Zone network configuration service (oxidecomputer#4677)

As part of the work for [self assembling
zones](oxidecomputer#1898), it was
[suggested](oxidecomputer#4534 (comment))
to break the network configuration out into a separate service.

## Implementation

This PR introduces a new SMF service `oxide/zone-network-setup`, which
sets up the common initial zone networking configuration for each self
assembled zone.

Each of the "self assembled zone" services will now depend on this new
service to run, and all properties relating to zone network
configuration have been removed from these services.

The executable which does the actual zone networking setup, is built as
a tiny CLI. It takes advantage of clap's parsing validation to make sure
we have all of the properties present, and in the format they are
intended to be.

## Caveats

There are two remaining self assembled zones that don't depend on this
new service yet (crucible and crucible-pantry). As these two zones need
coordinated PRs with the crucible repo, I'd like to implement these in a
follow up PR once this one is approved and merged.

Cargo.toml

@@ -69,6 +69,7 @@ members = [
     "wicket",
     "wicketd",
     "workspace-hack",
+    "zone-network-setup",
 ]
 
 default-members = [
@@ -137,6 +138,7 @@ default-members = [
     "wicket-dbg",
     "wicket",
     "wicketd",
+    "zone-network-setup",
 ]
 resolver = "2"
 
@@ -167,7 +169,7 @@ chacha20poly1305 = "0.10.1"
 ciborium = "0.2.1"
 cfg-if = "1.0"
 chrono = { version = "0.4", features = [ "serde" ] }
-clap = { version = "4.4", features = ["derive", "env", "wrap_help"] }
+clap = { version = "4.4", features = ["cargo", "derive", "env", "wrap_help"] }
 cookie = "0.18"
 criterion = { version = "0.5.1", features = [ "async_tokio" ] }
 crossbeam = "0.8"

illumos-utils/src/ipadm.rs

@@ -0,0 +1,110 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Utilities for managing IP interfaces.
+
+use crate::zone::IPADM;
+use crate::{execute, ExecutionError, PFEXEC};
+use std::net::Ipv6Addr;
+
+/// Wraps commands for interacting with interfaces.
+pub struct Ipadm {}
+
+#[cfg_attr(any(test, feature = "testing"), mockall::automock)]
+impl Ipadm {
+    // Remove current IP interface and create a new temporary one.
+    pub fn set_temp_interface_for_datalink(
+        datalink: &str,
+    ) -> Result<(), ExecutionError> {
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[IPADM, "delete-if", datalink]);
+        // First we remove IP interface if it already exists. If it doesn't
+        // exist and the command returns an error we continue anyway as
+        // the next step is to create it.
+        let _ = execute(cmd);
+
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[IPADM, "create-if", "-t", datalink]);
+        execute(cmd)?;
+        Ok(())
+    }
+
+    // Set MTU to 9000 on both IPv4 and IPv6
+    pub fn set_interface_mtu(datalink: &str) -> Result<(), ExecutionError> {
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[
+            IPADM,
+            "set-ifprop",
+            "-t",
+            "-p",
+            "mtu=9000",
+            "-m",
+            "ipv4",
+            datalink,
+        ]);
+        execute(cmd)?;
+
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[
+            IPADM,
+            "set-ifprop",
+            "-t",
+            "-p",
+            "mtu=9000",
+            "-m",
+            "ipv6",
+            datalink,
+        ]);
+        execute(cmd)?;
+        Ok(())
+    }
+
+    pub fn create_static_and_autoconfigured_addrs(
+        datalink: &str,
+        listen_addr: &Ipv6Addr,
+    ) -> Result<(), ExecutionError> {
+        // Create auto-configured address on the IP interface if it doesn't already exist
+        let addrobj = format!("{}/ll", datalink);
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[IPADM, "show-addr", &addrobj]);
+        match execute(cmd) {
+            Err(_) => {
+                let mut cmd = std::process::Command::new(PFEXEC);
+                let cmd = cmd.args(&[
+                    IPADM,
+                    "create-addr",
+                    "-t",
+                    "-T",
+                    "addrconf",
+                    &addrobj,
+                ]);
+                execute(cmd)?;
+            }
+            Ok(_) => (),
+        };
+
+        // Create static address on the IP interface if it doesn't already exist
+        let addrobj = format!("{}/omicron6", datalink);
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[IPADM, "show-addr", &addrobj]);
+        match execute(cmd) {
+            Err(_) => {
+                let mut cmd = std::process::Command::new(PFEXEC);
+                let cmd = cmd.args(&[
+                    IPADM,
+                    "create-addr",
+                    "-t",
+                    "-T",
+                    "static",
+                    "-a",
+                    &listen_addr.to_string(),
+                    &addrobj,
+                ]);
+                execute(cmd)?;
+            }
+            Ok(_) => (),
+        };
+        Ok(())
+    }
+}

illumos-utils/src/lib.rs

@@ -16,9 +16,11 @@ pub mod dkio;
 pub mod dladm;
 pub mod dumpadm;
 pub mod fstyp;
+pub mod ipadm;
 pub mod libc;
 pub mod link;
 pub mod opte;
+pub mod route;
 pub mod running_zone;
 pub mod scf;
 pub mod svc;
@@ -70,7 +72,7 @@ pub enum ExecutionError {
 mod inner {
     use super::*;
 
-    fn to_string(command: &mut std::process::Command) -> String {
+    pub fn to_string(command: &mut std::process::Command) -> String {
         command
             .get_args()
             .map(|s| s.to_string_lossy().into())

illumos-utils/src/route.rs

@@ -0,0 +1,59 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Utilities for manipulating the routing tables.
+
+use crate::zone::ROUTE;
+use crate::{execute, inner, output_to_exec_error, ExecutionError, PFEXEC};
+use libc::ESRCH;
+use std::net::Ipv6Addr;
+
+/// Wraps commands for interacting with routing tables.
+pub struct Route {}
+
+#[cfg_attr(any(test, feature = "testing"), mockall::automock)]
+impl Route {
+    pub fn ensure_default_route_with_gateway(
+        gateway: &Ipv6Addr,
+    ) -> Result<(), ExecutionError> {
+        // Add the desired route if it doesn't already exist
+        let destination = "default";
+        let mut cmd = std::process::Command::new(PFEXEC);
+        let cmd = cmd.args(&[
+            ROUTE,
+            "-n",
+            "get",
+            "-inet6",
+            destination,
+            "-inet6",
+            &gateway.to_string(),
+        ]);
+
+        let out =
+            cmd.output().map_err(|err| ExecutionError::ExecutionStart {
+                command: inner::to_string(cmd),
+                err,
+            })?;
+        match out.status.code() {
+            Some(0) => (),
+            // If the entry is not found in the table,
+            // the exit status of the command will be 3 (ESRCH).
+            // When that is the case, we'll add the route.
+            Some(ESRCH) => {
+                let mut cmd = std::process::Command::new(PFEXEC);
+                let cmd = cmd.args(&[
+                    ROUTE,
+                    "add",
+                    "-inet6",
+                    destination,
+                    "-inet6",
+                    &gateway.to_string(),
+                ]);
+                execute(cmd)?;
+            }
+            Some(_) | None => return Err(output_to_exec_error(cmd, &out)),
+        };
+        Ok(())
+    }
+}

illumos-utils/src/zone.rs

@@ -22,6 +22,7 @@ pub const IPADM: &str = "/usr/sbin/ipadm";
 pub const SVCADM: &str = "/usr/sbin/svcadm";
 pub const SVCCFG: &str = "/usr/sbin/svccfg";
 pub const ZLOGIN: &str = "/usr/sbin/zlogin";
+pub const ROUTE: &str = "/usr/sbin/route";
 
 // TODO: These could become enums
 pub const ZONE_PREFIX: &str = "oxz_";

package-manifest.toml

@@ -132,7 +132,7 @@ output.type = "zone"
 service_name = "clickhouse"
 only_for_targets.image = "standard"
 source.type = "composite"
-source.packages = [ "clickhouse_svc.tar.gz", "internal-dns-cli.tar.gz" ]
+source.packages = [ "clickhouse_svc.tar.gz", "internal-dns-cli.tar.gz", "zone-network-setup.tar.gz" ]
 output.type = "zone"
 
 [package.clickhouse_svc]
@@ -153,7 +153,7 @@ setup_hint = "Run `./tools/ci_download_clickhouse` to download the necessary bin
 service_name = "clickhouse_keeper"
 only_for_targets.image = "standard"
 source.type = "composite"
-source.packages = [ "clickhouse_keeper_svc.tar.gz", "internal-dns-cli.tar.gz" ]
+source.packages = [ "clickhouse_keeper_svc.tar.gz", "internal-dns-cli.tar.gz", "zone-network-setup.tar.gz" ]
 output.type = "zone"
 
 [package.clickhouse_keeper_svc]
@@ -174,7 +174,7 @@ setup_hint = "Run `./tools/ci_download_clickhouse` to download the necessary bin
 service_name = "cockroachdb"
 only_for_targets.image = "standard"
 source.type = "composite"
-source.packages = [ "cockroachdb-service.tar.gz", "internal-dns-cli.tar.gz" ]
+source.packages = [ "cockroachdb-service.tar.gz", "internal-dns-cli.tar.gz", "zone-network-setup.tar.gz" ]
 output.type = "zone"
 
 [package.cockroachdb-service]
@@ -613,3 +613,15 @@ source.packages = [
   "sp-sim-softnpu.tar.gz"
 ]
 output.type = "zone"
+
+[package.zone-network-setup]
+service_name = "zone-network-setup"
+only_for_targets.image = "standard"
+source.type = "local"
+source.rust.binary_names = ["zone-networking"]
+source.rust.release = true
+source.paths = [
+    { from = "smf/zone-network-setup/manifest.xml", to = "/var/svc/manifest/site/zone-network-setup/manifest.xml" },
+]
+output.type = "zone"
+output.intermediate_only = true