From 1e6f918ccd52944f6e5a15913ff3e9efa657556b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= Date: Wed, 24 Apr 2024 15:36:48 +0100 Subject: [PATCH] CP-49147: Reduce size of the pool record (uefi_certificates) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This field is very big and part of every pool.get_all_records() call (done by SM), which is currently >64KiB in size. TODO: the Changed field needs to match the (future!) tag that this will receive. Signed-off-by: Edwin Török --- ocaml/idl/datamodel_common.ml | 2 +- ocaml/idl/datamodel_pool.ml | 19 ++++++++++++++++++- ocaml/idl/json_backend/gen_json.ml | 4 ++-- ocaml/idl/schematest.ml | 2 +- ocaml/xapi-cli-server/records.ml | 4 +++- ocaml/xapi/helpers.ml | 3 ++- ocaml/xapi/xapi_host.ml | 2 +- ocaml/xapi/xapi_pool.ml | 5 +++++ ocaml/xapi/xapi_pool.mli | 2 ++ 9 files changed, 35 insertions(+), 8 deletions(-) diff --git a/ocaml/idl/datamodel_common.ml b/ocaml/idl/datamodel_common.ml index 80c5076fef7..a21e480d80a 100644 --- a/ocaml/idl/datamodel_common.ml +++ b/ocaml/idl/datamodel_common.ml @@ -10,7 +10,7 @@ open Datamodel_roles to leave a gap for potential hotfixes needing to increment the schema version.*) let schema_major_vsn = 5 -let schema_minor_vsn = 785 +let schema_minor_vsn = 786 (* Historical schema versions just in case this is useful later *) let rio_schema_major_vsn = 5 diff --git a/ocaml/idl/datamodel_pool.ml b/ocaml/idl/datamodel_pool.ml index ab0d1669788..c7501456b77 100644 --- a/ocaml/idl/datamodel_pool.ml +++ b/ocaml/idl/datamodel_pool.ml 
@@ -1377,6 +1377,18 @@ let disable_repository_proxy = ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT) () +let get_uefi_certificates = + call ~name:"get_uefi_certificates" + ~result:(String, "The UEFI certificates") + ~lifecycle: + [ + (Published, "22.16.0", "") + ; (Changed, "24.38.0", "internal type changed to blob") + ] + ~doc:"Get the UEFI certificates for a pool" + ~params:[(Ref _pool, "self", "The pool")] + ~allowed_roles:_R_POOL_ADMIN () + let set_uefi_certificates = call ~name:"set_uefi_certificates" ~lifecycle: @@ -1620,6 +1632,7 @@ let t = ; disable_client_certificate_auth ; configure_repository_proxy ; disable_repository_proxy + ; get_uefi_certificates ; set_uefi_certificates ; set_custom_uefi_certificates ; set_https_only @@ -2006,9 +2019,13 @@ let t = , "22.16.0" , "Became StaticRO to be editable through new method" ) + ; ( Changed + , "24.38.0" + , "Field converted to internal-only and replaced with a digest" + ) ] ~default_value:(Some (VString "")) "uefi_certificates" - "The UEFI certificates allowing Secure Boot" + ~internal_only:true "The UEFI certificates allowing Secure Boot" ; field ~qualifier:StaticRO ~ty:String ~lifecycle:[] ~default_value:(Some (VString "")) "custom_uefi_certificates" "Custom UEFI certificates allowing Secure Boot" diff --git a/ocaml/idl/json_backend/gen_json.ml b/ocaml/idl/json_backend/gen_json.ml index 5c8fc0da0ff..16a860e8775 100644 --- a/ocaml/idl/json_backend/gen_json.ml +++ b/ocaml/idl/json_backend/gen_json.ml @@ -613,8 +613,8 @@ module Version = struct try Scanf.sscanf name "%d.%d.%d%s" of_chunks with _ -> failwith - (Printf.sprintf "Version schema changed, please change this code %s" - __LOC__ + (Printf.sprintf "Version schema changed, please change this code %s: %s" + name __LOC__ ) let to_name_date (lst, str) = diff --git a/ocaml/idl/schematest.ml b/ocaml/idl/schematest.ml index 2c4a87453ba..b3bb0f184a6 100644 --- a/ocaml/idl/schematest.ml +++ b/ocaml/idl/schematest.ml 
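Review bot: In the new `get_uefi_certificates` call (ocaml/idl/datamodel_pool.ml), `~allowed_roles:_R_POOL_ADMIN` makes reading the pool's Secure Boot certificates admin-only, while the same commit marks the `uefi_certificates` field `~internal_only:true`, taking it out of the pool record that other sessions could presumably read. If the tighter read access is intended, say so in `~doc`. If not, a read role such as `~allowed_roles:_R_READ_ONLY` would keep existing readers working, including the CLI `uefi-certificates` getter in ocaml/xapi-cli-server/records.ml, which now goes through this call. The `Changed` text `"internal type changed to blob"` also does not match the declared `~result:(String, "The UEFI certificates")`; something like `"Now read from the pool master's host record"` describes what the commit does.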
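Review bot: The `uefi_certificates` field (hunk at `@@ -2006`) keeps the description `"The UEFI certificates allowing Secure Boot"`, although the new `Changed` entry and the xapi_host.ml hunk show that it now stores a digest of the certificate tarball. Any caller of `Db.Pool.get_uefi_certificates` outside this diff that still treats the value as the tarball would get a hex string instead, so the remaining readers are worth auditing. Update the description to match, e.g. `"Digest of the UEFI certificates allowing Secure Boot (internal use only)"`.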
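Review bot: In the `failwith` message of ocaml/idl/json_backend/gen_json.ml the arguments are passed as `name __LOC__`, so the text reads "please change this code <version string>: <location>" and the location no longer follows "this code". Swapping them keeps the sentence accurate: `(Printf.sprintf "Version schema changed, please change this code %s: %s" __LOC__ name)`. The enclosing function starts outside the hunk.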
@@ -3,7 +3,7 @@ let hash x = Digest.string x |> Digest.to_hex (* BEWARE: if this changes, check that schema has been bumped accordingly in ocaml/idl/datamodel_common.ml, usually schema_minor_vsn *) -let last_known_schema_hash = "18df8c33434e3df1982e11ec55d1f3f8" +let last_known_schema_hash = "b868d0553a0f37cede3bc454104d66e1" let current_schema_hash : string = let open Datamodel_types in diff --git a/ocaml/xapi-cli-server/records.ml b/ocaml/xapi-cli-server/records.ml index cd7e2f5ae80..8e0b5927fce 100644 --- a/ocaml/xapi-cli-server/records.ml +++ b/ocaml/xapi-cli-server/records.ml @@ -1354,7 +1354,9 @@ let pool_record rpc session_id pool = ) () ; make_field ~name:"uefi-certificates" ~hidden:true - ~get:(fun () -> (x ()).API.pool_uefi_certificates) + ~get:(fun () -> + Client.Pool.get_uefi_certificates ~rpc ~session_id ~self:pool + ) ~set:(fun value -> Client.Pool.set_uefi_certificates ~rpc ~session_id ~self:pool ~value ) diff --git a/ocaml/xapi/helpers.ml b/ocaml/xapi/helpers.ml index 1175b6aa036..8db8ac9ffb1 100644 --- a/ocaml/xapi/helpers.ml +++ b/ocaml/xapi/helpers.ml @@ -2141,7 +2141,8 @@ let get_active_uefi_certificates ~__context ~self = in match (!Xapi_globs.allow_custom_uefi_certs, custom_uefi_certs) with | false, _ | true, "" -> - Db.Pool.get_uefi_certificates ~__context ~self + let master = Db.Pool.get_master ~__context ~self in + Db.Host.get_uefi_certificates ~__context ~self:master | true, _ -> custom_uefi_certs diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml index cd6ae3a7d35..4d64311767a 100644 --- a/ocaml/xapi/xapi_host.ml +++ b/ocaml/xapi/xapi_host.ml @@ -2778,7 +2778,7 @@ let write_uefi_certificates_to_disk ~__context ~host = if Pool_role.is_master () then Db.Pool.set_uefi_certificates ~__context ~self:(Helpers.get_pool ~__context) - ~value:disk_uefi_certs_tar ; + ~value:(Digest.string disk_uefi_certs_tar |> Digest.to_hex) ; let pool_uefi_certs = Db.Pool.get_custom_uefi_certificates ~__context ~self:(Helpers.get_pool ~__context) 
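Review bot: In `get_active_uefi_certificates` (ocaml/xapi/helpers.ml) the default Secure Boot certificates now come from `Db.Host.get_uefi_certificates` on the pool master, and the branch does not handle that host field being empty. The hunk does not show when the master's field is populated; if it can be empty (for example before `write_uefi_certificates_to_disk` has run on a newly designated master), callers would receive `""` as the active certificate set. A comment stating the invariant would help, e.g. `(* the master's Host.uefi_certificates holds the on-disk tarball; Pool.uefi_certificates is only a digest *)`, and an empty result could be logged. The same two-line lookup is repeated in `Xapi_pool.get_uefi_certificates`, so the two must be changed together. The function starts outside the hunk.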
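Review bot: `Digest.string` in the OCaml standard library computes MD5, so `write_uefi_certificates_to_disk` (ocaml/xapi/xapi_host.ml) now stores an MD5 hex digest of the certificate tarball in `Pool.uefi_certificates`. That is adequate as a change marker but not as an integrity check on Secure Boot trust material, because MD5 is not collision-resistant. The hunk does not show who reads the field, so a comment at the call would guard against later misuse: `(* MD5 of the tarball, kept only to detect changes; not an integrity check *)`. If any reader does compare this value to decide whether certificates match, a SHA-256 digest would be the safer choice. The function starts and ends outside the hunk.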
diff --git a/ocaml/xapi/xapi_pool.ml b/ocaml/xapi/xapi_pool.ml index 2f471932c14..0d20f5cf66f 100644 --- a/ocaml/xapi/xapi_pool.ml +++ b/ocaml/xapi/xapi_pool.ml @@ -3722,6 +3722,11 @@ let disable_repository_proxy ~__context ~self = Db.Secret.destroy ~__context ~self:old_secret_ref ) +let get_uefi_certificates ~__context ~self = + (* cyclic dependency with Helpers, do it inline *) + let master = Db.Pool.get_master ~__context ~self in + Db.Host.get_uefi_certificates ~__context ~self:master + let set_uefi_certificates ~__context ~self:_ ~value:_ = let msg = "Setting UEFI certificates is deprecated, please use \ diff --git a/ocaml/xapi/xapi_pool.mli b/ocaml/xapi/xapi_pool.mli index 835a356f782..73a67e42b9c 100644 --- a/ocaml/xapi/xapi_pool.mli +++ b/ocaml/xapi/xapi_pool.mli @@ -386,6 +386,8 @@ val configure_repository_proxy : val disable_repository_proxy : __context:Context.t -> self:API.ref_pool -> unit +val get_uefi_certificates : __context:Context.t -> self:API.ref_pool -> string + val set_uefi_certificates : __context:Context.t -> self:API.ref_pool -> value:string -> unit
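Review bot: `Xapi_pool.get_uefi_certificates` has no documentation of what it returns, and the inline comment `(* cyclic dependency with Helpers, do it inline *)` does not say which helper it duplicates. As written, the call returns only the master's `Host.uefi_certificates`; unlike `Helpers.get_active_uefi_certificates` it never returns the custom certificates. A doc comment on the `val` in xapi_pool.mli would make this explicit, e.g. `(** Returns the default UEFI certificates recorded on the pool master's host object; custom certificates are not included. *)`, and the inline comment could name the duplicated branch of `Helpers.get_active_uefi_certificates`.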