bfd scaffolding

Author: rcgoodfellow

nexus/src/app/bfd.rs

@@ -0,0 +1,122 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use std::{
+    net::{IpAddr, Ipv4Addr},
+    sync::Arc,
+};
+
+use crate::external_api::params;
+use mg_admin_client::types::{AddBfdPeerRequest, PeerState};
+use nexus_db_queries::context::OpContext;
+use nexus_types::external_api::shared::{BfdState, BfdStatus};
+use omicron_common::api::{
+    external::{Error, Name},
+    internal::shared::{ParseSwitchLocationError, SwitchLocation},
+};
+
+impl super::Nexus {
+    fn mg_client_for_switch_name(
+        &self,
+        switch: &Name,
+    ) -> Result<Arc<mg_admin_client::Client>, Error> {
+        let switch_location: SwitchLocation = switch.as_str().parse().map_err(
+            |_: ParseSwitchLocationError| {
+                Error::invalid_value("switch", "must be switch0 or switch 1")
+            },
+        )?;
+
+        self.mg_client_for_switch_location(switch_location)
+    }
+
+    fn mg_client_for_switch_location(
+        &self,
+        switch: SwitchLocation,
+    ) -> Result<Arc<mg_admin_client::Client>, Error> {
+        let mg_client: Arc<mg_admin_client::Client> = self
+            .mg_clients
+            .get(&switch)
+            .ok_or_else(|| {
+                Error::not_found_by_name(
+                    omicron_common::api::external::ResourceType::Switch,
+                    &switch.to_string().parse().unwrap(),
+                )
+            })?
+            .clone();
+
+        Ok(mg_client)
+    }
+
+    pub async fn bfd_enable(
+        &self,
+        _opctx: &OpContext,
+        session: params::BfdSessionEnable,
+    ) -> Result<(), Error> {
+        let mg_client = self.mg_client_for_switch_name(&session.switch)?;
+
+        mg_client
+            .inner
+            .add_bfd_peer(&AddBfdPeerRequest {
+                detection_threshold: session.detection_threshold,
+                listen: session.local.unwrap_or(Ipv4Addr::UNSPECIFIED.into()),
+                peer: session.remote,
+                required_rx: session.required_rx,
+            })
+            .await
+            .map_err(|e| {
+                Error::internal_error(&format!("maghemite bfd enable: {e}"))
+            })?;
+
+        Ok(())
+    }
+
+    pub async fn bfd_disable(
+        &self,
+        _opctx: &OpContext,
+        session: params::BfdSessionDisable,
+    ) -> Result<(), Error> {
+        let mg_client = self.mg_client_for_switch_name(&session.switch)?;
+
+        mg_client.inner.remove_bfd_peer(&session.remote).await.map_err(
+            |e| Error::internal_error(&format!("maghemite bfd disable: {e}")),
+        )?;
+
+        Ok(())
+    }
+
+    pub async fn bfd_status(
+        &self,
+        _opctx: &OpContext,
+    ) -> Result<Vec<BfdStatus>, Error> {
+        let mut result = Vec::new();
+        for s in &[SwitchLocation::Switch0, SwitchLocation::Switch1] {
+            let mg_client = self.mg_client_for_switch_location(*s)?;
+            let status = mg_client
+                .inner
+                .get_bfd_peers()
+                .await
+                .map_err(|e| {
+                    Error::internal_error(&format!(
+                        "maghemite get bfd peers: {e}"
+                    ))
+                })?
+                .into_inner();
+
+            for (addr, state) in status.iter() {
+                let addr: IpAddr = addr.parse().unwrap();
+                result.push(BfdStatus {
+                    peer: addr,
+                    state: match state {
+                        PeerState::Up => BfdState::Up,
+                        PeerState::Down => BfdState::Down,
+                        PeerState::Init => BfdState::Init,
+                        PeerState::AdminDown => BfdState::AdminDown,
+                    },
+                    switch: s.to_string().parse().unwrap(),
+                })
+            }
+        }
+        Ok(result)
+    }
+}

nexus/src/app/bgp.rs

@@ -1,3 +1,7 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
 use crate::app::authz;
 use crate::external_api::params;
 use nexus_db_model::{BgpAnnounceSet, BgpAnnouncement, BgpConfig};

nexus/src/app/mod.rs

@@ -35,6 +35,7 @@ use uuid::Uuid;
 // by resource.
 mod address_lot;
 pub(crate) mod background;
+mod bfd;
 mod bgp;
 mod certificate;
 mod deployment;

nexus/src/app/sagas/switch_port_settings_common.rs

@@ -1,3 +1,7 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
 use super::NexusActionContext;
 use crate::app::map_switch_zone_addrs;
 use crate::Nexus;

nexus/src/external_api/http_entrypoints.rs

@@ -41,8 +41,8 @@ use nexus_db_queries::db::identity::Resource;
 use nexus_db_queries::db::lookup::ImageLookup;
 use nexus_db_queries::db::lookup::ImageParentLookup;
 use nexus_db_queries::db::model::Name;
-use nexus_types::external_api::views::SiloQuotas;
 use nexus_types::external_api::views::Utilization;
+use nexus_types::external_api::{shared::BfdStatus, views::SiloQuotas};
 use nexus_types::identity::AssetIdentityMetadata;
 use omicron_common::api::external::http_pagination::data_page_params_for;
 use omicron_common::api::external::http_pagination::marker_for_name;
@@ -270,6 +270,10 @@ pub(crate) fn external_api() -> NexusApiDescription {
         api.register(networking_bgp_announce_set_list)?;
         api.register(networking_bgp_announce_set_delete)?;
 
+        api.register(networking_bfd_enable)?;
+        api.register(networking_bfd_disable)?;
+        api.register(networking_bfd_status)?;
+
         api.register(utilization_view)?;
 
         // Fleet-wide API operations
@@ -3380,6 +3384,68 @@ async fn networking_bgp_announce_set_delete(
     apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await
 }
 
+/// Enable a BFD session.
+#[endpoint {
+    method = POST,
+    path = "/v1/system/networking/bfd-enable",
+    tags = ["system/networking"],
+}]
+async fn networking_bfd_enable(
+    rqctx: RequestContext<Arc<ServerContext>>,
+    session: TypedBody<params::BfdSessionEnable>,
+) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+    let apictx = rqctx.context();
+    let handler = async {
+        let nexus = &apictx.nexus;
+        let opctx = crate::context::op_context_for_external_api(&rqctx).await?;
+        opctx.authorize(authz::Action::ListChildren, &authz::FLEET).await?;
+        nexus.bfd_enable(&opctx, session.into_inner()).await?;
+        Ok(HttpResponseUpdatedNoContent {})
+    };
+    apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await
+}
+
+/// Disable a BFD session.
+#[endpoint {
+    method = POST,
+    path = "/v1/system/networking/bfd-disable",
+    tags = ["system/networking"],
+}]
+async fn networking_bfd_disable(
+    rqctx: RequestContext<Arc<ServerContext>>,
+    session: TypedBody<params::BfdSessionDisable>,
+) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+    let apictx = rqctx.context();
+    let handler = async {
+        let nexus = &apictx.nexus;
+        let opctx = crate::context::op_context_for_external_api(&rqctx).await?;
+        opctx.authorize(authz::Action::ListChildren, &authz::FLEET).await?;
+        nexus.bfd_disable(&opctx, session.into_inner()).await?;
+        Ok(HttpResponseUpdatedNoContent {})
+    };
+    apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await
+}
+
+/// Get BFD status.
+#[endpoint {
+    method = GET,
+    path = "/v1/system/networking/bfd-status",
+    tags = ["system/networking"],
+}]
+async fn networking_bfd_status(
+    rqctx: RequestContext<Arc<ServerContext>>,
+) -> Result<HttpResponseOk<Vec<BfdStatus>>, HttpError> {
+    let apictx = rqctx.context();
+    let handler = async {
+        let nexus = &apictx.nexus;
+        let opctx = crate::context::op_context_for_external_api(&rqctx).await?;
+        opctx.authorize(authz::Action::ListChildren, &authz::FLEET).await?;
+        let status = nexus.bfd_status(&opctx).await?;
+        Ok(HttpResponseOk(status))
+    };
+    apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await
+}
+
 // Images
 
 /// List images

nexus/tests/integration_tests/endpoints.rs

@@ -564,6 +564,30 @@ pub const DEMO_BGP_STATUS_URL: &'static str =
 pub const DEMO_BGP_ROUTES_IPV4_URL: &'static str =
     "/v1/system/networking/bgp-routes-ipv4?asn=47";
 
+pub const DEMO_BFD_STATUS_URL: &'static str =
+    "/v1/system/networking/bfd-status";
+
+pub const DEMO_BFD_ENABLE_URL: &'static str =
+    "/v1/system/networking/bfd-enable";
+
+pub const DEMO_BFD_DISABLE_URL: &'static str =
+    "/v1/system/networking/bfd-disable";
+
+pub static DEMO_BFD_ENABLE: Lazy<params::BfdSessionEnable> =
+    Lazy::new(|| params::BfdSessionEnable {
+        local: None,
+        remote: "10.0.0.1".parse().unwrap(),
+        detection_threshold: 3,
+        required_rx: 1000000,
+        switch: "switch0".parse().unwrap(),
+    });
+
+pub static DEMO_BFD_DISABLE: Lazy<params::BfdSessionDisable> =
+    Lazy::new(|| params::BfdSessionDisable {
+        remote: "10.0.0.1".parse().unwrap(),
+        switch: "switch0".parse().unwrap(),
+    });
+
 // Project Images
 pub static DEMO_IMAGE_NAME: Lazy<Name> =
     Lazy::new(|| "demo-image".parse().unwrap());
@@ -2208,6 +2232,37 @@ pub static VERIFY_ENDPOINTS: Lazy<Vec<VerifyEndpoint>> = Lazy::new(|| {
             ],
         },
 
+        VerifyEndpoint {
+            url: &DEMO_BFD_STATUS_URL,
+            visibility: Visibility::Public,
+            unprivileged_access: UnprivilegedAccess::None,
+            allowed_methods: vec![
+                AllowedMethod::GetNonexistent,
+            ],
+        },
+
+        VerifyEndpoint {
+            url: &DEMO_BFD_ENABLE_URL,
+            visibility: Visibility::Public,
+            unprivileged_access: UnprivilegedAccess::None,
+            allowed_methods: vec![
+                AllowedMethod::Post(
+                    serde_json::to_value(&*DEMO_BFD_ENABLE).unwrap()
+                )
+            ],
+        },
+
+        VerifyEndpoint {
+            url: &DEMO_BFD_DISABLE_URL,
+            visibility: Visibility::Public,
+            unprivileged_access: UnprivilegedAccess::None,
+            allowed_methods: vec![
+                AllowedMethod::Post(
+                    serde_json::to_value(&*DEMO_BFD_DISABLE).unwrap()
+                )
+            ],
+        },
+
         // Floating IPs
         VerifyEndpoint {
             url: &DEMO_PROJECT_URL_FIPS,

nexus/tests/output/nexus_tags.txt

@@ -159,6 +159,9 @@ networking_address_lot_block_list        GET      /v1/system/networking/address-
 networking_address_lot_create            POST     /v1/system/networking/address-lot
 networking_address_lot_delete            DELETE   /v1/system/networking/address-lot/{address_lot}
 networking_address_lot_list              GET      /v1/system/networking/address-lot
+networking_bfd_disable                   POST     /v1/system/networking/bfd-disable
+networking_bfd_enable                    POST     /v1/system/networking/bfd-enable
+networking_bfd_status                    GET      /v1/system/networking/bfd-status
 networking_bgp_announce_set_create       POST     /v1/system/networking/bgp-announce
 networking_bgp_announce_set_delete       DELETE   /v1/system/networking/bgp-announce
 networking_bgp_announce_set_list         GET      /v1/system/networking/bgp-announce

nexus/types/src/external_api/params.rs

@@ -1755,6 +1755,39 @@ pub struct BgpStatusSelector {
     pub name_or_id: NameOrId,
 }
 
+/// Information about a bidirectional forwarding detection (BFD) session.
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
+pub struct BfdSessionEnable {
+    /// Address the Oxide switch will listen on for BFD traffic. If `None` then
+    /// the unspecified address (0.0.0.0 or ::) is used.
+    pub local: Option<IpAddr>,
+
+    /// Address of the remote peer to establish a BFD session with.
+    pub remote: IpAddr,
+
+    /// The negotiated Control packet transmission interval, multiplied by this
+    /// variable, will be the Detection Time for this session (as seen by the
+    /// remote system)
+    pub detection_threshold: u8,
+
+    /// The minimum interval, in microseconds, between received BFD
+    /// Control packets that this system requires
+    pub required_rx: u64,
+
+    /// The switch to enable this session on. Must be `switch0` or `switch1`.
+    pub switch: Name,
+}
+
+/// Information needed to disable a BFD session
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
+pub struct BfdSessionDisable {
+    /// Address of the remote peer to disable a BFD session for.
+    pub remote: IpAddr,
+
+    /// The switch to enable this session on. Must be `switch0` or `switch1`.
+    pub switch: Name,
+}
+
 /// A set of addresses associated with a port configuration.
 #[derive(Clone, Debug, Deserialize, Serialize, JsonSchema)]
 pub struct AddressConfig {