fix 'change_service_location' misuse and recovery from fencing
First rename the change_service_location method from the environment
to an more fitting name, 'steal_service'.
The 'change_service_location' from the virtual hardware class stays
at it is, because there the name fits (those function have not the
same meaning, so it's good that they named different now).
As we misused the config steal method (former
change_service_location) in the stopped state to process the
services from fenced nodes we need another way now.
This is achieved through the private method 'recover_fenced_service'
which is now the only place who has the right to steal a service
from an node.
When a node was successfully fenced we no longer change its services
state to 'stopped', rather we drop that hack and search a new node
in 'recover_fenced_service', if found we the steal the service and
move it to from the fenced to the new (recovery) node and place it
there in the 'started' state, after that the state machine is able
to handle the rest.
If we do not find a node we try again next round as that is better
then placing it in the error state, because so we have still a
chance to recover, which we do not have with the error state.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>