Merge branch 'main' into fix/direct-dep-features

Author: jayzhudev

crates/agent/src/ethernet_virtualization.rs

@@ -34,6 +34,7 @@ use carbide_network::ip::prefix::Ipv4Net;
 use carbide_network::virtualization::{VpcVirtualizationType, build_dual_stack_list};
 use eyre::WrapErr;
 use mac_address::MacAddress;
+use nvue_client::client::NvueClientError;
 use nvue_client::{NvueClient, NvueConfig};
 use serde::Deserialize;
 use tokio::process::Command as TokioCommand;
@@ -145,8 +146,54 @@ struct PostAction {
 }
 
 pub enum NvueUpdateFlavor<'a> {
-    StartupFile { hbn_root: &'a Path, skip_post: bool },
-    RestApi { nvue_client: &'a NvueClient },
+    StartupFile {
+        hbn_root: &'a Path,
+        skip_post: bool,
+    },
+    RestApi {
+        nvue_context: &'a mut NvueClientContext,
+    },
+}
+
+/// The NVUE client and other information associated with it.
+pub struct NvueClientContext {
+    pub nvue_client: NvueClient,
+    pub last_applied_hash: Option<u64>,
+}
+
+impl NvueClientContext {
+    pub fn new(nvue_client: NvueClient) -> Self {
+        let last_applied_hash = None;
+        Self {
+            nvue_client,
+            last_applied_hash,
+        }
+    }
+
+    // Wrap the inner nvue_client's `push_config()` and try to avoid re-applying
+    // a configuration we're already using. Returns Ok(Some(revision_id)) on
+    // a change, Ok(None) if the config was unchanged, and otherwise passes
+    // through errors from the inner client.
+    pub async fn update_config(
+        &mut self,
+        config: &NvueConfig,
+    ) -> Result<Option<String>, NvueClientError> {
+        let new_hash = config.u64_hash();
+
+        if let Some(last_applied_hash) = self.last_applied_hash
+            && new_hash == last_applied_hash
+        {
+            Ok(None)
+        } else {
+            self.nvue_client
+                .push_config(config)
+                .await
+                .map(|revision_id| {
+                    self.last_applied_hash.replace(new_hash);
+                    Some(revision_id)
+                })
+        }
+    }
 }
 
 /// Converts an RPC routing profile into the NVUE renderer model.
@@ -197,7 +244,8 @@ pub async fn update_nvue(
 ) -> eyre::Result<bool> {
     let hbn_version = match update_flavor {
         NvueUpdateFlavor::StartupFile { .. } => hbn::read_version().await?,
-        NvueUpdateFlavor::RestApi { nvue_client } => nvue_client
+        NvueUpdateFlavor::RestApi { ref nvue_context } => nvue_context
+            .nvue_client
             .system_build_info()
             .await
             .map_err(|e| eyre::eyre!("Couldn't get HBN version from NVUE: {e}"))
@@ -570,15 +618,19 @@ pub async fn update_nvue(
             }
             Ok(true)
         }
-        NvueUpdateFlavor::RestApi { nvue_client } => {
+        NvueUpdateFlavor::RestApi { nvue_context } => {
             let config = NvueConfig::from_yaml(&next_contents)
                 .map_err(|e| eyre::eyre!("Couldn't parse NVUE config as YAML: {e}"))?;
-            let revision_id = nvue_client
-                .push_config(&config)
+            let revision_id = nvue_context
+                .update_config(&config)
                 .await
                 .map_err(|e| eyre::eyre!("Couldn't push new config to NVUE server: {e}"))?;
-            tracing::debug!(revision_id, "Applied NVUE config via REST API");
-            Ok(true)
+            if let Some(revision_id) = revision_id {
+                tracing::debug!(revision_id, "Applied NVUE config via REST API");
+                Ok(true)
+            } else {
+                Ok(false)
+            }
         }
     }
 }

crates/agent/src/main_loop.rs

@@ -49,7 +49,7 @@ use crate::dpu::interface::Interface;
 use crate::dpu::route::{DpuRoutePlan, IpRoute, Route};
 use crate::duppet::{SummaryFormat, SyncOptions};
 use crate::ethernet_virtualization::{
-    InterfaceTranslationMode, NvueUpdateFlavor, ServiceAddresses,
+    InterfaceTranslationMode, NvueClientContext, NvueUpdateFlavor, ServiceAddresses,
 };
 use crate::fmds_client::FmdsUpdater;
 use crate::health::HealthCheckParams;
@@ -221,11 +221,12 @@ pub async fn setup_and_run(
         // We have eight cores. Letting ovs_vswitchd have one is OK.
     };
 
-    let nvue_client = match options.hbn_config_mode {
+    let nvue_context = match options.hbn_config_mode {
         HbnConfigMode::ContainerExec => None,
         HbnConfigMode::NvueRest => {
             let nvue_client = nvue_client::NvueClient::new_https_from_env()?;
-            Some(nvue_client)
+            let nvue_context = NvueClientContext::new(nvue_client);
+            Some(nvue_context)
         }
     };
 
@@ -376,7 +377,7 @@ pub async fn setup_and_run(
         close_sender,
         network_monitor_handle,
         extension_service_manager,
-        nvue_client,
+        nvue_context,
         dhcp_interface_translation_mode,
     };
 
@@ -409,7 +410,7 @@ struct MainLoop {
     network_monitor_handle: Option<JoinHandle<()>>,
     close_sender: watch::Sender<bool>,
     extension_service_manager: extension_services::ExtensionServiceManager,
-    nvue_client: Option<nvue_client::NvueClient>,
+    nvue_context: Option<NvueClientContext>,
     dhcp_interface_translation_mode: Option<InterfaceTranslationMode>,
 }
 
@@ -558,10 +559,11 @@ impl MainLoop {
                 if self.is_hbn_up {
                     // First thing is to read the existing HBN version and properly set the hbn device names
                     // associated with that version.
-                    let hbn_version = match self.nvue_client.as_mut() {
+                    let hbn_version = match self.nvue_context.as_mut() {
                         None => hbn::read_version().await?,
-                        Some(nvue_client) => {
-                            let nvue_system_build = nvue_client.system_build_info().await?;
+                        Some(nvue_context) => {
+                            let nvue_system_build =
+                                nvue_context.nvue_client.system_build_info().await?;
                             match nvue_system_build.strip_prefix("HBN ") {
                                 Some(hbn_version) => Ok(hbn_version.into()),
                                 None => Err(eyre::format_err!(
@@ -680,8 +682,8 @@ impl MainLoop {
                         };
 
                         if bridging_result.is_ok() {
-                            let update_flavor = match self.nvue_client.as_ref() {
-                                Some(nvue_client) => NvueUpdateFlavor::RestApi { nvue_client },
+                            let update_flavor = match self.nvue_context.as_mut() {
+                                Some(nvue_context) => NvueUpdateFlavor::RestApi { nvue_context },
                                 None => NvueUpdateFlavor::StartupFile {
                                     hbn_root: &self.agent_config.hbn.root_dir,
                                     skip_post: self.agent_config.hbn.skip_reload,
@@ -783,7 +785,7 @@ impl MainLoop {
                             match ethernet_virtualization::interfaces(
                                 &conf,
                                 self.factory_mac_address,
-                                self.nvue_client.as_ref(),
+                                self.nvue_context.as_ref().map(|c| &c.nvue_client),
                             )
                             .await
                             {
@@ -826,7 +828,7 @@ impl MainLoop {
                 current_instance_config_version = status_out.instance_config_version.clone();
                 current_instance_id = status_out.instance_id.as_ref().map(|id| id.to_string());
 
-                let health_report = match self.nvue_client.as_ref() {
+                let health_report = match self.nvue_context.as_ref() {
                     None => {
                         health::health_check(HealthCheckParams {
                             hbn_root: &self.agent_config.hbn.root_dir,
@@ -840,7 +842,7 @@ impl MainLoop {
                         })
                         .await
                     }
-                    Some(nvue_client) => health::nvue_api_health(nvue_client).await,
+                    Some(nvue_context) => health::nvue_api_health(&nvue_context.nvue_client).await,
                 };
                 is_healthy = !health_report.successes.is_empty() && health_report.alerts.is_empty();
                 self.is_hbn_up = health::is_up(&health_report);

crates/api-db/src/attestation/spdm.rs

@@ -220,6 +220,13 @@ pub async fn get_attestation_status_for_machine_id(
         .await
         .map_err(|e| DatabaseError::query(query, e))?;
 
+    if attestation_status_rows.is_empty() {
+        return Err(DatabaseError::NotFoundError {
+            kind: "SPDM Attestation Record",
+            id: machine_id.to_string(),
+        });
+    }
+
     // if all passed - PASSED
     // if all cancelled - CANCELLED
     // if any failed && none not in progress - FAILED

crates/api-model/src/attestation.rs

@@ -54,6 +54,7 @@ pub mod spdm {
     use itertools::Itertools;
     use nras::{NrasError, NrasVerifierClient, ProcessedAttestationOutcome, RawAttestationOutcome};
     use serde::{Deserialize, Serialize};
+    use sha2::{Digest, Sha256};
     use sqlx::Row;
     use sqlx::postgres::PgRow;
 
@@ -96,6 +97,12 @@ pub mod spdm {
         pub completed_at: Option<DateTime<Utc>>,
     }
 
+    impl SpdmDeviceAttestation {
+        pub fn nonce_hex(&self) -> String {
+            hex::encode(Sha256::digest(self.nonce.as_bytes()))
+        }
+    }
+
     /// Major state, associated with Machine.
     #[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
     pub enum SpdmAttestationState {

crates/api-model/src/machine/mod.rs

@@ -2687,7 +2687,7 @@ pub enum HardwareHealthReportsConfig {
 pub fn dpf_based_dpu_provisioning_possible(
     state: &ManagedHostStateSnapshot,
     dpf_enabled_at_site: bool,
-    reprovisioing_case: bool,
+    reprovisioning_case: bool,
 ) -> bool {
     // DPF is disabled at site.
     if !dpf_enabled_at_site {
@@ -2703,11 +2703,19 @@ pub fn dpf_based_dpu_provisioning_possible(
         return false;
     }
 
-    // if it is reprovisioing case, initial ingestion should be done with dpf to continue
-    // reprovision.
-    if reprovisioing_case && !state.host_snapshot.dpf.used_for_ingestion {
+    // if it is reprovisioning case, initial ingestion should be done with dpf
+    // to continue or we should be trying to reprovision all the dpus (switching
+    // to DPF). Reprovisioning only a subset of DPUs cannot flip the host to DPF.
+    if reprovisioning_case
+        && !state.host_snapshot.dpf.used_for_ingestion
+        && !state
+            .dpu_snapshots
+            .iter()
+            .all(|dpu| dpu.reprovision_requested.is_some())
+    {
         tracing::info!(
-            "DPF based DPU reprovisioning is not possible because initial ingestion is not done with DPF - host {}.",
+            "DPF based DPU reprovisioning is not possible for host {} because initial ingestion is not done with DPF \
+            and not all DPUs are being reprovisioned.",
             state.host_snapshot.id
         );
         return false;

crates/api-model/src/machine/slas.rs

@@ -43,7 +43,7 @@ pub const MEASUREMENT_WAIT_FOR_MEASUREMENT: Duration = Duration::from_secs(30 *
 
 pub const SPDM_ATTESTATION_TRIGGER: Duration = Duration::from_secs(30);
 
-pub const SPDM_ATTESTATION_RESULT_POLL: Duration = Duration::from_secs(30 * 60);
+pub const SPDM_ATTESTATION_RESULT_POLL: Duration = Duration::from_secs(10 * 60);
 
 pub const START_ASSIGNMENT_CYCLE: Duration = Duration::from_secs(60);
 

crates/api/src/cfg/file.rs

@@ -643,6 +643,13 @@ pub struct CarbideConfig {
     /// hidden when the list is empty.
     #[serde(default)]
     pub web_ui_sidebar_tools: Vec<ToolLink>,
+
+    /// In-memory log history for the admin web live log viewer
+    /// (`/admin/logs`): how much recent log data to keep for
+    /// replay-on-connect and scrollback, and how many lines to send
+    /// per page to the browser.
+    #[serde(default)]
+    pub log_history: LogHistoryConfig,
 }
 
 impl CarbideConfig {
@@ -678,6 +685,40 @@ pub struct ToolLink {
     pub url: String,
 }
 
+/// In-memory log history for the admin web live log viewer
+/// (`crate::web::logs`). Bounds memory use and the page size served
+/// to the browser.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct LogHistoryConfig {
+    /// Maximum amount of recent log history to retain in memory, in
+    /// MiB. Oldest lines are evicted once the budget is exceeded.
+    /// Default 128.
+    #[serde(default = "default_log_history_max_megabytes")]
+    pub max_megabytes: usize,
+
+    /// Number of lines sent in the initial view and in each
+    /// scrollback page. Default 500.
+    #[serde(default = "default_log_history_page_size")]
+    pub page_size: usize,
+}
+
+impl Default for LogHistoryConfig {
+    fn default() -> Self {
+        Self {
+            max_megabytes: default_log_history_max_megabytes(),
+            page_size: default_log_history_page_size(),
+        }
+    }
+}
+
+fn default_log_history_max_megabytes() -> usize {
+    128
+}
+
+fn default_log_history_page_size() -> usize {
+    500
+}
+
 #[derive(Clone, Debug, Default, Deserialize, Serialize, PartialEq)]
 pub enum BgpLeafSessionPassword {
     /// Use a defined site-wide password.

crates/api/src/logging/setup.rs

@@ -77,6 +77,7 @@ pub fn setup_logging(
     debug: u8,
     extra_logfmt_event_fields: Vec<String>,
     override_logging_subscriber: Option<impl SubscriberInitExt>,
+    log_history_max_bytes: usize,
 ) -> eyre::Result<Logging> {
     // This configures emission of logs in LogFmt syntax
     // and emission of metrics
@@ -107,7 +108,7 @@ pub fn setup_logging(
 
     // Used as part of a layer for collecting + brodcasting
     // log events to the admin web UI.
-    let log_stream = LogStream::default();
+    let log_stream = LogStream::with_max_bytes(log_history_max_bytes);
 
     // == Dynamic filter for tracing enabled/disabled ==
     // This doesn't track levels but instead just enabled/disabled (when we want tracing enabled, we