[nexus] Silo IP pools

[david-crespo]

Closes #3926

A lot going on here. I will update this description as I finish things out.

Important background

• [nexus] Silo IP pools schema change #3981 added silo_id and project_id columns to the IP pools table in the hope that that would be sufficient for the rest of the work schema-wise, but it turns out there was more needed.
• Before this change, the concept of a default IP pool was implemented through the name on the IP pool, i.e., the IP pool named default is the one used by default for instance IP allocation if no pool name is specified as part of the instance create POST
• Before this change the concept of an internal IP pool was implemented through a boolean internal column on the ip_pool table

IP pool selection logic

There are two situations where we pick an IP pool to allocate IPs from. For an instance's source NAT, we always use the default pool. Before this change, with only fleet pools, this simply meant picking the one named default (analogous now to the one with is_default == true). With the possibility of silo pools, we now pick the most specific default available. That means that if there is a silo-scoped pool marked default matching the current silo, we use that. If not, we pick the fleet-level pool marked default, which should always exist (see possible todos at the bottom — we might want to take steps to guarantee this).

For instance ephemeral IPs, the instance create POST body takes an optional pool name. If none is specified, we follow the same defaulting logic as above — the most-specific pool marked is_default. We are leaving pool names globally unique (as opposed to per-scope) which IMO makes the following lookup logic easy to understand and implement: given a pool name, look up the pool by name. (That part we were already going.) The difference now with scopes is that we need to make sure that the scope of the selected pool (assuming it exists) does not conflict with the current scope, i.e., the current silo. In this situation, we do not care about what's marked default, and we are not trying to get an exact match on scope. We just need to disallow an instance from using an IP pool reserved for a different silo. We can revisit this, but as implemented here you can, for example, specify a non-default pool scoped to fleet or silo (if one exists) even if there exists a default pool scoped to your silo.

DB migrations on ip_pool table

There are three migrations here based on guidance from @smklein based on CRDB docs about limitations to online schema changes and some conversations he had with them. It's possible they could be made into two. I don't think it can be done in one.

• Add is_default column and a unique index ensuring there is only one default IP pool per "scope" (unique silo_id, including null as a distinct value)
• Populate correct data in new columns
  • Populate is_default = true for any IP pools named default (there should be exactly one, but nothing depends on that)
  • silo_id = INTERNAL_SILO_ID for any IP pools marked internal (there should be exactly one, but nothing depends on that)
• Drop the internal column

Code changes

• Add similar-asserts so we can get a usable diff when the schema migration tests fail. Without this you could get a 20k+ line diff with 4 relevant lines.
• Use silo_id == INTERNAL_SILO_ID everywhere we were previously looking at the internal flag (thanks @luqmana for the suggestion)
• Add silo_id and default to IpPoolCreate (create POST params) and plumb them down the create chain
  • Leave off project_id for now, we can add that later
• Fix index that is failing to prevent multiple default pools for a given scope (see comment [nexus] Silo IP pools #3985 (comment))
• Source NAT IP allocation uses new defaulting logic to get the most specific available default IP Pool
• Instance ephemeral IP allocation uses that default logic if no pool name specified in the create POST, otherwise look up pool by specified name (but can only get pools matching its scope, i.e., its project, silo, or the whole fleet)

Limitations that we might want to turn into to-dos

• You can't update default on a pool, i.e., you can't make a pool default. You have to delete it and make a new one. This one isn't that hard — I would think of it like image promotion, where it's not a regular update pool, it's a special endpoint for making a pool default that can unset the current default if it's a different pool.
• Project-scoped IP pools endpoints are fake — they just return all IP pools. They were made in anticipation of being able to make them real. I'm thinking we should remove them or make them work, but I don't think we have time to make them work.
• Ensure somehow that there is always a fleet-level default pool to fall back to

[david-crespo]

Only 3 tests are failing, which is surprisingly good.

FAIL [   6.275s] nexus-db-queries db::queries::external_ip::tests::test_ensure_pool_exhaustion_does_not_use_other_pool
FAIL [   4.879s] nexus-db-queries db::queries::external_ip::tests::test_next_external_ip_is_restricted_to_pools
FAIL [  28.225s] omicron-nexus::test_all integration_tests::instances::test_instance_create_in_silo

[david-crespo]

Welp, how do we feel about this coalesce @smklein

[smklein]

I think postgres itself has better support here:

https://www.postgresql.org/docs/current/indexes-unique.html

They have a CREATE UNIQUE INDEX ... ON TABLE ... NULLS DISTINCT option, which can specify that NULLS are treated equally.

However, for Cockroachdb:

• https://www.cockroachlabs.com/docs/stable/create-index
• https://www.cockroachlabs.com/docs/stable/null-handling#nulls-and-unique-constraints

I don't see similar support.

So: Translating "NULL" to "The zero UUID" seems a little hacky, but probably fine.

[david-crespo]

Still a bit of work to do, but all the existing tests pass. The biggest thing it needs is tests for instance IP allocation with a specific pool name exercising the scope conflict checks.

[david-crespo]

Interesting TODO. Not sure how to do this auth check given the way perms are set up for IpPool and IpPoolList:

omicron/nexus/db-queries/src/authz/omicron.polar

Lines 368 to 390 in eee942f

	# Describes the policy for accessing "/v1/system/ip-pools" in the API
	resource IpPoolList {
	permissions = [
	"list_children",
	"modify",
	"create_child",
	];
	# Fleet Administrators can create or modify the IP Pools list.
	relations = { parent_fleet: Fleet };
	"modify" if "admin" on "parent_fleet";
	"create_child" if "admin" on "parent_fleet";
	# Fleet Viewers can list IP Pools
	"list_children" if "viewer" on "parent_fleet";
	}
	has_relation(fleet: Fleet, "parent_fleet", ip_pool_list: IpPoolList)
	if ip_pool_list.fleet = fleet;
	# Any authenticated user can create a child of a provided IP Pool.
	# This is necessary to use the pools when provisioning instances.
	has_permission(actor: AuthenticatedActor, "create_child", ip_pool: IpPool)
	if silo in actor.silo and silo.fleet = ip_pool.fleet;

[ahl]

Can we punt on this for now? Alternatively: if we don't do the most restrictive auth check right now are we concerned by the data exposed? Seems like a potentially reasonable punt.

[david-crespo]

Well, right now there is no auth check, at least not on this particular call. We could do something minimal that at least makes us feel better (we are already requiring the user be authenticated with a silo). But this call is made as part of a whole pile of calls that themselves have auth checks, and we're not really leaking info here as far as I can tell.

[luqmana]

Yea, we definitely need to update the auth policy to reflect the fact that ip pools are no longer just a fleet-wide resource. Let's make an issue to track that?

[david-crespo]

#3995

[david-crespo]

Worth noting that while nearly all the plumbing is there for project-scoped IP pools, my plan was to make it for now so you can't create one (there's no project_id param on IpPoolCreate) and you don't get a project_id back on the IpPool view. So it's like it doesn't exist. I would want to be more confident everything was correct.

[ahl]

looking good

[ahl]

Should this be NameOrId? No need to do it now, just asking...

[david-crespo]

Yeah, I'm pretty sure it could be. I think the main reason it was name only was that the name "default" was significant, and now it isn't.

[ahl]

Suggested change

	/// scope, fall back up a level. There should always be a default at fleet
	/// scope, fall back to the next level up. There should always be a default at the fleet

? maybe clearer?

[ahl]

in what situation?

[david-crespo]

Basically you would have to delete the fleet-wide (no silo and no project) IP pool we create by default, which you can't do if it has any IP ranges, and you can't delete those if they have any allocated IPs. So it's pretty hard to do that. Once we add the ability to make something a new default, you could conceivably create a new fleet-level pool, make it the default, and delete it while it's still empty. Then you would have no default. All very contrived situations, obviously. It might be cool to try to ensure that it's always there (maybe, e.g., you can't ever delete a fleet-wide default pool), but on the other hand I don't think it's expected that we can prevent every form of bad configuration here. In fact, we definitely can't because this all ties into customer network config that is outside our control.

[david-crespo]

#4003

[ahl]

Suggested change

	// that themselves have no project.
	// that themselves have no associated project.

... does that mean we'd just get fleet-wide pools?

[david-crespo]

Or silo-scoped pools. The signature here is a little misleading because it only takes project (because we are pulling the current silo off opctx) but the logic does look at both silo and project ID when picking defaults.

[ahl]

Can we punt on this for now? Alternatively: if we don't do the most restrictive auth check right now are we concerned by the data exposed? Seems like a potentially reasonable punt.

[luqmana]

Should this be under dev-dependencies?

[luqmana]

Suggested change

	/// pool is considered a fleet-wide silo and will be used for allocating
	/// pool is considered a fleet-wide pool and will be used for allocating

want to say the pool is fleet-wide right?

[luqmana]

We definitely have this pattern a lot with Option's on the Rust side and DB constraints on the SQL side (#3152). I think with some wrangling we could have something like

enum PoolVisibility {
    Fleet,
    Silo { silo_id: Uuid },
    Project { silo_id: Uuid, project_id: Uuid },
}

Anyways not a blocker for this PR.

[luqmana]

Ah, found the issue #3152

[luqmana]

What's the standard for major vs non-major increments anyways? Is it just a patch bump because we haven't straddled some release yet?

[david-crespo]

I wanted to imply that these are related migrations, though I admit that is not at all what semver patch versions are supposed to mean.

[luqmana]

Yea, we definitely need to update the auth policy to reflect the fact that ip pools are no longer just a fleet-wide resource. Let's make an issue to track that?

[luqmana]

Kinda ties into previous points about how authz is supposed to work now, but should there be some kinda check to ensure the current user can't create an ip pool in a given silo?

[david-crespo]

Only fleet admin has CreateChild on IpPoolList, and we are already checking for that at IP pool create time in the datastore function.

omicron/nexus/db-queries/src/authz/omicron.polar

Lines 369 to 379 in 58e8c67

	resource IpPoolList {
	permissions = [
	"list_children",
	"modify",
	"create_child",
	];
	# Fleet Administrators can create or modify the IP Pools list.
	relations = { parent_fleet: Fleet };
	"modify" if "admin" on "parent_fleet";
	"create_child" if "admin" on "parent_fleet";

omicron/nexus/db-queries/src/db/datastore/ip_pool.rs

Lines 147 to 156 in 58e8c67

	pub async fn ip_pool_create(
	&self,
	opctx: &OpContext,
	new_pool: &params::IpPoolCreate,
	internal: bool,
	) -> CreateResult<IpPool> {
	use db::schema::ip_pool::dsl;
	opctx
	.authorize(authz::Action::CreateChild, &authz::IP_POOL_LIST)
	.await?;

[luqmana]

Should we be changing an existing schema migration?

[smklein]

Good catch, generally, we only want schema migrations (the files themselves) to be additive.

@david-crespo are you relying on the fact that "3.0.0" hasn't been released yet?

[david-crespo]

Yes. I think I mentioned it at control plane huddle but I noted it was a bad idea. There isn't really a reason to do it this way, I can change it to use 3 new migrations.

[david-crespo]

Changed to 3.0.1-3.0.3 instead of modifying 3.0.0 in e3c56c4

[luqmana]

Does it ever make sense to have a non-NULL project_id and silo_id where the silo_id doesn't match the project's silo? If not, I think adjusting this so that at most one of them is non-null might be preferable. A project_id already uniquely identifies a project and therefore the silo it belongs to.

[david-crespo]

True. My initial reaction was that if silo_id wasn't there, the query for the default pool would have to be more complicated.

dsl::ip_pool
    .filter(dsl::silo_id.eq(authz_silo_id).or(dsl::silo_id.is_null()))
    .filter(
        dsl::project_id.eq(project_id).or(dsl::project_id.is_null()),
    )
    .filter(dsl::is_default.eq(true))
    .filter(dsl::time_deleted.is_null())
    // this will sort by most specific first, i.e.,
    //
    //   (silo, project)
    //   (silo, null)
    //   (null, null)
    //
    // then by only taking the first result, we get the most specific one
    .order((
        dsl::project_id.asc().nulls_last(),
        dsl::silo_id.asc().nulls_last(),
    ))
    .select(IpPool::as_select())
    .first_async::<IpPool>(self.pool_authorized(opctx).await?)
    .await
    .map_err(|e| public_error_from_diesel_pool(e, ErrorHandler::Server))

But if at most one of the two was non-null, we could do something like

where default = true and (
  silo_id = authz_silo_id 
  or project_id = input_project_id
  or (silo_id is null and project_id is null)
)

and that should get us the same at-most-3 results. If anything the proposed modification is easier to understand rather than harder.

[david-crespo]

I have a test to add here and it's passing locally. Because it's only test code, I'm going to merge this so we can get things moving on dogfood and make that a second PR.

[luqmana]

a couple nits/questions but looks good overall. Thanks!

[luqmana]

Not a blocker but maybe that's something we should guard against.

[david-crespo]

#4003

[luqmana]

Why get rid of the action arg and hardcode CreateChild here? Makes it a little mislead as the method is named ip_pools_fetch but as you noted, the CreateChild action is for allocating an IP from the pool. So a caller that just wants to retrieve the pool but not allocate from it has a slightly stronger than necessary check.

[david-crespo]

I think the abstraction is just cut the wrong way here. I'm not sure whether I made it worse — it was already weird before. Both this auth check and the check against the silo scope are fundamentally about the use of this function for retrieving an IP pool in order to allocate IPs from it. Despite the name, this isn't a general-purpose function at all. It only has one non-test call site:

omicron/nexus/db-queries/src/db/datastore/external_ip.rs

Lines 47 to 68 in 01e730a

	/// Create an Ephemeral IP address for an instance.
	pub async fn allocate_instance_ephemeral_ip(
	&self,
	opctx: &OpContext,
	ip_id: Uuid,
	instance_id: Uuid,
	pool_name: Option<Name>,
	) -> CreateResult<ExternalIp> {
	// If we have a pool name, look up the pool by name and return it
	// as long as its scopes don't conflict with the current scope.
	// Otherwise, not found.
	let pool = match pool_name {
	Some(name) => self.ip_pools_fetch(&opctx, &name).await?,
	// If no name given, use the default logic
	None => self.ip_pools_fetch_default(&opctx).await?,
	};
	let pool_id = pool.identity.id;
	let data =
	IncompleteExternalIp::for_ephemeral(ip_id, instance_id, pool_id);
	self.allocate_external_ip(opctx, data).await
	}

I'm thinking the thing to do is inline this logic in that call site. ip_pool_fetch_default function involves a DB query so it makes sense as a datastore function, plus the default imples a "relative to what?" that I think makes the silo ID check make more sense. Plus the query needs to know about the silo ID in order to work.

[luqmana]

Suggested change

	// scope, i.e., if it has a silo it is different from your current silo
	// scope, i.e., if it has a silo that is different from your current silo

[luqmana]

check this call didn't fail?

[luqmana]

check for failure here too

[luqmana]

nit: Can just drop that assert since the unwrap would panic. .expect if you want a nice message.

[luqmana]

Is the ordering important here? i.e., is it ok for DROP COLUMN to come before the DROP CONSTRAINT's?

[david-crespo]

The test that applies the migrations and makes sure they produce the right end result didn’t complain, so I think it’s ok.

[luqmana]

would a nested transaction also work? that would get rid of the duplicate schema version checks