[sled-agent] Plumb new wicketd properties for nexus TCP proxy

oxidecomputer · Oct 6, 2023 · 835b6da · 835b6da
1 parent 4fccf95
commit 835b6da
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/common/src/address.rs b/common/src/address.rs
@@ -52,6 +52,7 @@ pub const NEXUS_INTERNAL_PORT: u16 = 12221;
 
 /// TODO docs
 pub const NEXUS_TECHPORT_EXTERNAL_PORT: u16 = 12228;
+pub const WICKETD_NEXUS_PROXY_PORT: u16 = 12229;
 
 pub const NTP_PORT: u16 = 123;
 

diff --git a/sled-agent/src/services.rs b/sled-agent/src/services.rs
@@ -73,6 +73,7 @@ use omicron_common::address::DENDRITE_PORT;
 use omicron_common::address::MGS_PORT;
 use omicron_common::address::RACK_PREFIX;
 use omicron_common::address::SLED_PREFIX;
+use omicron_common::address::WICKETD_NEXUS_PROXY_PORT;
 use omicron_common::address::WICKETD_PORT;
 use omicron_common::address::{Ipv6Subnet, NEXUS_TECHPORT_EXTERNAL_PORT};
 use omicron_common::api::external::Generation;
@@ -1697,6 +1698,23 @@ impl ServiceManager {
                         "config/mgs-address",
                         &format!("[::1]:{MGS_PORT}"),
                     )?;
+                    smfh.setprop(
+                        "config/nexus-proxy-address",
+                        &format!("[::1]:{WICKETD_NEXUS_PROXY_PORT}"),
+                    )?;
+                    if let Some(underlay_address) = self
+                        .inner
+                        .sled_info
+                        .get()
+                        .map(|info| info.underlay_address)
+                    {
+                        let rack_subnet =
+                            Ipv6Subnet::<AZ_PREFIX>::new(underlay_address);
+                        smfh.setprop(
+                            "config/rack-subnet",
+                            &rack_subnet.net().ip().to_string(),
+                        )?;
+                    }
 
                     let serialized_baseboard =
                         serde_json::to_string_pretty(&baseboard)?;

diff --git a/wicket/zone-etc/ssh/sshd_config b/wicket/zone-etc/ssh/sshd_config
@@ -37,6 +37,10 @@ Match User wicket
         AuthenticationMethods none
         ForceCommand /opt/oxide/wicket/bin/wicket
 
+        # Allow TCP port forwarding to wicketd's nexus proxy; port number
+        # matches `WICKETD_NEXUS_PROXY_PORT`
+        PermitOpen [::1]:12229
+
 Match User support
         PubkeyAuthentication yes
         AuthenticationMethods publickey