Merge feature branch feature/easier-pool-join (#6305)

Author: gangj

ocaml/idl/datamodel.ml

@@ -11016,6 +11016,15 @@ let http_actions =
   ; ( "get_repository"
     , (Get, Constants.get_repository_uri, false, [], _R_LOCAL_ROOT_ONLY, [])
     )
+  ; ( "get_enabled_repository"
+    , ( Get
+      , Constants.get_enabled_repository_uri
+      , false
+      , []
+      , _R_POOL_OP ++ _R_CLIENT_CERT
+      , []
+      )
+    )
   ; ( "get_host_updates"
     , ( Get
       , Constants.get_host_updates_uri
@@ -11059,7 +11068,6 @@ let public_http_actions_with_no_rbac_check =
   ; "post_jsonrpc"
   ; "post_jsonrpc_options"
   ; "get_pool_update_download"
-  ; "get_repository"
   ]
 
 (* permissions not associated with any object message or field *)

ocaml/idl/datamodel_errors.ml

@@ -1924,11 +1924,29 @@ let _ =
   error Api_errors.bundle_repo_not_enabled []
     ~doc:"Cannot sync bundle as the bundle repository is not enabled." () ;
   error Api_errors.can_not_sync_updates []
-    ~doc:"Cannot sync updates as the bundle repository is enabled." () ;
-  error Api_errors.bundle_repo_should_be_single_enabled []
     ~doc:
-      "If the bundle repository is enabled, it should be the only one enabled \
-       repository of the pool."
+      "The currently enabled repositories do not support synchronization of \
+       updates."
+    () ;
+  error Api_errors.can_not_periodic_sync_updates []
+    ~doc:
+      "The currently enabled repositories do not support periodic automatic \
+       updates."
+    () ;
+  error Api_errors.repo_should_be_single_one_enabled []
+    ~doc:
+      "If the bundle repository or remote_pool repository is enabled, it \
+       should be the only enabled repository of the pool."
+    () ;
+  error Api_errors.update_syncing_remote_pool_coordinator_connection_failed []
+    ~doc:
+      "There was an error connecting to the remote pool coordinator while \
+       syncing updates from it."
+    () ;
+  error Api_errors.update_syncing_remote_pool_coordinator_service_failed []
+    ~doc:
+      "There was an error connecting to the server while syncing updates from \
+       it. The service contacted didn't reply properly."
     () ;
   error Api_errors.repository_is_in_use [] ~doc:"The repository is in use." () ;
   error Api_errors.repository_cleanup_failed []

ocaml/idl/datamodel_pool.ml

@@ -1282,6 +1282,20 @@ let sync_updates =
         ; param_release= numbered_release "1.329.0"
         ; param_default= Some (VString "")
         }
+      ; {
+          param_type= String
+        ; param_name= "username"
+        ; param_doc= "The username of the remote pool"
+        ; param_release= numbered_release "25.6.0-next"
+        ; param_default= Some (VString "")
+        }
+      ; {
+          param_type= String
+        ; param_name= "password"
+        ; param_doc= "The password of the remote pool"
+        ; param_release= numbered_release "25.6.0-next"
+        ; param_default= Some (VString "")
+        }
       ]
     ~result:(String, "The SHA256 hash of updateinfo.xml.gz")
     ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)

ocaml/idl/datamodel_repository.ml

@@ -24,6 +24,7 @@ let origin =
     , [
         ("remote", "The origin of the repository is a remote one")
       ; ("bundle", "The origin of the repository is a local bundle file")
+      ; ("remote_pool", "The origin of the repository is a remote pool")
       ]
     )
 
@@ -94,6 +95,29 @@ let introduce_bundle =
     ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)
     ()
 
+let introduce_remote_pool =
+  call ~name:"introduce_remote_pool" ~in_oss_since:None ~lifecycle:[]
+    ~doc:"Add the configuration for a new remote pool repository"
+    ~params:
+      [
+        (String, "name_label", "The name of the repository")
+      ; (String, "name_description", "The description of the repository")
+      ; ( String
+        , "binary_url"
+        , "Base URL of binary packages in the local repository of this remote \
+           pool in https://<coordinator-ip>"
+          ^ Constants.get_enabled_repository_uri
+          ^ " format"
+        )
+      ; ( String
+        , "certificate"
+        , "The host certificate of the coordinator of the remote pool"
+        )
+      ]
+    ~result:(Ref _repository, "The ref of the created repository record.")
+    ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)
+    ()
+
 let forget =
   call ~name:"forget" ~in_oss_since:None
     ~lifecycle:[(Published, "1.301.0", "")]
@@ -173,6 +197,7 @@ let t =
       [
         introduce
       ; introduce_bundle
+      ; introduce_remote_pool
       ; forget
       ; apply
       ; set_gpgkey_path
@@ -223,8 +248,12 @@ let t =
           "The file name of the GPG public key of this repository"
       ; field ~qualifier:StaticRO ~lifecycle:[] ~ty:origin "origin"
           ~default_value:(Some (VEnum "remote"))
-          "The origin of the repository. 'remote' if the origin of the \
+          "The origin of this repository. 'remote' if the origin of the \
            repository is a remote one, 'bundle' if the origin of the \
-           repository is a local bundle file."
+           repository is a local bundle file, 'remote_pool' if the origin of \
+           the repository is a remote pool"
+      ; field ~qualifier:StaticRO ~lifecycle:[] ~ty:String
+          ~default_value:(Some (VString "")) "certificate"
+          "The certificate of the host which hosts this repository"
       ]
     ()

ocaml/idl/schematest.ml

@@ -3,7 +3,7 @@ let hash x = Digest.string x |> Digest.to_hex
 (* BEWARE: if this changes, check that schema has been bumped accordingly in
    ocaml/idl/datamodel_common.ml, usually schema_minor_vsn *)
 
-let last_known_schema_hash = "6f6230f87a92572b68ebd742196ffd0e"
+let last_known_schema_hash = "05ac9223f9c17b07b12e328d5dc3db52"
 
 let current_schema_hash : string =
   let open Datamodel_types in

ocaml/libs/stunnel/stunnel.ml

@@ -157,6 +157,9 @@ let pool =
   ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
   }
 
+let external_host ext_host_cert_file =
+  {sni= None; verify= VerifyPeer; cert_bundle_path= ext_host_cert_file}
+
 let debug_conf_of_bool verbose : string =
   if verbose then "debug=authpriv.7" else "debug=authpriv.5"
 

ocaml/libs/stunnel/stunnel.mli

@@ -59,6 +59,8 @@ val appliance : verification_config
 
 val pool : verification_config
 
+val external_host : string -> verification_config
+
 val with_connect :
      ?unique_id:int
   -> ?use_fork_exec_helper:bool

ocaml/libs/stunnel/stunnel_client.ml

@@ -26,7 +26,12 @@ let set_verify_by_default = function
       D.info "enabling default tls verification" ;
       verify := true
 
-let pool () = match !verify with true -> Some Stunnel.pool | false -> None
+let get_verification_config config =
+  match !verify with true -> Some config | false -> None
 
-let appliance () =
-  match !verify with true -> Some Stunnel.appliance | false -> None
+let pool () = get_verification_config Stunnel.pool
+
+let appliance () = get_verification_config Stunnel.appliance
+
+let external_host cert_file =
+  Stunnel.external_host cert_file |> get_verification_config

ocaml/libs/stunnel/stunnel_client.mli

@@ -19,3 +19,5 @@ val set_verify_by_default : bool -> unit
 val pool : unit -> Stunnel.verification_config option
 
 val appliance : unit -> Stunnel.verification_config option
+
+val external_host : string -> Stunnel.verification_config option

ocaml/tests/test_pool_repository.ml

@@ -14,101 +14,103 @@
 
 module T = Test_common
 
-let test_set_remote_and_bundle_repos () =
+let on_repositories f =
   let __context = T.make_test_database () in
-  let name_label = "remote" in
-  let name_description = "remote" in
-  let binary_url = "https://repo.example.com" in
+  let pool = Helpers.get_pool ~__context in
+  let binary_url_1 = "https://repo.example.com" in
+  let binary_url_2 = "https://1.1.1.1/repository/enabled" in
   let source_url = "https://repo-src.example.com" in
-  let gpgkey_path = "" in
   let ref_remote =
-    Repository.introduce ~__context ~name_label ~name_description ~binary_url
-      ~source_url ~update:true ~gpgkey_path
+    Repository.introduce ~__context ~name_label:"remote"
+      ~name_description:"remote" ~binary_url:binary_url_1 ~source_url
+      ~update:true ~gpgkey_path:""
   in
   let ref_bundle =
     Repository.introduce_bundle ~__context ~name_label:"bundle"
       ~name_description:"bundle"
   in
-  let self = Helpers.get_pool ~__context in
-  Alcotest.check_raises "test_set_remote_and_bundle_repos"
-    Api_errors.(Server_error (bundle_repo_should_be_single_enabled, []))
-    (fun () ->
-      Xapi_pool.set_repositories ~__context ~self
-        ~value:[ref_remote; ref_bundle]
-    )
-
-let test_add_bundle_repo () =
-  let __context = T.make_test_database () in
-  let name_label = "remote" in
-  let name_description = "remote" in
-  let binary_url = "https://repo.example.com" in
-  let source_url = "https://repo-src.example.com" in
-  let gpgkey_path = "" in
-  let ref_remote =
-    Repository.introduce ~__context ~name_label ~name_description ~binary_url
-      ~source_url ~update:true ~gpgkey_path
+  let ref_remote_pool =
+    Repository.introduce_remote_pool ~__context ~name_label:"remote_pool"
+      ~binary_url:binary_url_2 ~name_description:"remote_pool" ~certificate:""
   in
-  let ref_bundle =
-    Repository.introduce_bundle ~__context ~name_label:"bundle"
-      ~name_description:"bundle"
-  in
-  let self = Helpers.get_pool ~__context in
-  Alcotest.check_raises "test_add_bundle_repo"
-    Api_errors.(Server_error (bundle_repo_should_be_single_enabled, []))
-    (fun () ->
-      Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote] ;
-      Xapi_pool.add_repository ~__context ~self ~value:ref_bundle
-    )
+  f __context pool ref_remote ref_bundle ref_remote_pool
 
-let test_add_remote_repo () =
-  let __context = T.make_test_database () in
-  let name_label = "remote" in
-  let name_description = "remote" in
-  let binary_url = "https://repo.example.com" in
-  let source_url = "https://repo-src.example.com" in
-  let gpgkey_path = "" in
-  let ref_remote =
-    Repository.introduce ~__context ~name_label ~name_description ~binary_url
-      ~source_url ~update:true ~gpgkey_path
-  in
-  let ref_bundle =
-    Repository.introduce_bundle ~__context ~name_label:"bundle"
-      ~name_description:"bundle"
-  in
-  let self = Helpers.get_pool ~__context in
-  Alcotest.check_raises "test_add_remote_repo"
-    Api_errors.(Server_error (bundle_repo_should_be_single_enabled, []))
-    (fun () ->
+let test_set_repositories () =
+  on_repositories (fun __context self ref_remote ref_bundle ref_remote_pool ->
+      Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote] ;
       Xapi_pool.set_repositories ~__context ~self ~value:[ref_bundle] ;
-      Xapi_pool.add_repository ~__context ~self ~value:ref_remote
-    )
+      Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote_pool] ;
+      Alcotest.check_raises "test_set_repositories_1"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self
+            ~value:[ref_remote; ref_bundle]
+        ) ;
+      Alcotest.check_raises "test_set_repositories_2"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self
+            ~value:[ref_remote_pool; ref_bundle]
+        ) ;
+      Alcotest.check_raises "test_set_repositories_3"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self
+            ~value:[ref_remote; ref_remote_pool]
+        )
+  )
 
-let test_can_not_enable_bundle_repo_auto_sync () =
-  let __context = T.make_test_database () in
-  let ref_bundle =
-    Repository.introduce_bundle ~__context ~name_label:"bundle"
-      ~name_description:"bundle"
-  in
-  let self = Helpers.get_pool ~__context in
-  Alcotest.check_raises "test_can_not_enable_bundle_repo_auto_sync"
-    Api_errors.(Server_error (can_not_sync_updates, []))
-    (fun () ->
-      Xapi_pool.set_repositories ~__context ~self ~value:[ref_bundle] ;
-      Xapi_pool.set_update_sync_enabled ~__context ~self ~value:true
-    )
+let test_add_repository () =
+  on_repositories (fun __context self ref_remote ref_bundle ref_remote_pool ->
+      Alcotest.check_raises "test_add_repository_1"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote] ;
+          Xapi_pool.add_repository ~__context ~self ~value:ref_bundle
+        ) ;
+      Alcotest.check_raises "test_add_repository_2"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote] ;
+          Xapi_pool.add_repository ~__context ~self ~value:ref_remote_pool
+        ) ;
+      Alcotest.check_raises "test_add_repository_3"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote_pool] ;
+          Xapi_pool.add_repository ~__context ~self ~value:ref_bundle
+        ) ;
+      Alcotest.check_raises "test_add_repository_4"
+        Api_errors.(Server_error (repo_should_be_single_one_enabled, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_bundle] ;
+          Xapi_pool.add_repository ~__context ~self ~value:ref_remote_pool
+        )
+  )
+
+let test_enable_periodic_repo_sync () =
+  on_repositories (fun __context self ref_remote ref_bundle ref_remote_pool ->
+      Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote] ;
+      Xapi_pool.set_update_sync_enabled ~__context ~self ~value:true ;
+      Alcotest.check_raises "test_enable_periodic_repo_sync_1"
+        Api_errors.(Server_error (can_not_periodic_sync_updates, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_bundle] ;
+          Xapi_pool.set_update_sync_enabled ~__context ~self ~value:true
+        ) ;
+      Alcotest.check_raises "test_enable_periodic_repo_sync_2"
+        Api_errors.(Server_error (can_not_periodic_sync_updates, []))
+        (fun () ->
+          Xapi_pool.set_repositories ~__context ~self ~value:[ref_remote_pool] ;
+          Xapi_pool.set_update_sync_enabled ~__context ~self ~value:true
+        )
+  )
 
 let test =
   [
-    ( "test_set_remote_and_bundle_repos"
-    , `Quick
-    , test_set_remote_and_bundle_repos
-    )
-  ; ("test_add_bundle_repo", `Quick, test_add_bundle_repo)
-  ; ("test_add_remote_repo", `Quick, test_add_remote_repo)
-  ; ( "test_can_not_enable_bundle_repo_auto_sync"
-    , `Quick
-    , test_can_not_enable_bundle_repo_auto_sync
-    )
+    ("test_set_repositories", `Quick, test_set_repositories)
+  ; ("test_add_repository", `Quick, test_add_repository)
+  ; ("test_enable_periodic_repo_sync", `Quick, test_enable_periodic_repo_sync)
   ]
 
 let () =