Add IP Pools and contained IP ranges

common/src/api/external/mod.rs

@@ -525,6 +525,7 @@ pub enum ResourceType {
     Disk,
     Image,
     Instance,
+    IpPool,
     NetworkInterface,
     Rack,
     Service,
@@ -1123,6 +1124,51 @@ pub enum IpNet {
     V6(Ipv6Net),
 }
 
+impl IpNet {
+    /// Return the first address in this subnet
+    pub fn first_address(&self) -> IpAddr {
+        match self {
+            IpNet::V4(inner) => IpAddr::from(inner.iter().next().unwrap()),
+            IpNet::V6(inner) => IpAddr::from(inner.iter().next().unwrap()),
+        }
+    }
+
+    /// Return the last address in this subnet.
+    ///
+    /// For a subnet of size 1, e.g., a /32, this is the same as the first
+    /// address.
+    // NOTE: This is a workaround for the fact that the `ipnetwork` crate's
+    // iterator provides only the `Iterator::next()` method. That means that
+    // finding the last address is linear in the size of the subnet, which is
+    // completely untenable and totally avoidable with some addition. In the
+    // long term, we should either put up a patch to the `ipnetwork` crate or
+    // move the `ipnet` crate, which does provide an efficient iterator
+    // implementation.
+    pub fn last_address(&self) -> IpAddr {
+        match self {
+            IpNet::V4(inner) => {
+                let base: u32 = inner.network().into();
+                let size = inner.size() - 1;
+                std::net::IpAddr::V4(std::net::Ipv4Addr::from(base + size))
+            }
+            IpNet::V6(inner) => {
+                let base: u128 = inner.network().into();
+                let size = inner.size() - 1;
+                std::net::IpAddr::V6(std::net::Ipv6Addr::from(base + size))
+            }
+        }
+    }
+}
+
+impl From<ipnetwork::IpNetwork> for IpNet {
+    fn from(n: ipnetwork::IpNetwork) -> Self {
+        match n {
+            ipnetwork::IpNetwork::V4(v4) => IpNet::V4(Ipv4Net(v4)),
+            ipnetwork::IpNetwork::V6(v6) => IpNet::V6(Ipv6Net(v6)),
+        }
+    }
+}
+
 impl From<Ipv4Net> for IpNet {
     fn from(n: Ipv4Net) -> IpNet {
         IpNet::V4(n)
@@ -1234,7 +1280,10 @@ impl JsonSchema for IpNet {
 /// Insert another level of schema indirection in order to provide an
 /// additional title for a subschema. This allows generators to infer a better
 /// variant name for an "untagged" enum.
-fn label_schema(
+// TODO-cleanup: We should move IpNet and this to
+// `omicron_nexus::external_api::shared`. It's public now because `IpRange`,
+// which is defined there, uses it.
+pub fn label_schema(
     label: &str,
     schema: schemars::schema::Schema,
 ) -> schemars::schema::Schema {
@@ -2449,4 +2498,52 @@ mod test {
         let net_des = serde_json::from_str::<IpNet>(&ser).unwrap();
         assert_eq!(net, net_des);
     }
+
+    #[test]
+    fn test_ipnet_first_last_address() {
+        use std::net::IpAddr;
+        use std::net::Ipv4Addr;
+        use std::net::Ipv6Addr;
+        let net: IpNet = "fd00::/128".parse().unwrap();
+        assert_eq!(
+            net.first_address(),
+            IpAddr::from(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0)),
+        );
+        assert_eq!(
+            net.last_address(),
+            IpAddr::from(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0)),
+        );
+
+        let net: IpNet = "fd00::/64".parse().unwrap();
+        assert_eq!(
+            net.first_address(),
+            IpAddr::from(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0)),
+        );
+        assert_eq!(
+            net.last_address(),
+            IpAddr::from(Ipv6Addr::new(
+                0xfd00, 0, 0, 0, 0xffff, 0xffff, 0xffff, 0xffff
+            )),
+        );
+
+        let net: IpNet = "10.0.0.0/16".parse().unwrap();
+        assert_eq!(
+            net.first_address(),
+            IpAddr::from(Ipv4Addr::new(10, 0, 0, 0)),
+        );
+        assert_eq!(
+            net.last_address(),
+            IpAddr::from(Ipv4Addr::new(10, 0, 255, 255)),
+        );
+
+        let net: IpNet = "10.0.0.0/32".parse().unwrap();
+        assert_eq!(
+            net.first_address(),
+            IpAddr::from(Ipv4Addr::new(10, 0, 0, 0)),
+        );
+        assert_eq!(
+            net.last_address(),
+            IpAddr::from(Ipv4Addr::new(10, 0, 0, 0)),
+        );
+    }
 }

common/src/sql/dbinit.sql

@@ -827,32 +827,6 @@ STORING (vpc_id, subnet_id, is_primary)
 WHERE
     time_deleted IS NULL;
 
-
-CREATE TYPE omicron.public.vpc_router_kind AS ENUM (
-    'system',
-    'custom'
-);
-
-CREATE TABLE omicron.public.vpc_router (
-    /* Identity metadata (resource) */
-    id UUID PRIMARY KEY,
-    name STRING(63) NOT NULL,
-    description STRING(512) NOT NULL,
-    time_created TIMESTAMPTZ NOT NULL,
-    time_modified TIMESTAMPTZ NOT NULL,
-    /* Indicates that the object has been deleted */
-    time_deleted TIMESTAMPTZ,
-    kind omicron.public.vpc_router_kind NOT NULL,
-    vpc_id UUID NOT NULL,
-    rcgen INT NOT NULL
-);
-
-CREATE UNIQUE INDEX ON omicron.public.vpc_router (
-    vpc_id,
-    name
-) WHERE
-    time_deleted IS NULL;
-
 CREATE TYPE omicron.public.vpc_firewall_rule_status AS ENUM (
     'disabled',
     'enabled'
@@ -904,6 +878,31 @@ CREATE UNIQUE INDEX ON omicron.public.vpc_firewall_rule (
 ) WHERE
     time_deleted IS NULL;
 
+CREATE TYPE omicron.public.vpc_router_kind AS ENUM (
+    'system',
+    'custom'
+);
+
+CREATE TABLE omicron.public.vpc_router (
+    /* Identity metadata (resource) */
+    id UUID PRIMARY KEY,
+    name STRING(63) NOT NULL,
+    description STRING(512) NOT NULL,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    /* Indicates that the object has been deleted */
+    time_deleted TIMESTAMPTZ,
+    kind omicron.public.vpc_router_kind NOT NULL,
+    vpc_id UUID NOT NULL,
+    rcgen INT NOT NULL
+);
+
+CREATE UNIQUE INDEX ON omicron.public.vpc_router (
+    vpc_id,
+    name
+) WHERE
+    time_deleted IS NULL;
+
 CREATE TYPE omicron.public.router_route_kind AS ENUM (
     'default',
     'vpc_subnet',
@@ -933,6 +932,62 @@ CREATE UNIQUE INDEX ON omicron.public.router_route (
 ) WHERE
     time_deleted IS NULL;
 
+/*
+ * An IP Pool, a collection of zero or more IP ranges for external IPs.
+ */
+CREATE TABLE omicron.public.ip_pool (
+    /* Resource identity metadata */
+    id UUID PRIMARY KEY,
+    name STRING(63) NOT NULL,
+    description STRING(512) NOT NULL,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    time_deleted TIMESTAMPTZ,
+
+    /* The collection's child-resource generation number */
+    rcgen INT8 NOT NULL
+);
+
+/*
+ * Index ensuring uniqueness of IP Pool names, globally.
+ */
+CREATE UNIQUE INDEX ON omicron.public.ip_pool (
+    name
+) WHERE
+    time_deleted IS NULL;
+
+/*
+ * IP Pools are made up of a set of IP ranges, which are start/stop addresses.
+ * Note that these need not be CIDR blocks or well-behaved subnets with a
+ * specific netmask.
+ */
+CREATE TABLE omicron.public.ip_pool_range (
+    id UUID PRIMARY KEY,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    time_deleted TIMESTAMPTZ,
+    first_address INET NOT NULL,
+    /* The range is inclusive of the last address. */
+    last_address INET NOT NULL,
+    ip_pool_id UUID NOT NULL
+);
+
+/* 
+ * These help Nexus enforce that the ranges within an IP Pool do not overlap
+ * with any other ranges. See `nexus/src/db/queries/ip_pool.rs` for the actual
+ * query which does that.
+ */
+CREATE UNIQUE INDEX ON omicron.public.ip_pool_range (
+    first_address
+)
+STORING (last_address)
+WHERE time_deleted IS NULL;
+CREATE UNIQUE INDEX ON omicron.public.ip_pool_range (
+    last_address
+)
+STORING (first_address)
+WHERE time_deleted IS NULL;
+
 /*******************************************************************/
 
 /*

nexus/src/app/ip_pool.rs

@@ -0,0 +1,128 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! IP Pools, collections of external IP addresses for guest instances
+
+use crate::authz;
+use crate::context::OpContext;
+use crate::db;
+use crate::db::lookup::LookupPath;
+use crate::db::model::Name;
+use crate::external_api::params;
+use crate::external_api::shared::IpRange;
+use ipnetwork::IpNetwork;
+use omicron_common::api::external::CreateResult;
+use omicron_common::api::external::DataPageParams;
+use omicron_common::api::external::DeleteResult;
+use omicron_common::api::external::ListResultVec;
+use omicron_common::api::external::LookupResult;
+use omicron_common::api::external::UpdateResult;
+use uuid::Uuid;
+
+impl super::Nexus {
+    pub async fn ip_pool_create(
+        &self,
+        opctx: &OpContext,
+        new_pool: &params::IpPoolCreate,
+    ) -> CreateResult<db::model::IpPool> {
+        self.db_datastore.ip_pool_create(opctx, new_pool).await
+    }
+
+    pub async fn ip_pools_list_by_name(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Name>,
+    ) -> ListResultVec<db::model::IpPool> {
+        self.db_datastore.ip_pools_list_by_name(opctx, pagparams).await
+    }
+
+    pub async fn ip_pools_list_by_id(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<db::model::IpPool> {
+        self.db_datastore.ip_pools_list_by_id(opctx, pagparams).await
+    }
+
+    pub async fn ip_pool_fetch(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+    ) -> LookupResult<db::model::IpPool> {
+        let (.., db_pool) = LookupPath::new(opctx, &self.db_datastore)
+            .ip_pool_name(pool_name)
+            .fetch()
+            .await?;
+        Ok(db_pool)
+    }
+
+    pub async fn ip_pool_delete(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+    ) -> DeleteResult {
+        let (.., authz_pool, db_pool) =
+            LookupPath::new(opctx, &self.db_datastore)
+                .ip_pool_name(pool_name)
+                .fetch_for(authz::Action::Delete)
+                .await?;
+        self.db_datastore.ip_pool_delete(opctx, &authz_pool, &db_pool).await
+    }
+
+    pub async fn ip_pool_update(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+        updates: &params::IpPoolUpdate,
+    ) -> UpdateResult<db::model::IpPool> {
+        let (.., authz_pool) = LookupPath::new(opctx, &self.db_datastore)
+            .ip_pool_name(pool_name)
+            .lookup_for(authz::Action::Modify)
+            .await?;
+        self.db_datastore
+            .ip_pool_update(opctx, &authz_pool, updates.clone().into())
+            .await
+    }
+
+    pub async fn ip_pool_list_ranges(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+        pagparams: &DataPageParams<'_, IpNetwork>,
+    ) -> ListResultVec<db::model::IpPoolRange> {
+        let (.., authz_pool) = LookupPath::new(opctx, &self.db_datastore)
+            .ip_pool_name(pool_name)
+            .lookup_for(authz::Action::ListChildren)
+            .await?;
+        self.db_datastore
+            .ip_pool_list_ranges(opctx, &authz_pool, pagparams)
+            .await
+    }
+
+    pub async fn ip_pool_add_range(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+        range: &IpRange,
+    ) -> UpdateResult<db::model::IpPoolRange> {
+        let (.., authz_pool) = LookupPath::new(opctx, &self.db_datastore)
+            .ip_pool_name(pool_name)
+            .lookup_for(authz::Action::Modify)
+            .await?;
+        self.db_datastore.ip_pool_add_range(opctx, &authz_pool, range).await
+    }
+
+    pub async fn ip_pool_delete_range(
+        &self,
+        opctx: &OpContext,
+        pool_name: &Name,
+        range: &IpRange,
+    ) -> DeleteResult {
+        let (.., authz_pool) = LookupPath::new(opctx, &self.db_datastore)
+            .ip_pool_name(pool_name)
+            .lookup_for(authz::Action::Modify)
+            .await?;
+        self.db_datastore.ip_pool_delete_range(opctx, &authz_pool, range).await
+    }
+}

nexus/src/app/mod.rs

@@ -24,6 +24,7 @@ mod disk;
 mod iam;
 mod image;
 mod instance;
+mod ip_pool;
 mod organization;
 mod oximeter;
 mod project;