Option to force primary CARP firewall to lowest priority for upgrades, etc
If you upgrade the secondary first, reboot the secondary, switch to the secondary to test, upgrade the primary, and reboot the primary, the primary can take over before it is fully ready to function. It can take time for packages to re-install, and some services just take a lot of time to start fully. This would be downtime for setups that have squid, haproxy, etc. installed if the primary takes over before those packages are installed.
I noticed a bug report made for just normal startup needing a delay if there are packages that take time to just start up. With the info above though I am wondering if that is especially needed for upgrades (or just a full restore) because of package reinstall.
http://redmine.pfsense.org/issues/2218

Ideally CARP would never take over unless the system is fully booted, all services are started, and all packages are re-installed if they were triggered to do so during boot. A configurable maximum timeout to wait would be nice too. Some systems install packages very slowly and would need much larger timeouts. It has been recommended, though, when going from 1.0.x to 2.0.x, to uninstall packages before upgrading and then install them again afterwards. In those situations this would not help. We would still need a way to keep the primary from taking over CARP until we manually install the packages that we removed before the upgrade…
Just having an easy way to force the primary to the lowest priority manually, and have that persist over a reboot during times like this, would be a big help.