaxNGValidCtxtPtr valid;
     xmlRelaxNGParserCtxtPtr parser;
 } relaxng_ctx_cache_t;
 
 static GList *known_schemas = NULL;
 static bool initialized = false;
 static bool silent_logging = FALSE;
 
 static void G_GNUC_PRINTF(2, 3)
 xml_log(int priority, const char *fmt, ...)
 {
     va_list ap;
 
     va_start(ap, fmt);
     if (silent_logging == FALSE) {
         /* XXX should not this enable dechunking as well? */
         PCMK__XML_LOG_BASE(priority, FALSE, 0, NULL, fmt, ap);
     }
     va_end(ap);
 }
 
 static int
 xml_latest_schema_index(void)
 {
     /* This function assumes that pcmk__schema_init() has been called
      * beforehand, so we have at least two schemas (one real schema and the
      * "none" schema).
      *
      * @COMPAT: The "none" schema is deprecated since 2.1.8.
      * Update this when we drop that schema.
      */
     return g_list_length(known_schemas) - 2;
 }
 
 /*!
  * \internal
  * \brief Return the schema entry of the highest-versioned schema
  *
  * \return Schema entry of highest-versioned schema
  */
 static GList *
 get_highest_schema(void)
 {
     /* The highest numerically versioned schema is the one before none
      *
      * @COMPAT none is deprecated since 2.1.8
      */
     GList *entry = pcmk__get_schema("none");
 
     CRM_ASSERT((entry != NULL) && (entry->prev != NULL));
     return entry->prev;
 }
 
 /*!
  * \internal
  * \brief Return the name of the highest-versioned schema
  *
  * \return Name of highest-versioned schema (or NULL on error)
  */
 const char *
 pcmk__highest_schema_name(void)
 {
     GList *entry = get_highest_schema();
 
     return ((pcmk__schema_t *)(entry->data))->name;
 }
 
 /*!
  * \internal
  * \brief Find first entry of highest major schema version series
  *
  * \return Schema entry of first schema with highest major version
  */
 GList *
 pcmk__find_x_0_schema(void)
 {
 #if defined(PCMK__UNIT_TESTING)
     /* If we're unit testing, this can't be static because it'll stick
      * around from one test run to the next. It needs to be cleared out
      * every time.
      */
     GList *x_0_entry = NULL;
 #else
     static GList *x_0_entry = NULL;
 #endif
 
     pcmk__schema_t *highest_schema = NULL;
 
     if (x_0_entry != NULL) {
         return x_0_entry;
     }
     x_0_entry = get_highest_schema();
     highest_schema = x_0_entry->data;
 
     for (GList *iter = x_0_entry->prev; iter != NULL; iter = iter->prev) {
         pcmk__schema_t *schema = iter->data;
 
         /* We've found a schema in an older major version series.  Return
          * the index of the first one in the same major version series as
          * the highest schema.
          */
         if (schema->version.v[0] < highest_schema->version.v[0]) {
             x_0_entry = iter->next;
             break;
         }
 
         /* We're out of list to examine.  This probably means there was only
          * one major version series, so return the first schema entry.
          */
         if (iter->prev == NULL) {
             x_0_entry = known_schemas->data;
             break;
         }
     }
     return x_0_entry;
 }
 
 static inline bool
 version_from_filename(const char *filename, pcmk__schema_version_t *version)
 {
     if (pcmk__ends_with(filename, ".rng")) {
         return sscanf(filename, "pacemaker-%hhu.%hhu.rng", &(version->v[0]), &(version->v[1])) == 2;
     } else {
         return sscanf(filename, "pacemaker-%hhu.%hhu", &(version->v[0]), &(version->v[1])) == 2;
     }
 }
 
 static int
 schema_filter(const struct dirent *a)
 {
     int rc = 0;
     pcmk__schema_version_t version = SCHEMA_ZERO;
 
     if (strstr(a->d_name, "pacemaker-") != a->d_name) {
         /* crm_trace("%s - wrong prefix", a->d_name); */
 
     } else if (!pcmk__ends_with_ext(a->d_name, ".rng")) {
         /* crm_trace("%s - wrong suffix", a->d_name); */
 
     } else if (!version_from_filename(a->d_name, &version)) {
         /* crm_trace("%s - wrong format", a->d_name); */
 
     } else {
         /* crm_debug("%s - candidate", a->d_name); */
         rc = 1;
     }
 
     return rc;
 }
 
 static int
 schema_cmp(pcmk__schema_version_t a_version, pcmk__schema_version_t b_version)
 {
     for (int i = 0; i < 2; ++i) {
         if (a_version.v[i] < b_version.v[i]) {
             return -1;
         } else if (a_version.v[i] > b_version.v[i]) {
             return 1;
         }
     }
     return 0;
 }
 
 static int
 schema_cmp_directory(const struct dirent **a, const struct dirent **b)
 {
     pcmk__schema_version_t a_version = SCHEMA_ZERO;
     pcmk__schema_version_t b_version = SCHEMA_ZERO;
 
     if (!version_from_filename(a[0]->d_name, &a_version)
         || !version_from_filename(b[0]->d_name, &b_version)) {
         // Shouldn't be possible, but makes static analysis happy
         return 0;
     }
 
     return schema_cmp(a_version, b_version);
 }
 
 /*!
  * \internal
  * \brief Add given schema + auxiliary data to internal bookkeeping.
  */
 static void
 add_schema(enum pcmk__schema_validator validator,
            const pcmk__schema_version_t *version, const char *name,
            GList *transforms)
 {
     pcmk__schema_t *schema = NULL;
 
     schema = pcmk__assert_alloc(1, sizeof(pcmk__schema_t));
 
     schema->validator = validator;
     schema->version.v[0] = version->v[0];
     schema->version.v[1] = version->v[1];
     schema->transforms = transforms;
     // schema->schema_index is set after all schemas are loaded and sorted
 
     if (version->v[0] || version->v[1]) {
         schema->name = schema_strdup_printf("pacemaker-", *version, "");
     } else {
         schema->name = pcmk__str_copy(name);
     }
 
     known_schemas = g_list_prepend(known_schemas, schema);
 }
 
 static void
 wrap_libxslt(bool finalize)
 {
     static xsltSecurityPrefsPtr secprefs;
     int ret = 0;
 
     /* security framework preferences */
     if (!finalize) {
         CRM_ASSERT(secprefs == NULL);
         secprefs = xsltNewSecurityPrefs();
         ret = xsltSetSecurityPrefs(secprefs, XSLT_SECPREF_WRITE_FILE,
                                    xsltSecurityForbid)
               | xsltSetSecurityPrefs(secprefs, XSLT_SECPREF_CREATE_DIRECTORY,
                                      xsltSecurityForbid)
               | xsltSetSecurityPrefs(secprefs, XSLT_SECPREF_READ_NETWORK,
                                      xsltSecurityForbid)
               | xsltSetSecurityPrefs(secprefs, XSLT_SECPREF_WRITE_NETWORK,
                                      xsltSecurityForbid);
         if (ret != 0) {
             return;
         }
     } else {
         xsltFreeSecurityPrefs(secprefs);
         secprefs = NULL;
     }
 
     /* cleanup only */
     if (finalize) {
         xsltCleanupGlobals();
     }
 }
 
 /*!
  * \internal
  * \brief Check whether a directory entry matches the upgrade XSLT pattern
  *
  * \param[in] entry  Directory entry whose filename to check
  *
  * \return 1 if the entry's filename is of the form
  *         <tt>upgrade-X.Y-ORDER.xsl</tt>, or 0 otherwise
  */
 static int
 transform_filter(const struct dirent *entry)
 {
     return pcmk__str_eq(entry->d_name,
                         "upgrade-[[:digit:]]+.[[:digit:]]+-[[:digit:]]+.xsl",
                         pcmk__str_regex)? 1 : 0;
 }
 
 /*!
  * \internal
  * \brief Free a list of XSLT transform <tt>struct dirent</tt> objects
  *
  * \param[in,out] data  List to free
  */
 static void
 free_transform_list(void *data)
 {
     g_list_free_full((GList *) data, free);
 }
 
 /*!
  * \internal
  * \brief Load names of upgrade XSLT stylesheets from a directory into a table
  *
  * Stylesheets must have names of the form "upgrade-X.Y-order.xsl", where:
  * * X is the schema major version
  * * Y is the schema minor version
  * * ORDER is the order in which the stylesheet occurs in the transform pipeline
  *
  * \param[in] dir  Directory containing XSLT stylesheets
  *
  * \return Table with schema version as key and \c GList of associated transform
  *         files (as <tt>struct dirent</tt>) as value
  */
 static GHashTable *
 load_transforms_from_dir(const char *dir)
 {
     struct dirent **namelist = NULL;
     int num_matches = scandir(dir, &namelist, transform_filter, versionsort);
     GHashTable *transforms = pcmk__strkey_table(free, free_transform_list);
 
     for (int i = 0; i < num_matches; i++) {
         pcmk__schema_version_t version = SCHEMA_ZERO;
         int order = 0;  // Placeholder only
 
         if (sscanf(namelist[i]->d_name, "upgrade-%hhu.%hhu-%d.xsl",
                    &(version.v[0]), &(version.v[1]), &order) == 3) {
 
             char *version_s = crm_strdup_printf("%hhu.%hhu",
                                                 version.v[0], version.v[1]);
             GList *list = g_hash_table_lookup(transforms, version_s);
 
             if (list == NULL) {
                 /* Prepend is more efficient. However, there won't be many of
                  * these, and we want them to remain sorted by version. It's not
                  * worth reversing all the lists at the end.
                  *
                  * Avoid calling g_hash_table_insert() if the list already
                  * exists. Otherwise free_transform_list() gets called on it.
                  */
                 list = g_list_append(list, namelist[i]);
                 g_hash_table_insert(transforms, version_s, list);
 
             } else {
                 list = g_list_append(list, namelist[i]);
                 free(version_s);
             }
 
         } else {
             // Sanity only, should never happen thanks to transform_filter()
             free(namelist[i]);
         }
     }
 
     free(namelist);
     return transforms;
 }
 
 void
 pcmk__load_schemas_from_dir(const char *dir)
 {
     int lpc, max;
     struct dirent **namelist = NULL;
     GHashTable *transforms = NULL;
 
     max = scandir(dir, &namelist, schema_filter, schema_cmp_directory);
     if (max < 0) {
         crm_warn("Could not load schemas from %s: %s", dir, strerror(errno));
         return;
     }
 
     // Look for any upgrade transforms in the same directory
     transforms = load_transforms_from_dir(dir);
 
     for (lpc = 0; lpc < max; lpc++) {
         pcmk__schema_version_t version = SCHEMA_ZERO;
 
         if (version_from_filename(namelist[lpc]->d_name, &version)) {
             char *version_s = crm_strdup_printf("%hhu.%hhu",
                                                 version.v[0], version.v[1]);
             char *orig_key = NULL;
             GList *transform_list = NULL;
 
             // The schema becomes the owner of transform_list
             g_hash_table_lookup_extended(transforms, version_s,
                                          (gpointer *) &orig_key,
                                          (gpointer *) &transform_list);
             g_hash_table_steal(transforms, version_s);
 
             add_schema(pcmk__schema_validator_rng, &version, NULL,
                        transform_list);
 
             free(version_s);
             free(orig_key);
 
         } else {
             // Shouldn't be possible, but makes static analysis happy
             crm_warn("Skipping schema '%s': could not parse version",
                      namelist[lpc]->d_name);
         }
     }
 
     for (lpc = 0; lpc < max; lpc++) {
         free(namelist[lpc]);
     }
 
     free(namelist);
     g_hash_table_destroy(transforms);
 }
 
 static gint
 schema_sort_GCompareFunc(gconstpointer a, gconstpointer b)
 {
     const pcmk__schema_t *schema_a = a;
     const pcmk__schema_t *schema_b = b;
 
     // @COMPAT The "none" schema is deprecated since 2.1.8
     if (pcmk__str_eq(schema_a->name, PCMK_VALUE_NONE, pcmk__str_none)) {
         return 1;
     } else if (pcmk__str_eq(schema_b->name, PCMK_VALUE_NONE, pcmk__str_none)) {
         return -1;
     } else {
         return schema_cmp(schema_a->version, schema_b->version);
     }
 }
 
 /*!
  * \internal
  * \brief Sort the list of known schemas such that all pacemaker-X.Y are in
  *        version order, then "none"
  *
  * This function should be called whenever additional schemas are loaded using
  * \c pcmk__load_schemas_from_dir(), after the initial sets in
  * \c pcmk__schema_init().
  */
 void
 pcmk__sort_schemas(void)
 {
     known_schemas = g_list_sort(known_schemas, schema_sort_GCompareFunc);
 }
 
 /*!
  * \internal
  * \brief Load pacemaker schemas into cache
  *
  * \note This currently also serves as an entry point for the
  *       generic initialization of the libxslt library.
  */
 void
 pcmk__schema_init(void)
 {
     if (!initialized) {
         const char *remote_schema_dir = pcmk__remote_schema_dir();
         char *base = pcmk__xml_artefact_root(pcmk__xml_artefact_ns_legacy_rng);
         const pcmk__schema_version_t zero = SCHEMA_ZERO;
         int schema_index = 0;
 
         initialized = true;
 
         wrap_libxslt(false);
 
         pcmk__load_schemas_from_dir(base);
         pcmk__load_schemas_from_dir(remote_schema_dir);
         free(base);
 
         // @COMPAT Deprecated since 2.1.8
         add_schema(pcmk__schema_validator_none, &zero, PCMK_VALUE_NONE, NULL);
 
         /* add_schema() prepends items to the list, so in the simple case, this
          * just reverses the list. However if there were any remote schemas,
          * sorting is necessary.
          */
         pcmk__sort_schemas();
 
         // Now set the schema indexes and log the final result
         for (GList *iter = known_schemas; iter != NULL; iter = iter->next) {
             pcmk__schema_t *schema = iter->data;
 
             crm_debug("Loaded schema %d: %s", schema_index, schema->name);
             schema->schema_index = schema_index++;
         }
     }
 }
 
 static bool
 validate_with_relaxng(xmlDocPtr doc, xmlRelaxNGValidityErrorFunc error_handler,
                       void *error_handler_context, const char *relaxng_file,
                       relaxng_ctx_cache_t **cached_ctx)
 {
     int rc = 0;
     bool valid = true;
     relaxng_ctx_cache_t *ctx = NULL;
 
     CRM_CHECK(doc != NULL, return false);
     CRM_CHECK(relaxng_file != NULL, return false);
 
     if (cached_ctx && *cached_ctx) {
         ctx = *cached_ctx;
 
     } else {
         crm_debug("Creating RNG parser context");
         ctx = pcmk__assert_alloc(1, sizeof(relaxng_ctx_cache_t));
 
         ctx->parser = xmlRelaxNGNewParserCtxt(relaxng_file);
         CRM_CHECK(ctx->parser != NULL, goto cleanup);
 
         if (error_handler) {
             xmlRelaxNGSetParserErrors(ctx->parser,
                                       (xmlRelaxNGValidityErrorFunc) error_handler,
                                       (xmlRelaxNGValidityWarningFunc) error_handler,
                                       error_handler_context);
         } else {
             xmlRelaxNGSetParserErrors(ctx->parser,
                                       (xmlRelaxNGValidityErrorFunc) fprintf,
                                       (xmlRelaxNGValidityWarningFunc) fprintf,
                                       stderr);
         }
 
         ctx->rng = xmlRelaxNGParse(ctx->parser);
         CRM_CHECK(ctx->rng != NULL,
                   crm_err("Could not find/parse %s", relaxng_file);
                   goto cleanup);
 
         ctx->valid = xmlRelaxNGNewValidCtxt(ctx->rng);
         CRM_CHECK(ctx->valid != NULL, goto cleanup);
 
         if (error_handler) {
             xmlRelaxNGSetValidErrors(ctx->valid,
                                      (xmlRelaxNGValidityErrorFunc) error_handler,
                                      (xmlRelaxNGValidityWarningFunc) error_handler,
                                      error_handler_context);
         } else {
             xmlRelaxNGSetValidErrors(ctx->valid,
                                      (xmlRelaxNGValidityErrorFunc) fprintf,
                                      (xmlRelaxNGValidityWarningFunc) fprintf,
                                      stderr);
         }
     }
 
     rc = xmlRelaxNGValidateDoc(ctx->valid, doc);
     if (rc > 0) {
         valid = false;
 
     } else if (rc < 0) {
         crm_err("Internal libxml error during validation");
     }
 
   cleanup:
 
     if (cached_ctx) {
         *cached_ctx = ctx;
 
     } else {
         if (ctx->parser != NULL) {
             xmlRelaxNGFreeParserCtxt(ctx->parser);
         }
         if (ctx->valid != NULL) {
             xmlRelaxNGFreeValidCtxt(ctx->valid);
         }
         if (ctx->rng != NULL) {
             xmlRelaxNGFree(ctx->rng);
         }
         free(ctx);
     }
 
     return valid;
 }
 
 static void
 free_schema(gpointer data)
 {
     pcmk__schema_t *schema = data;
     relaxng_ctx_cache_t *ctx = NULL;
 
     switch (schema->validator) {
         case pcmk__schema_validator_none: // not cached
             break;
 
         case pcmk__schema_validator_rng: // cached
             ctx = (relaxng_ctx_cache_t *) schema->cache;
             if (ctx == NULL) {
                 break;
             }
 
             if (ctx->parser != NULL) {
                 xmlRelaxNGFreeParserCtxt(ctx->parser);
             }
 
             if (ctx->valid != NULL) {
                 xmlRelaxNGFreeValidCtxt(ctx->valid);
             }
 
             if (ctx->rng != NULL) {
                 xmlRelaxNGFree(ctx->rng);
             }
 
             free(ctx);
             schema->cache = NULL;
             break;
     }
 
     free(schema->name);
     g_list_free_full(schema->transforms, free);
     free(schema);
 }
 
 /*!
  * \internal
  * \brief Clean up global memory associated with XML schemas
  */
 void
 pcmk__schema_cleanup(void)
 {
     if (known_schemas != NULL) {
         g_list_free_full(known_schemas, free_schema);
         known_schemas = NULL;
     }
     initialized = false;
 
     wrap_libxslt(true);
 }
 
 /*!
  * \internal
  * \brief Get schema list entry corresponding to a schema name
  *
  * \param[in] name  Name of schema to get
  *
  * \return Schema list entry corresponding to \p name, or NULL if unknown
  */
 GList *
 pcmk__get_schema(const char *name)
 {
-    // @COMPAT Not specifying a schema name is deprecated since 2.1.8
     if (name == NULL) {
-        name = PCMK_VALUE_NONE;
+        return NULL;
     }
     for (GList *iter = known_schemas; iter != NULL; iter = iter->next) {
         pcmk__schema_t *schema = iter->data;
 
         if (pcmk__str_eq(name, schema->name, pcmk__str_none)) {
             return iter;
         }
     }
     return NULL;
 }
 
 /*!
  * \internal
  * \brief Compare two schema version numbers given the schema names
  *
  * \param[in] schema1  Name of first schema to compare
  * \param[in] schema2  Name of second schema to compare
  *
  * \return Standard comparison result (negative integer if \p schema1 has the
  *         lower version number, positive integer if \p schema1 has the higher
  *         version number, of 0 if the version numbers are equal)
  */
 int
 pcmk__cmp_schemas_by_name(const char *schema1_name, const char *schema2_name)
 {
     GList *entry1 = pcmk__get_schema(schema1_name);
     GList *entry2 = pcmk__get_schema(schema2_name);
 
     if (entry1 == NULL) {
         return (entry2 == NULL)? 0 : -1;
 
     } else if (entry2 == NULL) {
         return 1;
 
     } else {
         pcmk__schema_t *schema1 = entry1->data;
         pcmk__schema_t *schema2 = entry2->data;
 
         return schema1->schema_index - schema2->schema_index;
     }
 }
 
 static bool
 validate_with(xmlNode *xml, pcmk__schema_t *schema,
               xmlRelaxNGValidityErrorFunc error_handler,
               void *error_handler_context)
 {
     bool valid = false;
     char *file = NULL;
     relaxng_ctx_cache_t **cache = NULL;
 
     if (schema == NULL) {
         return false;
     }
 
     if (schema->validator == pcmk__schema_validator_none) {
         return true;
     }
 
     file = pcmk__xml_artefact_path(pcmk__xml_artefact_ns_legacy_rng,
                                    schema->name);
 
     crm_trace("Validating with %s (type=%d)",
               pcmk__s(file, "missing schema"), schema->validator);
     switch (schema->validator) {
         case pcmk__schema_validator_rng:
             cache = (relaxng_ctx_cache_t **) &(schema->cache);
             valid = validate_with_relaxng(xml->doc, error_handler, error_handler_context, file, cache);
             break;
         default:
             crm_err("Unknown validator type: %d", schema->validator);
             break;
     }
 
     free(file);
     return valid;
 }
 
 static bool
 validate_with_silent(xmlNode *xml, pcmk__schema_t *schema)
 {
     bool rc, sl_backup = silent_logging;
     silent_logging = TRUE;
     rc = validate_with(xml, schema, (xmlRelaxNGValidityErrorFunc) xml_log, GUINT_TO_POINTER(LOG_ERR));
     silent_logging = sl_backup;
     return rc;
 }
 
 bool
 pcmk__validate_xml(xmlNode *xml_blob, const char *validation,
                    xmlRelaxNGValidityErrorFunc error_handler,
                    void *error_handler_context)
 {
     GList *entry = NULL;
     pcmk__schema_t *schema = NULL;
 
     CRM_CHECK((xml_blob != NULL) && (xml_blob->doc != NULL), return false);
 
     if (validation == NULL) {
         validation = crm_element_value(xml_blob, PCMK_XA_VALIDATE_WITH);
     }
     pcmk__warn_if_schema_deprecated(validation);
 
-    // @COMPAT Not specifying a schema name is deprecated since 2.1.8
-    if (validation == NULL) {
-        bool valid = false;
-
-        for (entry = known_schemas; entry != NULL; entry = entry->next) {
-            schema = entry->data;
-            if (validate_with(xml_blob, schema, NULL, NULL)) {
-                valid = true;
-                crm_xml_add(xml_blob, PCMK_XA_VALIDATE_WITH, schema->name);
-                crm_info("XML validated against %s", schema->name);
-            }
-        }
-        return valid;
-    }
-
     entry = pcmk__get_schema(validation);
     if (entry == NULL) {
-        pcmk__config_err("Cannot validate CIB with " PCMK_XA_VALIDATE_WITH
-                         " set to an unknown schema such as '%s' (manually"
-                         " edit to use a known schema)",
-                         validation);
+        pcmk__config_err("Cannot validate CIB with %s " PCMK_XA_VALIDATE_WITH
+                         " (manually edit to use a known schema)",
+                         ((validation == NULL)? "missing" : "unknown"));
         return false;
     }
 
     schema = entry->data;
     return validate_with(xml_blob, schema, error_handler,
                          error_handler_context);
 }
 
 /*!
  * \internal
  * \brief Validate XML using its configured schema (and send errors to logs)
  *
  * \param[in] xml  XML to validate
  *
  * \return true if XML validates, otherwise false
  */
 bool
 pcmk__configured_schema_validates(xmlNode *xml)
 {
     return pcmk__validate_xml(xml, NULL,
                               (xmlRelaxNGValidityErrorFunc) xml_log,
                               GUINT_TO_POINTER(LOG_ERR));
 }
 
 /* With this arrangement, an attempt to identify the message severity
    as explicitly signalled directly from XSLT is performed in rather
    a smart way (no reliance on formatting string + arguments being
    always specified as ["%s", purposeful_string], as it can also be
    ["%s: %s", some_prefix, purposeful_string] etc. so every argument
    pertaining %s specifier is investigated), and if such a mark found,
    the respective level is determined and, when the messages are to go
    to the native logs, the mark itself gets dropped
    (by the means of string shift).
 
    NOTE: whether the native logging is the right sink is decided per
          the ctx parameter -- NULL denotes this case, otherwise it
          carries a pointer to the numeric expression of the desired
          target logging level (messages with higher level will be
          suppressed)
 
    NOTE: on some architectures, this string shift may not have any
          effect, but that's an acceptable tradeoff
 
    The logging level for not explicitly designated messages
    (suspicious, likely internal errors or some runaways) is
    LOG_WARNING.
  */
 static void G_GNUC_PRINTF(2, 3)
 cib_upgrade_err(void *ctx, const char *fmt, ...)
 {
     va_list ap, aq;
     char *arg_cur;
 
     bool found = FALSE;
     const char *fmt_iter = fmt;
     uint8_t msg_log_level = LOG_WARNING;  /* default for runaway messages */
     const unsigned * log_level = (const unsigned *) ctx;
     enum {
         escan_seennothing,
         escan_seenpercent,
     } scan_state = escan_seennothing;
 
     va_start(ap, fmt);
     va_copy(aq, ap);
 
     while (!found && *fmt_iter != '\0') {
         /* while casing schema borrowed from libqb:qb_vsnprintf_serialize */
         switch (*fmt_iter++) {
         case '%':
             if (scan_state == escan_seennothing) {
                 scan_state = escan_seenpercent;
             } else if (scan_state == escan_seenpercent) {
                 scan_state = escan_seennothing;
             }
             break;
         case 's':
             if (scan_state == escan_seenpercent) {
                 scan_state = escan_seennothing;
                 arg_cur = va_arg(aq, char *);
                 if (arg_cur != NULL) {
                     switch (arg_cur[0]) {
                     case 'W':
                         if (!strncmp(arg_cur, "WARNING: ",
                                      sizeof("WARNING: ") - 1)) {
                             msg_log_level = LOG_WARNING;
                         }
                         if (ctx == NULL) {
                             memmove(arg_cur, arg_cur + sizeof("WARNING: ") - 1,
                                     strlen(arg_cur + sizeof("WARNING: ") - 1) + 1);
                         }
                         found = TRUE;
                         break;
                     case 'I':
                         if (!strncmp(arg_cur, "INFO: ",
                                      sizeof("INFO: ") - 1)) {
                             msg_log_level = LOG_INFO;
                         }
                         if (ctx == NULL) {
                             memmove(arg_cur, arg_cur + sizeof("INFO: ") - 1,
                                     strlen(arg_cur + sizeof("INFO: ") - 1) + 1);
                         }
                         found = TRUE;
                         break;
                     case 'D':
                         if (!strncmp(arg_cur, "DEBUG: ",
                                      sizeof("DEBUG: ") - 1)) {
                             msg_log_level = LOG_DEBUG;
                         }
                         if (ctx == NULL) {
                             memmove(arg_cur, arg_cur + sizeof("DEBUG: ") - 1,
                                     strlen(arg_cur + sizeof("DEBUG: ") - 1) + 1);
                         }
                         found = TRUE;
                         break;
                     }
                 }
             }
             break;
         case '#': case '-': case ' ': case '+': case '\'': case 'I': case '.':
         case '0': case '1': case '2': case '3': case '4':
         case '5': case '6': case '7': case '8': case '9':
         case '*':
             break;
         case 'l':
         case 'z':
         case 't':
         case 'j':
         case 'd': case 'i':
         case 'o':
         case 'u':
         case 'x': case 'X':
         case 'e': case 'E':
         case 'f': case 'F':
         case 'g': case 'G':
         case 'a': case 'A':
         case 'c':
         case 'p':
             if (scan_state == escan_seenpercent) {
                 (void) va_arg(aq, void *);  /* skip forward */
                 scan_state = escan_seennothing;
             }
             break;
         default:
             scan_state = escan_seennothing;
             break;
         }
     }
 
     if (log_level != NULL) {
         /* intention of the following offset is:
            cibadmin -V -> start showing INFO labelled messages */
         if (*log_level + 4 >= msg_log_level) {
             vfprintf(stderr, fmt, ap);
         }
     } else {
         PCMK__XML_LOG_BASE(msg_log_level, TRUE, 0, "CIB upgrade: ", fmt, ap);
     }
 
     va_end(aq);
     va_end(ap);
 }
 
 /*!
  * \internal
  * \brief Apply a single XSL transformation to given XML
  *
  * \param[in] xml        XML to transform
  * \param[in] transform  XSL name
  * \param[in] to_logs    If false, certain validation errors will be sent to
  *                       stderr rather than logged
  *
  * \return Transformed XML on success, otherwise NULL
  */
 static xmlNode *
 apply_transformation(const xmlNode *xml, const char *transform,
                      gboolean to_logs)
 {
     char *xform = NULL;
     xmlNode *out = NULL;
     xmlDocPtr res = NULL;
     xsltStylesheet *xslt = NULL;
 
     xform = pcmk__xml_artefact_path(pcmk__xml_artefact_ns_legacy_xslt,
                                     transform);
 
     /* for capturing, e.g., what's emitted via <xsl:message> */
     if (to_logs) {
         xsltSetGenericErrorFunc(NULL, cib_upgrade_err);
     } else {
         xsltSetGenericErrorFunc(&crm_log_level, cib_upgrade_err);
     }
 
     xslt = xsltParseStylesheetFile((pcmkXmlStr) xform);
     CRM_CHECK(xslt != NULL, goto cleanup);
 
     /* Caller allocates private data for final result document. Intermediate
      * result documents are temporary and don't need private data.
      */
     res = xsltApplyStylesheet(xslt, xml->doc, NULL);
     CRM_CHECK(res != NULL, goto cleanup);
 
     xsltSetGenericErrorFunc(NULL, NULL);  /* restore default one */
 
     out = xmlDocGetRootElement(res);
 
   cleanup:
     if (xslt) {
         xsltFreeStylesheet(xslt);
     }
 
     free(xform);
 
     return out;
 }
 
 /*!
  * \internal
  * \brief Perform all transformations needed to upgrade XML to next schema
  *
  * \param[in] input_xml     XML to transform
  * \param[in] schema_index  Index of schema that successfully validates
  *                          \p original_xml
  * \param[in] to_logs       If false, certain validation errors will be sent to
  *                          stderr rather than logged
  *
  * \return XML result of schema transforms if successful, otherwise NULL
  */
 static xmlNode *
 apply_upgrade(const xmlNode *input_xml, int schema_index, gboolean to_logs)
 {
     pcmk__schema_t *schema = g_list_nth_data(known_schemas, schema_index);
     pcmk__schema_t *upgraded_schema = g_list_nth_data(known_schemas,
                                                       schema_index + 1);
 
     xmlNode *old_xml = NULL;
     xmlNode *new_xml = NULL;
     xmlRelaxNGValidityErrorFunc error_handler = NULL;
 
     CRM_ASSERT((schema != NULL) && (upgraded_schema != NULL));
 
     if (to_logs) {
         error_handler = (xmlRelaxNGValidityErrorFunc) xml_log;
     }
 
     for (GList *iter = schema->transforms; iter != NULL; iter = iter->next) {
         const struct dirent *entry = iter->data;
         const char *transform = entry->d_name;
 
         crm_debug("Upgrading schema from %s to %s: applying XSL transform %s",
                   schema->name, upgraded_schema->name, transform);
 
         new_xml = apply_transformation(input_xml, transform, to_logs);
         pcmk__xml_free(old_xml);
 
         if (new_xml == NULL) {
             crm_err("XSL transform %s failed, aborting upgrade", transform);
             return NULL;
         }
         input_xml = new_xml;
         old_xml = new_xml;
     }
 
     // Final result document from upgrade pipeline needs private data
     pcmk__xml_new_private_data((xmlNode *) new_xml->doc);
 
     // Ensure result validates with its new schema
     if (!validate_with(new_xml, upgraded_schema, error_handler,
                        GUINT_TO_POINTER(LOG_ERR))) {
         crm_err("Schema upgrade from %s to %s failed: "
                 "XSL transform pipeline produced an invalid configuration",
                 schema->name, upgraded_schema->name);
         crm_log_xml_debug(new_xml, "bad-transform-result");
         pcmk__xml_free(new_xml);
         return NULL;
     }
 
     crm_info("Schema upgrade from %s to %s succeeded",
              schema->name, upgraded_schema->name);
     return new_xml;
 }
 
 /*!
  * \internal
  * \brief Get the schema list entry corresponding to XML configuration
  *
  * \param[in] xml  CIB XML to check
  *
  * \return List entry of schema configured in \p xml
  */
 static GList *
 get_configured_schema(const xmlNode *xml)
 {
     const char *schema_name = crm_element_value(xml, PCMK_XA_VALIDATE_WITH);
 
     pcmk__warn_if_schema_deprecated(schema_name);
-    if (schema_name == NULL) {
-        return NULL;
-    }
     return pcmk__get_schema(schema_name);
 }
 
 /*!
  * \brief Update CIB XML to latest schema that validates it
  *
  * \param[in,out] xml              XML to update (may be freed and replaced
  *                                 after being transformed)
  * \param[in]     max_schema_name  If not NULL, do not update \p xml to any
  *                                 schema later than this one
  * \param[in]     transform        If false, do not update \p xml to any schema
  *                                 that requires an XSL transform
  * \param[in]     to_logs          If false, certain validation errors will be
  *                                 sent to stderr rather than logged
  *
  * \return Standard Pacemaker return code
  */
 int
 pcmk__update_schema(xmlNode **xml, const char *max_schema_name, bool transform,
                     bool to_logs)
 {
     int max_stable_schemas = xml_latest_schema_index();
     int max_schema_index = 0;
     int rc = pcmk_rc_ok;
     GList *entry = NULL;
     pcmk__schema_t *best_schema = NULL;
     pcmk__schema_t *original_schema = NULL;
     xmlRelaxNGValidityErrorFunc error_handler = 
         to_logs ? (xmlRelaxNGValidityErrorFunc) xml_log : NULL;
 
     CRM_CHECK((xml != NULL) && (*xml != NULL) && ((*xml)->doc != NULL),
               return EINVAL);
 
     if (max_schema_name != NULL) {
         GList *max_entry = pcmk__get_schema(max_schema_name);
 
         if (max_entry != NULL) {
             pcmk__schema_t *max_schema = max_entry->data;
 
             max_schema_index = max_schema->schema_index;
         }
     }
     if ((max_schema_index < 1) || (max_schema_index > max_stable_schemas)) {
         max_schema_index = max_stable_schemas;
     }
 
     entry = get_configured_schema(*xml);
     if (entry == NULL) {
-        // @COMPAT Not specifying a schema name is deprecated since 2.1.8
-        entry = known_schemas;
-    } else {
-        original_schema = entry->data;
-        if (original_schema->schema_index >= max_schema_index) {
-            return pcmk_rc_ok;
-        }
+        return pcmk_rc_cib_corrupt;
+    }
+    original_schema = entry->data;
+    if (original_schema->schema_index >= max_schema_index) {
+        return pcmk_rc_ok;
     }
 
     for (; entry != NULL; entry = entry->next) {
         pcmk__schema_t *current_schema = entry->data;
         xmlNode *upgrade = NULL;
 
         if (current_schema->schema_index > max_schema_index) {
             break;
         }
 
         if (!validate_with(*xml, current_schema, error_handler,
                            GUINT_TO_POINTER(LOG_ERR))) {
             crm_debug("Schema %s does not validate", current_schema->name);
             if (best_schema != NULL) {
                 /* we've satisfied the validation, no need to check further */
                 break;
             }
             rc = pcmk_rc_schema_validation;
             continue; // Try again with the next higher schema
         }
 
         crm_debug("Schema %s validates", current_schema->name);
         rc = pcmk_rc_ok;
         best_schema = current_schema;
         if (current_schema->schema_index == max_schema_index) {
             break; // No further transformations possible
         }
 
         if (!transform || (current_schema->transforms == NULL)
             || validate_with_silent(*xml, entry->next->data)) {
             /* The next schema either doesn't require a transform or validates
              * successfully even without the transform. Skip the transform and
              * try the next schema with the same XML.
              */
             continue;
         }
 
         upgrade = apply_upgrade(*xml, current_schema->schema_index, to_logs);
         if (upgrade == NULL) {
             /* The transform failed, so this schema can't be used. Later
              * schemas are unlikely to validate, but try anyway until we
              * run out of options.
              */
             rc = pcmk_rc_transform_failed;
         } else {
             best_schema = current_schema;
             pcmk__xml_free(*xml);
             *xml = upgrade;
         }
     }
 
-    if (best_schema != NULL) {
-        if ((original_schema == NULL)
-            || (best_schema->schema_index > original_schema->schema_index)) {
-            crm_info("%s the configuration schema to %s",
-                     (transform? "Transformed" : "Upgraded"),
-                     best_schema->name);
-            crm_xml_add(*xml, PCMK_XA_VALIDATE_WITH, best_schema->name);
-        }
+    if ((best_schema != NULL)
+        && (best_schema->schema_index > original_schema->schema_index)) {
+        crm_info("%s the configuration schema to %s",
+                 (transform? "Transformed" : "Upgraded"),
+                 best_schema->name);
+        crm_xml_add(*xml, PCMK_XA_VALIDATE_WITH, best_schema->name);
     }
     return rc;
 }
 
 int
 pcmk_update_configured_schema(xmlNode **xml)
 {
     return pcmk__update_configured_schema(xml, true);
 }
 
 /*!
  * \brief Update XML from its configured schema to the latest major series
  *
  * \param[in,out] xml      XML to update
  * \param[in]     to_logs  If false, certain validation errors will be
  *                         sent to stderr rather than logged
  *
  * \return Standard Pacemaker return code
  */
 int
 pcmk__update_configured_schema(xmlNode **xml, bool to_logs)
 {
-    int rc = pcmk_rc_ok;
-    char *original_schema_name = NULL;
-
-    // @COMPAT Not specifying a schema name is deprecated since 2.1.8
-    const char *effective_original_name = "the first";
-
-    int orig_version = -1;
     pcmk__schema_t *x_0_schema = pcmk__find_x_0_schema()->data;
+    pcmk__schema_t *original_schema = NULL;
     GList *entry = NULL;
 
-    CRM_CHECK(xml != NULL, return EINVAL);
-
-    original_schema_name = crm_element_value_copy(*xml, PCMK_XA_VALIDATE_WITH);
-    pcmk__warn_if_schema_deprecated(original_schema_name);
-    entry = pcmk__get_schema(original_schema_name);
-    if (entry != NULL) {
-        pcmk__schema_t *original_schema = entry->data;
+    if (xml == NULL) {
+        return EINVAL;
+    }
 
-        effective_original_name = original_schema->name;
-        orig_version = original_schema->schema_index;
+    entry = get_configured_schema(*xml);
+    if (entry == NULL) {
+        return pcmk_rc_cib_corrupt;
     }
 
-    if (orig_version < x_0_schema->schema_index) {
+    original_schema = entry->data;
+    if (original_schema->schema_index < x_0_schema->schema_index) {
         // Current configuration schema is not acceptable, try to update
         xmlNode *converted = NULL;
         const char *new_schema_name = NULL;
         pcmk__schema_t *schema = NULL;
 
         entry = NULL;
         converted = pcmk__xml_copy(NULL, *xml);
         if (pcmk__update_schema(&converted, NULL, true, to_logs) == pcmk_rc_ok) {
             new_schema_name = crm_element_value(converted,
                                                 PCMK_XA_VALIDATE_WITH);
             entry = pcmk__get_schema(new_schema_name);
         }
         schema = (entry == NULL)? NULL : entry->data;
 
         if ((schema == NULL)
             || (schema->schema_index < x_0_schema->schema_index)) {
             // Updated configuration schema is still not acceptable
 
-            if ((orig_version == -1) || (schema == NULL)
-                || (schema->schema_index < orig_version)) {
+            if ((schema == NULL)
+                || (schema->schema_index < original_schema->schema_index)) {
                 // We couldn't validate any schema at all
                 if (to_logs) {
                     pcmk__config_err("Cannot upgrade configuration (claiming "
                                      "%s schema) to at least %s because it "
                                      "does not validate with any schema from "
                                      "%s to the latest",
-                                     pcmk__s(original_schema_name, "no"),
-                                     x_0_schema->name, effective_original_name);
+                                     original_schema->name,
+                                     x_0_schema->name, original_schema->name);
                 } else {
                     fprintf(stderr, "Cannot upgrade configuration (claiming "
                                     "%s schema) to at least %s because it "
                                     "does not validate with any schema from "
                                     "%s to the latest\n",
-                                    pcmk__s(original_schema_name, "no"),
-                                    x_0_schema->name, effective_original_name);
+                                    original_schema->name,
+                                    x_0_schema->name, original_schema->name);
                 }
             } else {
                 // We updated configuration successfully, but still too low
                 if (to_logs) {
                     pcmk__config_err("Cannot upgrade configuration (claiming "
                                      "%s schema) to at least %s because it "
                                      "would not upgrade past %s",
-                                     pcmk__s(original_schema_name, "no"),
-                                     x_0_schema->name,
+                                     original_schema->name, x_0_schema->name,
                                      pcmk__s(new_schema_name, "unspecified version"));
                 } else {
                     fprintf(stderr, "Cannot upgrade configuration (claiming "
                                     "%s schema) to at least %s because it "
                                     "would not upgrade past %s\n",
-                                    pcmk__s(original_schema_name, "no"),
-                                    x_0_schema->name,
+                                    original_schema->name, x_0_schema->name,
                                     pcmk__s(new_schema_name, "unspecified version"));
                 }
             }
 
             pcmk__xml_free(converted);
             converted = NULL;
-            rc = pcmk_rc_transform_failed;
+            return pcmk_rc_transform_failed;
 
         } else {
             // Updated configuration schema is acceptable
             pcmk__xml_free(*xml);
             *xml = converted;
 
             if (schema->schema_index < xml_latest_schema_index()) {
                 if (to_logs) {
                     pcmk__config_warn("Configuration with %s schema was "
                                       "internally upgraded to acceptable (but "
                                       "not most recent) %s",
-                                      pcmk__s(original_schema_name, "no"),
-                                      schema->name);
+                                      original_schema->name, schema->name);
                 }
             } else if (to_logs) {
                 crm_info("Configuration with %s schema was internally "
                          "upgraded to latest version %s",
-                         pcmk__s(original_schema_name, "no"),
-                         schema->name);
+                         original_schema->name, schema->name);
             }
         }
 
-    } else {
-        // @COMPAT the none schema is deprecated since 2.1.8
+    } else if (!to_logs) {
         pcmk__schema_t *none_schema = NULL;
 
         entry = pcmk__get_schema(PCMK_VALUE_NONE);
         CRM_ASSERT((entry != NULL) && (entry->data != NULL));
 
         none_schema = entry->data;
-        if (!to_logs && (orig_version >= none_schema->schema_index)) {
+        if (original_schema->schema_index >= none_schema->schema_index) {
+            // @COMPAT the none schema is deprecated since 2.1.8
             fprintf(stderr, "Schema validation of configuration is "
                             "disabled (support for " PCMK_XA_VALIDATE_WITH
                             " set to \"" PCMK_VALUE_NONE "\" is deprecated"
                             " and will be removed in a future release)\n");
         }
     }
 
-    free(original_schema_name);
-    return rc;
+    return pcmk_rc_ok;
 }
 
 /*!
  * \internal
  * \brief Return a list of all schema files and any associated XSLT files
  *        later than the given one
  * \brief Return a list of all schema versions later than the given one
  *
  * \param[in] schema The schema to compare against (for example,
  *                   "pacemaker-3.1.rng" or "pacemaker-3.1")
  *
  * \note The caller is responsible for freeing both the returned list and
  *       the elements of the list
  */
 GList *
 pcmk__schema_files_later_than(const char *name)
 {
     GList *lst = NULL;
     pcmk__schema_version_t ver;
 
     if (!version_from_filename(name, &ver)) {
         return lst;
     }
 
     for (GList *iter = g_list_nth(known_schemas, xml_latest_schema_index());
          iter != NULL; iter = iter->prev) {
         pcmk__schema_t *schema = iter->data;
 
         if (schema_cmp(ver, schema->version) != -1) {
             continue;
         }
 
         for (GList *iter2 = g_list_last(schema->transforms); iter2 != NULL;
              iter2 = iter2->prev) {
 
             const struct dirent *entry = iter2->data;
 
             lst = g_list_prepend(lst, pcmk__str_copy(entry->d_name));
         }
 
         lst = g_list_prepend(lst, crm_strdup_printf("%s.rng", schema->name));
     }
 
     return lst;
 }
 
 static void
 append_href(xmlNode *xml, void *user_data)
 {
     GList **list = user_data;
     char *href = crm_element_value_copy(xml, "href");
 
     if (href == NULL) {
         return;
     }
     *list = g_list_prepend(*list, href);
 }
 
 static void
 external_refs_in_schema(GList **list, const char *contents)
 {
     /* local-name()= is needed to ignore the xmlns= setting at the top of
      * the XML file.  Otherwise, the xpath query will always return nothing.
      */
     const char *search = "//*[local-name()='externalRef'] | //*[local-name()='include']";
     xmlNode *xml = pcmk__xml_parse(contents);
 
     crm_foreach_xpath_result(xml, search, append_href, list);
     pcmk__xml_free(xml);
 }
 
 static int
 read_file_contents(const char *file, char **contents)
 {
     int rc = pcmk_rc_ok;
     char *path = NULL;
 
     if (pcmk__ends_with(file, ".rng")) {
         path = pcmk__xml_artefact_path(pcmk__xml_artefact_ns_legacy_rng, file);
     } else {
         path = pcmk__xml_artefact_path(pcmk__xml_artefact_ns_legacy_xslt, file);
     }
 
     rc = pcmk__file_contents(path, contents);
 
     free(path);
     return rc;
 }
 
 static void
 add_schema_file_to_xml(xmlNode *parent, const char *file, GList **already_included)
 {
     char *contents = NULL;
     char *path = NULL;
     xmlNode *file_node = NULL;
     GList *includes = NULL;
     int rc = pcmk_rc_ok;
 
     /* If we already included this file, don't do so again. */
     if (g_list_find_custom(*already_included, file, (GCompareFunc) strcmp) != NULL) {
         return;
     }
 
     /* Ensure whatever file we were given has a suffix we know about.  If not,
      * just assume it's an RNG file.
      */
     if (!pcmk__ends_with(file, ".rng") && !pcmk__ends_with(file, ".xsl")) {
         path = crm_strdup_printf("%s.rng", file);
     } else {
         path = pcmk__str_copy(file);
     }
 
     rc = read_file_contents(path, &contents);
     if (rc != pcmk_rc_ok || contents == NULL) {
         crm_warn("Could not read schema file %s: %s", file, pcmk_rc_str(rc));
         free(path);
         return;
     }
 
     /* Create a new <file path="..."> node with the contents of the file
      * as a CDATA block underneath it.
      */
     file_node = pcmk__xe_create(parent, PCMK_XA_FILE);
     crm_xml_add(file_node, PCMK_XA_PATH, path);
     *already_included = g_list_prepend(*already_included, path);
 
     xmlAddChild(file_node, xmlNewCDataBlock(parent->doc, (pcmkXmlStr) contents,
                                             strlen(contents)));
 
     /* Scan the file for any <externalRef> or <include> nodes and build up
      * a list of the files they reference.
      */
     external_refs_in_schema(&includes, contents);
 
     /* For each referenced file, recurse to add it (and potentially anything it
      * references, ...) to the XML.
      */
     for (GList *iter = includes; iter != NULL; iter = iter->next) {
         add_schema_file_to_xml(parent, iter->data, already_included);
     }
 
     free(contents);
     g_list_free_full(includes, free);
 }
 
 /*!
  * \internal
  * \brief Add an XML schema file and all the files it references as children
  *        of a given XML node
  *
  * \param[in,out] parent            The parent XML node
  * \param[in] name                  The schema version to compare against
  *                                  (for example, "pacemaker-3.1" or "pacemaker-3.1.rng")
  * \param[in,out] already_included  A list of names that have already been added
  *                                  to the parent node.
  *
  * \note The caller is responsible for freeing both the returned list and
  *       the elements of the list
  */
 void
 pcmk__build_schema_xml_node(xmlNode *parent, const char *name, GList **already_included)
 {
     xmlNode *schema_node = pcmk__xe_create(parent, PCMK__XA_SCHEMA);
 
     crm_xml_add(schema_node, PCMK_XA_VERSION, name);
     add_schema_file_to_xml(schema_node, name, already_included);
 
     if (schema_node->children == NULL) {
         // Not needed if empty. May happen if name was invalid, for example.
         pcmk__xml_free(schema_node);
     }
 }
 
 /*!
  * \internal
  * \brief Return the directory containing any extra schema files that a
  *        Pacemaker Remote node fetched from the cluster
  */
 const char *
 pcmk__remote_schema_dir(void)
 {
     const char *dir = pcmk__env_option(PCMK__ENV_REMOTE_SCHEMA_DIRECTORY);
 
     if (pcmk__str_empty(dir)) {
         return PCMK__REMOTE_SCHEMA_DIR;
     }
 
     return dir;
 }
 
 /*!
  * \internal
  * \brief Warn if a given validation schema is deprecated
  *
  * \param[in] Schema name to check
  */
 void
 pcmk__warn_if_schema_deprecated(const char *schema)
 {
-    if (pcmk__str_eq(schema, PCMK_VALUE_NONE,
-                     pcmk__str_none|pcmk__str_null_matches)) {
+    /* @COMPAT Disabling validation is deprecated since 2.1.8, but
+     * resource-agents' ocf-shellfuncs (at least as of 4.15.1) uses it
+     */
+    if (pcmk__str_eq(schema, PCMK_VALUE_NONE, pcmk__str_none)) {
         pcmk__config_warn("Support for " PCMK_XA_VALIDATE_WITH "='%s' is "
                           "deprecated and will be removed in a future release "
                           "without the possibility of upgrades (manually edit "
-                          "to use a supported schema)", pcmk__s(schema, ""));
+                          "to use a supported schema)", schema);
     }
 }
 
 // Deprecated functions kept only for backward API compatibility
 // LCOV_EXCL_START
 
 #include <crm/common/xml_compat.h>
 
 gboolean
 cli_config_update(xmlNode **xml, int *best_version, gboolean to_logs)
 {
     int rc = pcmk__update_configured_schema(xml, to_logs);
 
     if (best_version != NULL) {
         const char *name = crm_element_value(*xml, PCMK_XA_VALIDATE_WITH);
 
         if (name == NULL) {
             *best_version = -1;
         } else {
             GList *entry = pcmk__get_schema(name);
             pcmk__schema_t *schema = (entry == NULL)? NULL : entry->data;
 
             *best_version = (schema == NULL)? -1 : schema->schema_index;
         }
     }
     return (rc == pcmk_rc_ok)? TRUE: FALSE;
 }
 
 // LCOV_EXCL_STOP
 // End deprecated API
diff --git a/lib/common/tests/schemas/pcmk__cmp_schemas_by_name_test.c b/lib/common/tests/schemas/pcmk__cmp_schemas_by_name_test.c
index 608e28b27d..fa5d76f6f6 100644
--- a/lib/common/tests/schemas/pcmk__cmp_schemas_by_name_test.c
+++ b/lib/common/tests/schemas/pcmk__cmp_schemas_by_name_test.c
@@ -1,91 +1,93 @@
 /*
  * Copyright 2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU General Public License version 2
  * or later (GPLv2+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <crm/common/xml.h>
 #include <crm/common/unittest_internal.h>
 #include <crm/common/xml_internal.h>
 #include "crmcommon_private.h"
 
 static int
 setup(void **state)
 {
     setenv("PCMK_schema_directory", PCMK__TEST_SCHEMA_DIR, 1);
     pcmk__schema_init();
     return 0;
 }
 
 static int
 teardown(void **state)
 {
     pcmk__schema_cleanup();
     unsetenv("PCMK_schema_directory");
     return 0;
 }
 
-// NULL schema name defaults to the "none" schema
-// @COMPAT none is deprecated since 2.1.8
-
+// Unknown schemas (including NULL) are unsupported, but sort first as failsafe
 static void
 unknown_is_lesser(void **state)
 {
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-0.1",
                                           "pacemaker-0.2") == 0);
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-0.1",
                                           "pacemaker-1.0") < 0);
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.0",
                                           "pacemaker-0.1") > 0);
-    assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.1", NULL) < 0);
-    assert_true(pcmk__cmp_schemas_by_name(NULL, "pacemaker-0.0") > 0);
+    assert_true(pcmk__cmp_schemas_by_name("pacemaker-0.1",
+                                          PCMK_VALUE_NONE) < 0);
+    assert_true(pcmk__cmp_schemas_by_name(PCMK_VALUE_NONE,
+                                          "pacemaker-0.1") > 0);
+    assert_true(pcmk__cmp_schemas_by_name(NULL, NULL) == 0);
+    assert_true(pcmk__cmp_schemas_by_name(NULL, "pacemaker-0.0") == 0);
+    assert_true(pcmk__cmp_schemas_by_name(NULL, "pacemaker-2.0") < 0);
+    assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.3", NULL) > 0);
+    assert_true(pcmk__cmp_schemas_by_name(NULL, PCMK_VALUE_NONE) < 0);
+    assert_true(pcmk__cmp_schemas_by_name(PCMK_VALUE_NONE, NULL) > 0);
 }
 
 // @COMPAT none is deprecated since 2.1.8
 static void
 none_is_greater(void **state)
 {
-    assert_true(pcmk__cmp_schemas_by_name(NULL, NULL) == 0);
-    assert_true(pcmk__cmp_schemas_by_name(NULL, PCMK_VALUE_NONE) == 0);
-    assert_true(pcmk__cmp_schemas_by_name(PCMK_VALUE_NONE, NULL) == 0);
     assert_true(pcmk__cmp_schemas_by_name(PCMK_VALUE_NONE,
                                           PCMK_VALUE_NONE) == 0);
-
-    assert_true(pcmk__cmp_schemas_by_name("pacemaker-3.0",
+    assert_true(pcmk__cmp_schemas_by_name("pacemaker-3.10",
                                           PCMK_VALUE_NONE) < 0);
     assert_true(pcmk__cmp_schemas_by_name(PCMK_VALUE_NONE,
                                           "pacemaker-1.0") > 0);
 }
 
 static void
 known_numeric(void **state)
 {
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.0",
                                           "pacemaker-1.0") == 0);
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.2",
                                           "pacemaker-1.0") > 0);
     assert_true(pcmk__cmp_schemas_by_name("pacemaker-1.2",
                                           "pacemaker-2.0") < 0);
 }
 
 static void
 case_sensitive(void **state)
 {
     assert_true(pcmk__cmp_schemas_by_name("Pacemaker-1.0",
                                           "pacemaker-1.0") != 0);
     assert_true(pcmk__cmp_schemas_by_name("PACEMAKER-1.2",
                                           "pacemaker-1.2") != 0);
     assert_true(pcmk__cmp_schemas_by_name("PaceMaker-2.0",
                                           "pacemaker-2.0") != 0);
 }
 
 PCMK__UNIT_TEST(setup, teardown,
                 cmocka_unit_test(unknown_is_lesser),
                 cmocka_unit_test(none_is_greater),
                 cmocka_unit_test(known_numeric),
                 cmocka_unit_test(case_sensitive));
diff --git a/lib/common/tests/schemas/pcmk__get_schema_test.c b/lib/common/tests/schemas/pcmk__get_schema_test.c
index d1302481ba..3990171ff5 100644
--- a/lib/common/tests/schemas/pcmk__get_schema_test.c
+++ b/lib/common/tests/schemas/pcmk__get_schema_test.c
@@ -1,81 +1,79 @@
 /*
  * Copyright 2023-2024 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
  * This source code is licensed under the GNU General Public License version 2
  * or later (GPLv2+) WITHOUT ANY WARRANTY.
  */
 
 #include <crm_internal.h>
 
 #include <crm/common/xml.h>
 #include <crm/common/unittest_internal.h>
 #include <crm/common/xml_internal.h>
 #include "crmcommon_private.h"
 
 static int
 setup(void **state)
 {
     setenv("PCMK_schema_directory", PCMK__TEST_SCHEMA_DIR, 1);
     pcmk__schema_init();
     return 0;
 }
 
 static int
 teardown(void **state)
 {
     pcmk__schema_cleanup();
     unsetenv("PCMK_schema_directory");
     return 0;
 }
 
 static void
 assert_schema(const char *name, int expected_index)
 {
     GList *schema_entry = NULL;
     pcmk__schema_t *schema = NULL;
 
     schema_entry = pcmk__get_schema(name);
     assert_non_null(schema_entry);
 
     schema = schema_entry->data;
     assert_non_null(schema);
 
     assert_int_equal(schema->schema_index, expected_index);
 }
 
 static void
 unknown_schema(void **state)
 {
+    assert_null(pcmk__get_schema(NULL));
     assert_null(pcmk__get_schema(""));
     assert_null(pcmk__get_schema("blahblah"));
     assert_null(pcmk__get_schema("pacemaker-2.47"));
     assert_null(pcmk__get_schema("pacemaker-47.0"));
 }
 
 static void
 known_schema(void **state)
 {
-    // @COMPAT none is deprecated since 2.1.8
-    assert_schema(NULL, 15); // defaults to "none"
-
     assert_schema("pacemaker-1.0", 0);
     assert_schema("pacemaker-1.2", 1);
     assert_schema("pacemaker-2.0", 3);
     assert_schema("pacemaker-2.5", 8);
     assert_schema("pacemaker-3.0", 14);
 }
 
 static void
 case_sensitive(void **state)
 {
     assert_null(pcmk__get_schema("PACEMAKER-1.0"));
     assert_null(pcmk__get_schema("pAcEmAkEr-2.0"));
     assert_null(pcmk__get_schema("paceMAKER-3.0"));
 }
 
 PCMK__UNIT_TEST(setup, teardown,
                 cmocka_unit_test(unknown_schema),
                 cmocka_unit_test(known_schema),
                 cmocka_unit_test(case_sensitive));
diff --git a/xml/Makefile.am b/xml/Makefile.am
index be3c29dda3..f5ed1321cc 100644
--- a/xml/Makefile.am
+++ b/xml/Makefile.am
@@ -1,289 +1,287 @@
 #
 # Copyright 2004-2024 the Pacemaker project contributors
 #
 # The version control history for this file may have further details.
 #
 # This source code is licensed under the GNU General Public License version 2
 # or later (GPLv2+) WITHOUT ANY WARRANTY.
 #
 
 include $(top_srcdir)/mk/common.mk
 
 noarch_pkgconfig_DATA	= $(builddir)/pacemaker-schemas.pc
 
 # Pacemaker has 3 schemas: the CIB schema, the API schema (for command-line
 # tool XML output), and a legacy schema for crm_mon --as-xml.
 #
 # See README.md for details on updating CIB schema files (API is similar)
 
 # The CIB and crm_mon schemas are installed directly in PCMK_SCHEMA_DIR
 # for historical reasons, while the API schema is installed in a subdirectory.
 APIdir	= $(PCMK_SCHEMA_DIR)/api
 CIBdir	= $(PCMK_SCHEMA_DIR)
 MONdir	= $(PCMK_SCHEMA_DIR)
 
 basexsltdir		= $(PCMK_SCHEMA_DIR)/base
 dist_basexslt_DATA	= $(srcdir)/base/access-render-2.xsl
 
 # Extract a sorted list of available numeric schema versions
 # from filenames like NAME-MAJOR[.MINOR][.MINOR-MINOR].rng
 numeric_versions = $(shell ls -1 $(1) \
 			  | sed -n -e 's/^.*-\([0-9][0-9.]*\).rng$$/\1/p' \
 			  | sort -u -t. -k 1,1n -k 2,2n -k 3,3n)
 
 version_pairs = $(join \
 			    $(1),$(addprefix \
 			      -,$(wordlist \
 			        2,$(words $(1)),$(1) \
 			      ) \
 			    ) \
 			  )
 
 version_pairs_last = $(wordlist \
 			    $(words \
 			      $(wordlist \
 			        2,$(1),$(2) \
 			      ) \
 			    ),$(1),$(2) \
 			  )
 
 # NOTE: All files in API_request_base, CIB_cfg_base, API_base, and CIB_base
 # need to start with a unique prefix.  These variables all get iterated over
 # and globbed, and two files starting with the same prefix will cause
 # problems.
 
 # Names of API schemas that form the choices for pacemaker-result content
 API_request_base	= command-output	\
 			  crm_attribute 	\
 			  crm_error 		\
 			  crm_mon 		\
 			  crm_node 		\
 			  crm_resource		\
 			  crm_rule 		\
 			  crm_shadow		\
 			  crm_simulate		\
 			  crm_ticket 		\
 			  crmadmin		\
 			  digests		\
 			  iso8601		\
 			  pacemakerd 		\
 			  stonith_admin		\
 			  version
 
 # Names of CIB schemas that form the choices for cib/configuration content
 CIB_cfg_base		= options 	\
 			  nodes 	\
 			  resources 	\
 			  constraints 	\
 			  fencing 	\
 			  acls 		\
 			  tags 		\
 			  alerts
 
 # Names of all schemas (including top level and those included by others)
 API_base		= $(API_request_base)	\
 			  any-element		\
 			  failure		\
 			  fence-event 		\
 			  generic-list		\
 			  instruction		\
 			  item			\
 			  node-attrs		\
 			  node-history		\
 			  nodes			\
 			  ocf-ra		\
 			  options		\
 			  patchset		\
 			  resources		\
 			  status		\
 			  subprocess-output 	\
 			  ticket
 
 CIB_base		= cib 			\
 			  $(CIB_cfg_base) 	\
 			  status 		\
 			  score 		\
 			  rule 			\
 			  nvset
 
 # Static schema files and transforms (only CIB has transforms)
 # 
 # This is more complicated than it should be due to the need to support
 # VPATH builds and "make distcheck". We need the absolute paths for reliable
 # substitution back and forth, and relative paths for distributed files.
 API_abs_files		= $(foreach base,$(API_base),$(wildcard $(abs_srcdir)/api/$(base)-*.rng))
 CIB_abs_files		= $(foreach base,$(CIB_base),$(wildcard $(abs_srcdir)/$(base).rng $(abs_srcdir)/$(base)-*.rng))
 CIB_abs_xsl		= $(abs_srcdir)/upgrade-1.3-0.xsl		\
 			  $(wildcard $(abs_srcdir)/upgrade-2.10-[0-2].xsl)	\
 			  $(wildcard $(abs_srcdir)/upgrade-3.10-*.xsl)
 MON_abs_files 		= $(abs_srcdir)/crm_mon.rng
 API_files		= $(foreach base,$(API_base),$(wildcard $(srcdir)/api/$(base)-*.rng))
 CIB_files		= $(foreach base,$(CIB_base),$(wildcard $(srcdir)/$(base).rng $(srcdir)/$(base)-*.rng))
 CIB_xsl			= $(srcdir)/upgrade-1.3-0.xsl			\
 			  $(wildcard $(srcdir)/upgrade-2.10-[0-2].xsl)	\
 			  $(wildcard $(srcdir)/upgrade-3.10-*.xsl)
 MON_files 		= $(srcdir)/crm_mon.rng
 
 # Sorted lists of all schema versions
 API_versions	= $(call numeric_versions,${API_files})
 CIB_versions	= $(call numeric_versions,${CIB_files})
 MON_versions 	= $(call numeric_versions,$(wildcard $(srcdir)/api/crm_mon*.rng))
 
 # The highest numeric schema version
 API_max			?= $(lastword $(API_versions))
 CIB_max			?= $(lastword $(CIB_versions))
 MON_max 		?= $(lastword $(MON_versions))
 
 # Build tree locations of static schema files and transforms (for VPATH builds)
 API_build_copies	= $(foreach f,$(API_abs_files),$(subst $(abs_srcdir),$(abs_builddir),$(f)))
 CIB_build_copies	= $(foreach f,$(CIB_abs_files) $(CIB_abs_xsl),$(subst $(abs_srcdir),$(abs_builddir),$(f)))
 MON_build_copies 	= $(foreach f,$(MON_abs_files),$(subst $(abs_srcdir),$(abs_builddir),$(f)))
 
 # Dynamically generated schema files
 API_generated		= api/api-result.rng $(foreach base,$(API_versions),api/api-result-$(base).rng)
 CIB_generated		= pacemaker.rng 					\
 			  $(foreach base,$(CIB_versions),pacemaker-$(base).rng) \
 			  versions.rng
 MON_generated 		= crm_mon.rng
 
 CIB_version_pairs	= $(call version_pairs,${CIB_versions})
 CIB_version_pairs_cnt	= $(words ${CIB_version_pairs})
 CIB_version_pairs_last  = $(call version_pairs_last,${CIB_version_pairs_cnt},${CIB_version_pairs})
 
 dist_API_DATA		= $(API_files)
 dist_CIB_DATA		= $(CIB_files) \
 			  $(CIB_xsl)
 
 nodist_API_DATA		= $(API_generated)
 nodist_CIB_DATA		= $(CIB_generated)
 nodist_MON_DATA		= $(MON_generated)
 
 EXTRA_DIST		= README.md			\
 			  cibtr-2.rng			\
 			  context-of.xsl		\
 			  rng-helper			\
 			  ocf-meta2man.xsl		\
 			  upgrade-detail.xsl		\
 			  xslt_cibtr-2.rng
 
 .PHONY: cib-versions
 cib-versions:
 	@echo "Max: $(CIB_max)"
 	@echo "Available: $(CIB_versions)"
 
 .PHONY: api-versions
 api-versions:
 	@echo "Max: $(API_max)"
 	@echo "Available: $(API_versions)"
 
 # Dynamically generated top-level API schema
 api/api-result.rng: api/api-result-$(API_max).rng
 	$(AM_V_at)$(MKDIR_P) api # might not exist in VPATH build
 	$(AM_V_SCHEMA)cp $(top_builddir)/xml/$< $@
 
 api/api-result-%.rng: $(API_build_copies) rng-helper Makefile.am
 	$(AM_V_SCHEMA)$(builddir)/rng-helper build_api_rng "$@" "$*" \
 		$(API_request_base)
 
 crm_mon.rng: api/crm_mon-$(MON_max).rng
 	$(AM_V_at)echo '<?xml version="1.0" encoding="UTF-8"?>' > $@
 	$(AM_V_at)echo '<grammar xmlns="http://relaxng.org/ns/structure/1.0"' >> $@
 	$(AM_V_at)echo '         datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">' >> $@
 	$(AM_V_at)echo '    <start>' >> $@
 	$(AM_V_at)echo '        <ref name="element-crm_mon-old"/>' >> $@
 	$(AM_V_at)echo '    </start>' >> $@
 	$(AM_V_at)echo '    <define name="element-crm_mon-old">' >> $@
 	$(AM_V_at)echo '        <element name="crm_mon">' >> $@
 	$(AM_V_at)echo '            <attribute name="version"> <text/> </attribute>' >> $@
 	$(AM_V_at)echo '            <externalRef href="$(<)" />' >> $@
 	$(AM_V_at)echo '        </element>' >> $@
 	$(AM_V_at)echo '    </define>' >> $@
 	$(AM_V_SCHEMA)echo '</grammar>' >> $@
 
 # Dynamically generated top-level CIB schema
 pacemaker.rng: pacemaker-$(CIB_max).rng
 	$(AM_V_SCHEMA)cp $(top_builddir)/xml/$< $@
 
 pacemaker-%.rng: $(CIB_build_copies) rng-helper Makefile.am
 	$(AM_V_SCHEMA)$(builddir)/rng-helper build_cib_rng "$@" "$*" \
 		$(CIB_cfg_base)
 
 # Dynamically generated CIB schema listing all pacemaker versions
 #
-# @COMPAT none is deprecated since 2.1.8, as is validate-with being optional
+# @COMPAT "none" is deprecated since 2.1.8
 versions.rng: pacemaker-$(CIB_max).rng Makefile.am
 	$(AM_V_at)echo '<?xml version="1.0" encoding="UTF-8"?>' > $@
 	$(AM_V_at)echo '<grammar xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">' >> $@
 	$(AM_V_at)echo '  <start>' >> $@
 	$(AM_V_at)echo '   <interleave>' >> $@
-	$(AM_V_at)echo '    <optional>' >> $@
-	$(AM_V_at)echo '      <attribute name="validate-with">' >> $@
-	$(AM_V_at)echo '        <choice>' >> $@
-	$(AM_V_at)echo '          <value>none</value>' >> $@
-	$(AM_V_at)for rng in $(CIB_versions); do echo "          <value>pacemaker-$$rng</value>" >> $@; done
-	$(AM_V_at)echo '        </choice>' >> $@
-	$(AM_V_at)echo '      </attribute>' >> $@
-	$(AM_V_at)echo '    </optional>' >> $@
+	$(AM_V_at)echo '    <attribute name="validate-with">' >> $@
+	$(AM_V_at)echo '      <choice>' >> $@
+	$(AM_V_at)echo '        <value>none</value>' >> $@
+	$(AM_V_at)for rng in $(CIB_versions); do echo "        <value>pacemaker-$$rng</value>" >> $@; done
+	$(AM_V_at)echo '      </choice>' >> $@
+	$(AM_V_at)echo '    </attribute>' >> $@
 	$(AM_V_at)echo '    <attribute name="admin_epoch"><data type="nonNegativeInteger"/></attribute>' >> $@
 	$(AM_V_at)echo '    <attribute name="epoch"><data type="nonNegativeInteger"/></attribute>' >> $@
 	$(AM_V_at)echo '    <attribute name="num_updates"><data type="nonNegativeInteger"/></attribute>' >> $@
 	$(AM_V_at)echo '   </interleave>' >> $@
 	$(AM_V_at)echo '  </start>' >> $@
 	$(AM_V_SCHEMA)echo '</grammar>' >> $@
 
 schemas:
 	@if [ -z "$$SCHEMAS" ]; then \
 		ls *.rng; \
 		ls *.rng | sort -V | awk 'gsub("-[0-9.]+.rng", ""){if (last != $$0) {print; last=$$0} }'; \
 		printf "\nusage: make schemas SCHEMAS=\"<schema1 schema2 ...>\" [NEW_VERSION=\"<new-version>\"]\n \
 			\nNot specifying NEW_VERSION will increase the last field of the newest version of the schema(s).\n"; \
 	else \
 		if [ -z "$$NEW_VERSION" ]; then \
 			OLD_VERSION=$$(ls *[0-9].rng | awk -F'-' 'gsub(".rng$$", "") {print $$NF}' | sort -Vu | tail -1); \
 			lf=$$(echo "$$OLD_VERSION" | awk -F"." '{print $$NF}'); \
 			! echo "$$lf" | grep -q "^[[:digit:]]\+$$" && echo "Unable to detect version. Use NEW_VERSION= to specify version." && exit 1; \
 			lf=$$((lf+1)); \
 			NEW_VERSION=$$(echo "$$OLD_VERSION" | sed "s/[0-9]\+$$/$$lf/"); \
 		fi; \
 		for schema in $$SCHEMAS; do \
 			old_schema=$$(ls $$schema-[0-9]*.rng | sort -V | tail -1); \
 			new_schema=$$schema-$$NEW_VERSION.rng; \
 			echo "Copying $$old_schema to $$new_schema"; \
 			cp -n "$$old_schema" "$$new_schema"; \
 		done \
 	fi
 
 
 .PHONY: diff
 diff: rng-helper
 	@echo "#  Comparing changes in + since $(CIB_max)"
 	@$(builddir)/rng-helper diff ${CIB_version_pairs_last}
 
 .PHONY: fulldiff
 fulldiff: rng-helper
 	@echo "#  Comparing all changes across all the subsequent increments"
 	@$(builddir)/rng-helper diff ${CIB_version_pairs}
 
 CLEANFILES = $(API_generated) \
 	     $(CIB_generated) \
 	     $(MON_generated)
 
 # Remove pacemaker schema files generated by *any* source version. This allows
 # "make -C xml clean" to have the desired effect when checking out an earlier
 # revision in a source tree.
 .PHONY: clean-local
 clean-local:
 	if [ "x$(srcdir)" != "x$(builddir)" ]; then					\
 		rm -f $(API_build_copies) $(CIB_build_copies) $(MON_build_copies);	\
 	fi
 	rm -f $(builddir)/pacemaker-[0-9]*.[0-9]*.rng
 
 # Enable ability to use $@ in prerequisite
 .SECONDEXPANSION:
 
 # For VPATH builds, copy the static schema files into the build tree
 $(API_build_copies) $(CIB_build_copies) $(MON_build_copies): $$(subst $(abs_builddir),$(srcdir),$$(@))
 	$(AM_V_GEN)if [ "x$(srcdir)" != "x$(builddir)" ]; then	\
 		$(MKDIR_P) "$(dir $(@))";			\
 		cp "$(<)" "$(@)";				\
 	fi