openQA: prepare for prod deployment of latest releases

This unifies prod and stg onto the ways of doing things for the
latest packages, and rejigs the swtpm stuff a bit to tear down
more (we shouldn't need the custom SELinux policy any more).

Signed-off-by: Adam Williamson <awilliam@redhat.com>

inventory/group_vars/openqa

@@ -16,6 +16,9 @@ openqa_env_suffix:
 openqa_key: "{{ prod_openqa_apikey }}"
 # all our workers need NFS access
 openqa_nfs_workers: "{{ groups['openqa_workers'] }}"
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_resultsdb_url: http://resultsdb01.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_update_arches: ['x86_64']

inventory/group_vars/openqa_lab

@@ -19,11 +19,6 @@ freezes: false
 # is working again:
 # https://pagure.io/fedora-infrastructure/issue/8381
 openqa_amqp_wiki_reporter_queue:
-# lab-specific until newer openQA is on prod (2021-11)
-openqa_amqp_publisher_exchange: "amq.topic"
-openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
-openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
-openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 openqa_assetsize_ppc: 300
 openqa_compose_arches: x86_64,aarch64,ppc64le
 openqa_dbname: openqa-stg
@@ -42,8 +37,6 @@ openqa_nfs_workers: "{{ groups['openqa_lab_workers'] }}"
 # install openQA from updates-testing - this is staging, we live
 # ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79442168", "79272379"]
 openqa_resultsdb_url: http://resultsdb01.stg.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_update_arches: ['x86_64', 'ppc64le']

inventory/group_vars/openqa_lab_workers

@@ -21,8 +21,6 @@ openqa_nfs_worker: true
 # install openQA and os-autoinst from updates-testing - this is
 # staging, we live ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79299369", "79442168", "79272379"]
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa

inventory/group_vars/openqa_servers_common

@@ -16,9 +16,10 @@ openqa_amqp_mailto: ["adamwill@fedoraproject.org", "lruzicka@fedoraproject.org"]
 # we need this for all our fedora-messaging consumers as they are not
 # allowed to create queues on the infra AMQP broker, by broker config
 openqa_amqp_passive: true
-# openQA isn't very ssl-aware here, so we're abusing its URL construction
-# to stuff the cert and key values in here
-openqa_amqp_publisher_exchange: "amq.topic&cacertfile=/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem&certfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem&keyfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
+openqa_amqp_publisher_exchange: "amq.topic"
+openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
+openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
+openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 # fedora-messaging publisher settings
 openqa_amqp_publisher_prefix: org.fedoraproject.{{ fedmsg_env }}
 openqa_amqp_publisher_url: "amqps://openqa{{ openqa_env_suffix }}:@rabbitmq{{ openqa_env_suffix }}.fedoraproject.org/%2Fpubsub"

inventory/group_vars/openqa_workers

@@ -18,6 +18,9 @@ openqa_hostname: openqa01.iad2.fedoraproject.org
 openqa_key: "{{ prod_openqa_apikey }}"
 # we are all NFS workers for now at least
 openqa_nfs_worker: true
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa

roles/openqa/worker/files/openqa-swtpm@.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=openQA swtpm service
-
-[Service]
-User=_openqa-worker
-ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
-ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
-ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
-ExecReload=/bin/true
-Restart=on-success
-
-[Install]
-WantedBy=multi-user.target

roles/openqa/worker/files/systemd-swtpm.te

@@ -1,12 +0,0 @@
-
-module systemd-swtpm 1.0;
-
-require {
-	type init_t;
-	type swtpm_exec_t;
-	class file { execute execute_no_trans map open read };
-}
-
-#============= init_t ==============
-
-allow init_t swtpm_exec_t:file { execute execute_no_trans map open read };

roles/openqa/worker/tasks/main.yml

@@ -176,13 +176,19 @@
 # conditionals to account for four possibilities rather than two) and
 # for now it's fine to just assume the tap host(s) is/are also the
 # swtpm host(s)
-- include_tasks: swtpm-setup.yml
-  when: "openqa_tap|bool and (deployment_type is not defined or deployment_type != 'stg')"
+- name: Install swtpm packages
+  package:
+    name: ['swtpm', 'swtpm-tools']
+    state: latest
+    enablerepo: "{{ openqa_repo }}"
+  tags:
+  - packages
+  when: openqa_tap|bool
 
 # teardown swtpm services, since os-autoinst does this for us since
 # 7ae93f9f137b8cf7de22f0494a11ead5b7832e46
 - include_tasks: swtpm-teardown.yml
-  when: "openqa_tap|bool and (deployment_type is defined and deployment_type == 'foo')"
+  when: "openqa_tap|bool and (deployment_type is defined and deployment_type == 'prod')"
 
 - name: openQA client config
   template: src=client.conf.j2 dest=/etc/openqa/client.conf owner=_openqa-worker group=root mode=0600

roles/openqa/worker/tasks/swtpm-setup.yml

@@ -1,28 +0,0 @@
-- name: Install packages
-  package:
-    name: ['swtpm', 'swtpm-tools']
-    state: latest
-    enablerepo: "{{ openqa_repo }}"
-  tags:
-  - packages
-
-- name: Install openqa-swtpm service file
-  copy: src=openqa-swtpm@.service dest=/etc/systemd/system/openqa-swtpm@.service owner=root group=root mode=0644
-
-- name: Create somewhere to stick our custom SELinux module
-  file:
-    path: /usr/local/share/selinux
-    state: directory
-    mode: '0755'
-
-- name: Copy over custom SELinux module allowing systemd to run swtpm
-  copy: src=systemd-swtpm.pp dest=/usr/local/share/selinux/systemd-swtpm.pp owner=root group=root mode=0644
-  register: selinux_module
-
-- name: Load our custom SELinux module
-  command: semodule -i /usr/local/share/selinux/systemd-swtpm.pp
-  when: selinux_module is changed
-
-- name: Enable and start swtpm services
-  service: name=openqa-swtpm@{{ item }} enabled=yes state=started
-  loop: "{{ range(1, openqa_workers + 1)|list }}"

roles/openqa/worker/tasks/swtpm-teardown.yml

@@ -1,6 +1,13 @@
 - name: Stop and disable swtpm services
   service: name=openqa-swtpm@{{ item }} enabled=no state=stopped
   loop: "{{ range(1, openqa_workers + 1)|list }}"
+  when: "deployment_type is defined and deployment_type == 'prod'"
 
 - name: Remove openqa-swtpm service file
   file: path=/etc/systemd/system/openqa-swtpm@.service state=absent
+
+- name: Unload custom SELinux policy
+  command: semodule -l systemd-swtpm
+
+- name: Remove custom SELinux policy file
+  file: path=/usr/local/share/selinux/systemd-swtpm.pp state=absent