@davepacheco davepacheco commented Mar 14, 2025

This adds reconfigurator-exec: a command line tool that can execute ~~a specific blueprint from a reconfigurator save file (output by reconfigurator-cli or omdb reconfigurator export)~~ the system's current target blueprint, as read from a saved blueprint file rather than from the database.

The real reason I made this is to be able to work on / test / demo parts of blueprint execution where we haven't implemented the database serialization yet for that part of the blueprint. That sounds cheesy but it's useful for two different things today (using an artifact for a zone image source and doing RoT updates using #7741). For the latter, the in-memory representation is evolving a fair bit as I work on execution and it would be quite a lot slower (and pointless) if I had to keep the database part in sync in the meantime.

This tool is very a little dangerous because if you use it to execute a blueprint that is neither the system's current target nor a previous one, you could fork what's supposed to be a linear history. Concretely: if this deploys a blueprint that moves some sled's Omicron zones from generation 5 to generation 6, and someone in Nexus also generates a blueprint going from 5 to 6, but it's a different generation 6, that'd be very bad. All kinds of problems are possible. Many of them are fixable but it's still super dangerous if applied to a system you care about. I'd welcome any suggestions for safeties here.

This tool is a little dangerous because it can deploy something to, say, sled agents that's a little different than what Nexus is deploying for the same blueprint. One of these will "win" on a per-sled basis. The other will see blueprint execution errors. This would generally get resolved if ever Nexus had to bump the associated generation for some other reason. The specific behavior and impact would depend on how the blueprint differed between Nexus and this tool.

~~This is really intended for the development use case above, though we were recently discussing a case where this could be useful in production, which is that if a Scrimlet fails and then the rack cold-starts: currently, Nexus won't come up because it will find two Dendrites in DNS but won't be able to reach one. In this case, if you used omdb to expunge the sled and then used this tool to re-execute the current blueprint (which Nexus can't do because it's down, but this tool should be able to because the database is up), it should allow Nexus to come back up.~~ This tool is really intended for the development use case above. There may be some production use cases it could help with, but those are theoretical (the one crossed-out above does not work because expunge requires Nexus to be running). And this tool is dangerous enough that I don't think we should ship this tool right now. If you want to use it, you have to build it yourself and copy it to the system you want to use it on.

Things that are a few things that are safer than they seem about this:

  • by design, it's always safe to execute blueprints concurrently
  • by design, it's always fine to execute an older blueprint

@davepacheco davepacheco left a comment

(edit: I've updated this PR and the description above to reflect the changes described here)

While commenting on the safety bits below, I realized a different way to phrase this tool that could be much safer. Right now, it's phrased as "execute whatever blueprint you want". It could instead be phrased as: "execute the system's current target blueprint, but read it from this file instead of the database". Or even "execute a specific blueprint that was at least at one time a target for this system, but read it from this file instead of the database".

This would still support the use cases I mentioned above:

  • for development, it would be fine if you had to use reconfigurator-cli to make your custom blueprint, load it into Nexus, make it the target, and then use this tool
  • in the production case I mentioned, we only wanted to execute the system's existing target blueprint anyway
  • you could also use this to test execution of older blueprints, which is always supposed to be safe (and you could more easily test that with this tool)

Generally this should be pretty safe because you can't fork the linear history (mostly). That is, you can't execute a blueprint that creates a new generation N on a sled agent that Nexus doesn't know about. It does know about it. But it's still a little dicey in that the contents of generation N on the sled might diverge from the contents that Nexus wants to send it (because this tool and Nexus are interpreting that generation differently). That would produce errors during execution. This would get resolved if ever Nexus had to bump the generation for some other reason. The specific behavior and impact would depend on how the blueprint differed between Nexus and the tool.

At the very least, this seems like a big improvement.
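
The two safeties discussed in the comments above, as an added example in Rust that is not code from this PR or from Omicron: the "must match the current target" guard, and a toy model of how a sled's generation number lets one executor "win" while the other sees an error. The types `SledConfig`, `SledAgent` and `Put`, the function names, and the assumption that a sled ignores an older generation and rejects an equal generation with different contents are all hypothetical; only the error wording is taken from the tool output quoted on this page.

```rust
use std::cmp::Ordering;
use std::collections::BTreeMap;

/// Toy per-sled config: a generation number plus zone name -> image source.
#[derive(Clone, Debug, PartialEq, Eq)]
struct SledConfig {
    generation: u64,
    zones: BTreeMap<&'static str, &'static str>,
}

fn config(generation: u64, zones: &[(&'static str, &'static str)]) -> SledConfig {
    SledConfig { generation, zones: zones.iter().copied().collect() }
}

/// Outcome of one executor sending a config to one sled (assumed behaviour).
#[derive(Debug, PartialEq, Eq)]
enum Put {
    Applied,        // newer generation: sled adopts it
    AlreadyCurrent, // same generation, same contents: nothing to do
    Stale,          // older generation: ignored, sled state unchanged
    Diverged,       // same generation, different contents: execution error
}

struct SledAgent {
    current: SledConfig,
}

impl SledAgent {
    fn put(&mut self, requested: &SledConfig) -> Put {
        match requested.generation.cmp(&self.current.generation) {
            Ordering::Greater => {
                self.current = requested.clone();
                Put::Applied
            }
            Ordering::Less => Put::Stale,
            Ordering::Equal if *requested == self.current => Put::AlreadyCurrent,
            Ordering::Equal => Put::Diverged,
        }
    }
}

/// Guard run before execution: the blueprint loaded from the file must be
/// the system's current target, otherwise nothing is executed.
fn check_target(requested: &str, current_target: &str) -> Result<(), String> {
    if requested == current_target {
        Ok(())
    } else {
        Err(format!(
            "requested blueprint {} does not match current target ({})",
            requested, current_target
        ))
    }
}

/// Constructed scenario: the tool and Nexus execute the same target blueprint
/// but interpret generation 6 differently (the file carries an artifact image
/// source that the database copy does not).
fn scenario() -> Vec<(&'static str, Put)> {
    let mut sled = SledAgent { current: config(5, &[("pantry", "install-dataset")]) };
    let from_file = config(6, &[("pantry", "artifact 1.2.3")]);
    let from_db = config(6, &[("pantry", "install-dataset")]);
    let older = config(5, &[("pantry", "install-dataset")]);
    let bumped = config(7, &[("pantry", "artifact 1.2.3")]);
    vec![
        ("tool executes target (gen 6 from file)", sled.put(&from_file)),
        ("tool executes the same blueprint again", sled.put(&from_file)),
        ("Nexus executes target (gen 6 from db)", sled.put(&from_db)),
        ("older blueprint executed (gen 5)", sled.put(&older)),
        ("Nexus bumps the generation (gen 7)", sled.put(&bumped)),
    ]
}

fn main() {
    // Blueprint ids as they appear in the test output on this page.
    let requested = "6a20d618-fb09-4498-ba71-fbad64fe1826";
    let target = "39000f8b-c48e-4ea6-877c-f96898eca6bd";
    if let Err(e) = check_target(requested, target) {
        println!("error: {}", e);
    }
    for (step, outcome) in scenario() {
        println!("{}: {:?}", step, outcome);
    }
}
```
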

@davepacheco davepacheco changed the base branch from main to dap/exec-builder March 18, 2025 17:18
Comment on lines +49 to +50
pub nexus_id: Option<OmicronZoneUuid>,
pub creator: OmicronZoneUuid,
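
Review bot: `creator` on the second line has the same underlying type as the optional `nexus_id` directly above it, and there is no doc comment between the two fields, so nothing in the visible lines tells a caller which UUID belongs where or what leaving `nexus_id` as `None` changes. Suggest a doc comment on each field stating what it is used for, and consider a distinct newtype for `creator` so the two cannot be swapped silently.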

Previously, we were using nexus_id in three places:

  • as the "creator" field for DNS records
  • to assign ourselves sagas and support bundles from any expunged Nexus instances

I've separated these out. Now we use creator for the first one. This must always be specified. We use nexus_id for the other two. You can leave this unspecified, in which case execution will skip these steps (because it makes no sense for this tool to assign itself sagas or support bundles).

I think creator could be a free-form string but I wasn't sure if some stuff might assume it's a uuid so I did what felt like the conservative thing and kept it a uuid.

Base automatically changed from dap/exec-builder to main March 18, 2025 18:32

davepacheco commented Mar 19, 2025

On the latest commit (aa4cca5), I retested the easy cases.

Test case: a blueprint that was previously a target:

root@oxz_switch:~# ./reconfigurator-exec-unsafe eebb0ad3-d29c-4050-852e-65c2734bfc4f.out 
Mar 19 03:53:20.944 INFO setting up resolver
Mar 19 03:53:20.949 INFO setting up database pool
Mar 19 03:53:21.041 INFO setting up arguments for execution
...
Mar 19 03:53:21.130 INFO new DNS resolver, addresses: [[fd00:1122:3344:3::1]:53]
Mar 19 03:53:21.131 INFO loading blueprint file, input_path: eebb0ad3-d29c-4050-852e-65c2734bfc4f.out
error: requested blueprint eebb0ad3-d29c-4050-852e-65c2734bfc4f does not match current target (42d1017f-d2ef-4690-afeb-2d1e241c758b)
root@oxz_switch:~# echo $?
1

Test case: a blueprint that was never a target:

root@oxz_switch:~# ./reconfigurator-exec-unsafe 030976d8-e039-4841-9baa-bd53e9c5bf7e.out 
Mar 19 03:54:21.113 INFO setting up resolver
Mar 19 03:54:21.114 INFO setting up database pool
Mar 19 03:54:21.194 INFO setting up arguments for execution
...
Mar 19 03:54:21.215 INFO new DNS resolver, addresses: [[fd00:1122:3344:3::1]:53]
Mar 19 03:54:21.215 INFO loading blueprint file, input_path: 030976d8-e039-4841-9baa-bd53e9c5bf7e.out
error: requested blueprint 030976d8-e039-4841-9baa-bd53e9c5bf7e does not match current target (42d1017f-d2ef-4690-afeb-2d1e241c758b)
root@oxz_switch:~# echo $?
1
root@

Finally, the current target:

root@oxz_switch:~# ./reconfigurator-exec-unsafe 42d1017f-d2ef-4690-afeb-2d1e241c758b.json 
Mar 19 03:55:03.920 INFO setting up resolver
Mar 19 03:55:03.921 INFO setting up database pool
Mar 19 03:55:04.050 INFO setting up arguments for execution
...
Mar 19 03:55:04.076 INFO new DNS resolver, addresses: [[fd00:1122:3344:3::1]:53]
Mar 19 03:55:04.076 INFO loading blueprint file, input_path: 42d1017f-d2ef-4690-afeb-2d1e241c758b.json
Mar 19 03:55:08.793 INFO beginning execution
Mar 19 03:55:08.797 INFO attempting to realize blueprint, blueprint_id: 42d1017f-d2ef-4690-afeb-2d1e241c758b, comment:
Mar 19 03:55:09.613 INFO found already-allocated external IP, nic: NetworkInterface { id: 6d662400-04d5-40dc-9c56-459ea39cda24, kind: Service { id: 995970da-c138-4d83-948b-5ed9127ae179 }, name: Name("external-dns-995970da-c138-4d83-948b-5ed9127ae179"), ip: 172.30.1.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 157, 194])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: bb872789-1be4-4819-93f7-3fe7c1a2a217 (external_ip), ip: 198.51.100.20 }), zone_id: 995970da-c138-4d83-948b-5ed9127ae179, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 03:55:09.623 INFO found already-allocated NIC, nic: NetworkInterface { id: 6d662400-04d5-40dc-9c56-459ea39cda24, kind: Service { id: 995970da-c138-4d83-948b-5ed9127ae179 }, name: Name("external-dns-995970da-c138-4d83-948b-5ed9127ae179"), ip: 172.30.1.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 157, 194])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: bb872789-1be4-4819-93f7-3fe7c1a2a217 (external_ip), ip: 198.51.100.20 }), zone_id: 995970da-c138-4d83-948b-5ed9127ae179, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 03:55:09.627 INFO found already-allocated external IP, nic: NetworkInterface { id: 012318e2-8327-4b11-ac1c-a28efe923d22, kind: Service { id: c6bc048f-bfef-40b0-9ebd-763d0714b9e0 }, name: Name("nexus-c6bc048f-bfef-40b0-9ebd-763d0714b9e0"), ip: 172.30.2.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 173, 157])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 6ce33487-d803-402c-9a1d-ec88794fa09b (external_ip), ip: 198.51.100.23 }), zone_id: c6bc048f-bfef-40b0-9ebd-763d0714b9e0, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.630 INFO found already-allocated NIC, nic: NetworkInterface { id: 012318e2-8327-4b11-ac1c-a28efe923d22, kind: Service { id: c6bc048f-bfef-40b0-9ebd-763d0714b9e0 }, name: Name("nexus-c6bc048f-bfef-40b0-9ebd-763d0714b9e0"), ip: 172.30.2.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 173, 157])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 6ce33487-d803-402c-9a1d-ec88794fa09b (external_ip), ip: 198.51.100.23 }), zone_id: c6bc048f-bfef-40b0-9ebd-763d0714b9e0, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.634 INFO found already-allocated external IP, nic: NetworkInterface { id: 9ff7d834-2bff-47c0-b297-7e2f26614923, kind: Service { id: 2200257c-6460-46c4-adad-1899f53d8e42 }, name: Name("ntp-2200257c-6460-46c4-adad-1899f53d8e42"), ip: 172.30.3.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 253, 138])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: a06a0c31-0aa7-41ac-a4ec-e614be1a37cd (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 0, last_port: 16383 } }), zone_id: 2200257c-6460-46c4-adad-1899f53d8e42, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 03:55:09.637 INFO found already-allocated NIC, nic: NetworkInterface { id: 9ff7d834-2bff-47c0-b297-7e2f26614923, kind: Service { id: 2200257c-6460-46c4-adad-1899f53d8e42 }, name: Name("ntp-2200257c-6460-46c4-adad-1899f53d8e42"), ip: 172.30.3.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 253, 138])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: a06a0c31-0aa7-41ac-a4ec-e614be1a37cd (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 0, last_port: 16383 } }), zone_id: 2200257c-6460-46c4-adad-1899f53d8e42, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 03:55:09.643 INFO found already-allocated external IP, nic: NetworkInterface { id: c54a6915-7eb4-47d6-8857-80bd4f308514, kind: Service { id: 7027e26a-0d5d-4ca3-9578-4e7dc16af9a2 }, name: Name("external-dns-7027e26a-0d5d-4ca3-9578-4e7dc16af9a2"), ip: 172.30.1.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 240, 144])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 4d8e2279-c623-4664-8488-0af2d1acb80b (external_ip), ip: 198.51.100.21 }), zone_id: 7027e26a-0d5d-4ca3-9578-4e7dc16af9a2, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 03:55:09.647 INFO found already-allocated NIC, nic: NetworkInterface { id: c54a6915-7eb4-47d6-8857-80bd4f308514, kind: Service { id: 7027e26a-0d5d-4ca3-9578-4e7dc16af9a2 }, name: Name("external-dns-7027e26a-0d5d-4ca3-9578-4e7dc16af9a2"), ip: 172.30.1.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 240, 144])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 4d8e2279-c623-4664-8488-0af2d1acb80b (external_ip), ip: 198.51.100.21 }), zone_id: 7027e26a-0d5d-4ca3-9578-4e7dc16af9a2, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 03:55:09.653 INFO found already-allocated external IP, nic: NetworkInterface { id: aea04f35-eda0-48df-9912-f32a075532c6, kind: Service { id: ae79633f-feee-48f2-b7ad-f14ce5a54e47 }, name: Name("nexus-ae79633f-feee-48f2-b7ad-f14ce5a54e47"), ip: 172.30.2.7, mac: MacAddr(MacAddr6([168, 64, 37, 255, 133, 137])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: c08a0fa0-40cb-4abd-89ff-ae796a12d384 (external_ip), ip: 198.51.100.24 }), zone_id: ae79633f-feee-48f2-b7ad-f14ce5a54e47, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.658 INFO found already-allocated NIC, nic: NetworkInterface { id: aea04f35-eda0-48df-9912-f32a075532c6, kind: Service { id: ae79633f-feee-48f2-b7ad-f14ce5a54e47 }, name: Name("nexus-ae79633f-feee-48f2-b7ad-f14ce5a54e47"), ip: 172.30.2.7, mac: MacAddr(MacAddr6([168, 64, 37, 255, 133, 137])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: c08a0fa0-40cb-4abd-89ff-ae796a12d384 (external_ip), ip: 198.51.100.24 }), zone_id: ae79633f-feee-48f2-b7ad-f14ce5a54e47, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.663 INFO found already-allocated external IP, nic: NetworkInterface { id: bfcf9b95-c68b-49fb-86d6-e8501720207e, kind: Service { id: 83bd1f6d-11db-4642-bbc2-a4a4f69755df }, name: Name("nexus-83bd1f6d-11db-4642-bbc2-a4a4f69755df"), ip: 172.30.2.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 214, 165])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 335d5824-d637-4ae2-b2c0-62f4e024f6ee (external_ip), ip: 198.51.100.22 }), zone_id: 83bd1f6d-11db-4642-bbc2-a4a4f69755df, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.667 INFO found already-allocated NIC, nic: NetworkInterface { id: bfcf9b95-c68b-49fb-86d6-e8501720207e, kind: Service { id: 83bd1f6d-11db-4642-bbc2-a4a4f69755df }, name: Name("nexus-83bd1f6d-11db-4642-bbc2-a4a4f69755df"), ip: 172.30.2.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 214, 165])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 335d5824-d637-4ae2-b2c0-62f4e024f6ee (external_ip), ip: 198.51.100.22 }), zone_id: 83bd1f6d-11db-4642-bbc2-a4a4f69755df, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 03:55:09.673 INFO found already-allocated external IP, nic: NetworkInterface { id: a83b6ff3-1e83-4b18-8eae-5705c4706e81, kind: Service { id: da0bedf0-33ed-4669-9377-790699b6f610 }, name: Name("ntp-da0bedf0-33ed-4669-9377-790699b6f610"), ip: 172.30.3.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 181, 206])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: b474ab50-1e9c-4ca5-bd7a-c8bf6256febb (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 16384, last_port: 32767 } }), zone_id: da0bedf0-33ed-4669-9377-790699b6f610, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 03:55:09.677 INFO found already-allocated NIC, nic: NetworkInterface { id: a83b6ff3-1e83-4b18-8eae-5705c4706e81, kind: Service { id: da0bedf0-33ed-4669-9377-790699b6f610 }, name: Name("ntp-da0bedf0-33ed-4669-9377-790699b6f610"), ip: 172.30.3.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 181, 206])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: b474ab50-1e9c-4ca5-bd7a-c8bf6256febb (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 16384, last_port: 32767 } }), zone_id: da0bedf0-33ed-4669-9377-790699b6f610, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 03:55:11.607 INFO Successfully deployed config to sled agent, successfully configured datasets: 31, successfully configured disks: 5, generation: 11, sled_id: 243c4209-1720-436d-b229-f95b3a164557, comment:
Mar 19 03:55:11.881 INFO Successfully deployed config to sled agent, successfully configured datasets: 31, successfully configured disks: 5, generation: 5, sled_id: 6017cb64-b50b-461c-a673-35808ae71d20, comment:
Mar 19 03:55:12.090 INFO Successfully deployed config to sled agent, successfully configured datasets: 30, successfully configured disks: 5, generation: 5, sled_id: e41d97c0-2729-4e81-a9f7-233544bae627, comment:
Mar 19 03:55:22.007 INFO no changes, blueprint_execution: dns Internal, comment:
Mar 19 03:55:22.009 INFO no changes, blueprint_execution: dns External, comment:
Mar 19 03:55:22.084 INFO set cockroachdb setting, value: 22.1, setting: cluster.preserve_downgrade_option, comment:
[00:00:00]   Running ( 1/13) Ensure external networking resources
[00:00:00] Completed ( 1/13) Ensure external networking resources: after 871.17ms
[00:00:00]   Running ( 2/13) Fetch sled list
[00:00:02] Completed ( 2/13) Fetch sled list: after 1.16s
[00:00:02]   Running ( 3/13) Deploy sled configs
[00:00:03] Completed ( 3/13) Deploy sled configs: after 1.25s
[00:00:03]   Running ( 4/13) Plumb service firewall rules
[00:00:05] Completed ( 4/13) Plumb service firewall rules: after 2.45s with warning: failed to plumb service firewall rules to sleds: Object (of type ById(001de000-074c-4000-8000-000000000000)) not found: vpc
[00:00:05]   Running ( 5/13) Deploy DNS records
[00:00:13] Completed ( 5/13) Deploy DNS records: after 7.47s
[00:00:13]   Running ( 6/13) Cleanup expunged zones
[00:00:13] Completed ( 6/13) Cleanup expunged zones: after 177.99µs
[00:00:13]   Running ( 7/13) Decommission sleds
[00:00:13] Completed ( 7/13) Decommission sleds: after 23.17µs
[00:00:13]   Running ( 8/13) Decommission expunged disks
[00:00:13] Completed ( 8/13) Decommission expunged disks: after 28.06µs
[00:00:13]   Running ( 9/13) Deploy clickhouse cluster nodes
[00:00:13] Completed ( 9/13) Deploy clickhouse cluster nodes: after 14.92µs
[00:00:13]   Running (10/13) Deploy single-node clickhouse cluster
[00:00:13] Completed (10/13) Deploy single-node clickhouse cluster: after 52.55ms
[00:00:13]   Running (11/13) Mark support bundles as failed if they rely on an expunged disk or sled
[00:00:13]   Skipped (11/13) Mark support bundles as failed if they rely on an expunged disk or sled: not running as Nexus
[00:00:13]   Running (12/13) Reassign sagas
[00:00:13]   Skipped (12/13) Reassign sagas: not running as Nexus
[00:00:13]   Running (13/13) Ensure CockroachDB settings
[00:00:13] Completed (13/13) Ensure CockroachDB settings: after 22.19ms
root@oxz_switch:~# echo $?
0
root@oxz_switch:~#

Note the two steps skipped because "not running as Nexus".

I still plan to retest:

  • live tests on a system with Nexus with these bits (to make sure I didn't break saga re-assignment) -- had to fix nexus add/remove live test fails #7822
  • using this tool to change the image of a running zone

@davepacheco

Live tests on an a4x2 built with this change (live tests from #7823):

root@oxz_switch:~# TMPDIR=/var/tmp ./cargo-nextest nextest run --profile=live-tests          --archive-file live-tests-archive/omicron-live-tests.tar.zst          --workspace-remap live-tests-archive --nocapture
  Extracting 1 binary, 1 build script output directory, and 3 linked paths to /var/tmp/nextest-archive-8Ss9DJ
   Extracted 46 files to /var/tmp/nextest-archive-8Ss9DJ in 1.34s
info: experimental features enabled: setup-scripts
------------
 Nextest run ID 39a641ba-9f3c-47ec-a1f4-411b84ded898 with nextest profile: live-tests
    Starting 1 test across 1 binary
       START             omicron-live-tests::test_nexus_add_remove test_nexus_add_remove

running 1 test
log file: /var/tmp/test_nexus_add_remove-3ad37aa113db9b44-test_nexus_add_remove.11769.0.log
note: configured to log to "/var/tmp/test_nexus_add_remove-3ad37aa113db9b44-test_nexus_add_remove.11769.0.log"
note: using DNS server for subnet fd00:1122:3344::/48
        SLOW [> 60.000s] omicron-live-tests::test_nexus_add_remove test_nexus_add_remove
test test_nexus_add_remove has been running for over 60 seconds
test test_nexus_add_remove ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 110.18s

        PASS [ 110.242s] omicron-live-tests::test_nexus_add_remove test_nexus_add_remove
------------
     Summary [ 110.251s] 1 test run: 1 passed (1 slow), 0 skipped

@davepacheco

I re-did the same thing I did at Friday's demo, using this tool to change the image of a currently-running pantry zone.

Then I generated a blueprint from the current target that points the pantry zone on g0 at its image from this TUF repo:

root@oxz_switch:~# omdb reconfigurator export reconfigurator0.out
note: database URL not specified.  Will search DNS.
note: (override with --db-url or OMDB_DB_URL)
note: using DNS server for subnet fd00:1122:3344::/48
note: (if this is not right, use --dns-server to specify an alternate DNS server)
note: using database URL postgresql://root@[fd00:1122:3344:101::3]:32221,[fd00:1122:3344:103::3]:32221,[fd00:1122:3344:101::4]:32221,[fd00:1122:3344:102::3]:32221,[fd00:1122:3344:102::4]:32221/omicron?sslmode=disable
note: database schema version matches expected (130.0.0)
assembling reconfigurator state ... done
wrote reconfigurator0.out

root@oxz_switch:~# ./reconfigurator-cli
〉load reconfigurator0.out 4d3ce3b9-073d-4f84-8be1-954ff0a60296
loaded data from "reconfigurator0.out"
result:
  system:
    using collection 4d3ce3b9-073d-4f84-8be1-954ff0a60296 as source of sled inventory data
    loaded sleds: ade87960-6c43-4000-bb0d-e3d624663169, bcf635d6-1dad-4278-b4c8-b3ad9b19d4e6, be988b52-b4c5-4cb4-ae81-83b51f36f5c8
    loaded collections: b889b87e-47ff-4b69-88a6-a0387bee6011, 74b962e8-6b3b-49f3-8abc-dd1ce3ac6d22, bbdfc97f-a29f-4971-bf03-87a41ee22e77, 4d3ce3b9-073d-4f84-8be1-954ff0a60296
    loaded blueprints: 39000f8b-c48e-4ea6-877c-f96898eca6bd, 47795568-b31a-4059-b13b-d3c07092fac8, 506d7a3a-b2c2-40b9-8787-39804133291b, 7b84193c-1ca9-4685-b3ff-442631207bcf, a272a45a-c50c-4935-b1f2-efbd51328140, e9c86b72-d10e-487b-877e-cfa1b7174d79
    loaded service IP pool ranges: [V4(Ipv4Range { first: 198.51.100.20, last: 198.51.100.29 })]
    loaded internal DNS generations: (none)
    loaded external DNS generations: (none)
  config:
    configured external DNS zone name: oxide.test
    configured silo names: default-silo, recovery

〉blueprint-list
T ENA ID                                   PARENT                               TIME_CREATED
      506d7a3a-b2c2-40b9-8787-39804133291b <none>                               2025-03-19T14:09:38.205Z
      e9c86b72-d10e-487b-877e-cfa1b7174d79 506d7a3a-b2c2-40b9-8787-39804133291b 2025-03-19T14:36:11.369Z
      a272a45a-c50c-4935-b1f2-efbd51328140 e9c86b72-d10e-487b-877e-cfa1b7174d79 2025-03-19T14:36:50.266Z
      7b84193c-1ca9-4685-b3ff-442631207bcf a272a45a-c50c-4935-b1f2-efbd51328140 2025-03-19T15:23:10.286Z
      47795568-b31a-4059-b13b-d3c07092fac8 7b84193c-1ca9-4685-b3ff-442631207bcf 2025-03-19T15:23:48.785Z
* yes 39000f8b-c48e-4ea6-877c-f96898eca6bd 47795568-b31a-4059-b13b-d3c07092fac8 2025-03-19T15:24:25.960Z

〉blueprint-edit 39000f8b-c48e-4ea6-877c-f96898eca6bd set-zone-image 5d5e2b67-f22a-482d-8a77-68e4b151c974 artifact 1.2.3 4b489fc6c5cf98f88ba252361da68e138c02f3f8b47031f66becddd0996e3a2b
blueprint 6a20d618-fb09-4498-ba71-fbad64fe1826 created from blueprint 39000f8b-c48e-4ea6-877c-f96898eca6bd: set sled ade87960-6c43-4000-bb0d-e3d624663169 zone 5d5e2b67-f22a-482d-8a77-68e4b151c974 image source to artifact: version 1.2.3
warn: no validation is done on the requested image source
〉

〉blueprint-save 6a20d618-fb09-4498-ba71-fbad64fe1826 6a20d618-fb09-4498-ba71-fbad64fe1826.json
saved blueprint 6a20d618-fb09-4498-ba71-fbad64fe1826 to "6a20d618-fb09-4498-ba71-fbad64fe1826.json"

Here's the state of that zone at this point (up a few hours, running bits from the install dataset):

root@g0:~# svcs -z oxz_crucible_pantry_5d5e2b67-f22a-482d-8a77-68e4b151c974
STATE          STIME    FMRI
legacy_run     14:07:42 lrc:/etc/rc2_d/S20sysetup
legacy_run     14:07:43 lrc:/etc/rc2_d/S89PRESERVE
online         14:06:10 svc:/system/svc/restarter:default
online         14:06:15 svc:/system/early-manifest-import:default
online         14:06:21 svc:/network/datalink-management:default
online         14:06:21 svc:/network/netcfg:default
online         14:06:22 svc:/network/ip-interface-management:default
online         14:06:22 svc:/system/filesystem/root:default
online         14:06:26 svc:/system/boot-archive:default
online         14:06:27 svc:/network/loopback:default
online         14:06:27 svc:/system/auditset:default
online         14:06:27 svc:/system/filesystem/usr:default
online         14:06:28 svc:/network/physical:default
online         14:06:28 svc:/system/device/local:default
online         14:06:30 svc:/milestone/devices:default
online         14:06:30 svc:/system/pfexec:default
online         14:06:30 svc:/network/ipsec/ipsecalgs:default
online         14:06:31 svc:/system/device/audio:default
online         14:06:31 svc:/system/identity:node
online         14:06:32 svc:/system/filesystem/minimal:default
online         14:06:32 svc:/network/ipsec/policy:default
online         14:06:32 svc:/system/hostid:default
online         14:06:32 svc:/system/pkgserv:default
online         14:06:32 svc:/system/logadm-upgrade:default
online         14:06:33 svc:/system/rmtmpfiles:default
online         14:06:33 svc:/milestone/network:default
online         14:06:34 svc:/system/fmd:default
online         14:06:34 svc:/network/initial:default
online         14:06:35 svc:/network/iptun:default
online         14:06:35 svc:/network/netmask:default
online         14:06:58 svc:/system/rbac:default
online         14:07:05 svc:/network/service:default
online         14:07:06 svc:/system/cryptosvc:default
online         14:07:07 svc:/system/identity:domain
online         14:07:07 svc:/system/keymap:default
online         14:07:08 svc:/system/name-service-cache:default
online         14:07:18 svc:/milestone/name-services:default
online         14:07:25 svc:/system/manifest-import:default
online         14:07:28 svc:/system/coreadm:default
online         14:07:29 svc:/milestone/single-user:default
online         14:07:30 svc:/milestone/sysconfig:default
online         14:07:31 svc:/system/filesystem/local:default
online         14:07:31 svc:/system/utmp:default
online         14:07:35 svc:/system/system-log:default
online         14:07:35 svc:/system/cron:default
online         14:07:35 svc:/system/boot-archive-update:default
online         14:07:35 svc:/system/console-login:default
online         14:07:37 svc:/network/routing-setup:default
online         14:07:38 svc:/network/shares/group:default
online         14:07:43 svc:/milestone/multi-user:default
online         14:07:45 svc:/system/boot-config:default
online         14:07:46 svc:/milestone/multi-user-server:default
online         14:07:46 svc:/network/shares/group:zfs
online         14:07:46 svc:/network/routing/ndp:default
online         14:08:03 svc:/oxide/zone-network-setup:default
online         14:08:06 svc:/oxide/crucible/pantry:default
online         14:08:55 svc:/system/update-man-index:default
root@g0:~# ls -l /pool/ext/*/crypt/zone/oxz_crucible_pantry*/root/opt/oxide/zone-setup-cli/bin/zone-setup
-rwxr-xr-x   1 root     root     34044200 Mar 19 14:05 /pool/ext/fc0e15a5-6456-438c-b38a-cfb74302a9ab/crypt/zone/oxz_crucible_pantry_5d5e2b67-f22a-482d-8a77-68e4b151c974/root/opt/oxide/zone-setup-cli/bin/zone-setup
root@g0:~# digest -a md5 /pool/ext/*/crypt/zone/oxz_crucible_pantry*/root/opt/oxide/zone-setup-cli/bin/zone-setup
2bbe16adde2eb6450fde03165e5ab4c2
root@g0:~#

Make the change:

root@oxz_switch:~# ./reconfigurator-exec-unsafe 6a20d618-fb09-4498-ba71-fbad64fe1826.json
error: requested blueprint 6a20d618-fb09-4498-ba71-fbad64fe1826 does not match current target (39000f8b-c48e-4ea6-877c-f96898eca6bd)

Good. Now for real:

root@oxz_switch:~# omdb -w nexus blueprints import 6a20d618-fb09-4498-ba71-fbad64fe1826.json
note: Nexus URL not specified.  Will pick one from DNS.
note: using DNS server for subnet fd00:1122:3344::/48
note: (if this is not right, use --dns-server to specify an alternate DNS server)
note: using Nexus URL http://[fd00:1122:3344:101::6]:12221
uploaded new blueprint 6a20d618-fb09-4498-ba71-fbad64fe1826

root@oxz_switch:~# omdb -w nexus blueprints target set 6a20d618-fb09-4498-ba71-fbad64fe1826 disabled
note: Nexus URL not specified.  Will pick one from DNS.
note: using DNS server for subnet fd00:1122:3344::/48
note: (if this is not right, use --dns-server to specify an alternate DNS server)
note: using Nexus URL http://[fd00:1122:3344:101::6]:12221
set target blueprint to 6a20d618-fb09-4498-ba71-fbad64fe1826

root@oxz_switch:~# ./reconfigurator-exec-unsafe 6a20d618-fb09-4498-ba71-fbad64fe1826.json
Mar 19 17:09:57.809 INFO setting up resolver
Mar 19 17:09:57.814 INFO setting up database pool
Mar 19 17:09:58.587 INFO setting up arguments for execution
...
Mar 19 17:09:58.645 INFO full Oso configuration, config: #
...
Mar 19 17:09:58.660 INFO new DNS resolver, addresses: [[fd00:1122:3344:3::1]:53]
Mar 19 17:09:58.660 INFO loading blueprint file, input_path: 6a20d618-fb09-4498-ba71-fbad64fe1826.json
Mar 19 17:09:59.339 INFO beginning execution
Mar 19 17:09:59.341 INFO attempting to realize blueprint, blueprint_id: 6a20d618-fb09-4498-ba71-fbad64fe1826, comment:
Mar 19 17:10:00.928 INFO found already-allocated external IP, nic: NetworkInterface { id: 8700367a-0a57-4afa-9eb2-4c8563371f48, kind: Service { id: 413e062b-0ba5-4fac-a078-cc60857e1c7a }, name: Name("external-dns-413e062b-0ba5-4fac-a078-cc60857e1c7a"), ip: 172.30.1.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 182, 190])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 08f78126-5042-4536-8419-de806bda15a6 (external_ip), ip: 198.51.100.21 }), zone_id: 413e062b-0ba5-4fac-a078-cc60857e1c7a, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 17:10:00.933 INFO found already-allocated NIC, nic: NetworkInterface { id: 8700367a-0a57-4afa-9eb2-4c8563371f48, kind: Service { id: 413e062b-0ba5-4fac-a078-cc60857e1c7a }, name: Name("external-dns-413e062b-0ba5-4fac-a078-cc60857e1c7a"), ip: 172.30.1.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 182, 190])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 08f78126-5042-4536-8419-de806bda15a6 (external_ip), ip: 198.51.100.21 }), zone_id: 413e062b-0ba5-4fac-a078-cc60857e1c7a, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 17:10:00.938 INFO found already-allocated external IP, nic: NetworkInterface { id: 2cc76e7e-1aad-466f-a89b-ba8135b8ee4a, kind: Service { id: b0b50876-5021-4a82-9eb6-1d834b3d43fb }, name: Name("nexus-b0b50876-5021-4a82-9eb6-1d834b3d43fb"), ip: 172.30.2.7, mac: MacAddr(MacAddr6([168, 64, 37, 255, 236, 111])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 439809b8-ea81-4dca-b330-f451fbcdea24 (external_ip), ip: 198.51.100.24 }), zone_id: b0b50876-5021-4a82-9eb6-1d834b3d43fb, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.943 INFO found already-allocated NIC, nic: NetworkInterface { id: 2cc76e7e-1aad-466f-a89b-ba8135b8ee4a, kind: Service { id: b0b50876-5021-4a82-9eb6-1d834b3d43fb }, name: Name("nexus-b0b50876-5021-4a82-9eb6-1d834b3d43fb"), ip: 172.30.2.7, mac: MacAddr(MacAddr6([168, 64, 37, 255, 236, 111])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 439809b8-ea81-4dca-b330-f451fbcdea24 (external_ip), ip: 198.51.100.24 }), zone_id: b0b50876-5021-4a82-9eb6-1d834b3d43fb, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.947 INFO found already-allocated external IP, nic: NetworkInterface { id: a4c79d66-826f-439d-98fe-37b9f2205f40, kind: Service { id: e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc }, name: Name("ntp-e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc"), ip: 172.30.3.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 173, 105])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: 84313de9-5f17-40de-b0b4-bd9e9f94e075 (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 0, last_port: 16383 } }), zone_id: e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 17:10:00.951 INFO found already-allocated NIC, nic: NetworkInterface { id: a4c79d66-826f-439d-98fe-37b9f2205f40, kind: Service { id: e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc }, name: Name("ntp-e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc"), ip: 172.30.3.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 173, 105])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: 84313de9-5f17-40de-b0b4-bd9e9f94e075 (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 0, last_port: 16383 } }), zone_id: e0e2531a-796a-4d91-a3cc-2ccbe6b9fafc, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 17:10:00.954 INFO found already-allocated external IP, nic: NetworkInterface { id: ba3dc1a3-5fb5-4ca7-a9b3-55daf6cf8ca8, kind: Service { id: bd573f12-af70-4138-ba11-cbdcba10b8ca }, name: Name("external-dns-bd573f12-af70-4138-ba11-cbdcba10b8ca"), ip: 172.30.1.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 198, 158])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 8f8265bb-6d4a-4f72-a8c7-b5dec1a2ddd0 (external_ip), ip: 198.51.100.20 }), zone_id: bd573f12-af70-4138-ba11-cbdcba10b8ca, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 17:10:00.959 INFO found already-allocated NIC, nic: NetworkInterface { id: ba3dc1a3-5fb5-4ca7-a9b3-55daf6cf8ca8, kind: Service { id: bd573f12-af70-4138-ba11-cbdcba10b8ca }, name: Name("external-dns-bd573f12-af70-4138-ba11-cbdcba10b8ca"), ip: 172.30.1.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 198, 158])), subnet: V4(Ipv4Net { addr: 172.30.1.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 8f8265bb-6d4a-4f72-a8c7-b5dec1a2ddd0 (external_ip), ip: 198.51.100.20 }), zone_id: bd573f12-af70-4138-ba11-cbdcba10b8ca, zone_kind: external_dns, action: allocate-external-networking, comment:
Mar 19 17:10:00.963 INFO found already-allocated external IP, nic: NetworkInterface { id: 8274d06c-6ae4-4d0d-9c95-889766824b97, kind: Service { id: f19aeebe-2cc8-427f-99ef-ea1ed95c2106 }, name: Name("nexus-f19aeebe-2cc8-427f-99ef-ea1ed95c2106"), ip: 172.30.2.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 148, 141])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 8b17b127-d97b-423e-9264-dec75af78ae8 (external_ip), ip: 198.51.100.23 }), zone_id: f19aeebe-2cc8-427f-99ef-ea1ed95c2106, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.966 INFO found already-allocated NIC, nic: NetworkInterface { id: 8274d06c-6ae4-4d0d-9c95-889766824b97, kind: Service { id: f19aeebe-2cc8-427f-99ef-ea1ed95c2106 }, name: Name("nexus-f19aeebe-2cc8-427f-99ef-ea1ed95c2106"), ip: 172.30.2.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 148, 141])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 8b17b127-d97b-423e-9264-dec75af78ae8 (external_ip), ip: 198.51.100.23 }), zone_id: f19aeebe-2cc8-427f-99ef-ea1ed95c2106, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.969 INFO found already-allocated external IP, nic: NetworkInterface { id: 8784f4a1-9b68-4a4e-9dfb-59444ba9f379, kind: Service { id: 02d0a6b7-e865-43de-a181-a9eb2f8a7e31 }, name: Name("nexus-02d0a6b7-e865-43de-a181-a9eb2f8a7e31"), ip: 172.30.2.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 159, 6])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 24cefb89-6521-4b86-aaf1-911cdbb03535 (external_ip), ip: 198.51.100.22 }), zone_id: 02d0a6b7-e865-43de-a181-a9eb2f8a7e31, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.972 INFO found already-allocated NIC, nic: NetworkInterface { id: 8784f4a1-9b68-4a4e-9dfb-59444ba9f379, kind: Service { id: 02d0a6b7-e865-43de-a181-a9eb2f8a7e31 }, name: Name("nexus-02d0a6b7-e865-43de-a181-a9eb2f8a7e31"), ip: 172.30.2.5, mac: MacAddr(MacAddr6([168, 64, 37, 255, 159, 6])), subnet: V4(Ipv4Net { addr: 172.30.2.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Floating(OmicronZoneExternalFloatingIp { id: 24cefb89-6521-4b86-aaf1-911cdbb03535 (external_ip), ip: 198.51.100.22 }), zone_id: 02d0a6b7-e865-43de-a181-a9eb2f8a7e31, zone_kind: nexus, action: allocate-external-networking, comment:
Mar 19 17:10:00.975 INFO found already-allocated external IP, nic: NetworkInterface { id: c7e3182b-ba99-40f0-8512-3b20652da8f8, kind: Service { id: 4c5fe3b5-d3b6-4823-8328-befa6bf74d8a }, name: Name("ntp-4c5fe3b5-d3b6-4823-8328-befa6bf74d8a"), ip: 172.30.3.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 211, 84])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: 054a0192-da0f-421a-bfd7-8930b1c6a15d (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 16384, last_port: 32767 } }), zone_id: 4c5fe3b5-d3b6-4823-8328-befa6bf74d8a, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 17:10:00.978 INFO found already-allocated NIC, nic: NetworkInterface { id: c7e3182b-ba99-40f0-8512-3b20652da8f8, kind: Service { id: 4c5fe3b5-d3b6-4823-8328-befa6bf74d8a }, name: Name("ntp-4c5fe3b5-d3b6-4823-8328-befa6bf74d8a"), ip: 172.30.3.6, mac: MacAddr(MacAddr6([168, 64, 37, 255, 211, 84])), subnet: V4(Ipv4Net { addr: 172.30.3.0, width: 24 }), vni: Vni(100), primary: true, slot: 0, transit_ips: [] }, ip: Snat(OmicronZoneExternalSnatIp { id: 054a0192-da0f-421a-bfd7-8930b1c6a15d (external_ip), snat_cfg: SourceNatConfig { ip: 198.51.100.25, first_port: 16384, last_port: 32767 } }), zone_id: 4c5fe3b5-d3b6-4823-8328-befa6bf74d8a, zone_kind: boundary_ntp, action: allocate-external-networking, comment:
Mar 19 17:10:29.514 INFO Successfully deployed config to sled agent, successfully configured datasets: 31, successfully configured disks: 5, generation: 10, sled_id: ade87960-6c43-4000-bb0d-e3d624663169, comment:
Mar 19 17:10:29.899 INFO Successfully deployed config to sled agent, successfully configured datasets: 31, successfully configured disks: 5, generation: 5, sled_id: bcf635d6-1dad-4278-b4c8-b3ad9b19d4e6, comment:
Mar 19 17:10:31.713 INFO Successfully deployed config to sled agent, successfully configured datasets: 30, successfully configured disks: 5, generation: 5, sled_id: be988b52-b4c5-4cb4-ae81-83b51f36f5c8, comment:
Mar 19 17:10:36.581 INFO no changes, blueprint_execution: dns Internal, comment:
Mar 19 17:10:36.584 INFO no changes, blueprint_execution: dns External, comment:
Mar 19 17:10:37.512 INFO set cockroachdb setting, value: 22.1, setting: cluster.preserve_downgrade_option, comment:
[00:00:00]   Running ( 1/13) Ensure external networking resources
[00:00:01] Completed ( 1/13) Ensure external networking resources: after 1.64s
[00:00:01]   Running ( 2/13) Fetch sled list
[00:00:02] Completed ( 2/13) Fetch sled list: after 757.55ms
[00:00:02]   Running ( 3/13) Deploy sled configs
[00:00:32] Completed ( 3/13) Deploy sled configs: after 29.98s
[00:00:32]   Running ( 4/13) Plumb service firewall rules
[00:00:33] Completed ( 4/13) Plumb service firewall rules: after 1.29s with warning: failed to plumb service firewall rules to sleds: Object (of type ById(001de000-074c-4000-8000-000000000000)) not found: vpc
[00:00:33]   Running ( 5/13) Deploy DNS records
[00:00:37] Completed ( 5/13) Deploy DNS records: after 3.57s
[00:00:37]   Running ( 6/13) Cleanup expunged zones
[00:00:37] Completed ( 6/13) Cleanup expunged zones: after 3.70ms
[00:00:37]   Running ( 7/13) Decommission sleds
[00:00:37] Completed ( 7/13) Decommission sleds: after 33.31µs
[00:00:37]   Running ( 8/13) Decommission expunged disks
[00:00:37] Completed ( 8/13) Decommission expunged disks: after 52.83µs
[00:00:37]   Running ( 9/13) Deploy clickhouse cluster nodes
[00:00:37] Completed ( 9/13) Deploy clickhouse cluster nodes: after 17.24µs
[00:00:37]   Running (10/13) Deploy single-node clickhouse cluster
[00:00:37] Completed (10/13) Deploy single-node clickhouse cluster: after 55.11ms
[00:00:37]   Running (11/13) Mark support bundles as failed if they rely on an expunged disk or sled
[00:00:37]   Skipped (11/13) Mark support bundles as failed if they rely on an expunged disk or sled: not running as Nexus
[00:00:37]   Running (12/13) Reassign sagas
[00:00:37]   Skipped (12/13) Reassign sagas: not running as Nexus
[00:00:37]   Running (13/13) Ensure CockroachDB settings
[00:00:38] Completed (13/13) Ensure CockroachDB settings: after 867.64ms

After:

root@g0:~# svcs -z oxz_crucible_pantry_5d5e2b67-f22a-482d-8a77-68e4b151c974
STATE          STIME    FMRI
legacy_run     17:10:28 lrc:/etc/rc2_d/S20sysetup
legacy_run     17:10:28 lrc:/etc/rc2_d/S89PRESERVE
online         17:10:20 svc:/system/svc/restarter:default
online         17:10:21 svc:/system/early-manifest-import:default
online         17:10:21 svc:/network/netcfg:default
online         17:10:22 svc:/network/datalink-management:default
online         17:10:22 svc:/system/filesystem/root:default
online         17:10:22 svc:/network/ip-interface-management:default
online         17:10:22 svc:/system/boot-archive:default
online         17:10:22 svc:/network/loopback:default
online         17:10:22 svc:/system/filesystem/usr:default
online         17:10:22 svc:/system/device/local:default
online         17:10:23 svc:/network/physical:default
online         17:10:23 svc:/milestone/devices:default
online         17:10:23 svc:/network/ipsec/ipsecalgs:default
online         17:10:23 svc:/system/identity:node
online         17:10:23 svc:/system/device/audio:default
online         17:10:23 svc:/system/filesystem/minimal:default
online         17:10:23 svc:/system/rmtmpfiles:default
online         17:10:23 svc:/network/ipsec/policy:default
online         17:10:23 svc:/milestone/network:default
online         17:10:23 svc:/network/initial:default
online         17:10:23 svc:/network/netmask:default
online         17:10:23 svc:/network/iptun:default
online         17:10:23 svc:/system/fmd:default
online         17:10:23 svc:/system/pfexec:default
online         17:10:23 svc:/system/hostid:default
online         17:10:23 svc:/system/logadm-upgrade:default
online         17:10:23 svc:/system/auditset:default
online         17:10:23 svc:/system/pkgserv:default
online         17:10:26 svc:/system/rbac:default
online         17:10:27 svc:/network/service:default
online         17:10:27 svc:/system/cryptosvc:default
online         17:10:27 svc:/system/identity:domain
online         17:10:27 svc:/system/keymap:default
online         17:10:27 svc:/system/name-service-cache:default
online         17:10:28 svc:/milestone/name-services:default
online         17:10:28 svc:/system/manifest-import:default
online         17:10:28 svc:/system/coreadm:default
online         17:10:28 svc:/milestone/single-user:default
online         17:10:28 svc:/milestone/sysconfig:default
online         17:10:28 svc:/system/utmp:default
online         17:10:28 svc:/system/filesystem/local:default
online         17:10:28 svc:/system/console-login:default
online         17:10:28 svc:/system/system-log:default
online         17:10:28 svc:/system/cron:default
online         17:10:28 svc:/system/boot-archive-update:default
online         17:10:28 svc:/milestone/multi-user:default
online         17:10:28 svc:/milestone/multi-user-server:default
online         17:10:28 svc:/system/boot-config:default
online         17:10:28 svc:/network/shares/group:default
online         17:10:28 svc:/network/routing-setup:default
online         17:10:28 svc:/network/shares/group:zfs
online         17:10:28 svc:/network/routing/ndp:default
online         17:10:29 svc:/oxide/zone-network-setup:default
online         17:10:29 svc:/oxide/crucible/pantry:default
online         17:10:31 svc:/system/update-man-index:default

root@g0:~# digest -a md5 /pool/ext/*/crypt/zone/oxz_crucible_pantry*/root/opt/oxide/zone-setup-cli/bin/zone-setup
a15ec2e45391ccad30309419f63fb13a
root@g0:~# ls -l /pool/ext/*/crypt/zone/oxz_crucible_pantry*/root/opt/oxide/zone-setup-cli/bin/zone-setup
-rwxr-xr-x   1 root     root     34003648 Mar 19 17:10 /pool/ext/fc0e15a5-6456-438c-b38a-cfb74302a9ab/crypt/zone/oxz_crucible_pantry_5d5e2b67-f22a-482d-8a77-68e4b151c974/root/opt/oxide/zone-setup-cli/bin/zone-setup

That's the right digest for the new image. Great!

Note this is all on an a4x2 with both this PR and #7281.

@davepacheco davepacheco marked this pull request as ready for review March 19, 2025 17:45
@davepacheco davepacheco requested review from jgallagher and removed request for jgallagher March 19, 2025 17:49
Contributor

@jgallagher jgallagher left a comment

LGTM - 👍 on the binary name change

@davepacheco davepacheco merged commit 0abc01f into main Mar 20, 2025
18 checks passed
@davepacheco davepacheco deleted the dap/drafts/reconfig-exec-cli branch March 20, 2025 15:24