oxidecomputer · internet-diglett · Jan 10, 2025 · Jan 10, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/common/src/api/external/mod.rs b/common/src/api/external/mod.rs
@@ -2358,6 +2358,15 @@ pub struct SwitchPortSettings {
     pub identity: IdentityMetadata,
 }
 
+#[derive(Clone, Debug, Deserialize, JsonSchema, Serialize, PartialEq)]
+pub struct SwitchPortSettingsWithChecksum {
+    /// Value of response
+    pub value: SwitchPortSettingsView,
+
+    /// Checksum of value to use for concurrency control
+    pub checksum: String,
+}
+
 /// This structure contains all port settings information in one place. It's a
 /// convenience data structure for getting a complete view of a particular
 /// port's settings.

diff --git a/nexus/db-queries/Cargo.toml b/nexus/db-queries/Cargo.toml
@@ -39,6 +39,7 @@ semver.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
+sha2.workspace = true
 sled-agent-client.workspace = true
 slog.workspace = true
 slog-error-chain.workspace = true

diff --git a/nexus/db-queries/src/db/datastore/switch_port.rs b/nexus/db-queries/src/db/datastore/switch_port.rs
diff --git a/nexus/external-api/src/lib.rs b/nexus/external-api/src/lib.rs
@@ -1393,7 +1393,7 @@ pub trait NexusExternalApi {
     async fn networking_switch_port_settings_create(
         rqctx: RequestContext<Self::Context>,
         new_settings: TypedBody<params::SwitchPortSettingsCreate>,
-    ) -> Result<HttpResponseCreated<SwitchPortSettingsView>, HttpError>;
+    ) -> Result<HttpResponseCreated<SwitchPortSettingsWithChecksum>, HttpError>;
 
     /// Delete switch port settings
     #[endpoint {
@@ -1428,7 +1428,7 @@ pub trait NexusExternalApi {
     async fn networking_switch_port_settings_view(
         rqctx: RequestContext<Self::Context>,
         path_params: Path<params::SwitchPortSettingsInfoSelector>,
-    ) -> Result<HttpResponseOk<SwitchPortSettingsView>, HttpError>;
+    ) -> Result<HttpResponseOk<SwitchPortSettingsWithChecksum>, HttpError>;
 
     /// List switch ports
     #[endpoint {

diff --git a/nexus/src/app/background/tasks/sync_switch_configuration.rs b/nexus/src/app/background/tasks/sync_switch_configuration.rs
@@ -182,7 +182,7 @@ impl SwitchPortSettingsManager {
             changes.push((
                 location,
                 port,
-                PortSettingsChange::Apply(Box::new(settings)),
+                PortSettingsChange::Apply(Box::new(settings.0)),
             ));
         }
         Ok(changes)

diff --git a/nexus/src/app/rack.rs b/nexus/src/app/rack.rs
@@ -562,6 +562,7 @@ impl super::Nexus {
                 };
 
             let mut port_settings_params = SwitchPortSettingsCreate {
+                precondition: None,
                 identity,
                 port_config,
                 groups: vec![],

diff --git a/nexus/src/app/switch_port.rs b/nexus/src/app/switch_port.rs
@@ -28,7 +28,7 @@ impl super::Nexus {
         self: &Arc<Self>,
         opctx: &OpContext,
         params: params::SwitchPortSettingsCreate,
-    ) -> CreateResult<SwitchPortSettingsCombinedResult> {
+    ) -> CreateResult<(SwitchPortSettingsCombinedResult, String)> {
         opctx.authorize(authz::Action::Modify, &authz::FLEET).await?;
         Self::switch_port_settings_validate(&params)?;
 
@@ -90,7 +90,7 @@ impl super::Nexus {
         opctx: &OpContext,
         params: params::SwitchPortSettingsCreate,
         id: Option<Uuid>,
-    ) -> CreateResult<SwitchPortSettingsCombinedResult> {
+    ) -> CreateResult<(SwitchPortSettingsCombinedResult, String)> {
         self.db_datastore.switch_port_settings_create(opctx, &params, id).await
     }
 
@@ -99,7 +99,7 @@ impl super::Nexus {
         opctx: &OpContext,
         switch_port_settings_id: Uuid,
         new_settings: params::SwitchPortSettingsCreate,
-    ) -> CreateResult<SwitchPortSettingsCombinedResult> {
+    ) -> CreateResult<(SwitchPortSettingsCombinedResult, String)> {
         let result = self
             .db_datastore
             .switch_port_settings_update(
@@ -153,7 +153,7 @@ impl super::Nexus {
         &self,
         opctx: &OpContext,
         name_or_id: &NameOrId,
-    ) -> LookupResult<SwitchPortSettingsCombinedResult> {
+    ) -> LookupResult<(SwitchPortSettingsCombinedResult, String)> {
         opctx.authorize(authz::Action::Read, &authz::FLEET).await?;
         self.db_datastore.switch_port_settings_get(opctx, name_or_id).await
     }
@@ -189,15 +189,17 @@ impl super::Nexus {
         opctx: &OpContext,
         switch_port_id: Uuid,
         port_settings_id: Option<Uuid>,
-        current_id: UpdatePrecondition<Uuid>,
+        precondition: UpdatePrecondition<
+            params::SwitchPortApplySettingsChecksums,
+        >,
     ) -> UpdateResult<()> {
         opctx.authorize(authz::Action::Modify, &authz::FLEET).await?;
         self.db_datastore
             .switch_port_set_settings_id(
                 opctx,
                 switch_port_id,
                 port_settings_id,
-                current_id,
+                precondition,
             )
             .await
     }
@@ -229,11 +231,16 @@ impl super::Nexus {
             }
         };
 
+        let precondition = match settings.precondition.clone() {
+            Some(v) => UpdatePrecondition::Value(v),
+            None => UpdatePrecondition::Null,
+        };
+
         self.set_switch_port_settings_id(
             &opctx,
             switch_port_id,
             Some(switch_port_settings_id),
-            UpdatePrecondition::DontCare,
+            precondition,
         )
         .await?;
 

diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs
@@ -48,7 +48,6 @@ use nexus_types::{
         shared::{BfdStatus, ProbeInfo},
     },
 };
-use omicron_common::api::external::http_pagination::data_page_params_for;
 use omicron_common::api::external::http_pagination::marker_for_name;
 use omicron_common::api::external::http_pagination::marker_for_name_or_id;
 use omicron_common::api::external::http_pagination::name_or_id_pagination;
@@ -88,6 +87,9 @@ use omicron_common::api::external::TufRepoGetResponse;
 use omicron_common::api::external::TufRepoInsertResponse;
 use omicron_common::api::external::VpcFirewallRuleUpdateParams;
 use omicron_common::api::external::VpcFirewallRules;
+use omicron_common::api::external::{
+    http_pagination::data_page_params_for, SwitchPortSettingsWithChecksum,
+};
 use omicron_common::bail_unless;
 use omicron_uuid_kinds::GenericUuid;
 use propolis_client::support::tungstenite::protocol::frame::coding::CloseCode;
@@ -2805,18 +2807,22 @@ impl NexusExternalApi for NexusExternalApiImpl {
     async fn networking_switch_port_settings_create(
         rqctx: RequestContext<ApiContext>,
         new_settings: TypedBody<params::SwitchPortSettingsCreate>,
-    ) -> Result<HttpResponseCreated<SwitchPortSettingsView>, HttpError> {
+    ) -> Result<HttpResponseCreated<SwitchPortSettingsWithChecksum>, HttpError>
+    {
         let apictx = rqctx.context();
         let handler = async {
             let nexus = &apictx.context.nexus;
             let params = new_settings.into_inner();
             let opctx =
                 crate::context::op_context_for_external_api(&rqctx).await?;
-            let result =
+            let (result, checksum) =
                 nexus.switch_port_settings_post(&opctx, params).await?;
 
             let settings: SwitchPortSettingsView = result.into();
-            Ok(HttpResponseCreated(settings))
+            Ok(HttpResponseCreated(SwitchPortSettingsWithChecksum {
+                value: settings,
+                checksum,
+            }))
         };
         apictx
             .context
@@ -2884,16 +2890,19 @@ impl NexusExternalApi for NexusExternalApiImpl {
     async fn networking_switch_port_settings_view(
         rqctx: RequestContext<ApiContext>,
         path_params: Path<params::SwitchPortSettingsInfoSelector>,
-    ) -> Result<HttpResponseOk<SwitchPortSettingsView>, HttpError> {
+    ) -> Result<HttpResponseOk<SwitchPortSettingsWithChecksum>, HttpError> {
         let apictx = rqctx.context();
         let handler = async {
             let nexus = &apictx.context.nexus;
             let query = path_params.into_inner().port;
             let opctx =
                 crate::context::op_context_for_external_api(&rqctx).await?;
-            let settings =
+            let (settings, checksum) =
                 nexus.switch_port_settings_get(&opctx, &query).await?;
-            Ok(HttpResponseOk(settings.into()))
+            Ok(HttpResponseOk(SwitchPortSettingsWithChecksum {
+                value: settings.into(),
+                checksum,
+            }))
         };
         apictx
             .context

diff --git a/nexus/tests/integration_tests/endpoints.rs b/nexus/tests/integration_tests/endpoints.rs
@@ -578,6 +578,7 @@ pub static DEMO_SWITCH_PORT_SETTINGS_APPLY_URL: Lazy<String> = Lazy::new(
 );
 pub static DEMO_SWITCH_PORT_SETTINGS: Lazy<params::SwitchPortApplySettings> =
     Lazy::new(|| params::SwitchPortApplySettings {
+        precondition: None,
         port_settings: NameOrId::Name("portofino".parse().unwrap()),
     });
 /* TODO requires dpd access

diff --git a/nexus/tests/integration_tests/switch_port.rs b/nexus/tests/integration_tests/switch_port.rs
@@ -335,6 +335,7 @@ async fn test_port_settings_basic_crud(ctx: &ControlPlaneTestContext) {
     // apply port settings
 
     let apply_settings = SwitchPortApplySettings {
+        precondition: None,
         port_settings: NameOrId::Name("portofino".parse().unwrap()),
     };
 

diff --git a/nexus/types/src/external_api/params.rs b/nexus/types/src/external_api/params.rs
@@ -1681,6 +1681,8 @@ pub struct SwitchPortSettingsCreate {
     pub bgp_peers: HashMap<String, BgpPeerConfig>,
     /// Addresses indexed by interface name.
     pub addresses: HashMap<String, AddressConfig>,
+    /// Optional checksum to provide for detecting conflicting concurrent updates
+    pub precondition: Option<String>,
 }
 
 impl SwitchPortSettingsCreate {
@@ -1696,6 +1698,7 @@ impl SwitchPortSettingsCreate {
             routes: HashMap::new(),
             bgp_peers: HashMap::new(),
             addresses: HashMap::new(),
+            precondition: None,
         }
     }
 }
@@ -2016,10 +2019,26 @@ pub struct SwitchPortPageSelector {
 /// Parameters for applying settings to switch ports.
 #[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
 pub struct SwitchPortApplySettings {
-    /// A name or id to use when applying switch port settings.
+    pub precondition: Option<SwitchPortApplySettingsChecksums>,
+
+    /// Name or ID of the desired configuration
     pub port_settings: NameOrId,
 }
 
+/// Parameters for applying a precondition to SwitchPortApplySettings
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
+pub struct SwitchPortApplySettingsChecksums {
+    /// md5 checksum of current SwitchPortApplySettings body
+    /// This field protects against concurrent modification of `SwitchPortApplySettings`
+    /// Set to `None` if you expect there to not be any settings currently applied.
+    pub current_settings_checksum: Option<String>,
+
+    /// md5 checksum of the desired configuration body
+    /// This field ensures that the port settings you are applying have not been modified
+    /// since you last viewed them
+    pub new_settings_checksum: String,
+}
+
 // IMAGES
 
 /// The source of the underlying image.

diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -8120,7 +8120,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "#/components/schemas/SwitchPortSettingsView"
+                  "$ref": "#/components/schemas/SwitchPortSettingsWithChecksum"
                 }
               }
             }
@@ -8186,7 +8186,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "#/components/schemas/SwitchPortSettingsView"
+                  "$ref": "#/components/schemas/SwitchPortSettingsWithChecksum"
                 }
               }
             }
@@ -20770,18 +20770,44 @@
         "type": "object",
         "properties": {
           "port_settings": {
-            "description": "A name or id to use when applying switch port settings.",
+            "description": "Name or ID of the desired configuration",
             "allOf": [
               {
                 "$ref": "#/components/schemas/NameOrId"
               }
             ]
+          },
+          "precondition": {
+            "nullable": true,
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/SwitchPortApplySettingsChecksums"
+              }
+            ]
           }
         },
         "required": [
           "port_settings"
         ]
       },
+      "SwitchPortApplySettingsChecksums": {
+        "description": "Parameters for applying a precondition to SwitchPortApplySettings",
+        "type": "object",
+        "properties": {
+          "current_settings_checksum": {
+            "nullable": true,
+            "description": "md5 checksum of current SwitchPortApplySettings body This field protects against concurrent modification of `SwitchPortApplySettings` Set to `None` if you expect there to not be any settings currently applied.",
+            "type": "string"
+          },
+          "new_settings_checksum": {
+            "description": "md5 checksum of the desired configuration body This field ensures that the port settings you are applying have not been modified since you last viewed them",
+            "type": "string"
+          }
+        },
+        "required": [
+          "new_settings_checksum"
+        ]
+      },
       "SwitchPortConfig": {
         "description": "A physical port configuration for a port settings object.",
         "type": "object",
@@ -21094,6 +21120,11 @@
           "port_config": {
             "$ref": "#/components/schemas/SwitchPortConfigCreate"
           },
+          "precondition": {
+            "nullable": true,
+            "description": "Optional checksum to provide for detecting conflicting concurrent updates",
+            "type": "string"
+          },
           "routes": {
             "description": "Routes indexed by interface name.",
             "type": "object",
@@ -21258,6 +21289,27 @@
           "vlan_interfaces"
         ]
       },
+      "SwitchPortSettingsWithChecksum": {
+        "type": "object",
+        "properties": {
+          "checksum": {
+            "description": "Checksum of value to use for concurrency control",
+            "type": "string"
+          },
+          "value": {
+            "description": "Value of response",
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/SwitchPortSettingsView"
+              }
+            ]
+          }
+        },
+        "required": [
+          "checksum",
+          "value"
+        ]
+      },
       "SwitchResultsPage": {
         "description": "A single page of results",
         "type": "object",