From 09627eaf0ea3047b4568fd09193649afdd8fc0d6 Mon Sep 17 00:00:00 2001
From: John Gallagher
Date: Tue, 30 Apr 2024 14:04:44 -0400
Subject: [PATCH] [wicketd] Pass RSS a /56 rack subnet instead of a raw IP address (/128) (#5668)
I think this should fix #5665. I checked a4x2 and it has a `/56`, so I think #5665 is specific to RSS when it's been run via wicket. I'll try this on madrid once a TUF repo is built. I opened #5669 for the fact that our types allow this mistake; e.g., I think both https://github.com/oxidecomputer/omicron/blob/9c90e4b54694e8b4bec1884306d2626dcd062246/common/src/api/internal/shared.rs#L162 and https://github.com/oxidecomputer/omicron/blob/9c90e4b54694e8b4bec1884306d2626dcd062246/nexus/db-model/src/rack.rs#L19 are incorrect in that they allow any network size, and both should probably be `Ipv6Net` instead. Fixing that is not trivial because at least the former is serialized in the bootstore.
---
 Cargo.lock | 1 +
 wicketd/Cargo.toml | 1 +
 wicketd/src/rss_config.rs | 11 ++++++++---
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index e42110f831..1b59329893 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -10984,6 +10984,7 @@ dependencies = [
 "omicron-passwords",
 "omicron-test-utils",
 "omicron-workspace-hack",
+ "once_cell",
 "openapi-lint",
 "openapiv3",
 "rand 0.8.5",
diff --git a/wicketd/Cargo.toml b/wicketd/Cargo.toml
index ef9e0c2378..c440a73397 100644
--- a/wicketd/Cargo.toml
+++ b/wicketd/Cargo.toml
@@ -29,6 +29,7 @@ illumos-utils.workspace = true
 ipnetwork.workspace = true
 internal-dns.workspace = true
 itertools.workspace = true
+once_cell.workspace = true
 reqwest.workspace = true
 schemars.workspace = true
 serde.workspace = true
diff --git a/wicketd/src/rss_config.rs b/wicketd/src/rss_config.rs
index 8d782754bc..7e66f21b63 100644
--- a/wicketd/src/rss_config.rs
+++ b/wicketd/src/rss_config.rs
@@ -26,6 +26,9 @@ use gateway_client::types::SpType;
 use omicron_certificates::CertificateError;
 use omicron_common::address;
 use omicron_common::address::Ipv4Range;
+use omicron_common::address::Ipv6Subnet;
+use omicron_common::address::RACK_PREFIX;
+use once_cell::sync::Lazy;
 use sled_hardware_types::Baseboard;
 use slog::warn;
 use std::collections::BTreeSet;
@@ -38,8 +41,10 @@ use wicket_common::rack_setup::UserSpecifiedRackNetworkConfig;
 // TODO-correctness For now, we always use the same rack subnet when running
 // RSS. When we get to multirack, this will be wrong, but there are many other
 // RSS-related things that need to change then too.
-const RACK_SUBNET: Ipv6Addr =
- Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0);
+const RACK_SUBNET: Lazy> = Lazy::new(|| {
+ let ip = Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0);
+ Ipv6Subnet::new(ip)
+});
 const RECOVERY_SILO_NAME: &str = "recovery";
 const RECOVERY_SILO_USERNAME: &str = "recovery";
@@ -498,7 +503,7 @@ fn validate_rack_network_config(
 // TODO Add more client side checks on `rack_network_config` contents?
 Ok(bootstrap_agent_client::types::RackNetworkConfigV1 {
- rack_subnet: RACK_SUBNET.into(),
+ rack_subnet: RACK_SUBNET.net(),
 infra_ip_first: config.infra_ip_first,
 infra_ip_last: config.infra_ip_last,
 ports: config
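Review bot: `RACK_SUBNET` in the second `rss_config.rs` hunk is declared `const` although its value is a `once_cell::sync::Lazy`; a `const` is instantiated afresh at every use site, so `RACK_SUBNET.net()` in `validate_rack_network_config` builds a new `Lazy` and re-runs the closure each time instead of initializing once. The result is still correct, but the `Lazy` caches nothing. Changing `const RACK_SUBNET:` to `static RACK_SUBNET:` with the initializer left as it is gives the intended one-time initialization. Clippy's `declare_interior_mutable_const` lint reports this pattern. The generic arguments of `Lazy` are not visible on this page (the text reads `Lazy>`); going by the two new imports they are presumably `Ipv6Subnet<RACK_PREFIX>`.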