Merge remote-tracking branch 'origin/main' into iliana/releng

.github/workflows/hakari.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           toolchain: stable
       - name: Install cargo-hakari
-        uses: taiki-e/install-action@c2927f0c5b5adc6a76bc4a7847bc6e0503754bed # v2
+        uses: taiki-e/install-action@2f990e9c484f0590cb76a07296e9677b417493e9 # v2
         with:
           tool: cargo-hakari
       - name: Check workspace-hack Cargo.toml is up-to-date

Cargo.toml

@@ -336,7 +336,7 @@ nexus-test-utils-macros = { path = "nexus/test-utils-macros" }
 nexus-test-utils = { path = "nexus/test-utils" }
 nexus-types = { path = "nexus/types" }
 num-integer = "0.1.46"
-num = { version = "0.4.2", default-features = false, features = [ "libm" ] }
+num = { version = "0.4.3", default-features = false, features = [ "libm" ] }
 omicron-common = { path = "common" }
 omicron-gateway = { path = "gateway" }
 omicron-nexus = { path = "nexus" }
@@ -368,11 +368,11 @@ p256 = "0.13"
 parse-display = "0.9.0"
 partial-io = { version = "0.5.4", features = ["proptest1", "tokio1"] }
 parse-size = "1.0.0"
-paste = "1.0.14"
+paste = "1.0.15"
 percent-encoding = "2.3.1"
 peg = "0.8.3"
 pem = "3.0"
-petgraph = "0.6.4"
+petgraph = "0.6.5"
 postgres-protocol = "0.6.6"
 predicates = "3.1.0"
 pretty_assertions = "1.4.0"

common/src/api/external/mod.rs

@@ -1234,6 +1234,13 @@ impl DiskState {
 pub struct Ipv4Net(pub ipnetwork::Ipv4Network);
 
 impl Ipv4Net {
+    /// Constructs a new `Ipv4Net` representing a single IP.
+    pub fn single(ip: Ipv4Addr) -> Self {
+        Ipv4Net(
+            ipnetwork::Ipv4Network::new(ip, 32).expect("32 is within range"),
+        )
+    }
+
     /// Return `true` if this IPv4 subnetwork is from an RFC 1918 private
     /// address space.
     pub fn is_private(&self) -> bool {
@@ -1301,6 +1308,13 @@ impl Ipv6Net {
     /// The prefix length for all VPC Sunets
     pub const VPC_SUBNET_IPV6_PREFIX_LENGTH: u8 = 64;
 
+    /// Constructs a new `Ipv6Net` representing a single IPv6 address.
+    pub fn single(ip: Ipv6Addr) -> Self {
+        Ipv6Net(
+            ipnetwork::Ipv6Network::new(ip, 128).expect("128 is within range"),
+        )
+    }
+
     /// Return `true` if this subnetwork is in the IPv6 Unique Local Address
     /// range defined in RFC 4193, e.g., `fd00:/8`
     pub fn is_unique_local(&self) -> bool {
@@ -1436,6 +1450,14 @@ pub enum IpNet {
 }
 
 impl IpNet {
+    /// Constructs a new `IpNet` representing a single IP.
+    pub fn single(ip: IpAddr) -> Self {
+        match ip {
+            IpAddr::V4(ip) => IpNet::V4(Ipv4Net::single(ip)),
+            IpAddr::V6(ip) => IpNet::V6(Ipv6Net::single(ip)),
+        }
+    }
+
     /// Return the underlying address.
     pub fn ip(&self) -> IpAddr {
         match self {
@@ -1508,39 +1530,22 @@ impl From<ipnetwork::IpNetwork> for IpNet {
     }
 }
 
+// NOTE: We deliberately do *NOT* implement `From<Ip{v4,v6,}Addr> for IpNet`.
+// This is because there are many ways to convert an address into a network.
+// See https://github.com/oxidecomputer/omicron/issues/5687.
+
 impl From<Ipv4Net> for IpNet {
     fn from(n: Ipv4Net) -> IpNet {
         IpNet::V4(n)
     }
 }
 
-impl From<Ipv4Addr> for IpNet {
-    fn from(n: Ipv4Addr) -> IpNet {
-        IpNet::V4(Ipv4Net(ipnetwork::Ipv4Network::from(n)))
-    }
-}
-
 impl From<Ipv6Net> for IpNet {
     fn from(n: Ipv6Net) -> IpNet {
         IpNet::V6(n)
     }
 }
 
-impl From<Ipv6Addr> for IpNet {
-    fn from(n: Ipv6Addr) -> IpNet {
-        IpNet::V6(Ipv6Net(ipnetwork::Ipv6Network::from(n)))
-    }
-}
-
-impl From<IpAddr> for IpNet {
-    fn from(n: IpAddr) -> IpNet {
-        match n {
-            IpAddr::V4(v4) => IpNet::from(v4),
-            IpAddr::V6(v6) => IpNet::from(v6),
-        }
-    }
-}
-
 impl std::fmt::Display for IpNet {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {

common/src/api/internal/shared.rs

@@ -608,7 +608,7 @@ mod tests {
         assert_eq!(
             parsed,
             AllowedSourceIps::try_from(vec![
-                IpNet::from(Ipv4Addr::LOCALHOST),
+                IpNet::V4(Ipv4Net::single(Ipv4Addr::LOCALHOST)),
                 IpNet::V4(Ipv4Net(
                     Ipv4Network::new(Ipv4Addr::new(10, 0, 0, 0), 24).unwrap()
                 )),

nexus/networking/src/firewall_rules.rs

@@ -353,7 +353,7 @@ pub async fn resolve_firewall_rules_for_sled_agent(
                                 .unwrap_or(&no_interfaces)
                             {
                                 host_addrs.push(
-                                    HostIdentifier::Ip(IpNet::from(
+                                    HostIdentifier::Ip(IpNet::single(
                                         interface.ip,
                                     ))
                                     .into(),
@@ -373,7 +373,7 @@ pub async fn resolve_firewall_rules_for_sled_agent(
                         }
                         external::VpcFirewallRuleHostFilter::Ip(addr) => {
                             host_addrs.push(
-                                HostIdentifier::Ip(IpNet::from(*addr)).into(),
+                                HostIdentifier::Ip(IpNet::single(*addr)).into(),
                             )
                         }
                         external::VpcFirewallRuleHostFilter::IpNet(net) => {

nexus/src/app/disk.rs

@@ -488,10 +488,10 @@ impl super::Nexus {
             // that user's program can act accordingly. In a way, the user's
             // program is an externally driven saga instead.
 
-            let client = crucible_pantry_client::Client::new(&format!(
-                "http://{}",
-                endpoint
-            ));
+            let client = crucible_pantry_client::Client::new_with_client(
+                &format!("http://{}", endpoint),
+                self.reqwest_client.clone(),
+            );
             let request = crucible_pantry_client::types::BulkWriteRequest {
                 offset: param.offset,
                 base64_encoded_data: param.base64_encoded_data,

nexus/src/app/mod.rs

@@ -152,6 +152,13 @@ pub struct Nexus {
     /// The metric producer server from which oximeter collects metric data.
     producer_server: std::sync::Mutex<Option<ProducerServer>>,
 
+    /// Reusable `reqwest::Client`, to be cloned and used with the Progenitor-
+    /// generated `Client::new_with_client`.
+    ///
+    /// (This does not need to be in an `Arc` because `reqwest::Client` uses
+    /// `Arc` internally.)
+    reqwest_client: reqwest::Client,
+
     /// Client to the timeseries database.
     timeseries_client: LazyTimeseriesClient,
 
@@ -343,6 +350,12 @@ impl Nexus {
             }
         }
 
+        let reqwest_client = reqwest::ClientBuilder::new()
+            .connect_timeout(std::time::Duration::from_secs(15))
+            .timeout(std::time::Duration::from_secs(15))
+            .build()
+            .map_err(|e| e.to_string())?;
+
         // Connect to clickhouse - but do so lazily.
         // Clickhouse may not be executing when Nexus starts.
         let timeseries_client = if let Some(address) =
@@ -412,6 +425,7 @@ impl Nexus {
             internal_server: std::sync::Mutex::new(None),
             producer_server: std::sync::Mutex::new(None),
             populate_status,
+            reqwest_client,
             timeseries_client,
             updates_config: config.pkg.updates.clone(),
             tunables: config.pkg.tunables.clone(),

nexus/tests/integration_tests/allow_list.rs

@@ -9,6 +9,7 @@ use nexus_test_utils::http_testing::{AuthnMode, NexusRequest};
 use nexus_test_utils_macros::nexus_test;
 use nexus_types::external_api::{params, views};
 use omicron_common::api::external::AllowedSourceIps;
+use omicron_common::api::external::IpNet;
 use std::net::IpAddr;
 use std::net::Ipv4Addr;
 
@@ -74,16 +75,18 @@ async fn test_allow_list(cptestctx: &ControlPlaneTestContext) {
     }
 
     // Set the list with exactly one IP, make sure it's the same.
-    let allowed_ips = AllowedSourceIps::try_from(vec![our_addr.into()])
+    let allowed_ips = AllowedSourceIps::try_from(vec![IpNet::single(our_addr)])
         .expect("Expected a valid IP list");
     update_list_and_compare(client, allowed_ips).await;
 
     // Add our IP in the front and end, and still make sure that works.
     //
     // This is a regression for
     // https://github.com/oxidecomputer/omicron/issues/5727.
-    let addrs =
-        vec![our_addr.into(), IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)).into()];
+    let addrs = vec![
+        IpNet::single(our_addr),
+        IpNet::single(IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1))),
+    ];
     let allowed_ips = AllowedSourceIps::try_from(addrs.clone())
         .expect("Expected a valid IP list");
     update_list_and_compare(client, allowed_ips).await;
@@ -98,7 +101,7 @@ async fn test_allow_list(cptestctx: &ControlPlaneTestContext) {
 
     // Check that we cannot make the request with a list that doesn't include
     // us.
-    let addrs = vec![IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1)).into()];
+    let addrs = vec![IpNet::single(IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1)))];
     let allowed_ips = AllowedSourceIps::try_from(addrs.clone())
         .expect("Expected a valid IP list");
     let new_list = params::AllowListUpdate { allowed_ips };

oximeter/db/Cargo.toml

@@ -10,7 +10,7 @@ workspace = true
 
 [dependencies]
 anyhow.workspace = true
-async-recursion = "1.1.0"
+async-recursion = "1.1.1"
 async-trait.workspace = true
 bcs.workspace = true
 camino.workspace = true

workspace-hack/Cargo.toml

@@ -75,12 +75,12 @@ memchr = { version = "2.7.1" }
 nom = { version = "7.1.3" }
 num-bigint = { version = "0.4.4", features = ["rand"] }
 num-integer = { version = "0.1.46", features = ["i128"] }
-num-iter = { version = "0.1.44", default-features = false, features = ["i128"] }
-num-traits = { version = "0.2.18", features = ["i128", "libm"] }
+num-iter = { version = "0.1.45", default-features = false, features = ["i128"] }
+num-traits = { version = "0.2.19", features = ["i128", "libm"] }
 openapiv3 = { version = "2.0.0", default-features = false, features = ["skip_serializing_defaults"] }
 peg-runtime = { version = "0.8.3", default-features = false, features = ["std"] }
 pem-rfc7468 = { version = "0.7.0", default-features = false, features = ["std"] }
-petgraph = { version = "0.6.4", features = ["serde-1"] }
+petgraph = { version = "0.6.5", features = ["serde-1"] }
 postgres-types = { version = "0.2.6", default-features = false, features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] }
 predicates = { version = "3.1.0" }
 proc-macro2 = { version = "1.0.81" }
@@ -179,12 +179,12 @@ memchr = { version = "2.7.1" }
 nom = { version = "7.1.3" }
 num-bigint = { version = "0.4.4", features = ["rand"] }
 num-integer = { version = "0.1.46", features = ["i128"] }
-num-iter = { version = "0.1.44", default-features = false, features = ["i128"] }
-num-traits = { version = "0.2.18", features = ["i128", "libm"] }
+num-iter = { version = "0.1.45", default-features = false, features = ["i128"] }
+num-traits = { version = "0.2.19", features = ["i128", "libm"] }
 openapiv3 = { version = "2.0.0", default-features = false, features = ["skip_serializing_defaults"] }
 peg-runtime = { version = "0.8.3", default-features = false, features = ["std"] }
 pem-rfc7468 = { version = "0.7.0", default-features = false, features = ["std"] }
-petgraph = { version = "0.6.4", features = ["serde-1"] }
+petgraph = { version = "0.6.5", features = ["serde-1"] }
 postgres-types = { version = "0.2.6", default-features = false, features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] }
 predicates = { version = "3.1.0" }
 proc-macro2 = { version = "1.0.81" }