[wicketd] Pass RSS a /56 rack subnet instead of a raw IP address (/12…

…8) (#5668) I think this should fix #5665. I checked a4x2 and it has a `/56`, so I think #5665 is specific to RSS when it's been run via wicket. I'll try this on madrid once a TUF repo is built. I opened #5669 for the fact that our types allow this mistake; e.g., I think both https://github.com/oxidecomputer/omicron/blob/9c90e4b54694e8b4bec1884306d2626dcd062246/common/src/api/internal/shared.rs#L162 and https://github.com/oxidecomputer/omicron/blob/9c90e4b54694e8b4bec1884306d2626dcd062246/nexus/db-model/src/rack.rs#L19 are incorrect in that they allow any network size, and both should probably be `Ipv6Net<RACK_PREFIX>` instead. Fixing that is not trivial because at least the former is serialized in the bootstore.
oxidecomputer · Apr 30, 2024 · 09627ea · 09627ea
1 parent 9c90e4b
commit 09627ea
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/wicketd/Cargo.toml b/wicketd/Cargo.toml
@@ -29,6 +29,7 @@ illumos-utils.workspace = true
 ipnetwork.workspace = true
 internal-dns.workspace = true
 itertools.workspace = true
+once_cell.workspace = true
 reqwest.workspace = true
 schemars.workspace = true
 serde.workspace = true

diff --git a/wicketd/src/rss_config.rs b/wicketd/src/rss_config.rs
@@ -26,6 +26,9 @@ use gateway_client::types::SpType;
 use omicron_certificates::CertificateError;
 use omicron_common::address;
 use omicron_common::address::Ipv4Range;
+use omicron_common::address::Ipv6Subnet;
+use omicron_common::address::RACK_PREFIX;
+use once_cell::sync::Lazy;
 use sled_hardware_types::Baseboard;
 use slog::warn;
 use std::collections::BTreeSet;
@@ -38,8 +41,10 @@ use wicket_common::rack_setup::UserSpecifiedRackNetworkConfig;
 // TODO-correctness For now, we always use the same rack subnet when running
 // RSS. When we get to multirack, this will be wrong, but there are many other
 // RSS-related things that need to change then too.
-const RACK_SUBNET: Ipv6Addr =
-    Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0);
+const RACK_SUBNET: Lazy<Ipv6Subnet<RACK_PREFIX>> = Lazy::new(|| {
+    let ip = Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0);
+    Ipv6Subnet::new(ip)
+});
 
 const RECOVERY_SILO_NAME: &str = "recovery";
 const RECOVERY_SILO_USERNAME: &str = "recovery";
@@ -498,7 +503,7 @@ fn validate_rack_network_config(
     // TODO Add more client side checks on `rack_network_config` contents?
 
     Ok(bootstrap_agent_client::types::RackNetworkConfigV1 {
-        rack_subnet: RACK_SUBNET.into(),
+        rack_subnet: RACK_SUBNET.net(),
         infra_ip_first: config.infra_ip_first,
         infra_ip_last: config.infra_ip_last,
         ports: config