feat(nns): add UpdateGuestosVersionForSubnets proposal#10423
feat(nns): add UpdateGuestosVersionForSubnets proposal#10423pietrodimarco-dfinity wants to merge 3 commits into
Conversation
Adds a new NNS proposal that upgrades every CloudEngine subnet to a given elected GuestOS version in one shot, instead of submitting one DeployGuestosToAllSubnetNodes proposal per subnet. Registry: new `deploy_guestos_to_all_cloud_engines` endpoint (governance-only) that iterates the subnet list, filters subnets whose subnet_type is CloudEngine, and updates their replica_version_id in a single atomic mutation. Non-CloudEngine subnets are left untouched. The affected set is resolved from the registry at execution time rather than captured in the payload, so the proposal always acts on the CloudEngine fleet as it exists when it runs. Governance: new NnsFunction variant NNS_FUNCTION_DEPLOY_GUESTOS_TO_ALL_CLOUD_ENGINES (= 59), routed to the registry endpoint under the IcOsVersionDeployment topic.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
This pull request changes code owned by the Governance team. Therefore, make sure that
you have considered the following (for Governance-owned code):
-
Update
unreleased_changelog.md(if there are behavior changes, even if they are
non-breaking). -
Are there BREAKING changes?
-
Is a data migration needed?
-
Security review?
How to Satisfy This Automatic Review
-
Go to the bottom of the pull request page.
-
Look for where it says this bot is requesting changes.
-
Click the three dots to the right.
-
Select "Dismiss review".
-
In the text entry box, respond to each of the numbered items in the previous
section, declare one of the following:
-
Done.
-
$REASON_WHY_NO_NEED. E.g. for
unreleased_changelog.md, "No
canister behavior changes.", or for item 2, "Existing APIs
behave as before.".
Brief Guide to "Externally Visible" Changes
"Externally visible behavior change" is very often due to some NEW canister API.
Changes to EXISTING APIs are more likely to be "breaking".
If these changes are breaking, make sure that clients know how to migrate, how to
maintain their continuity of operations.
If your changes are behind a feature flag, then, do NOT add entrie(s) to
unreleased_changelog.md in this PR! But rather, add entrie(s) later, in the PR
that enables these changes in production.
Reference(s)
For a more comprehensive checklist, see here.
GOVERNANCE_CHECKLIST_REMINDER_DEDUP
Reworks the proposal to operate on an explicit list of subnets rather than
implicitly targeting all CloudEngine subnets:
- NnsFunction NNS_FUNCTION_UPDATE_GUESTOS_VERSION_FOR_SUBNETS (= 59) replaces
NNS_FUNCTION_DEPLOY_GUESTOS_TO_ALL_CLOUD_ENGINES.
- Registry endpoint update_guestos_version_for_subnets takes
UpdateGuestosVersionForSubnetsPayload { subnet_ids: Vec<SubnetId>,
replica_version_id } and updates exactly the listed subnets (no subnet_type
gating) in one atomic mutation. Rejects empty/duplicate lists and unknown
subnets; skips subnets already on the requested version.
This makes the affected set explicit and reviewable in the proposal, and
generalizes the batch upgrade beyond CloudEngine subnets.
pietrodimarco-dfinity
changed the title
…for_subnets Adds an integration test (modeled on delete_subnet.rs) covering the governance-only authorization and the end-to-end registry mutation through the canister candid boundary: - anonymous and unauthorized-principal ingress calls are rejected; - a non-governance canister call (via the universal canister) is rejected; - a governance call updates the listed subnet's replica_version_id; - an unelected version is rejected and leaves the subnet record unchanged.
1 participant
Summary
Adds a new NNS proposal —
NNS_FUNCTION_UPDATE_GUESTOS_VERSION_FOR_SUBNETS(id59) — that upgrades an explicit list of subnets to a given elected GuestOS version in a single proposal, instead of submitting oneDeployGuestosToAllSubnetNodesproposal per subnet.The payload is
{ subnet_ids: Vec<SubnetId>, replica_version_id }. The set of affected subnets is therefore explicit and reviewable directly in the proposal, and the feature generalizes batch upgrades beyond any particular subnet type.Behavior
replica_version_idis elected.subnet_idslist, duplicate subnet ids, and unknown subnets.replica_version_idin a single atomic registry mutation (all or nothing). Subnets already on the requested version are skipped to avoid no-op churn.subnet_typegating — the listed subnets are updated as given.Changes
Registry canister
do_update_guestos_version_for_subnets+UpdateGuestosVersionForSubnetsPayload(mutations/do_update_guestos_version_for_subnets.rs).update_guestos_version_for_subnets(canister.rs).registry.didandregistry_test.did.unreleased_changelog.mdentry.Governance
NnsFunctionvariantNNS_FUNCTION_UPDATE_GUESTOS_VERSION_FOR_SUBNETS = 59ingovernance.proto(+ regeneratedsrc/gen/ic_nns_governance.pb.v1.rs).ValidNnsFunction::UpdateGuestosVersionForSubnetsinexecute_nns_function.rs: routing →(REGISTRY_CANISTER_ID, "update_guestos_version_for_subnets"), topicIcOsVersionDeployment,type_name/type_description,allowed_when_resources_are_low, andTryFrom.rs/nns/governance/api/src/types.rsand the api⇄pb conversions.unreleased_changelog.mdentry.Test plan
cargo check:registry-canister,ic-nns-governance,ic-nns-governance-api.do_update_guestos_version_for_subnets::tests): updates only the listed subnets / leaves others untouched, no-op (no version bump) when listed subnets are already on the version, panics on unelected version / empty list / duplicates / unknown subnet.test_update_guestos_version_for_subnets_routing).check_generated_files(governance prost) passes — hand edit matches generator output.tests/update_guestos_version_for_subnets.rs): governance-only auth (anonymous / unauthorized principal / non-governance canister rejected) + governance call mutates the listed subnet + unelected version rejected. Compiles locally; runs in CI (needs PocketIC server + canister wasms).test_implemented_interface_matches_declared_interface_exactlypasses.