InstanceUpdate body: change Option fields to Nullable so they're required to be present
#9046
Conversation
| "boot_disk", | ||
| "cpu_platform", | ||
| "memory", | ||
| "ncpus" |
There was a problem hiding this comment.
This lets the TS client generator mark these fields as nullable but not optional.
There was a problem hiding this comment.
FWIW, the Rust generator doesn't (currently) draw this distinction; I don't know about the go generator.
|
Issue for test flake: #9048 |
ahl
left a comment
ahl
left a comment
There was a problem hiding this comment.
Is PUT the right interface? If I understand correctly, in order to use this interface I need to call instance_view, pull out some subset of those settings (e.g. not hostname), populate a PUT body and then call instance_update. This seems particularly cumbersome in the CLI.
Would we consider using PATCH here and distinguish the three states for a field:
- value = set to that value
null= unset- absent = don't modify
| /// | ||
| /// If not provided, unset the instance's boot disk. | ||
| pub boot_disk: Option<NameOrId>, | ||
| /// A null value unsets the boot disk. |
There was a problem hiding this comment.
What does it mean to have an unset boot disk? That the instance can't boot?
There was a problem hiding this comment.
This is explained painstakingly in the create params. I will give this the same comment.
omicron/nexus/types/src/external_api/params.rs
Lines 1234 to 1250 in 3c97dce
There was a problem hiding this comment.
(the main wrinkle being that not having a fixed boot disk is a meaningful and valid configuration, and that's the only way to let a VM manage its boot settings. it seems pretty frustrating to take that away by requiring an explicit boot disk, though it'd simplify some API questions like this one. it's all complicated and doesn't feel great.)
| let base_update = params::InstanceUpdate { | ||
| auto_restart_policy: Nullable(auto_restart_policy), | ||
| boot_disk: Nullable(boot_disk_nameorid.clone()), | ||
| cpu_platform: Nullable(None), | ||
| ncpus: initial_ncpus, | ||
| memory: initial_memory, | ||
| }; |
There was a problem hiding this comment.
is this to avoid repeating code? For what it's worth, I found the prior structure easier to understand--especially when looking locally. Is your thought that this makes it easier to add new settings in the future? Perhaps this argues for a PATCH interface.
There was a problem hiding this comment.
Yes, this was basically me grumbling about the fact that I would have had to fix a lot fewer lines of code if this had already been in place. But that is a narrow reason and it's easy to change it back.
| "boot_disk", | ||
| "cpu_platform", | ||
| "memory", | ||
| "ncpus" |
There was a problem hiding this comment.
FWIW, the Rust generator doesn't (currently) draw this distinction; I don't know about the go generator.
| check_instance_cpu_memory_sizes(*ncpus, *memory)?; | ||
|
|
||
| let boot_disk_id = match boot_disk { | ||
| let boot_disk_id = match boot_disk.as_ref() { |
There was a problem hiding this comment.
it’s now a Nullable, so you have to pull out the option inside it, but .0 is not sufficient, the compile whines about that
|
#333 is a discussion of making our PUTs standards-compliant since we're not doing PATCH, but I can't find a direct discussion of doing PATCH. I vaguely remember there being one — maybe it was on an RFD. |
|
yes, I was just going to say RFD 4 (!) mentions a bit here. I think conceptually |
I think both provide the opportunity for different kinds of races. A CLI user--for example--will |
…e required to be present (#9046) Optional fields on a request body can be left out completely from the JSON. In the case of instance update (and probably many other endpoints) this is a problem because passing `null` and passing nothing have the same effect, namely unsetting that field if it is already set in the DB. And because the fields are optional, the generated client types do not enforce that they are present (at least when creating the JSON by hand and also in TypeScript, which distinguishes between optional and nullable at the type level). It is easy to do this by accident: while working on [this](oxidecomputer/console#2900), I [discovered a bug](oxidecomputer/console#2900 (comment)) in the console where we accidentally unset the auto restart policy on an instance when you resize an instance. This PR changes `Option` to `Nullable`, which I added in #8214 to fix this problem: `null` remains a valid value, but the client is no longer allowed to leave that field out of the body. If we don't want to do this, I can live with it because in the console, I have [made a helper](oxidecomputer/console@60ca75e) that enforces that all fields are explicitly present. But I do think the status quo is very error-prone. https://github.com/oxidecomputer/omicron/blob/c6989117c72ecf88d4e3dc8a597d9fe703152a93/common/src/api/external/mod.rs#L3564-L3570
Optional fields on a request body can be left out completely from the JSON. In the case of instance update (and probably many other endpoints) this is a problem because passing
nulland passing nothing have the same effect, namely unsetting that field if it is already set in the DB. And because the fields are optional, the generated client types do not enforce that they are present (at least when creating the JSON by hand and also in TypeScript, which distinguishes between optional and nullable at the type level). It is easy to do this by accident: while working on this, I discovered a bug in the console where we accidentally unset the auto restart policy on an instance when you resize an instance.This PR changes
OptiontoNullable, which I added in #8214 to fix this problem:nullremains a valid value, but the client is no longer allowed to leave that field out of the body. If we don't want to do this, I can live with it because in the console, I have made a helper that enforces that all fields are explicitly present. But I do think the status quo is very error-prone.omicron/common/src/api/external/mod.rs
Lines 3564 to 3570 in c698911