[internal-dns] fix for clickhouse zone services (#7612)

This commit fixes an issue where the `ClickhouseNative` SRV record was
pointing to both `clickhouse` and `clickhouse_cluster` IPs. This was
causing Oximeter to indiscriminately write to either single node or
cluster when both where running side by side. Additionally, we add a
record for `ClickhouseSingleServerAdmin`.

## Manual testing on a local omicron deployment

### With only single node enabled

```console
coatlicue@centzon:~/src/omicron$ pfexec zlogin oxz_clickhouse_ae7bf43d-8234-4b6f-ab3a-540685f5ba41
[Connected to zone 'oxz_clickhouse_ae7bf43d-8234-4b6f-ab3a-540685f5ba41' pts/3]
The illumos Project     helios-2.0.23078        December 2024
root@oxz_clickhouse_ae7bf43d:~# nslookup -type=SRV _clickhouse-native._tcp.control-plane.oxide.internal
;; Got recursion not available from fd00:1122:3344:1::1, trying next server
;; Got recursion not available from fd00:1122:3344:2::1, trying next server
Server:         fd00:1122:3344:3::1
Address:        fd00:1122:3344:3::1#53

Non-authoritative answer:
_clickhouse-native._tcp.control-plane.oxide.internal    service = 0 0 9000 ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal.

Authoritative answers can be found from:
ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::e

root@oxz_clickhouse_ae7bf43d:~# nslookup -type=SRV _clickhouse-admin-single-server._tcp.control-plane.oxide.internal
;; Got recursion not available from fd00:1122:3344:1::1, trying next server
;; Got recursion not available from fd00:1122:3344:2::1, trying next server
Server:         fd00:1122:3344:3::1
Address:        fd00:1122:3344:3::1#53

Non-authoritative answer:
_clickhouse-admin-single-server._tcp.control-plane.oxide.internal       service = 0 0 8888 ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal.

Authoritative answers can be found from:
ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::e
```

### With both single node and cluster enabled

```console
root@oxz_clickhouse_ae7bf43d:~# nslookup -type=SRV _clickhouse-admin-single-server._tcp.control-plane.oxide.internal
;; Got recursion not available from fd00:1122:3344:1::1, trying next server
;; Got recursion not available from fd00:1122:3344:2::1, trying next server
Server:         fd00:1122:3344:3::1
Address:        fd00:1122:3344:3::1#53

Non-authoritative answer:
_clickhouse-admin-single-server._tcp.control-plane.oxide.internal       service = 0 0 8888 ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal.

Authoritative answers can be found from:
ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::e

root@oxz_clickhouse_ae7bf43d:~# nslookup -type=SRV _clickhouse-native._tcp.control-plane.oxide.internal
;; Got recursion not available from fd00:1122:3344:1::1, trying next server
;; Got recursion not available from fd00:1122:3344:2::1, trying next server
Server:         fd00:1122:3344:3::1
Address:        fd00:1122:3344:3::1#53

Non-authoritative answer:
_clickhouse-native._tcp.control-plane.oxide.internal    service = 0 0 9000 ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal.

Authoritative answers can be found from:
ae7bf43d-8234-4b6f-ab3a-540685f5ba41.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::e

root@oxz_clickhouse_ae7bf43d:~# nslookup -type=SRV _clickhouse-admin-server._tcp.control-plane.oxide.internal
;; Got recursion not available from fd00:1122:3344:1::1, trying next server
;; Got recursion not available from fd00:1122:3344:2::1, trying next server
Server:         fd00:1122:3344:3::1
Address:        fd00:1122:3344:3::1#53

Non-authoritative answer:
_clickhouse-admin-server._tcp.control-plane.oxide.internal      service = 0 0 8888 1ebb94b9-9cc4-4c4a-8402-f758cc3b1173.host.control-plane.oxide.internal.
_clickhouse-admin-server._tcp.control-plane.oxide.internal      service = 0 0 8888 b817f829-383f-402a-be4a-b393c1afdff0.host.control-plane.oxide.internal.
_clickhouse-admin-server._tcp.control-plane.oxide.internal      service = 0 0 8888 bdc23f73-83f9-4029-a749-2375d8cb4033.host.control-plane.oxide.internal.

Authoritative answers can be found from:
1ebb94b9-9cc4-4c4a-8402-f758cc3b1173.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::26
b817f829-383f-402a-be4a-b393c1afdff0.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::27
bdc23f73-83f9-4029-a749-2375d8cb4033.host.control-plane.oxide.internal  has AAAA address fd00:1122:3344:101::28
```

#### single-node

```console
root@oxz_clickhouse_ae7bf43d:~# /opt/oxide/clickhouse/clickhouse client --host fd00:1122:3344:101::e -q "select * from oximeter.fields_string limit 5"
ddm_router:originated_tunnel_endpoints  1927403117836933753     hostname        centzon
ddm_router:originated_tunnel_endpoints  13387177631086028603    hostname        oxz_switch
ddm_router:originated_underlay_prefixes 12164380667314673492    hostname        centzon
ddm_router:originated_underlay_prefixes 9657734132044246100     hostname        oxz_switch
ddm_session:advertisements_received     5533636839163709296     hostname        centzon
```

#### cluster

```console
oximeter_cluster_1 :) select * from oximeter.fields_string limit 5

SELECT *
FROM oximeter.fields_string
LIMIT 5

Query id: c4771ce0-1b36-4f48-aca9-068ec826a67b

Ok.

0 rows in set. Elapsed: 0.002 sec. 
```

Closes: #7577

Author: karencfv

internal-dns/types/src/config.rs

@@ -399,55 +399,90 @@ impl DnsConfigBuilder {
         self.service_backend_zone(ServiceName::Mgd, &zone, mgd_port)
     }
 
-    /// Higher-level shorthand for adding a ClickHouse zone with several
+    /// Higher-level shorthand for adding a ClickHouse single node zone with
+    /// several services.
+    ///
+    /// The ClickHouse single node server exposes several interfaces on the
+    /// network. We use both a simple HTTP interface as well as a lower-level
+    /// protocol over TCP, called the "Native protocol". This method inserts a
+    /// zone and the related records for both of these services.
+    ///
+    /// `http_service` is the `ServiceName` for the HTTP service that belongs in
+    /// this zone, and `http_port` is the associated port for that service. The
+    /// native service is added automatically, using its default port.
+    ///
+    /// We also add a `ClickhouseAdminSingleServer` service.
+    ///
+    /// # Errors
+    ///
+    /// This fails if the provided `http_service` is not for a ClickHouse single
+    /// node server. It also fails if the given zone has already been added
+    /// to the configuration.
+    pub fn host_zone_clickhouse_single_node(
+        &mut self,
+        zone_id: OmicronZoneUuid,
+        http_service: ServiceName,
+        http_address: SocketAddrV6,
+    ) -> anyhow::Result<()> {
+        anyhow::ensure!(
+            http_service == ServiceName::Clickhouse,
+            "This method is only valid for the ClickHouse single node server, \
+            but we were provided the service '{http_service:?}'",
+        );
+        let zone = self.host_zone(zone_id, *http_address.ip())?;
+        self.service_backend_zone(http_service, &zone, http_address.port())?;
+
+        self.service_backend_zone(
+            ServiceName::ClickhouseNative,
+            &zone,
+            CLICKHOUSE_TCP_PORT,
+        )?;
+        self.service_backend_zone(
+            ServiceName::ClickhouseAdminSingleServer,
+            &zone,
+            CLICKHOUSE_ADMIN_PORT,
+        )
+    }
+
+    /// Higher-level shorthand for adding a ClickHouse cluster zone with several
     /// services.
     ///
     /// ClickHouse servers expose several interfaces on the network. We use both
     /// a simple HTTP interface as well as a lower-level protocol over TCP,
     /// called the "Native protocol". This method inserts a zone and the related
     /// records for both of these services.
+    /// (TODO-<https://github.com/oxidecomputer/omicron/issues/7419:> Add Native protocol
+    /// interface)
     ///
     /// `http_service` is the `ServiceName` for the HTTP service that belongs in
     /// this zone, and `http_port` is the associated port for that service. The
     /// native service is added automatically, using its default port.
     ///
-    /// For `ClickhouseServer` zones we also need to add a
-    /// `ClickhouseAdminServer` service.
+    /// We also add a `ClickhouseAdminServer` service.
     ///
     /// # Errors
     ///
-    /// This fails if the provided `http_service` is not for a ClickHouse
+    /// This fails if the provided `http_service` is not for a ClickHouse cluster
     /// replica server. It also fails if the given zone has already been added
     /// to the configuration.
-    pub fn host_zone_clickhouse(
+    pub fn host_zone_clickhouse_cluster(
         &mut self,
         zone_id: OmicronZoneUuid,
         http_service: ServiceName,
         http_address: SocketAddrV6,
     ) -> anyhow::Result<()> {
         anyhow::ensure!(
-            http_service == ServiceName::Clickhouse
-                || http_service == ServiceName::ClickhouseServer,
-            "This method is only valid for ClickHouse replica servers, \
+           http_service == ServiceName::ClickhouseServer,
+            "This method is only valid for ClickHouse cluster replica servers, \
             but we were provided the service '{http_service:?}'",
         );
         let zone = self.host_zone(zone_id, *http_address.ip())?;
         self.service_backend_zone(http_service, &zone, http_address.port())?;
         self.service_backend_zone(
-            ServiceName::ClickhouseNative,
+            ServiceName::ClickhouseAdminServer,
             &zone,
-            CLICKHOUSE_TCP_PORT,
-        )?;
-
-        if http_service == ServiceName::ClickhouseServer {
-            self.service_backend_zone(
-                ServiceName::ClickhouseAdminServer,
-                &zone,
-                CLICKHOUSE_ADMIN_PORT,
-            )?;
-        }
-
-        Ok(())
+            CLICKHOUSE_ADMIN_PORT,
+        )
     }
 
     /// Higher-level shorthand for adding a ClickhouseKeeper zone with several
@@ -687,7 +722,9 @@ mod test {
     use crate::{config::Zone, names::DNS_ZONE};
     use omicron_common::api::external::Generation;
     use omicron_uuid_kinds::{OmicronZoneUuid, SledUuid};
-    use std::{collections::BTreeMap, io::Write, net::Ipv6Addr};
+    use std::{
+        collections::BTreeMap, io::Write, net::Ipv6Addr, net::SocketAddrV6,
+    };
 
     #[test]
     fn display_srv_service() {
@@ -700,10 +737,18 @@ mod test {
             ServiceName::ClickhouseAdminServer.dns_name(),
             "_clickhouse-admin-server._tcp",
         );
+        assert_eq!(
+            ServiceName::ClickhouseAdminSingleServer.dns_name(),
+            "_clickhouse-admin-single-server._tcp",
+        );
         assert_eq!(
             ServiceName::ClickhouseKeeper.dns_name(),
             "_clickhouse-keeper._tcp",
         );
+        assert_eq!(
+            ServiceName::ClickhouseNative.dns_name(),
+            "_clickhouse-native._tcp",
+        );
         assert_eq!(
             ServiceName::ClickhouseServer.dns_name(),
             "_clickhouse-server._tcp",
@@ -756,12 +801,19 @@ mod test {
     const ZONE2_UUID: &'static str = "001de000-c04e-4000-8000-000000000002";
     const ZONE3_UUID: &'static str = "001de000-c04e-4000-8000-000000000003";
     const ZONE4_UUID: &'static str = "001de000-c04e-4000-8000-000000000004";
+    const ZONE_CLICKHOUSE_UUID: &'static str =
+        "001de000-c04e-4000-8000-000000000005";
+    const ZONE_CLICKHOUSE_SERVER_UUID: &'static str =
+        "001de000-c04e-4000-8000-000000000006";
     const SLED1_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1);
     const SLED2_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 2);
     const ZONE1_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 1);
     const ZONE2_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 2);
     const ZONE3_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 3);
     const ZONE4_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 4);
+    const ZONE_CLICKHOUSE_IP: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 5);
+    const ZONE_CLICKHOUSE_SERVER_IP: Ipv6Addr =
+        Ipv6Addr::new(0, 0, 0, 0, 0, 0, 1, 6);
 
     #[test]
     fn test_builder_output() {
@@ -773,6 +825,10 @@ mod test {
         let zone2_uuid: OmicronZoneUuid = ZONE2_UUID.parse().unwrap();
         let zone3_uuid: OmicronZoneUuid = ZONE3_UUID.parse().unwrap();
         let zone4_uuid: OmicronZoneUuid = ZONE4_UUID.parse().unwrap();
+        let zone_clickhouse_uuid: OmicronZoneUuid =
+            ZONE_CLICKHOUSE_UUID.parse().unwrap();
+        let zone_clickhouse_server_uuid: OmicronZoneUuid =
+            ZONE_CLICKHOUSE_SERVER_UUID.parse().unwrap();
 
         let builder_empty = DnsConfigBuilder::new();
 
@@ -818,6 +874,20 @@ mod test {
             b.service_backend_zone(ServiceName::BoundaryNtp, &zone2, 127)
                 .unwrap();
 
+            // Add clickhouse and clickhouse server zones, which have serveral services each
+            b.host_zone_clickhouse_single_node(
+                zone_clickhouse_uuid,
+                ServiceName::Clickhouse,
+                SocketAddrV6::new(ZONE_CLICKHOUSE_IP, 0, 0, 0),
+            )
+            .unwrap();
+            b.host_zone_clickhouse_cluster(
+                zone_clickhouse_server_uuid,
+                ServiceName::ClickhouseServer,
+                SocketAddrV6::new(ZONE_CLICKHOUSE_SERVER_IP, 0, 0, 0),
+            )
+            .unwrap();
+
             // A sharded service
             b.service_backend_sled(
                 ServiceName::SledAgent(sled1_uuid),

internal-dns/types/src/names.rs

@@ -29,6 +29,8 @@ pub enum ServiceName {
     ClickhouseAdminKeeper,
     /// The HTTP interface for managing replicated clickhouse servers
     ClickhouseAdminServer,
+    /// The HTTP interface for managing a single node clickhouse server
+    ClickhouseAdminSingleServer,
     /// The native TCP interface to a ClickHouse server.
     ///
     /// NOTE: This is used for either single-node or a replicated cluster.
@@ -61,6 +63,9 @@ impl ServiceName {
             ServiceName::Clickhouse => "clickhouse",
             ServiceName::ClickhouseAdminKeeper => "clickhouse-admin-keeper",
             ServiceName::ClickhouseAdminServer => "clickhouse-admin-server",
+            ServiceName::ClickhouseAdminSingleServer => {
+                "clickhouse-admin-single-server"
+            }
             ServiceName::ClickhouseNative => "clickhouse-native",
             ServiceName::ClickhouseKeeper => "clickhouse-keeper",
             ServiceName::ClickhouseServer => "clickhouse-server",
@@ -90,6 +95,7 @@ impl ServiceName {
             ServiceName::Clickhouse
             | ServiceName::ClickhouseAdminKeeper
             | ServiceName::ClickhouseAdminServer
+            | ServiceName::ClickhouseAdminSingleServer
             | ServiceName::ClickhouseNative
             | ServiceName::ClickhouseKeeper
             | ServiceName::ClickhouseServer

internal-dns/types/tests/output/internal-dns-zone.txt

@@ -68,6 +68,18 @@ builder: "non_trivial"
       "data": "::1:4"
     }
   ],
+  "001de000-c04e-4000-8000-000000000005.host": [
+    {
+      "type": "AAAA",
+      "data": "::1:5"
+    }
+  ],
+  "001de000-c04e-4000-8000-000000000006.host": [
+    {
+      "type": "AAAA",
+      "data": "::1:6"
+    }
+  ],
   "_boundary-ntp._tcp": [
     {
       "type": "SRV",
@@ -79,6 +91,61 @@ builder: "non_trivial"
       }
     }
   ],
+  "_clickhouse-admin-server._tcp": [
+    {
+      "type": "SRV",
+      "data": {
+        "prio": 0,
+        "weight": 0,
+        "port": 8888,
+        "target": "001de000-c04e-4000-8000-000000000006.host.control-plane.oxide.internal"
+      }
+    }
+  ],
+  "_clickhouse-admin-single-server._tcp": [
+    {
+      "type": "SRV",
+      "data": {
+        "prio": 0,
+        "weight": 0,
+        "port": 8888,
+        "target": "001de000-c04e-4000-8000-000000000005.host.control-plane.oxide.internal"
+      }
+    }
+  ],
+  "_clickhouse-native._tcp": [
+    {
+      "type": "SRV",
+      "data": {
+        "prio": 0,
+        "weight": 0,
+        "port": 9000,
+        "target": "001de000-c04e-4000-8000-000000000005.host.control-plane.oxide.internal"
+      }
+    }
+  ],
+  "_clickhouse-server._tcp": [
+    {
+      "type": "SRV",
+      "data": {
+        "prio": 0,
+        "weight": 0,
+        "port": 0,
+        "target": "001de000-c04e-4000-8000-000000000006.host.control-plane.oxide.internal"
+      }
+    }
+  ],
+  "_clickhouse._tcp": [
+    {
+      "type": "SRV",
+      "data": {
+        "prio": 0,
+        "weight": 0,
+        "port": 0,
+        "target": "001de000-c04e-4000-8000-000000000005.host.control-plane.oxide.internal"
+      }
+    }
+  ],
   "_nexus._tcp": [
     {
       "type": "SRV",

nexus/test-utils/src/lib.rs

@@ -313,7 +313,11 @@ impl RackInitRequestBuilder {
         address: SocketAddrV6,
     ) {
         self.internal_dns_config
-            .host_zone_clickhouse(zone_id, ServiceName::Clickhouse, address)
+            .host_zone_clickhouse_single_node(
+                zone_id,
+                ServiceName::Clickhouse,
+                address,
+            )
             .expect("Failed to setup ClickHouse DNS");
     }
 }

nexus/types/src/deployment/execution/dns.rs

@@ -48,25 +48,28 @@ pub fn blueprint_internal_dns_config(
             ) => (ServiceName::InternalNtp, address),
             BlueprintZoneType::Clickhouse(
                 blueprint_zone_type::Clickhouse { address, .. },
-            )
-            | BlueprintZoneType::ClickhouseServer(
+            ) => {
+                // Add the HTTP and native TCP interfaces for ClickHouse data
+                // replicas. This adds the zone itself, so we need to continue
+                // back up to the loop over all the Omicron zones, rather than
+                // falling through to call `host_zone_with_one_backend()`.
+                dns_builder.host_zone_clickhouse_single_node(
+                    zone.id,
+                    ServiceName::Clickhouse,
+                    *address,
+                )?;
+                continue 'all_zones;
+            }
+            BlueprintZoneType::ClickhouseServer(
                 blueprint_zone_type::ClickhouseServer { address, .. },
             ) => {
                 // Add the HTTP and native TCP interfaces for ClickHouse data
                 // replicas. This adds the zone itself, so we need to continue
                 // back up to the loop over all the Omicron zones, rather than
                 // falling through to call `host_zone_with_one_backend()`.
-                let http_service = if matches!(
-                    &zone.zone_type,
-                    BlueprintZoneType::Clickhouse(_)
-                ) {
-                    ServiceName::Clickhouse
-                } else {
-                    ServiceName::ClickhouseServer
-                };
-                dns_builder.host_zone_clickhouse(
+                dns_builder.host_zone_clickhouse_cluster(
                     zone.id,
-                    http_service,
+                    ServiceName::ClickhouseServer,
                     *address,
                 )?;
                 continue 'all_zones;

sled-agent/src/rack_setup/plan/service.rs

@@ -607,7 +607,11 @@ impl Plan {
             let http_port = omicron_common::address::CLICKHOUSE_HTTP_PORT;
             let http_address = SocketAddrV6::new(ip, http_port, 0, 0);
             dns_builder
-                .host_zone_clickhouse(id, ServiceName::Clickhouse, http_address)
+                .host_zone_clickhouse_single_node(
+                    id,
+                    ServiceName::Clickhouse,
+                    http_address,
+                )
                 .unwrap();
             let dataset_name =
                 sled.alloc_dataset_from_u2s(DatasetKind::Clickhouse)?;