[multicast] M2P forwarding, OPTE port subscription, and sled-agent propagation#10070
Open
zeeshanlakhani wants to merge 20 commits into
Open
[multicast] M2P forwarding, OPTE port subscription, and sled-agent propagation#10070zeeshanlakhani wants to merge 20 commits into
zeeshanlakhani wants to merge 20 commits into
Conversation
3efe7fa to
98e9742
Compare
Collaborator
Author
|
Note: Both |
98e9742 to
b510a9f
Compare
jgallagher
reviewed
Mar 24, 2026
b510a9f to
1402d4d
Compare
Collaborator
Author
|
|
102d7fb to
043af28
Compare
FelixMcFelix
left a comment
Contributor
There was a problem hiding this comment.
I'm going to be posting comments in chunks given the apparent size of the PR, so please bear with me there if I miss something that's covered by a later file. Apart from that I'm seeing various changes from main interspersed here, so I don't know if something is up with the branch targeting.
…main builds Bump maghemite and OPTE to versions with the latest multicast support. OPTE now has the option to be installed via p5p package override from buildomat rather than directly downloading xde/opteadm binaries. The override mechanism (tools/opte_version_override) is sourced and packaged for use with install_opte.sh, deploy.sh, releng, and CI to install the unpublished OPTE build until it lands in the helios pkg repo. Note: CI check added to reject OPTE_COMMIT override on PRs targeting main.
043af28 to
9cdf741
Compare
…opagation
This completes the multicast data path by adding per-sled M2P (multicast-to-
physical) mapping, forwarding entry management, and OPTE port subscription
for multicast group members.
## Sled-agent + API update(s)
- Add multicast endpoints at API v33 (MCAST_M2P_FORWARDING) for M2P,
forwarding, and per-VMM subscribe/unsubscribe
- Version v7 join/leave endpoints to v7..v33 with shim conversion
- Move multicast types from omicron-common to sled-agent-types-versions
v33 module (mcast_m2p_forwarding) with re-exports through sled-agent-types
- OPTE port_manager gains set/clear operations for M2P and forwarding
- Port subscription cleanup on PortTicket release
- Consolidate per-port mutable state (eip_gateways, mcast) into PortState
- Seed eip_gateways from global map on port creation to prevent stale
gateway state on newly created ports
- Lock ordering documented for ports, routes, eip_gateways
## Nexus
- New `sled.rs` (MulticastSledClient) encapsulating all sled-agent
multicast interactions: subscribe/unsubscribe, M2P/forwarding
propagation and teardown
- Groups RPW propagates M2P and forwarding entries to all member sleds
after DPD configuration, with convergent retry on failure
- Members RPW uses MemberReconcileCtx to thread shared reconciliation
state. Handles subscribe on join, unsubscribe on leave, and
re-subscribe on migration
- `subscribe_vmm` gracefully handles missing propolis (mirrors unsubscribe)
- `lookup_propolis_id` returns Ok(None) for missing instance
- `lookup_and_update_member_sled_id` surfaces DB errors instead of
swallowing them
- Order-independent forwarding comparison to avoid spurious dataplane churn;
always create forwarding entries for active groups even with empty next-hops
- Dataplane client updated for bifurcated replication groups
## illumos-utils
- Remove CIDR allow rules for multicast (handled by OPTE gateway layer)
- Reject Reserved replication mode in `list_mcast_fwd` with
InvalidMcastForwardingState error
- Consolidate error variants into InvalidMcastUnderlay
## Tests
- Integration tests for M2P/forwarding/subscribe lifecycle
- Instance migration multicast re-convergence
9cdf741 to
18943d0
Compare
FelixMcFelix
left a comment
Contributor
There was a problem hiding this comment.
Thanks Zeeshan; I haven't looked at integration_tests/multicast/networking_integration.rs, but otherwise some thoughts going through the work.
Changes: - Remove global eip_gateways map from PortManagerInner, as the VPC route manager RPW activates after instance start - Refactor member reconciler methods to take &MemberReconcileCtx - Change forwarding next hop from member sleds to a single switch zone IP - Add resolver to MulticastSledClient for switch zone address lookup
ee88e45 to
46eb139
Compare
46eb139 to
6b07a46
Compare
50333e8 to
dfda50f
Compare
…nd per-group source IP caps New nexus external API version 2026_05_16_00 (MULTICAST_SOURCE_LIMITS) splits the multicast group join endpoint to introduce two policy bounds: - MAX_SOURCE_IPS_PER_MEMBER (32): caps a single member's source filter list and rejects duplicate entries explicitly rather than silently deduplicating. - MAX_SOURCE_IPS_PER_GROUP (256): caps the union of source IPs across all active members of a group. Enforced atomically inside the member-attach CTE plus a preflight check at the Nexus app layer for a descriptive 400. Both caps apply whenever a member declares a non-empty source list, covering SSM groups and ASM members using INCLUDE-mode source filtering. This quantifies and qualifies the Oxide policy framing alongside Linux igmp_max_msf and FreeBSD maxsocksrc precedent, while also giving us a threshold to go off on the switch side of things.
…nto m2p-forwarding
FelixMcFelix
approved these changes
May 22, 2026
FelixMcFelix
left a comment
Contributor
There was a problem hiding this comment.
Some nits, but otherwise this looks to be setting up OPTE correctly from what I can understand. Thanks for iterating here Zeeshan.
…actual opte-api check)
Comment on lines
+1139
to
+1146
| # TODO: This patch is a symptom of the broader maghemite -> omicron | ||
| # self-reference loop (maghemite depends on oximeter-producer, which pulls | ||
| # nexus-client -> nexus-types from omicron@main and not a rev). @jgallagher | ||
| # flagged this in review; @bnaecker suggested extracting oximeter-producer | ||
| # out of omicron to break it. When that lands, this patch (and any | ||
| # duplicated path+git entries for illumos-utils, nexus-types, etc.) can be | ||
| # removed. | ||
| oxlog = { path = "dev-tools/oxlog" } |
Contributor
There was a problem hiding this comment.
Putting a comment here so this isn't lost.
06e3d58 to
e328074
Compare
bcf5a6c to
02064d2
Compare
zeeshanlakhani
added a commit
that referenced
this pull request
May 26, 2026
Final, pre-review pass on this work. It stacks atop #10070 and inherits the multicast-to-physical (M2P) underlay forwarding and VMM-keyed instance subscription endpoints. This also builds on and integrates #10381. Above these foundations, this work includes the final pass on mgd-ddmd integration: * Reconciler correctness: * `set_mcast_m2p` rolls back the xde M2P entry on per-NIC join failure, so the reconciler converges on a retry instead of leaving stale state pointing at the wrong underlay address. * `propolis_id` is threaded end-to-end through the sled-agent multicast endpoints to deal with live migration ambiguity. * MRIB advertisement is gated on a flag rather than running unconditionally after the DPD match arm, so that a DPD failure no longer leaves a route advertised via DDM with no programmed forwarding state. * OPTE hardening (illumos-utils): * M2P entries upserted into a `BTreeMap<IpAddr, MulticastUnderlay>` rather than a Vec on the non-illumos mock, eliminating duplicate-key corner cases the production map already avoided. * `MulticastFilterMap` encapsulates the per-NIC filter socket and refcount state previously open-coded inside `PortManagerInner`, concentrating the "join socket per underlay group per NIC" invariant into one singular type. * underlay_nics typed as &[AddrObject] rather than &[String]. * Per-NIC IPV6_JOIN_GROUP calls converted from libc::setsockopt to nix::sys::socket::setsockopt for the typed bind. * Sled-agent (real and sim): * Sim v7 multicast endpoints fall through to the trait defaults instead of overriding with just `unimplemented!()`, matching how other versioned endpoints behave in the sim. * Sim VMM existence check on join/leave restored. * Configuration: * `MulticastGroupReconcilerConfig` gains a group_concurrency_limit and member_concurrency_limit bounding the per-pass fan-out of the RPW's buffer_unordered streams. * Test infra: * `populate_ddm_peers` no longer caches the peer map. The previous cache was keyed by sled-id set, but the synthesized port names embedded each sled's `sp_slot` from inventory, so cache reuse within the same sled set could produce stale port mappings. * Documentation cleanup across the RPW, sled-agent multicast paths, and the new(er) sled-agent types module.
zeeshanlakhani
added a commit
that referenced
this pull request
May 26, 2026
Final, pre-review pass on this work. It stacks atop #10070 and inherits the multicast-to-physical (M2P) underlay forwarding and VMM-keyed instance subscription endpoints. This also builds on and integrates #10381. Above these foundations, this work includes the final pass on mgd-ddmd integration: * Reconciler correctness: * `set_mcast_m2p` rolls back the xde M2P entry on per-NIC join failure, so the reconciler converges on a retry instead of leaving stale state pointing at the wrong underlay address. * `propolis_id` is threaded end-to-end through the sled-agent multicast endpoints to deal with live migration ambiguity. * MRIB advertisement is gated on a flag rather than running unconditionally after the DPD match arm, so that a DPD failure no longer leaves a route advertised via DDM with no programmed forwarding state. * OPTE hardening (illumos-utils): * M2P entries upserted into a `BTreeMap<IpAddr, MulticastUnderlay>` rather than a Vec on the non-illumos mock, eliminating duplicate-key corner cases the production map already avoided. * `MulticastFilterMap` encapsulates the per-NIC filter socket and refcount state previously open-coded inside `PortManagerInner`, concentrating the "join socket per underlay group per NIC" invariant into one singular type. * underlay_nics typed as &[AddrObject] rather than &[String]. * Per-NIC IPV6_JOIN_GROUP calls converted from libc::setsockopt to nix::sys::socket::setsockopt for the typed bind. * Sled-agent (real and sim): * Sim v7 multicast endpoints fall through to the trait defaults instead of overriding with just `unimplemented!()`, matching how other versioned endpoints behave in the sim. * Sim VMM existence check on join/leave restored. * Configuration: * `MulticastGroupReconcilerConfig` gains a group_concurrency_limit and member_concurrency_limit bounding the per-pass fan-out of the RPW's buffer_unordered streams. * Test infra: * `populate_ddm_peers` no longer caches the peer map. The previous cache was keyed by sled-id set, but the synthesized port names embedded each sled's `sp_slot` from inventory, so cache reuse within the same sled set could produce stale port mappings. * Documentation cleanup across the RPW, sled-agent multicast paths, and the new(er) sled-agent types module.
FelixMcFelix
approved these changes
May 26, 2026
FelixMcFelix
left a comment
Contributor
There was a problem hiding this comment.
Re-approved, pending the one open TODO comment.
zeeshanlakhani
added a commit
that referenced
this pull request
May 26, 2026
Final, pre-review pass on this work. It stacks atop #10070 and inherits the multicast-to-physical (M2P) underlay forwarding and VMM-keyed instance subscription endpoints. This also builds on and integrates #10381. Above these foundations, this work includes the final pass on mgd-ddmd integration: * Reconciler correctness: * `set_mcast_m2p` rolls back the xde M2P entry on per-NIC join failure, so the reconciler converges on a retry instead of leaving stale state pointing at the wrong underlay address. * `propolis_id` is threaded end-to-end through the sled-agent multicast endpoints to deal with live migration ambiguity. * MRIB advertisement is gated on a flag rather than running unconditionally after the DPD match arm, so that a DPD failure no longer leaves a route advertised via DDM with no programmed forwarding state. * OPTE hardening (illumos-utils): * M2P entries upserted into a `BTreeMap<IpAddr, MulticastUnderlay>` rather than a Vec on the non-illumos mock, eliminating duplicate-key corner cases the production map already avoided. * `MulticastFilterMap` encapsulates the per-NIC filter socket and refcount state previously open-coded inside `PortManagerInner`, concentrating the "join socket per underlay group per NIC" invariant into one singular type. * underlay_nics typed as &[AddrObject] rather than &[String]. * Per-NIC IPV6_JOIN_GROUP calls converted from libc::setsockopt to nix::sys::socket::setsockopt for the typed bind. * Sled-agent (real and sim): * Sim v7 multicast endpoints fall through to the trait defaults instead of overriding with just `unimplemented!()`, matching how other versioned endpoints behave in the sim. * Sim VMM existence check on join/leave restored. * Configuration: * `MulticastGroupReconcilerConfig` gains a group_concurrency_limit and member_concurrency_limit bounding the per-pass fan-out of the RPW's buffer_unordered streams. * Test infra: * `populate_ddm_peers` no longer caches the peer map. The previous cache was keyed by sled-id set, but the synthesized port names embedded each sled's `sp_slot` from inventory, so cache reuse within the same sled set could produce stale port mappings. * Documentation cleanup across the RPW, sled-agent multicast paths, and the new(er) sled-agent types module.
868c08a to
08d7141
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Complete the multicast data path by adding per-sled M2P (multicast-to- physical) mapping, forwarding entry management, and OPTE port subscription for multicast group members.
Sled-agent:
multicast_subscribe/multicast_unsubscribeendpoints (API v29) that configure M2P, forwarding, and OPTE port subscription for a VMMNexus:
sled.rs(MulticastSledClient) encapsulating all sled-agent multicast interactions: subscribe/unsubscribe, M2P/forwarding propagation and teardownTests: