Add resource limits

common/src/api/external/mod.rs

@@ -705,6 +705,7 @@ pub enum ResourceType {
     Silo,
     SiloUser,
     SiloGroup,
+    SiloQuotas,
     IdentityProvider,
     SamlIdentityProvider,
     SshKey,

nexus/db-model/src/lib.rs

@@ -55,6 +55,7 @@ mod system_update;
 // for join-based marker trait generation.
 mod ipv4_nat_entry;
 pub mod queries;
+mod quota;
 mod rack;
 mod region;
 mod region_snapshot;
@@ -139,6 +140,7 @@ pub use physical_disk::*;
 pub use physical_disk_kind::*;
 pub use producer_endpoint::*;
 pub use project::*;
+pub use quota::*;
 pub use rack::*;
 pub use region::*;
 pub use region_snapshot::*;

nexus/db-model/src/queries/virtual_provisioning_collection_update.rs

@@ -8,6 +8,7 @@
 //! for the construction of this query.
 
 use crate::schema::silo;
+use crate::schema::silo_quotas;
 use crate::schema::virtual_provisioning_collection;
 
 table! {
@@ -28,11 +29,32 @@ table! {
     }
 }
 
+table! {
+    quotas (silo_id) {
+        silo_id -> Uuid,
+        cpus -> Int8,
+        memory -> Int8,
+        storage -> Int8,
+    }
+}
+
+table! {
+    silo_provisioned {
+        id -> Uuid,
+        virtual_disk_bytes_provisioned -> Int8,
+        cpus_provisioned -> Int8,
+        ram_provisioned -> Int8,
+    }
+}
+
 diesel::allow_tables_to_appear_in_same_query!(silo, parent_silo,);
 
 diesel::allow_tables_to_appear_in_same_query!(
     virtual_provisioning_collection,
+    silo_quotas,
     parent_silo,
     all_collections,
     do_update,
+    quotas,
+    silo_provisioned
 );

nexus/db-model/src/quota.rs

@@ -0,0 +1,99 @@
+use super::ByteCount;
+use crate::schema::silo_quotas;
+use chrono::{DateTime, Utc};
+use nexus_types::external_api::{params, views};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+#[derive(
+    Queryable,
+    Insertable,
+    Debug,
+    Clone,
+    Selectable,
+    Serialize,
+    Deserialize,
+    AsChangeset,
+)]
+#[diesel(table_name = silo_quotas)]
+pub struct SiloQuotas {
+    pub silo_id: Uuid,
+    pub time_created: DateTime<Utc>,
+    pub time_modified: DateTime<Utc>,
+
+    /// The number of CPUs that this silo is allowed to use
+    pub cpus: i64,
+
+    /// The amount of memory (in bytes) that this silo is allowed to use
+    #[diesel(column_name = memory_bytes)]
+    pub memory: ByteCount,
+
+    /// The amount of storage (in bytes) that this silo is allowed to use
+    #[diesel(column_name = storage_bytes)]
+    pub storage: ByteCount,
+}
+
+impl SiloQuotas {
+    pub fn new(
+        silo_id: Uuid,
+        cpus: i64,
+        memory: ByteCount,
+        storage: ByteCount,
+    ) -> Self {
+        Self {
+            silo_id,
+            time_created: Utc::now(),
+            time_modified: Utc::now(),
+            cpus,
+            memory,
+            storage,
+        }
+    }
+}
+
+impl From<SiloQuotas> for views::SiloQuotas {
+    fn from(silo_quotas: SiloQuotas) -> Self {
+        Self {
+            silo_id: silo_quotas.silo_id,
+            cpus: silo_quotas.cpus,
+            memory: silo_quotas.memory.into(),
+            storage: silo_quotas.storage.into(),
+        }
+    }
+}
+
+impl From<views::SiloQuotas> for SiloQuotas {
+    fn from(silo_quotas: views::SiloQuotas) -> Self {
+        Self {
+            silo_id: silo_quotas.silo_id,
+            time_created: Utc::now(),
+            time_modified: Utc::now(),
+            cpus: silo_quotas.cpus,
+            memory: silo_quotas.memory.into(),
+            storage: silo_quotas.storage.into(),
+        }
+    }
+}
+
+// Describes a set of updates for the [`SiloQuotas`] model.
+#[derive(AsChangeset)]
+#[diesel(table_name = silo_quotas)]
+pub struct SiloQuotasUpdate {
+    pub cpus: Option<i64>,
+    #[diesel(column_name = memory_bytes)]
+    pub memory: Option<i64>,
+    #[diesel(column_name = storage_bytes)]
+    pub storage: Option<i64>,
+    pub time_modified: DateTime<Utc>,
+}
+
+impl From<params::SiloQuotasUpdate> for SiloQuotasUpdate {
+    fn from(params: params::SiloQuotasUpdate) -> Self {
+        Self {
+            cpus: params.cpus,
+            memory: params.memory.map(|f| f.into()),
+            storage: params.storage.map(|f| f.into()),
+            time_modified: Utc::now(),
+        }
+    }
+}

nexus/db-model/src/schema.rs

@@ -409,6 +409,17 @@ table! {
     }
 }
 
+table! {
+    silo_quotas(silo_id) {
+        silo_id -> Uuid,
+        time_created -> Timestamptz,
+        time_modified -> Timestamptz,
+        cpus -> Int8,
+        memory_bytes -> Int8,
+        storage_bytes -> Int8,
+    }
+}
+
 table! {
     network_interface (id) {
         id -> Uuid,

nexus/db-queries/src/db/datastore/mod.rs

@@ -68,6 +68,7 @@ mod network_interface;
 mod oximeter;
 mod physical_disk;
 mod project;
+mod quota;
 mod rack;
 mod region;
 mod region_snapshot;

nexus/db-queries/src/db/datastore/quota.rs

@@ -0,0 +1,117 @@
+use super::DataStore;
+use crate::authz;
+use crate::context::OpContext;
+use crate::db;
+use crate::db::error::public_error_from_diesel;
+use crate::db::error::ErrorHandler;
+use crate::db::pagination::paginated;
+use crate::db::pool::DbConnection;
+use crate::db::TransactionError;
+use async_bb8_diesel::AsyncConnection;
+use async_bb8_diesel::AsyncRunQueryDsl;
+use diesel::prelude::*;
+use nexus_db_model::SiloQuotas;
+use nexus_db_model::SiloQuotasUpdate;
+use omicron_common::api::external::DataPageParams;
+use omicron_common::api::external::Error;
+use omicron_common::api::external::ListResultVec;
+use omicron_common::api::external::ResourceType;
+use omicron_common::api::external::UpdateResult;
+use uuid::Uuid;
+
+impl DataStore {
+    /// Creates new quotas for a silo. This is grouped with silo creation
+    /// and shouldn't be called directly by the user.
+    pub async fn silo_quotas_create(
+        &self,
+        opctx: &OpContext,
+        conn: &async_bb8_diesel::Connection<DbConnection>,
+        authz_silo: &authz::Silo,
+        quotas: SiloQuotas,
+    ) -> Result<(), Error> {
+        opctx.authorize(authz::Action::Modify, authz_silo).await?;
+        let silo_id = authz_silo.id();
+        use db::schema::silo_quotas::dsl;
+
+        let result = conn
+            .transaction_async(|c| async move {
+                diesel::insert_into(dsl::silo_quotas)
+                    .values(quotas)
+                    .execute_async(&c)
+                    .await
+                    .map_err(TransactionError::CustomError)
+            })
+            .await;
+
+        match result {
+            Ok(_) => Ok(()),
+            Err(TransactionError::CustomError(e)) => {
+                // TODO: Is this the right error handler?
+                Err(public_error_from_diesel(e, ErrorHandler::Server))
+            }
+            Err(TransactionError::Database(e)) => {
+                Err(public_error_from_diesel(
+                    e,
+                    ErrorHandler::Conflict(
+                        ResourceType::SiloQuotas,
+                        &silo_id.to_string(),
+                    ),
+                ))
+            }
+        }
+    }
+
+    pub async fn silo_update_quota(
+        &self,
+        opctx: &OpContext,
+        authz_silo: &authz::Silo,
+        updates: SiloQuotasUpdate,
+    ) -> UpdateResult<SiloQuotas> {
+        opctx.authorize(authz::Action::Modify, authz_silo).await?;
+        use db::schema::silo_quotas::dsl;
+        let silo_id = authz_silo.id();
+        diesel::update(dsl::silo_quotas)
+            .filter(dsl::silo_id.eq(silo_id))
+            .set(updates)
+            .returning(SiloQuotas::as_returning())
+            .get_result_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| {
+                public_error_from_diesel(
+                    e,
+                    ErrorHandler::Conflict(
+                        ResourceType::SiloQuotas,
+                        &silo_id.to_string(),
+                    ),
+                )
+            })
+    }
+
+    pub async fn silo_quotas_view(
+        &self,
+        opctx: &OpContext,
+        authz_silo: &authz::Silo,
+    ) -> Result<SiloQuotas, Error> {
+        opctx.authorize(authz::Action::Read, authz_silo).await?;
+        use db::schema::silo_quotas::dsl;
+        dsl::silo_quotas
+            .filter(dsl::silo_id.eq(authz_silo.id()))
+            .first_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
+    pub async fn fleet_list_quotas(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<SiloQuotas> {
+        opctx.authorize(authz::Action::ListChildren, &authz::FLEET).await?;
+        use db::schema::silo_quotas::dsl;
+        paginated(dsl::silo_quotas, dsl::silo_id, pagparams)
+            .select(SiloQuotas::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+}

nexus/db-queries/src/db/datastore/silo.rs

@@ -28,6 +28,7 @@ use chrono::Utc;
 use diesel::prelude::*;
 use nexus_db_model::Certificate;
 use nexus_db_model::ServiceKind;
+use nexus_db_model::SiloQuotas;
 use nexus_types::external_api::params;
 use nexus_types::external_api::shared;
 use nexus_types::external_api::shared::SiloRole;
@@ -263,6 +264,19 @@ impl DataStore {
 
                 self.dns_update(nexus_opctx, &conn, dns_update).await?;
 
+                self.silo_quotas_create(
+                    opctx,
+                    &conn,
+                    &authz_silo,
+                    SiloQuotas::new(
+                        authz_silo.id(),
+                        new_silo_params.quotas.cpus,
+                        new_silo_params.quotas.memory.into(),
+                        new_silo_params.quotas.storage.into(),
+                    ),
+                )
+                .await?;
+
                 Ok::<Silo, TransactionError<Error>>(silo)
             })
             .await?;

nexus/db-queries/src/db/datastore/virtual_provisioning_collection.rs

@@ -195,7 +195,9 @@ impl DataStore {
             )
             .get_results_async(&*self.pool_connection_authorized(opctx).await?)
             .await
-            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+            .map_err(|e| {
+                crate::db::queries::virtual_provisioning_collection_update::from_diesel(e)
+            })?;
         self.virtual_provisioning_collection_producer
             .append_disk_metrics(&provisions)?;
         Ok(provisions)
@@ -249,7 +251,7 @@ impl DataStore {
             )
             .get_results_async(&*self.pool_connection_authorized(opctx).await?)
             .await
-            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+            .map_err(|e| crate::db::queries::virtual_provisioning_collection_update::from_diesel(e))?;
         self.virtual_provisioning_collection_producer
             .append_disk_metrics(&provisions)?;
         Ok(provisions)
@@ -270,7 +272,7 @@ impl DataStore {
             )
             .get_results_async(&*self.pool_connection_authorized(opctx).await?)
             .await
-            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+            .map_err(|e| crate::db::queries::virtual_provisioning_collection_update::from_diesel(e))?;
         self.virtual_provisioning_collection_producer
             .append_cpu_metrics(&provisions)?;
         Ok(provisions)
@@ -300,7 +302,7 @@ impl DataStore {
             )
             .get_results_async(&*self.pool_connection_authorized(opctx).await?)
             .await
-            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+            .map_err(|e| crate::db::queries::virtual_provisioning_collection_update::from_diesel(e))?;
         self.virtual_provisioning_collection_producer
             .append_cpu_metrics(&provisions)?;
         Ok(provisions)

nexus/db-queries/src/db/fixed_data/silo.rs

@@ -24,6 +24,8 @@ lazy_static! {
                     name: "default-silo".parse().unwrap(),
                     description: "default silo".to_string(),
                 },
+                // TODO: Should the default silo have a quota? If so, what should the defaults be?
+                quotas: params::SiloQuotasCreate::empty(),
                 discoverable: false,
                 identity_mode: shared::SiloIdentityMode::LocalOnly,
                 admin_group_name: None,
@@ -49,6 +51,8 @@ lazy_static! {
                     name: "oxide-internal".parse().unwrap(),
                     description: "Built-in internal Silo.".to_string(),
                 },
+                // The internal silo contains no virtual resources, so it has no allotted capacity.
+                quotas: params::SiloQuotasCreate::empty(),
                 discoverable: false,
                 identity_mode: shared::SiloIdentityMode::LocalOnly,
                 admin_group_name: None,