`Nexus::instance_start` doesn't check that the target instance is fully created

[gjcolombo]

This was seen in stress testing of PR #5749. That PR seems to hit the problem more often than main does, for reasons we're still investigating, but it looks like it's also a bug on current main so I'm filing a separate issue for it.

This is a regression I introduced in #4194. Nexus::instance_start previously rejected attempts to start a Creating instance:

omicron/nexus/src/app/instance.rs

Lines 483 to 520 in 79fee6a

	// If the instance is already starting or running, succeed immediately
	// for idempotency. If the instance is stopped, try to start it. In all
	// other cases return an error describing the state conflict.
	//
	// The "Creating" state is not permitted here (even though a request to
	// create can include a request to start the instance) because an
	// instance that is still being created may not be ready to start yet
	// (e.g. its disks may not yet be attached).
	//
	// If the instance is stopped, the start saga will try to change the
	// instance's state to Starting and increment the instance's state
	// generation number. If this increment fails (because someone else has
	// changed the state), the saga fails. See the saga comments for more
	// details on how this synchronization works.
	match db_instance.runtime_state.state.0 {
	InstanceState::Starting | InstanceState::Running => {
	return Ok(db_instance)
	}
	InstanceState::Stopped => {}
	_ => {
	return Err(Error::conflict(&format!(
	"instance is in state {} but must be {} to be started",
	db_instance.runtime_state.state.0,
	InstanceState::Stopped
	)))
	}
	}
	let saga_params = sagas::instance_start::Params {
	serialized_authn: authn::saga::Serialized::for_opctx(opctx),
	instance: db_instance,
	ensure_network: true,
	};
	self.execute_saga::<sagas::instance_start::SagaInstanceStart>(
	saga_params,
	)
	.await?;

In 4194 I changed this path so that it checks the state of the instance's VMM but does not pay attention to the state of the instance:

omicron/nexus/src/app/instance.rs

Lines 533 to 581 in acbaf43

	let state = self
	.db_datastore
	.instance_fetch_with_vmm(opctx, &authz_instance)
	.await?;
	let (instance, vmm) = (state.instance(), state.vmm());
	if let Some(vmm) = vmm {
	match vmm.runtime.state.0 {
	InstanceState::Starting
	| InstanceState::Running
	| InstanceState::Rebooting => {
	debug!(self.log, "asked to start an active instance";
	"instance_id" => %authz_instance.id());
	return Ok(state);
	}
	InstanceState::Stopped => {
	let propolis_id = instance
	.runtime()
	.propolis_id
	.expect("needed a VMM ID to fetch a VMM record");
	error!(self.log,
	"instance is stopped but still has an active VMM";
	"instance_id" => %authz_instance.id(),
	"propolis_id" => %propolis_id);
	return Err(Error::internal_error(
	"instance is stopped but still has an active VMM",
	));
	}
	_ => {
	return Err(Error::conflict(&format!(
	"instance is in state {} but must be {} to be started",
	vmm.runtime.state.0,
	InstanceState::Stopped
	)));
	}
	}
	}
	let saga_params = sagas::instance_start::Params {
	serialized_authn: authn::saga::Serialized::for_opctx(opctx),
	db_instance: instance.clone(),
	};
	self.execute_saga::<sagas::instance_start::SagaInstanceStart>(
	saga_params,
	)
	.await?;

The if let Some(vmm) clause should have an else that checks to make sure that the instance is actually in a state where it's ready to be started (i.e. it should be in NoVmm).

At first glance the impact of this seems pretty limited: to hit it, you need to create an instance, then try to start it by name before the create saga is finished. The result that we're seeing is that the start request 500s; the other possible result, I think, is that the VM will start without all the virtual hardware you might expect, which you can recover from by stopping and restarting the instance.

[hawkw]

This issue reproduces on main (as of e4067e1) running on madrid:

2024-08-09T00:22:06.720969Z  WARN actor{name="inst7_3"}:antagonize{instance_name="inst7"}: omicron_stress::actor::instance: 158: instance start request returned result=Err(Error Response: status: 500 Internal Server Error; headers: {"content-type": "application/json", "x-request-id": "61243615-c2bd-434c-b926-e48c3886c24e", "content-length": "124", "date": "Fri, 09 Aug 2024 00:22:06 GMT"}; value: Error { error_code: Some("Internal"), message: "Internal Server Error", request_id: "61243615-c2bd-434c-b926-e48c3886c24e" })
2024-08-09T00:22:06.788471Z ERROR omicron_stress: 191: actor error: Error Response: status: 500 Internal Server Error; headers: {"content-type": "application/json", "x-request-id": "61243615-c2bd-434c-b926-e48c3886c24e", "content-length": "124", "date": "Fri, 09 Aug 2024 00:22:06 GMT"}; value: Error { error_code: Some("Internal"), message: "Internal Server Error", request_id: "61243615-c2bd-434c-b926-e48c3886c24e" }
2024-08-09T00:22:06.788550Z  INFO omicron_stress: 218: Halting actors

root@oxz_switch1:~# pilot host exec -O -c '/opt/oxide/oxlog/oxlog zones | grep nexus | xargs -L 1 /opt/oxide/oxlog/oxlog logs --current --archived | xargs -L 1 cat' 0-31 | looker -c 'r.req_id?.contains("61243615-c2bd-434c-b926-e48c3886c24e")' -l info
00:22:06.693Z INFO 25599db0-0d38-4d8b-a2d5-f9606cb19fb8 (dropshot_external): request completed
    error_message_external = Internal Server Error
    error_message_internal = saga ACTION error at node "ensure_registered": Expected exactly one SNAT IP address for an instance
    file = /home/build/.cargo/git/checkouts/dropshot-a4a923d29dccc492/52d900a/dropshot/src/server.rs:902
    latency_us = 25140133
    local_addr = 172.30.2.6:443
    method = POST
    remote_addr = 172.20.17.202:58106
    req_id = 61243615-c2bd-434c-b926-e48c3886c24e
    response_code = 500
    uri = /v1/instances/inst7/start?project=omicron-stress
root@oxz_switch1:~#

[hawkw]

FWIW, in #5749, I've changed the InstanceAndVmm::effective_state method to determine the externally-visible state based on the rules discussed in the "improving instance lifecycle's foundations" document:

omicron/nexus/db-queries/src/db/datastore/instance.rs

Lines 114 to 174 in 2ea3fe6

	// We want to only report that an instance is `Stopped` when a new
	// `instance-start` saga is able to proceed. That means that:
	match (instance_state, vmm_state) {
	// - If there's an active migration ID for the instance, *always*
	// treat its state as "migration" regardless of the VMM's state.
	//
	// This avoids an issue where an instance whose previous active
	// VMM has been destroyed as a result of a successful migration
	// out will appear to be "stopping" for the time between when that
	// VMM was reported destroyed and when the instance record was
	// updated to reflect the migration's completion.
	//
	// Instead, we'll continue to report the instance's state as
	// "migrating" until an instance-update saga has resolved the
	// outcome of the migration, since only the instance-update saga
	// can complete the migration and update the instance record to
	// point at its new active VMM. No new instance-migrate,
	// instance-stop, or instance-delete saga can be started
	// until this occurs.
	//
	// If the instance actually *has* stopped or failed before a
	// successful migration out, this is fine, because an
	// instance-update saga will come along and remove the active VMM
	// and migration IDs.
	//
	(InstanceState::Vmm, Some(_))
	if instance.runtime_state.migration_id.is_some() =>
	{
	external::InstanceState::Migrating
	}
	// - An instance with a "stopped" or "destroyed" VMM needs to be
	// recast as a "stopping" instance, as the virtual provisioning
	// resources for that instance have not been deallocated until the
	// active VMM ID has been unlinked by an update saga.
	(
	InstanceState::Vmm,
	Some(VmmState::Stopped | VmmState::Destroyed),
	) => external::InstanceState::Stopping,
	// - An instance with a "saga unwound" VMM, on the other hand, can
	// be treated as "stopped", since --- unlike "destroyed" --- a new
	// start saga can run at any time by just clearing out the old VMM
	// ID.
	(InstanceState::Vmm, Some(VmmState::SagaUnwound)) => {
	external::InstanceState::Stopped
	}
	// - An instance with no VMM is always "stopped" (as long as it's
	// not "starting" etc.)
	(InstanceState::NoVmm, _vmm_state) => {
	debug_assert_eq!(_vmm_state, None);
	external::InstanceState::Stopped
	}
	// If there's a VMM state, and none of the above rules apply, use
	// that.
	(_instance_state, Some(vmm_state)) => {
	debug_assert_eq!(_instance_state, InstanceState::Vmm);
	vmm_state.into()
	}
	// If there's no VMM state, use the instance's state.
	(instance_state, None) => instance_state.into(),
	}
	}

I've updated many of the API endpoints to use this logic for determining the instance's state. IMO, it's probably worth considering reusing that logic when solving this issue as well, so that we don't end up in a situation where the instance-start API rejects a start request and claims that the instance is in a particular state, but other APIs suggest it's in a different state. Just a thought.

(I believe the logic I've written here would have avoided this issue, btw --- it will correctly use the instance record's state when there is no active VMM, so we would have gotten Creating)