[multicast] connect MGD and DDM to Omicron

Wires MGD (MRIB programming) and DDM (live peer topology for
sled-to-switch-port resolution) into the multicast reconciler RPW. The
reconciler resolves sled-to-port mapping via DDM peers (primary, live
source) and falls back to inventory + DPD backplane when DDM is
unavailable. MRIB routes are advertised through MGD and withdrawn when
no "Joined" members remain.

Multicast is *instance networking* under the planned migration of
system-level networking from Nexus RPWs to sled-agent reconcilers
([omicron#10167](#10167
)).

### Sled-side underlay NIC filter programming

- `set_mcast_m2p` / `clear_mcast_m2p` in the OPTE port manager hold UDP
  sockets joined to the underlay multicast group on each underlay NIC.
  Joining the group on a held socket triggers `mac_multicast_add` in the
  kernel, which programs the per-NIC multicast MAC filter so cxgbe
  delivers frames to xde. Workaround for opte#908.
- Eager rehydration at sled-agent startup reopens those filter sockets
  for M2P entries that survive in xde across a restart. Rehydration
  failures clear the surviving M2P entry so convergence retries on the
  next pass instead of black-holing the group.

### Switch-zone integration

- New `MulticastSwitchZoneClient` fans out per-switch MGD and DDM
  clients, discovered via internal DNS SRV records. The reconciler uses
  it for MRIB writes and live peer queries (consuming the
  ddm-admin-client `GET /peers` endpoint that returns `if_name` / port
  info per peer).
- `ServiceName::Ddm` registered in internal DNS via `host_zone_switch`
  (now takes a `ddm_port`) so cross-sled consumers can discover `ddmd`
  in switch zones. RSS, the test starter, and `overridables_for_test`
  thread the new port through. The multicast reconciler is the first
  cross-sled consumer; previously, all `DdmAdminClient` callers were
  sled-local via `DdmAdminClient::localhost`.
- Resolver helper preserves SRV target names alongside resolved sockets,
  enabling per-target correlation when multiple switch zones share an
  address but differ by port.

*Note*: the first reconciler pass after upgrade publishes one new 
`_ddm._tcp` SRV record per switch zone, causing a one-time DNS generation 
bump.

### Instance-scoped multicast subscriptions

- v36 (`VERSION_MCAST_M2P_FORWARDING`) introduces
  `PUT/DELETE /instances/{instance_id}/multicast-group`, replacing the
  earlier VMM-keyed `/vmms/{propolis_id}/multicast-group` shape.
  Sled-agent resolves the active VMM under its instance-state lock and
  dispatches to OPTE atomically, eliminating a Nexus-side lookup-vs-call
  race where a migration commit could land subscriptions on a stale
  propolis.
- v7 endpoints remain on the trait as deprecated shims that perform the
  propolis-to-instance lookup and delegate to the new handler.
- Nexus drops `cached_propolis_id` and `lookup_propolis_id` plumbing
  through the reconciler entirely. `subscribe_vmm` / `unsubscribe_vmm`
  become `subscribe_instance` / `unsubscribe_instance`. 

### Per-pass sled-to-port resolution

Delivers the design captured in the prior TODO: prefer DDM's
authoritative view of sled-to-port reachability over inventory, with
inventory as cross-validation rather than the primary input.

- Replaces the previous TTL'd sled-mapping cache with a single-pass
  amortization built once at the top of the member reconciler pass and
  threaded through the per-pass reconciler context.
- DDM peer topology is the primary source. Inventory + DPD backplane is
  the fallback and supplements partial DDM coverage (per-sled gap-fill)
  rather than being all-or-nothing.
- Parsed peer port IDs are cross-validated against the DPD backplane
  map.
- Sequential per-switch fallback for shared-state DPD reads (backplane
  map, underlay group fetch), so a single unhealthy switch can't fail
  the whole read.

### Saga and RPW interaction

- Saga state guard widened: the DPD-ensure saga accepts "Active" as
  well as "Creating" so crash-recovery re-execution doesn't roll back
  already-applied DPD state.
- `instance_stop` detaches multicast members and activates the
  reconciler only after sled-agent acknowledges the Stop request,
  avoiding M2P / forwarding teardown for a still-running guest if Stop
  fails.

### Test updates

- Integration coverage for MRIB programming, DDM-vs-inventory drift,
  saga idempotent crash-recovery, per-switch invariant checks, and
  underlay MAC filter lifecycle.
- New `populate_ddm_peers` test helper synthesizes DDM peer topology
  from datastore + inventory so tests exercise the production primary
  path instead of the inventory fallback that an empty `DdmInstance`
  would otherwise force. Cache keyed on the in-service sled-set so
  multi-sled fixtures rebuild on sled transitions.

Author: zeeshanlakhani

Cargo.lock

@@ -493,7 +493,7 @@ digest = "0.10.7"
 dns-server = { path = "dns-server" }
 dns-server-api = { path = "dns-server-api" }
 dns-service-client = { path = "clients/dns-service-client" }
-dpd-client = { git = "https://github.com/oxidecomputer/dendrite", rev = "1ddaa5d6b101fbaa2c29eca847111cbef1a272ad" }
+dpd-client = { git = "https://github.com/oxidecomputer/dendrite", rev = "e10e4f5a993fe950ab1b478abb5dcbfa7aa92091" }
 dropshot = { version = "0.16.6", features = [ "usdt-probes" ] }
 dropshot-api-manager = "0.6.0"
 dropshot-api-manager-types = "0.6.0"
@@ -599,8 +599,8 @@ ntp-admin-api = { path = "ntp-admin/api" }
 ntp-admin-client = { path = "clients/ntp-admin-client" }
 ntp-admin-types = { path = "ntp-admin/types" }
 ntp-admin-types-versions = { path = "ntp-admin/types/versions" }
-mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "4d1f20f793da102b29b914569725ebc9fdf746dd" }
-ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "4d1f20f793da102b29b914569725ebc9fdf746dd" }
+mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "c3c3032f8bdc91d6faf2b36e05b8375a0980765c" }
+ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "c3c3032f8bdc91d6faf2b36e05b8375a0980765c" }
 multimap = "0.10.1"
 nexus-auth = { path = "nexus/auth" }
 nexus-background-task-interface = { path = "nexus/background-task-interface" }
@@ -737,7 +737,7 @@ rats-corim = { git = "https://github.com/oxidecomputer/rats-corim.git", rev = "f
 raw-cpuid = { git = "https://github.com/oxidecomputer/rust-cpuid.git", rev = "a4cf01df76f35430ff5d39dc2fe470bcb953503b" }
 rayon = "1.10"
 rcgen = "0.12.1"
-rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "4d1f20f793da102b29b914569725ebc9fdf746dd" }
+rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "c3c3032f8bdc91d6faf2b36e05b8375a0980765c" }
 reconfigurator-cli = { path = "dev-tools/reconfigurator-cli" }
 reedline = "0.40.0"
 ref-cast = "1.0"

Cargo.toml

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2023 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 #![allow(clippy::redundant_closure_call)]
 #![allow(clippy::needless_lifetimes)]
@@ -107,6 +107,40 @@ impl Client {
         self.inner.enable_stats(request).await.map(|resp| resp.into_inner())
     }
 
+    /// Returns DDM peer information including interface names.
+    ///
+    /// The `if_name` field on each peer provides a live sled-to-port
+    /// mapping, identifying which switch port a peer sled is connected
+    /// through (e.g., `"tfportrear0_0"`).
+    pub async fn get_peers(
+        &self,
+    ) -> Result<
+        std::collections::HashMap<String, types::PeerInfo>,
+        Error<types::Error>,
+    > {
+        self.inner.get_peers().await.map(|resp| resp.into_inner())
+    }
+
+    /// Returns multicast routes learned from DDM peers.
+    ///
+    /// Each route includes the origin (overlay/underlay mapping),
+    /// the nexthop peer that advertised it, and the path vector.
+    pub async fn get_multicast_groups(
+        &self,
+    ) -> Result<Vec<types::MulticastRoute>, Error<types::Error>> {
+        self.inner.get_multicast_groups().await.map(|resp| resp.into_inner())
+    }
+
+    /// Returns multicast origins that this DDM instance is advertising.
+    pub async fn get_originated_multicast_groups(
+        &self,
+    ) -> Result<Vec<types::MulticastOrigin>, Error<types::Error>> {
+        self.inner
+            .get_originated_multicast_groups()
+            .await
+            .map(|resp| resp.into_inner())
+    }
+
     /// Returns the addresses of connected sleds.
     ///
     /// Note: These sleds have not yet been verified.

clients/ddm-admin-client/src/lib.rs

@@ -2543,6 +2543,8 @@ impl Vni {
     ///
     /// This is a low-numbered VNI to avoid colliding with user VNIs.
     /// However, it is not in the Oxide-reserved range yet.
+    ///
+    /// Should match `oxide_vpc::api::DEFAULT_MULTICAST_VNI`.
     pub const DEFAULT_MULTICAST_VNI: Self = Self(77);
 
     /// Oxide reserves a slice of initial VNIs for its own use.

common/src/api/external/mod.rs

@@ -29,6 +29,7 @@ Crucible Pantry (client: crucible-pantry-client)
 Maghemite DDM Admin (client: ddm-admin-client)
     consumed by: installinator (omicron/installinator) via 1 path
     consumed by: mgd (maghemite/mgd) via 1 path
+    consumed by: omicron-nexus (omicron/nexus) via 1 path
     consumed by: omicron-sled-agent (omicron/sled-agent) via 1 path
     consumed by: wicketd (omicron/wicketd) via 1 path
 

dev-tools/ls-apis/tests/api_dependencies.out

@@ -656,7 +656,7 @@ task: "bfd_manager"
   configured period: every <REDACTED_DURATION>s
   last completed activation: <REDACTED ITERATIONS>, triggered by <TRIGGERED_BY_REDACTED>
     started at <REDACTED_TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
-    last completion reported error: failed to resolve addresses for Dendrite services: proto error: no records found for Query { name: Name("_dendrite._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
+    last completion reported error: failed to resolve addresses for Dendrite services: proto error: no records found for Query { name: Name("_mgs._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
 
 task: "blueprint_planner"
   configured period: every <REDACTED_DURATION>m
@@ -1342,7 +1342,7 @@ task: "bfd_manager"
   configured period: every <REDACTED_DURATION>s
   last completed activation: <REDACTED ITERATIONS>, triggered by <TRIGGERED_BY_REDACTED>
     started at <REDACTED_TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
-    last completion reported error: failed to resolve addresses for Dendrite services: proto error: no records found for Query { name: Name("_dendrite._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
+    last completion reported error: failed to resolve addresses for Dendrite services: proto error: no records found for Query { name: Name("_mgs._tcp.control-plane.oxide.internal."), query_type: SRV, query_class: IN }
 
 task: "blueprint_planner"
   configured period: every <REDACTED_DURATION>m

dev-tools/omdb/tests/successes.out

@@ -41,6 +41,17 @@ use std::net::IpAddr;
 use std::net::Ipv4Addr;
 use std::net::Ipv6Addr;
 
+// `oxide_vpc::api::DEFAULT_MULTICAST_VNI` and
+// `omicron_common::api::external::Vni::DEFAULT_MULTICAST_VNI` live in sibling
+// crates that cannot reference each other's constant. They must stay
+// numerically equal: the MRIB, M2P mappings, and OPTE all route on this
+// value, so any divergence would black-hole multicast traffic.
+const _: () = assert!(
+    oxide_vpc::api::DEFAULT_MULTICAST_VNI
+        == omicron_common::api::external::Vni::DEFAULT_MULTICAST_VNI.as_u32(),
+    "oxide_vpc::api::DEFAULT_MULTICAST_VNI must equal omicron_common Vni::DEFAULT_MULTICAST_VNI",
+);
+
 /// Information about the gateway for an OPTE port
 #[derive(Debug, Clone, Copy)]
 #[allow(dead_code)]