propolis: improve robustness of VM zone management

jclulow · jclulow · commit 94969cd3d339 · 2024-08-12T10:53:59.000-07:00
diff --git a/factory/propolis/smf/site.xml b/factory/propolis/smf/site.xml
@@ -0,0 +1,50 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='profile' name='default'>
+  <!-- Disable a bunch of services that we don't need in the VM zone: -->
+  <service name='network/ssh' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='system/cron' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='system/filesystem/autofs' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/rpc/bind' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/status' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/nlockmgr' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/client' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/cbd' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/mapid' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/rquota' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/nfs/server' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+
+  <!-- See: https://www.illumos.org/issues/14006 -->
+  <service name='network/routing/route' version='1' type='service'>
+    <instance name='default' enabled='false' />
+  </service>
+  <service name='network/routing-setup' version='1' type='service'>
+    <instance name='default'>
+      <property_group name='routeadm' type='application'>
+        <propval name='ipv4-routing-set' type='boolean' value='true' />
+      </property_group>
+    </instance>
+  </service>
+</service_bundle>
diff --git a/factory/propolis/src/main.rs b/factory/propolis/src/main.rs
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023 Oxide Computer Company
+ * Copyright 2024 Oxide Computer Company
  */
 
 use std::{sync::Arc, time::Duration};
@@ -19,6 +19,7 @@ mod serial;
 mod svc;
 mod ucred;
 mod vm;
+mod zones;
 
 struct Central {
     log: Logger,
diff --git a/factory/propolis/src/serial.rs b/factory/propolis/src/serial.rs
@@ -1,19 +1,18 @@
 /*
- * Copyright 2023 Oxide Computer Company
+ * Copyright 2024 Oxide Computer Company
  */
 
 use std::{
     collections::HashMap,
-    ffi::CString,
     os::{fd::AsRawFd, unix::prelude::PermissionsExt},
     path::PathBuf,
     sync::{Arc, Mutex},
     time::Duration,
 };
 
 use crate::ucred::PeerUCred;
+use crate::zones::*;
 use anyhow::{anyhow, bail, Result};
-use libc::zoneid_t;
 use slog::{debug, error, info, o, trace, warn, Logger};
 use tokio::net::UnixListener;
 use tokio::{io::Interest, net::UnixStream};
@@ -181,7 +180,9 @@ impl Serial {
     }
 
     pub fn zone_add(&self, name: &str) -> Result<SerialForZone> {
-        let zoneid = zone_name_to_id(name)?;
+        let Some(zoneid) = zone_name_to_id(name)? else {
+            bail!("zone {name:?} not found!");
+        };
 
         let (tx, rx) = tokio::sync::mpsc::channel(100);
         let (shut_tx, shut_rx) = tokio::sync::watch::channel(false);
@@ -214,23 +215,6 @@ impl Serial {
     }
 }
 
-#[link(name = "c")]
-extern "C" {
-    fn getzoneidbyname(name: *const libc::c_char) -> zoneid_t;
-}
-
-fn zone_name_to_id(name: &str) -> Result<zoneid_t> {
-    let cs = CString::new(name)?;
-
-    let id = unsafe { getzoneidbyname(cs.as_ptr()) };
-    if id < 0 {
-        let e = std::io::Error::last_os_error();
-        bail!("getzoneidbyname({name}): {e}");
-    }
-
-    Ok(id)
-}
-
 fn clean_line(linebuf: &[u8]) -> Option<String> {
     let s = String::from_utf8_lossy(linebuf);
     let s = s.replace('\x1b', "^[");
diff --git a/factory/propolis/src/vm.rs b/factory/propolis/src/vm.rs
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023 Oxide Computer Company
+ * Copyright 2024 Oxide Computer Company
  */
 
 use std::{
@@ -15,6 +15,7 @@ use crate::{
     config::ImageSource,
     db::types::*,
     net::{dladm_create_vnic, dladm_delete_vnic, dladm_vnic_get, Vnic},
+    zones::*,
     Central,
 };
 use anyhow::{anyhow, bail, Result};
@@ -437,6 +438,8 @@ async fn instance_worker_one(
             let vmdir = root.join("vm");
             let smfdir =
                 root.join("var").join("svc").join("manifest").join("site");
+            let siteprofile =
+                root.join("var").join("svc").join("profile").join("site.xml");
 
             info!(log, "add /vm files to zone {zn}...");
             if vmdir.exists() {
@@ -462,6 +465,8 @@ async fn instance_worker_one(
                 std::fs::write(&smfdir.join(format!("{name}.xml")), bundle)?;
             }
 
+            std::fs::write(&siteprofile, include_str!("../smf/site.xml"))?;
+
             info!(log, "make root disk...");
             match targ.source()? {
                 ImageSource::File(image_path) => {
@@ -523,6 +528,17 @@ async fn instance_worker_one(
             Ok(DoNext::Immediate)
         }
         InstanceState::ZoneOnline => {
+            /*
+             * Confirm that the zone exists.  It's possible that the host, which
+             * boots from a ramdisk, has rebooted and taken some partial zones
+             * along with it.
+             */
+            if !zone_exists(&zn)? {
+                warn!(log, "zone {zn}: no longer exists; giving up!");
+                c.db.instance_new_state(&id, InstanceState::Destroying)?;
+                return Ok(DoNext::Immediate);
+            }
+
             let ser = if let Some(ser) = ser.as_mut() {
                 ser
             } else {
diff --git a/factory/propolis/src/zones.rs b/factory/propolis/src/zones.rs
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2024 Oxide Computer Company
+ */
+
+use std::ffi::CString;
+
+use anyhow::{bail, Result};
+pub use libc::zoneid_t;
+
+#[link(name = "c")]
+extern "C" {
+    fn getzoneidbyname(name: *const libc::c_char) -> zoneid_t;
+}
+
+pub fn zone_name_to_id(name: &str) -> Result<Option<zoneid_t>> {
+    let cs = CString::new(name)?;
+
+    let id = unsafe { getzoneidbyname(cs.as_ptr()) };
+    if id < 0 {
+        let e = unsafe { *libc::___errno() };
+        if e == libc::EINVAL {
+            /*
+             * According to the documentation, this actually means the zone does
+             * not exist on the system.
+             */
+            return Ok(None);
+        }
+
+        let e = std::io::Error::from_raw_os_error(e);
+        bail!("getzoneidbyname({name}): {e}");
+    }
+
+    Ok(Some(id))
+}
+
+pub fn zone_exists(name: &str) -> Result<bool> {
+    Ok(zone_name_to_id(name)?.is_some())
+}
