oxidecomputer · smklein · Mar 10, 2023 · Feb 28, 2023 · Mar 1, 2023 · Mar 1, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -182,7 +182,7 @@ omicron-nexus = { path = "nexus" }
 omicron-package = { path = "package" }
 omicron-sled-agent = { path = "sled-agent" }
 omicron-test-utils = { path = "test-utils" }
-omicron-zone-package = "0.5.1"
+omicron-zone-package = "0.8.3"
 oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "41ba1d3fa476284c9cbc5d7eab7539cfad3eeb37", features = [ "api", "std" ] }
 once_cell = "1.17.1"
 openapi-lint = { git = "https://github.com/oxidecomputer/openapi-lint", branch = "main" }
@@ -200,7 +200,7 @@ oximeter-collector = { path = "oximeter/collector" }
 oximeter-instruments = { path = "oximeter/instruments" }
 oximeter-macro-impl = { path = "oximeter/oximeter-macro-impl" }
 oximeter-producer = { path = "oximeter/producer" }
-p256 = "0.9.0"
+p256 = "0.11"
 parse-display = "0.7.0"
 partial-io = { version = "0.5.4", features = ["proptest1", "tokio1"] }
 paste = "1.0.12"
@@ -289,7 +289,7 @@ tufaceous = { path = "tufaceous" }
 tufaceous-lib = { path = "tufaceous-lib" }
 uuid = { version = "1.3.0", features = ["serde", "v4"] }
 usdt = "0.3"
-vsss-rs = { version = "2.0.0", default-features = false, features = ["std"] }
+vsss-rs = { version = "2.7", default-features = false, features = ["std"] }
 walkdir = "2.3"
 wicketd-client = { path = "wicketd-client" }
 zeroize = { version = "1.5.7", features = ["zeroize_derive", "std"] }

diff --git a/deploy/src/bin/thing-flinger.rs b/deploy/src/bin/thing-flinger.rs
@@ -988,6 +988,9 @@ fn main() -> Result<()> {
         SubCommand::Builder(BuildCommand::Package { artifact_dir }) => {
             do_package(&config, artifact_dir)?;
         }
+        SubCommand::Builder(BuildCommand::Stamp { .. }) => {
+            anyhow::bail!("Distributed package stamping not supported")
+        }
         SubCommand::Builder(BuildCommand::Check) => do_check(&config)?,
         SubCommand::Builder(BuildCommand::Dot) => {
             do_dot(&config)?;

diff --git a/nexus/tests/integration_tests/instances.rs b/nexus/tests/integration_tests/instances.rs
@@ -854,9 +854,9 @@ async fn test_instances_invalid_creation_returns_bad_request(
         )
         .await
         .unwrap_err();
-    assert!(error
-        .message
-        .starts_with("unable to parse JSON body: invalid value: integer `-3`"));
+    assert!(error.message.starts_with(
+        "unable to parse JSON body: ncpus: invalid value: integer `-3`"
+    ));
 }
 
 #[nexus_test]

diff --git a/package/Cargo.toml b/package/Cargo.toml
@@ -18,6 +18,7 @@ petgraph.workspace = true
 rayon.workspace = true
 reqwest = { workspace = true, features = [ "rustls-tls" ] }
 ring.workspace = true
+semver.workspace = true
 serde.workspace = true
 serde_derive.workspace = true
 sled-hardware.workspace = true

diff --git a/package/src/bin/omicron-package.rs b/package/src/bin/omicron-package.rs
@@ -162,7 +162,10 @@ async fn do_build(config: &Config) -> Result<()> {
 }
 
 async fn do_dot(config: &Config) -> Result<()> {
-    println!("{}", omicron_package::dot::do_dot(&config.package_config)?);
+    println!(
+        "{}",
+        omicron_package::dot::do_dot(&config.target, &config.package_config)?
+    );
     Ok(())
 }
 
@@ -192,12 +195,13 @@ async fn get_sha256_digest(path: &PathBuf) -> Result<Digest> {
 
 // Ensures a package exists, either by creating it or downloading it.
 async fn get_package(
+    target: &Target,
     ui: &Arc<ProgressUI>,
     package_name: &String,
     package: &Package,
     output_directory: &Path,
 ) -> Result<()> {
-    let total_work = package.get_total_work();
+    let total_work = package.get_total_work_for_target(&target)?;
     let progress = ui.add_package(package_name.to_string(), total_work);
     match &package.source {
         PackageSource::Prebuilt { repo, commit, sha256 } => {
@@ -206,15 +210,15 @@ async fn get_package(
 
             let should_download = if path.exists() {
                 // Re-download the package if the SHA doesn't match.
-                progress.set_message("verifying hash".to_string());
+                progress.set_message("verifying hash".into());
                 let digest = get_sha256_digest(&path).await?;
                 digest.as_ref() != expected_digest
             } else {
                 true
             };
 
             if should_download {
-                progress.set_message("downloading prebuilt".to_string());
+                progress.set_message("downloading prebuilt".into());
                 let url = format!(
                     "https://buildomat.eng.oxide.computer/public/file/oxidecomputer/{}/image/{}/{}",
                     repo,
@@ -267,9 +271,9 @@ async fn get_package(
             }
         }
         PackageSource::Local { .. } | PackageSource::Composite { .. } => {
-            progress.set_message("bundle package".to_string());
+            progress.set_message("bundle package".into());
             package
-                .create_with_progress(&progress, package_name, &output_directory)
+                .create_with_progress_for_target(&progress, &target, package_name, &output_directory)
                 .await
                 .with_context(|| {
                     let msg = format!("failed to create {package_name} in {output_directory:?}");
@@ -315,8 +319,14 @@ async fn do_package(config: &Config, output_directory: &Path) -> Result<()> {
             .try_for_each_concurrent(
                 None,
                 |((package_name, package), ui)| async move {
-                    get_package(&ui, package_name, package, output_directory)
-                        .await
+                    get_package(
+                        &config.target,
+                        &ui,
+                        package_name,
+                        package,
+                        output_directory,
+                    )
+                    .await
                 },
             );
 
@@ -326,6 +336,27 @@ async fn do_package(config: &Config, output_directory: &Path) -> Result<()> {
     Ok(())
 }
 
+async fn do_stamp(
+    config: &Config,
+    output_directory: &Path,
+    package_name: &str,
+    version: &semver::Version,
+) -> Result<()> {
+    // Find the package which should be stamped
+    let (_name, package) = config
+        .package_config
+        .packages_to_deploy(&config.target)
+        .into_iter()
+        .find(|(name, _pkg)| name.as_str() == package_name)
+        .ok_or_else(|| anyhow!("Package {package_name} not found"))?;
+
+    // Stamp it
+    let stamped_path =
+        package.stamp(package_name, output_directory, version).await?;
+    println!("Created: {}", stamped_path.display());
+    Ok(())
+}
+
 async fn do_unpack(
     config: &Config,
     artifact_dir: &Path,
@@ -636,12 +667,8 @@ impl PackageProgress {
 }
 
 impl Progress for PackageProgress {
-    fn set_message(&self, message: impl Into<std::borrow::Cow<'static, str>>) {
-        self.pb.set_message(format!(
-            "{}: {}",
-            self.service_name,
-            message.into()
-        ));
+    fn set_message(&self, message: std::borrow::Cow<'static, str>) {
+        self.pb.set_message(format!("{}: {}", self.service_name, message));
         self.pb.tick();
     }
 
@@ -729,6 +756,13 @@ async fn main() -> Result<()> {
         SubCommand::Build(BuildCommand::Package { artifact_dir }) => {
             do_package(&config, &artifact_dir).await?;
         }
+        SubCommand::Build(BuildCommand::Stamp {
+            artifact_dir,
+            package_name,
+            version,
+        }) => {
+            do_stamp(&config, &artifact_dir, package_name, version).await?;
+        }
         SubCommand::Build(BuildCommand::Check) => do_check(&config).await?,
         SubCommand::Deploy(DeployCommand::Install {
             artifact_dir,

diff --git a/package/src/dot.rs b/package/src/dot.rs
@@ -4,6 +4,7 @@ use anyhow::anyhow;
 use omicron_zone_package::config::Config;
 use omicron_zone_package::package::PackageOutput;
 use omicron_zone_package::package::PackageSource;
+use omicron_zone_package::target::Target;
 use petgraph::dot::Dot;
 use petgraph::graph::EdgeReference;
 use petgraph::graph::NodeIndex;
@@ -69,7 +70,10 @@ impl std::fmt::Display for GraphNode {
 }
 
 // Returns a string that can be passed to dot(1) to visualize a package manifest
-pub fn do_dot(package_config: &Config) -> anyhow::Result<String> {
+pub fn do_dot(
+    target: &Target,
+    package_config: &Config,
+) -> anyhow::Result<String> {
     let packages = &package_config.packages;
 
     // We'll use petgraph's facilities to build a directed acyclic graph that
@@ -200,12 +204,12 @@ pub fn do_dot(package_config: &Config) -> anyhow::Result<String> {
                     let paths = paths
                         .iter()
                         .map(|mapping| {
-                            (
-                                mapping.from.display().to_string(),
-                                mapping.to.display().to_string(),
-                            )
+                            Ok((
+                                mapping.from.interpolate(&target)?,
+                                mapping.to.interpolate(&target)?,
+                            ))
                         })
-                        .collect();
+                        .collect::<anyhow::Result<_>>()?;
                     let path_node = graph.add_node(GraphNode::Paths { paths });
                     graph.add_edge(*pkg_node, path_node, "include");
                 }
@@ -289,13 +293,13 @@ fn node_attributes(
 
 #[cfg(test)]
 mod test {
-    use super::do_dot;
+    use super::*;
     use omicron_zone_package::config::parse_manifest;
 
     fn dot_output_for(raw_toml: &str) -> Result<String, anyhow::Error> {
         let package_config =
             parse_manifest(raw_toml).expect("test toml was invalid");
-        do_dot(&package_config)
+        do_dot(&Target::default(), &package_config)
     }
 
     #[test]

diff --git a/package/src/lib.rs b/package/src/lib.rs
@@ -43,6 +43,20 @@ pub enum BuildCommand {
         #[clap(long = "out", default_value = "out", action)]
         artifact_dir: PathBuf,
     },
+    /// Stamps semver versions onto packages within a manifest
+    Stamp {
+        /// The output directory, where artifacts should be placed.
+        ///
+        /// Defaults to "out".
+        #[clap(long = "out", default_value = "out", action)]
+        artifact_dir: PathBuf,
+
+        /// The name of the artifact to be stamped.
+        package_name: String,
+
+        /// The version to be stamped onto the package.
+        version: semver::Version,
+    },
     /// Checks the packages specified in a manifest, without building them.
     Check,
 }

diff --git a/sled-agent/src/bootstrap/trust_quorum/rack_secret.rs b/sled-agent/src/bootstrap/trust_quorum/rack_secret.rs
@@ -75,7 +75,7 @@ impl RackSecret {
     pub fn new() -> RackSecret {
         let mut rng = OsRng::default();
         let sk = SecretKey::random(&mut rng);
-        RackSecret { secret: sk.to_secret_scalar() }
+        RackSecret { secret: sk.to_nonzero_scalar() }
     }
 
     /// Split a secert into `total_shares` number of shares, where combining
@@ -101,7 +101,7 @@ impl RackSecret {
             .combine_shares::<Scalar>(shares)?;
         let nzs = NonZeroScalar::from_repr(scalar.to_repr()).unwrap();
         let sk = SecretKey::from(nzs);
-        Ok(RackSecret { secret: sk.to_secret_scalar() })
+        Ok(RackSecret { secret: sk.to_nonzero_scalar() })
     }
 }