oxidecomputer · smklein · Dec 20, 2023 · Dec 14, 2023 · Dec 14, 2023 · Dec 20, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -229,7 +229,6 @@ ipnetwork = { version = "0.20", features = ["schemars"] }
 itertools = "0.12.0"
 key-manager = { path = "key-manager" }
 kstat-rs = "0.2.3"
-lazy_static = "1.4.0"
 libc = "0.2.151"
 linear-map = "1.2.0"
 macaddr = { version = "1.0.1", features = ["serde_std"] }

diff --git a/common/Cargo.toml b/common/Cargo.toml
@@ -17,7 +17,6 @@ hex.workspace = true
 http.workspace = true
 ipnetwork.workspace = true
 macaddr.workspace = true
-lazy_static.workspace = true
 proptest = { workspace = true, optional = true }
 rand.workspace = true
 reqwest = { workspace = true, features = ["rustls-tls", "stream"] }
@@ -38,6 +37,7 @@ uuid.workspace = true
 parse-display.workspace = true
 progenitor.workspace = true
 omicron-workspace-hack.workspace = true
+once_cell.workspace = true
 
 [dev-dependencies]
 camino-tempfile.workspace = true

diff --git a/common/src/address.rs b/common/src/address.rs
@@ -9,6 +9,7 @@
 
 use crate::api::external::{self, Error, Ipv4Net, Ipv6Net};
 use ipnetwork::{Ipv4Network, Ipv6Network};
+use once_cell::sync::Lazy;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddrV6};
@@ -76,65 +77,78 @@ pub const NTP_PORT: u16 = 123;
 // that situation (which may be as soon as allocating ephemeral IPs).
 pub const NUM_SOURCE_NAT_PORTS: u16 = 1 << 14;
 
-lazy_static::lazy_static! {
-    // Services that require external connectivity are given an OPTE port
-    // with a "Service VNIC" record. Like a "Guest VNIC", a service is
-    // placed within a VPC (a built-in services VPC), along with a VPC subnet.
-    // But unlike guest instances which are created at runtime by Nexus, these
-    // services are created by RSS early on. So, we have some fixed values
-    // used to bootstrap service OPTE ports. Each service kind uses a distinct
-    // VPC subnet which RSS will allocate addresses from for those services.
-    // The specific values aren't deployment-specific as they are virtualized
-    // within OPTE.
-
-    /// The IPv6 prefix assigned to the built-in services VPC.
-    // The specific prefix here was randomly chosen from the expected VPC
-    // prefix range (`fd00::/48`). See `random_vpc_ipv6_prefix`.
-    // Furthermore, all the below *_OPTE_IPV6_SUBNET constants are
-    // /64's within this prefix.
-    pub static ref SERVICE_VPC_IPV6_PREFIX: Ipv6Net = Ipv6Net(
+// Services that require external connectivity are given an OPTE port
+// with a "Service VNIC" record. Like a "Guest VNIC", a service is
+// placed within a VPC (a built-in services VPC), along with a VPC subnet.
+// But unlike guest instances which are created at runtime by Nexus, these
+// services are created by RSS early on. So, we have some fixed values
+// used to bootstrap service OPTE ports. Each service kind uses a distinct
+// VPC subnet which RSS will allocate addresses from for those services.
+// The specific values aren't deployment-specific as they are virtualized
+// within OPTE.
+
+/// The IPv6 prefix assigned to the built-in services VPC.
+// The specific prefix here was randomly chosen from the expected VPC
+// prefix range (`fd00::/48`). See `random_vpc_ipv6_prefix`.
+// Furthermore, all the below *_OPTE_IPV6_SUBNET constants are
+// /64's within this prefix.
+pub static SERVICE_VPC_IPV6_PREFIX: Lazy<Ipv6Net> = Lazy::new(|| {
+    Ipv6Net(
         Ipv6Network::new(
             Ipv6Addr::new(0xfd77, 0xe9d2, 0x9cd9, 0, 0, 0, 0, 0),
             Ipv6Net::VPC_IPV6_PREFIX_LENGTH,
-        ).unwrap(),
-    );
-
-    /// The IPv4 subnet for External DNS OPTE ports.
-    pub static ref DNS_OPTE_IPV4_SUBNET: Ipv4Net =
-        Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 1, 0), 24).unwrap());
-
-    /// The IPv6 subnet for External DNS OPTE ports.
-    pub static ref DNS_OPTE_IPV6_SUBNET: Ipv6Net = Ipv6Net(
+        )
+        .unwrap(),
+    )
+});
+
+/// The IPv4 subnet for External DNS OPTE ports.
+pub static DNS_OPTE_IPV4_SUBNET: Lazy<Ipv4Net> = Lazy::new(|| {
+    Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 1, 0), 24).unwrap())
+});
+
+/// The IPv6 subnet for External DNS OPTE ports.
+pub static DNS_OPTE_IPV6_SUBNET: Lazy<Ipv6Net> = Lazy::new(|| {
+    Ipv6Net(
         Ipv6Network::new(
             Ipv6Addr::new(0xfd77, 0xe9d2, 0x9cd9, 1, 0, 0, 0, 0),
             Ipv6Net::VPC_SUBNET_IPV6_PREFIX_LENGTH,
-        ).unwrap(),
-    );
-
-    /// The IPv4 subnet for Nexus OPTE ports.
-    pub static ref NEXUS_OPTE_IPV4_SUBNET: Ipv4Net =
-        Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 2, 0), 24).unwrap());
-
-    /// The IPv6 subnet for Nexus OPTE ports.
-    pub static ref NEXUS_OPTE_IPV6_SUBNET: Ipv6Net = Ipv6Net(
+        )
+        .unwrap(),
+    )
+});
+
+/// The IPv4 subnet for Nexus OPTE ports.
+pub static NEXUS_OPTE_IPV4_SUBNET: Lazy<Ipv4Net> = Lazy::new(|| {
+    Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 2, 0), 24).unwrap())
+});
+
+/// The IPv6 subnet for Nexus OPTE ports.
+pub static NEXUS_OPTE_IPV6_SUBNET: Lazy<Ipv6Net> = Lazy::new(|| {
+    Ipv6Net(
         Ipv6Network::new(
             Ipv6Addr::new(0xfd77, 0xe9d2, 0x9cd9, 2, 0, 0, 0, 0),
             Ipv6Net::VPC_SUBNET_IPV6_PREFIX_LENGTH,
-        ).unwrap(),
-    );
-
-    /// The IPv4 subnet for Boundary NTP OPTE ports.
-    pub static ref NTP_OPTE_IPV4_SUBNET: Ipv4Net =
-        Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 3, 0), 24).unwrap());
-
-    /// The IPv6 subnet for Boundary NTP OPTE ports.
-    pub static ref NTP_OPTE_IPV6_SUBNET: Ipv6Net = Ipv6Net(
+        )
+        .unwrap(),
+    )
+});
+
+/// The IPv4 subnet for Boundary NTP OPTE ports.
+pub static NTP_OPTE_IPV4_SUBNET: Lazy<Ipv4Net> = Lazy::new(|| {
+    Ipv4Net(Ipv4Network::new(Ipv4Addr::new(172, 30, 3, 0), 24).unwrap())
+});
+
+/// The IPv6 subnet for Boundary NTP OPTE ports.
+pub static NTP_OPTE_IPV6_SUBNET: Lazy<Ipv6Net> = Lazy::new(|| {
+    Ipv6Net(
         Ipv6Network::new(
             Ipv6Addr::new(0xfd77, 0xe9d2, 0x9cd9, 3, 0, 0, 0, 0),
             Ipv6Net::VPC_SUBNET_IPV6_PREFIX_LENGTH,
-        ).unwrap(),
-    );
-}
+        )
+        .unwrap(),
+    )
+});
 
 // Anycast is a mechanism in which a single IP address is shared by multiple
 // devices, and the destination is located based on routing distance.

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -32,7 +32,6 @@ http.workspace = true
 hyper.workspace = true
 internal-dns.workspace = true
 ipnetwork.workspace = true
-lazy_static.workspace = true
 macaddr.workspace = true
 mime_guess.workspace = true
 # Not under "dev-dependencies"; these also need to be implemented for

diff --git a/nexus/db-queries/Cargo.toml b/nexus/db-queries/Cargo.toml
@@ -24,9 +24,9 @@ headers.workspace = true
 http.workspace = true
 hyper.workspace = true
 ipnetwork.workspace = true
-lazy_static.workspace = true
 macaddr.workspace = true
 newtype_derive.workspace = true
+once_cell.workspace = true
 openssl.workspace = true
 oso.workspace = true
 paste.workspace = true

diff --git a/nexus/db-queries/src/authn/external/spoof.rs b/nexus/db-queries/src/authn/external/spoof.rs
@@ -16,7 +16,7 @@ use anyhow::Context;
 use async_trait::async_trait;
 use headers::authorization::{Authorization, Bearer};
 use headers::HeaderMapExt;
-use lazy_static::lazy_static;
+use once_cell::sync::Lazy;
 use uuid::Uuid;
 
 // This scheme is intended for demos, development, and testing until we have a
@@ -54,18 +54,21 @@ const SPOOF_RESERVED_BAD_CREDS: &str = "this-fake-ID-it-is-truly-excellent";
 // subsets of the base64 character set, so we do not bother encoding them.
 const SPOOF_PREFIX: &str = "oxide-spoof-";
 
-lazy_static! {
-    /// Actor (id) used for the special "bad credentials" error
-    static ref SPOOF_RESERVED_BAD_CREDS_ACTOR: Actor = Actor::UserBuiltin {
-        user_builtin_id: "22222222-2222-2222-2222-222222222222".parse().unwrap(),
-    };
-    /// Complete HTTP header value to trigger the "bad actor" error
-    pub static ref SPOOF_HEADER_BAD_ACTOR: Authorization<Bearer> =
-        make_header_value_str(SPOOF_RESERVED_BAD_ACTOR).unwrap();
-    /// Complete HTTP header value to trigger the "bad creds" error
-    pub static ref SPOOF_HEADER_BAD_CREDS: Authorization<Bearer> =
-        make_header_value_str(SPOOF_RESERVED_BAD_CREDS).unwrap();
-}
+/// Actor (id) used for the special "bad credentials" error
+static SPOOF_RESERVED_BAD_CREDS_ACTOR: Lazy<Actor> =
+    Lazy::new(|| Actor::UserBuiltin {
+        user_builtin_id: "22222222-2222-2222-2222-222222222222"
+            .parse()
+            .unwrap(),
+    });
+
+/// Complete HTTP header value to trigger the "bad actor" error
+pub static SPOOF_HEADER_BAD_ACTOR: Lazy<Authorization<Bearer>> =
+    Lazy::new(|| make_header_value_str(SPOOF_RESERVED_BAD_ACTOR).unwrap());
+
+/// Complete HTTP header value to trigger the "bad creds" error
+pub static SPOOF_HEADER_BAD_CREDS: Lazy<Authorization<Bearer>> =
+    Lazy::new(|| make_header_value_str(SPOOF_RESERVED_BAD_CREDS).unwrap());
 
 /// Implements a (test-only) authentication scheme where the client simply
 /// provides the actor information in a custom bearer token and we always trust

diff --git a/nexus/db-queries/src/authz/api_resources.rs b/nexus/db-queries/src/authz/api_resources.rs
@@ -42,9 +42,9 @@ use crate::db::DataStore;
 use authz_macros::authz_resource;
 use futures::future::BoxFuture;
 use futures::FutureExt;
-use lazy_static::lazy_static;
 use nexus_types::external_api::shared::{FleetRole, ProjectRole, SiloRole};
 use omicron_common::api::external::{Error, LookupType, ResourceType};
+use once_cell::sync::Lazy;
 use oso::PolarClass;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -169,9 +169,8 @@ pub struct Fleet;
 /// Singleton representing the [`Fleet`] itself for authz purposes
 pub const FLEET: Fleet = Fleet;
 
-lazy_static! {
-    pub static ref FLEET_LOOKUP: LookupType = LookupType::ById(*FLEET_ID);
-}
+pub static FLEET_LOOKUP: Lazy<LookupType> =
+    Lazy::new(|| LookupType::ById(*FLEET_ID));
 
 impl Eq for Fleet {}
 impl PartialEq for Fleet {

diff --git a/nexus/db-queries/src/db/datastore/silo_user.rs b/nexus/db-queries/src/db/datastore/silo_user.rs
@@ -363,11 +363,11 @@ impl DataStore {
         let builtin_users = [
             // Note: "db_init" is also a builtin user, but that one by necessity
             // is created with the database.
-            &*authn::USER_SERVICE_BALANCER,
-            &*authn::USER_INTERNAL_API,
-            &*authn::USER_INTERNAL_READ,
-            &*authn::USER_EXTERNAL_AUTHN,
-            &*authn::USER_SAGA_RECOVERY,
+            &authn::USER_SERVICE_BALANCER,
+            &authn::USER_INTERNAL_API,
+            &authn::USER_INTERNAL_READ,
+            &authn::USER_EXTERNAL_AUTHN,
+            &authn::USER_SAGA_RECOVERY,
         ]
         .iter()
         .map(|u| {

diff --git a/nexus/db-queries/src/db/fixed_data/mod.rs b/nexus/db-queries/src/db/fixed_data/mod.rs
@@ -31,7 +31,7 @@
 //    001de000-074c   built-in services vpc
 //    001de000-c470   built-in services vpc subnets
 
-use lazy_static::lazy_static;
+use once_cell::sync::Lazy;
 
 pub mod project;
 pub mod role_assignment;
@@ -43,13 +43,12 @@ pub mod vpc;
 pub mod vpc_firewall_rule;
 pub mod vpc_subnet;
 
-lazy_static! {
-    /* See above for where this uuid comes from. */
-    pub static ref FLEET_ID: uuid::Uuid =
-        "001de000-1334-4000-8000-000000000000"
-            .parse()
-            .expect("invalid uuid for builtin fleet id");
-}
+/* See above for where this uuid comes from. */
+pub static FLEET_ID: Lazy<uuid::Uuid> = Lazy::new(|| {
+    "001de000-1334-4000-8000-000000000000"
+        .parse()
+        .expect("invalid uuid for builtin fleet id")
+});
 
 #[cfg(test)]
 fn assert_valid_uuid(id: &uuid::Uuid) {

diff --git a/nexus/db-queries/src/db/fixed_data/project.rs b/nexus/db-queries/src/db/fixed_data/project.rs
@@ -4,18 +4,20 @@
 
 use crate::db;
 use crate::db::datastore::SERVICES_DB_NAME;
-use lazy_static::lazy_static;
 use nexus_types::external_api::params;
 use omicron_common::api::external::IdentityMetadataCreateParams;
+use once_cell::sync::Lazy;
 
-lazy_static! {
-    /// UUID of built-in project for internal services on the rack.
-    pub static ref SERVICES_PROJECT_ID: uuid::Uuid = "001de000-4401-4000-8000-000000000000"
+/// UUID of built-in project for internal services on the rack.
+pub static SERVICES_PROJECT_ID: Lazy<uuid::Uuid> = Lazy::new(|| {
+    "001de000-4401-4000-8000-000000000000"
         .parse()
-        .expect("invalid uuid for builtin services project id");
+        .expect("invalid uuid for builtin services project id")
+});
 
-    /// Built-in Project for internal services on the rack.
-    pub static ref SERVICES_PROJECT: db::model::Project = db::model::Project::new_with_id(
+/// Built-in Project for internal services on the rack.
+pub static SERVICES_PROJECT: Lazy<db::model::Project> = Lazy::new(|| {
+    db::model::Project::new_with_id(
         *SERVICES_PROJECT_ID,
         *super::silo::INTERNAL_SILO_ID,
         params::ProjectCreate {
@@ -24,5 +26,5 @@ lazy_static! {
                 description: "Built-in project for Oxide Services".to_string(),
             },
         },
-    );
-}
+    )
+});