[review, ddmd] Address review ~ HostSwitchZonePorts + real ddmd test fixture

We address @jgallagher's review by:

- Replacing the four positional `u16` arguments in `DnsConfigBuilder::host_zone_switch`
  with a `HostSwitchZonePorts` named-fields structure.

- Replacing the dropshot-based stubbed `DdmInstance` in test-utils with a
  fixture that spawns and supervises a real `ddmd` subprocess running with
  `--no-state-machine`, analogous to `MgdInstance` and `mgd --no-bgp-dispatcher`.
  Only the switch-zone `ddmd` is registered in internal DNS, while sled-global-zone
  instances are accessed locally by their own host and don't need DNS registration.

  This **does** require maghemite changes, already PR'ed to oxidecomputer/maghemite#729.

  To make this all work, we wire `ddmd` into the developer xtask toolchain.
  `cargo xtask download maghemite-ddmd` reuses the existing `mg-ddm.tar.gz`
  illumos zone artifact (extracting `ddmd`/`ddmadm`). On Linux it overlays a
  raw `ddmd` binary, and on macOS it builds from source.

Also, we had to bump `oxnet` from 0.1.4 to 0.1.5 to satisfy the new maghemite pin.

Author: zeeshanlakhani

.envrc

@@ -5,6 +5,7 @@ PATH_add out/cockroachdb/bin
 PATH_add out/clickhouse
 PATH_add out/dendrite-stub/bin
 PATH_add out/mgd/root/opt/oxide/mgd/bin
+PATH_add out/mg-ddm/root/opt/oxide/mg-ddm/bin
 
 if [ "$OMICRON_USE_FLAKE" = 1 ] && nix flake show &> /dev/null
 then

Cargo.lock

@@ -604,8 +604,8 @@ ntp-admin-api = { path = "ntp-admin/api" }
 ntp-admin-client = { path = "clients/ntp-admin-client" }
 ntp-admin-types = { path = "ntp-admin/types" }
 ntp-admin-types-versions = { path = "ntp-admin/types/versions" }
-mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
-ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
+mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "3b54e1630e6f75cdc09a2580cec2438bfecade22" }
+ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "3b54e1630e6f75cdc09a2580cec2438bfecade22" }
 multimap = "0.10.1"
 nexus-auth = { path = "nexus/auth" }
 nexus-background-task-interface = { path = "nexus/background-task-interface" }
@@ -669,7 +669,7 @@ oxide-client = { path = "clients/oxide-client" }
 oxide-tokio-rt = "0.1.4"
 oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "bae0440c199b3908c12903a9532854936353433b", features = [ "api", "std" ] }
 oxlog = { path = "dev-tools/oxlog" }
-oxnet = "0.1.4"
+oxnet = "0.1.5"
 once_cell = "1.21.3"
 openapi-lint = { git = "https://github.com/oxidecomputer/openapi-lint", branch = "main" }
 openapiv3 = "2.2.0"
@@ -742,7 +742,7 @@ rats-corim = { git = "https://github.com/oxidecomputer/rats-corim.git", rev = "f
 raw-cpuid = { git = "https://github.com/oxidecomputer/rust-cpuid.git", rev = "a4cf01df76f35430ff5d39dc2fe470bcb953503b" }
 rayon = "1.10"
 rcgen = "0.12.1"
-rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "7696ee48d5ee29a917dea459e281fe2e8ff20513" }
+rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "3b54e1630e6f75cdc09a2580cec2438bfecade22" }
 reconfigurator-cli = { path = "dev-tools/reconfigurator-cli" }
 reedline = "0.40.0"
 ref-cast = "1.0"

Cargo.toml

@@ -69,6 +69,9 @@ enum Target {
     /// Maghemite mgd binary
     MaghemiteMgd,
 
+    /// Maghemite ddmd binary
+    MaghemiteDdmd,
+
     /// SoftNPU, an admin program (scadm) and a pre-compiled P4 program.
     Softnpu,
 
@@ -137,6 +140,7 @@ pub async fn run_cmd(args: DownloadArgs) -> Result<()> {
                     Target::Console => downloader.download_console().await,
                     Target::DendriteStub => downloader.download_dendrite_stub().await,
                     Target::MaghemiteMgd => downloader.download_maghemite_mgd().await,
+                    Target::MaghemiteDdmd => downloader.download_maghemite_ddmd().await,
                     Target::Softnpu => downloader.download_softnpu().await,
                     Target::TransceiverControl => {
                         downloader.download_transceiver_control().await
@@ -946,6 +950,84 @@ impl Downloader<'_> {
         Ok(())
     }
 
+    async fn download_maghemite_ddmd(&self) -> Result<()> {
+        let download_dir = self.output_dir.join("downloads");
+        tokio::fs::create_dir_all(&download_dir).await?;
+
+        let checksums_path = self.versions_dir.join("maghemite_mgd_checksums");
+        let [mg_ddm_sha2, ddmd_linux_sha2] = get_values_from_file(
+            ["MG_DDM_SHA256", "DDMD_LINUX_SHA256"],
+            &checksums_path,
+        )
+        .await?;
+        let commit_path =
+            self.versions_dir.join("maghemite_ddm_openapi_version");
+        let [commit] = get_values_from_file(["COMMIT"], &commit_path).await?;
+
+        let repo = "oxidecomputer/maghemite";
+        let base_url = format!("{BUILDOMAT_URL}/{repo}/image/{commit}");
+
+        let filename = "mg-ddm.tar.gz";
+        let tarball_path = download_dir.join(filename);
+        download_file_and_verify(
+            &self.log,
+            &tarball_path,
+            &format!("{base_url}/{filename}"),
+            ChecksumAlgorithm::Sha2,
+            &mg_ddm_sha2,
+        )
+        .await?;
+        unpack_tarball(&self.log, &tarball_path, &download_dir).await?;
+
+        let destination_dir = self.output_dir.join("mg-ddm");
+        let _ = tokio::fs::remove_dir_all(&destination_dir).await;
+        tokio::fs::create_dir_all(&destination_dir).await?;
+        copy_dir_all(
+            &download_dir.join("root"),
+            &destination_dir.join("root"),
+        )?;
+
+        let binary_dir = destination_dir.join("root/opt/oxide/mg-ddm/bin");
+
+        match os_name()? {
+            Os::Linux => {
+                let filename = "ddmd";
+                let path = download_dir.join(filename);
+                download_file_and_verify(
+                    &self.log,
+                    &path,
+                    &format!(
+                        "{BUILDOMAT_URL}/{repo}/linux/{commit}/{filename}"
+                    ),
+                    ChecksumAlgorithm::Sha2,
+                    &ddmd_linux_sha2,
+                )
+                .await?;
+                set_permissions(&path, 0o755).await?;
+                tokio::fs::copy(path, binary_dir.join(filename)).await?;
+            }
+            Os::Mac => {
+                info!(
+                    self.log,
+                    "Building maghemite ddmd from source for macOS"
+                );
+
+                let binaries = [("ddmd", &["--no-default-features"][..])];
+
+                let built_binaries = self
+                    .build_from_git("maghemite", &commit, &binaries)
+                    .await?;
+
+                let dest = binary_dir.join("ddmd");
+                tokio::fs::copy(&built_binaries[0], &dest).await?;
+                set_permissions(&dest, 0o755).await?;
+            }
+            Os::Illumos => (),
+        }
+
+        Ok(())
+    }
+
     async fn download_softnpu(&self) -> Result<()> {
         let destination_dir = self.output_dir.join("npuzone");
         tokio::fs::create_dir_all(&destination_dir).await?;

dev-tools/downloader/src/lib.rs

@@ -12,6 +12,7 @@ export PATH="$OMICRON_WS/out/cockroachdb/bin:$PATH"
 export PATH="$OMICRON_WS/out/clickhouse:$PATH"
 export PATH="$OMICRON_WS/out/dendrite-stub/bin:$PATH"
 export PATH="$OMICRON_WS/out/mgd/root/opt/oxide/mgd/bin:$PATH"
+export PATH="$OMICRON_WS/out/mg-ddm/root/opt/oxide/mg-ddm/bin:$PATH"
 
 # if xtrace was set previously, do not unset it
 case $OLD_SHELL_OPTS in

env.sh

@@ -163,6 +163,20 @@ pub struct DnsConfigBuilder {
     service_instances_sleds: BTreeMap<ServiceName, BTreeMap<Sled, u16>>,
 }
 
+/// Ports for the per-switch services published in internal DNS by
+/// [`DnsConfigBuilder::host_zone_switch`].
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub struct HostSwitchZonePorts {
+    /// Dendrite (`dpd`) admin API port.
+    pub dendrite: u16,
+    /// Management Gateway Service (`mgs`) port.
+    pub mgs: u16,
+    /// Maghemite `mgd` admin API port.
+    pub mgd: u16,
+    /// Maghemite `ddmd` admin API port.
+    pub ddm: u16,
+}
+
 /// Describes a host of type "sled" in the control plane DNS zone
 #[derive(Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
 pub struct Sled(SledUuid);
@@ -396,11 +410,14 @@ impl DnsConfigBuilder {
         &mut self,
         sled_id: SledUuid,
         switch_zone_ip: Ipv6Addr,
-        dendrite_port: u16,
-        mgs_port: u16,
-        mgd_port: u16,
-        ddm_port: u16,
+        ports: HostSwitchZonePorts,
     ) -> anyhow::Result<()> {
+        let HostSwitchZonePorts {
+            dendrite: dendrite_port,
+            mgs: mgs_port,
+            mgd: mgd_port,
+            ddm: ddm_port,
+        } = ports;
         let zone = self.host_dendrite(sled_id, switch_zone_ip)?;
         self.service_backend_zone(ServiceName::Dendrite, &zone, dendrite_port)?;
         self.service_backend_zone(
@@ -733,7 +750,9 @@ impl DnsConfigBuilder {
 
 #[cfg(test)]
 mod test {
-    use super::{DnsConfigBuilder, DnsRecord, Host, ServiceName};
+    use super::{
+        DnsConfigBuilder, DnsRecord, Host, HostSwitchZonePorts, ServiceName,
+    };
     use crate::{config::Zone, names::DNS_ZONE};
     use omicron_common::api::external::Generation;
     use omicron_uuid_kinds::{OmicronZoneUuid, SledUuid};
@@ -818,10 +837,12 @@ mod test {
             .host_zone_switch(
                 sled_uuid,
                 switch_zone_ip,
-                dendrite_port,
-                mgs_port,
-                mgd_port,
-                ddm_port,
+                HostSwitchZonePorts {
+                    dendrite: dendrite_port,
+                    mgs: mgs_port,
+                    mgd: mgd_port,
+                    ddm: ddm_port,
+                },
             )
             .unwrap();
 

internal-dns/types/src/config.rs

@@ -322,7 +322,7 @@ impl<N: NexusServer> ControlPlaneTestContext<N> {
             mgd.cleanup().await.unwrap();
         }
         for (_, mut ddm) in self.ddm {
-            ddm.cleanup().await;
+            ddm.cleanup().await.unwrap();
         }
         self.logctx.cleanup_successful();
     }

nexus/test-utils/src/nexus_test.rs

@@ -23,6 +23,7 @@ use futures::future::BoxFuture;
 use gateway_test_utils::setup::GatewayTestContext;
 use iddqd::IdOrdMap;
 use internal_dns_types::config::DnsConfigBuilder;
+use internal_dns_types::config::HostSwitchZonePorts;
 use internal_dns_types::names::DNS_ZONE_EXTERNAL_TESTING;
 use internal_dns_types::names::ServiceName;
 use nexus_config::Database;
@@ -492,10 +493,18 @@ impl<'a, N: NexusServer> ControlPlaneStarter<'a, N> {
             .host_zone_switch(
                 sled_id,
                 Ipv6Addr::LOCALHOST,
-                self.dendrite.read().unwrap().get(&switch_slot).unwrap().port,
-                self.gateway.get(&switch_slot).unwrap().port,
-                self.mgd.get(&switch_slot).unwrap().port,
-                self.ddm.get(&switch_slot).unwrap().port,
+                HostSwitchZonePorts {
+                    dendrite: self
+                        .dendrite
+                        .read()
+                        .unwrap()
+                        .get(&switch_slot)
+                        .unwrap()
+                        .port,
+                    mgs: self.gateway.get(&switch_slot).unwrap().port,
+                    mgd: self.mgd.get(&switch_slot).unwrap().port,
+                    ddm: self.ddm.get(&switch_slot).unwrap().port,
+                },
             )
             .unwrap()
     }
@@ -1307,7 +1316,7 @@ impl<'a, N: NexusServer> ControlPlaneStarter<'a, N> {
             mgd.cleanup().await.unwrap();
         }
         for (_, mut ddm) in self.ddm {
-            ddm.cleanup().await;
+            ddm.cleanup().await.unwrap();
         }
         self.logctx.cleanup_successful();
     }

nexus/test-utils/src/starter.rs

@@ -155,10 +155,7 @@ pub fn blueprint_internal_dns_config(
         dns_builder.host_zone_switch(
             scrimlet.id(),
             switch_zone_ip,
-            overrides.dendrite_port(scrimlet.id()),
-            overrides.mgs_port(scrimlet.id()),
-            overrides.mgd_port(scrimlet.id()),
-            overrides.ddm_port(scrimlet.id()),
+            overrides.host_switch_zone_ports(scrimlet.id()),
         )?;
     }
 

nexus/types/src/deployment/execution/dns.rs

@@ -2,6 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
+use internal_dns_types::config::HostSwitchZonePorts;
 use omicron_common::address::DDMD_PORT;
 use omicron_common::address::DENDRITE_PORT;
 use omicron_common::address::Ipv6Subnet;
@@ -80,6 +81,22 @@ impl Overridables {
         self.ddm_ports.get(&sled_id).copied().unwrap_or(DDMD_PORT)
     }
 
+    /// Returns the per-switch-zone service ports for this sled.
+    ///
+    /// Bundles the four switch-zone admin ports into a single
+    /// [`HostSwitchZonePorts`] so callers cannot swap fields by accident.
+    pub fn host_switch_zone_ports(
+        &self,
+        sled_id: SledUuid,
+    ) -> HostSwitchZonePorts {
+        HostSwitchZonePorts {
+            dendrite: self.dendrite_port(sled_id),
+            mgs: self.mgs_port(sled_id),
+            mgd: self.mgd_port(sled_id),
+            ddm: self.ddm_port(sled_id),
+        }
+    }
+
     /// Specify the IP address of this switch zone
     pub fn override_switch_zone_ip(
         &mut self,