Want temporary hack to support inbound connections to guest

[rzezeski]

Currently, without the integration of Boundary Services, there is no way for someone to get SSH access into a guest instance (created by Omicron). I was tasked with finding a way to make this work for the interim while we wait for Boundary Services to come into the fold.

The idea behind the hack is to have a global flag in xde.conf that when set will modify the behavior of xde/OPTE in such a way that:

• It will no longer perform IPv6/Geneve encap.
• It will hijack the SNAT config and treat it as an "external" IP configuration, performing 1:1 NAT with said IP.
• The arp layer will Proxy ARP for this external IP, allowing other hosts on the same local (physical) IPv4 network to discover this external IP.

In effect, this allows one to SSH to the guest via some IP that sits in their local IPv4 network.

This hack will not provide outbound access from the guest instance. That can be done, but it requires more work, and the idea is for this hack to have the shortest life possible, being immediately undone the moment Boundary Services is integrated into the typical Omicron deployment.

[rzezeski]

This landed in 14410f9. I left breadcrumbs as various XXX-EXT-IP comments for stuff that needs to be modified/removed.

There was a legit bug fixed in this commit as well, where no promisc handler was being added to the first underlay, thanks to a typo I made in an earlier refactor. That fix will remain when undoing this hack.

[leftwo]

This workaround will limit the number of instances a single system running Omicron can create.

After 13 instances, you will get a message like this (in sled-agent logs) when trying to create any additional instances:

  "error_message_internal": "Error managing instances: Instance error: Failed to set link property \"secondary-macs\" to \"A8:40:25:F6:E8:39,A8:40:25:F6:07:9F,A8:40:25:F4:47:B1,A8:40:25:FC:B5:13,A8:40:25:F1:7B:CA,A8:40:25:FC:87:6F,A8:40:25:F8:D3:04,A8:40:25:F1:71:D0,A8:40:25:F4:4B:95,A8:40:25:F9:9B:8F,A8:40:25:F7:FF:75,A8:40:25:F9:26:E3,A8:40:25:FB:A7:84,A8:40:25:FB:6E:C9\" on vnic net0: Command [/usr/sbin/dladm set-linkprop -t -p secondary-macs=A8:40:25:F6:E8:39,A8:40:25:F6:07:9F,A8:40:25:F4:47:B1,A8:40:25:FC:B5:13,A8:40:25:F1:7B:CA,A8:40:25:FC:87:6F,A8:40:25:F8:D3:04,A8:40:25:F1:71:D0,A8:40:25:F4:4B:95,A8:40:25:F9:9B:8F,A8:40:25:F7:FF:75,A8:40:25:F9:26:E3,A8:40:25:FB:A7:84,A8:40:25:FB:6E:C9 net0] executed and failed with status: exit status: 1. Stdout: , Stderr: dladm: property list too long 'secondary-macs=A8:40:25:F6:E8:39,A8:40:25:F6:07:9F,A8:40:25:F4:47:B1,A8:40:25:FC:B5:13,A8:40:25:F1:7B:CA,A8:40:25:FC:87:6F,A8:40:25:F8:D3:04,A8:40:25:F1:71:D0,A8:40:25:F4:4B:95,A8:40:25:F9:9B:8F,A8:40:25:F7:FF:75,A8:40:25:F9:26:E3,A8:40:25:FB:A7:84,A8:40:'\n",

[leftwo]

And, I totally understand this is a much needed workaround :)
I just wanted to leave a comment in case anyone else sees this issue and goes searching for it.

[rzezeski]

Thanks for the note Alan. Lucky number 13 -- you've been spending too much time in the spooky hallway :).

All the more reason to get Boundary Services working with Omicron and get rid of this hack.