apiserver: add network configure endpoint with netdog integration

Adds POST /actions/network/configure endpoint to write network configuration
content directly to /.bottlerocket/net.toml. Includes error handling for
UTF-8 validation, directory creation, and file writing operations.

The endpoint integrates with netdog commit functionality to apply network
configuration changes.

Signed-off-by: Yutong Sun <yutongsu@amazon.com>
Signed-off-by: Kyle Sessions <kssessio@amazon.com>

Author: ytsssun

sources/api/apiserver/src/server/error.rs

@@ -220,6 +220,18 @@ pub enum Error {
 
     // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
+    // Network configuration errors
+    #[snafu(display("Network configuration content is not valid UTF-8"))]
+    NetworkConfigContent { source: std::string::FromUtf8Error },
+
+    #[snafu(display("Failed to validate network configuration: {}", source))]
+    NetworkConfigValidation { source: std::io::Error },
+
+    #[snafu(display("Invalid network configuration: {}", stderr))]
+    NetworkConfigInvalid { stderr: String },
+
+    // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
     // Update related errors
     #[snafu(display("Unable to start the update dispatcher: {} ", source))]
     UpdateDispatcher { source: io::Error },

sources/api/apiserver/src/server/mod.rs

@@ -14,7 +14,7 @@ use actix_web::{
 use datastore::{serialize_scalar, Committed, FilesystemDataStore, Key, KeyType, Value};
 use error::Result;
 use http::StatusCode;
-use log::info;
+use log::{debug, info};
 use model::ephemeral_storage::{Bind, Init};
 use model::generator::{RawSettingsGenerator, Strength};
 use model::{ConfigurationFiles, Model, Report, Services, Settings};
@@ -137,6 +137,7 @@ where
                     .route("/prepare-update", web::post().to(prepare_update))
                     .route("/activate-update", web::post().to(activate_update))
                     .route("/deactivate-update", web::post().to(deactivate_update))
+                    .route("/network/configure", web::post().to(configure_network))
                     .route(
                         "/ephemeral-storage/init",
                         web::post().to(initialize_ephemeral_storage),
@@ -687,6 +688,44 @@ async fn reboot() -> Result<HttpResponse> {
     Ok(HttpResponse::NoContent().finish())
 }
 
+/// Configures network settings by writing invoking netdog commit.
+/// The configuration will be applied at next boot - a reboot is required for changes to take effect.
+async fn configure_network(body: web::Bytes) -> Result<HttpResponse> {
+    debug!("Configuring network settings");
+
+    // Convert the body bytes to a UTF-8 string
+    let content = String::from_utf8(body.to_vec()).context(error::NetworkConfigContentSnafu)?;
+
+    info!("Invoking netdog commit to validate and write network configuration");
+
+    // Validate and write net.toml using netdog commit
+    let validation_result = std::process::Command::new("/usr/bin/netdog")
+        .arg("commit")
+        .stdin(std::process::Stdio::piped())
+        .stdout(std::process::Stdio::piped())
+        .stderr(std::process::Stdio::piped())
+        .spawn()
+        .and_then(|mut child| {
+            use std::io::Write;
+            if let Some(stdin) = child.stdin.as_mut() {
+                stdin.write_all(content.as_bytes())?;
+            }
+            child.wait_with_output()
+        })
+        .context(error::NetworkConfigValidationSnafu)?;
+
+    if !validation_result.status.success() {
+        let stderr = String::from_utf8_lossy(&validation_result.stderr);
+        error!(
+            "netdog commit failed: network configuration validation failed: {}",
+            stderr
+        );
+        return error::NetworkConfigInvalidSnafu { stderr }.fail();
+    }
+
+    Ok(HttpResponse::NoContent().finish())
+}
+
 /// Gets the set of report types supported by this host.
 async fn list_reports() -> Result<ReportListResponse> {
     // Add each report to list response when adding a new handler
@@ -965,6 +1004,9 @@ impl ResponseError for error::Error {
             InvalidPrefix { .. } => StatusCode::BAD_REQUEST,
             DeserializeJson { .. } => StatusCode::BAD_REQUEST,
             InvalidKeyPair { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigContent { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigValidation { .. } => StatusCode::BAD_REQUEST,
+            NetworkConfigInvalid { .. } => StatusCode::BAD_REQUEST,
 
             // 404 Not Found
             MissingData { .. } => StatusCode::NOT_FOUND,

sources/api/openapi.yaml

@@ -722,6 +722,30 @@ paths:
         423:
           description: "Update write lock held. Try again in a moment"
 
+  /actions/network/configure:
+    post:
+      summary: "Configure network settings from net.toml content"
+      operationId: "configure_network"
+      requestBody:
+        required: true
+        content:
+          text/plain:
+            schema:
+              type: string
+            example: |
+              version = 2
+
+              [eth0]
+              dhcp4 = true
+              primary = true
+      responses:
+        204:
+          description: "Network configuration successfully written"
+        400:
+          description: "Invalid UTF-8 content or malformed configuration"
+        500:
+          description: "Server error writing configuration"
+
   /updates/status:
     get:
       summary: "Get update status"