diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa
index 4c14ea06f5..262a56bc70 100644
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@@ -16,6 +16,9 @@ openqa_env_suffix:
 openqa_key: "{{ prod_openqa_apikey }}"
 # all our workers need NFS access
 openqa_nfs_workers: "{{ groups['openqa_workers'] }}"
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_resultsdb_url: http://resultsdb01.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_update_arches: ['x86_64']
diff --git a/inventory/group_vars/openqa_lab b/inventory/group_vars/openqa_lab
index 18a57ee454..dcc7805c79 100644
--- a/inventory/group_vars/openqa_lab
+++ b/inventory/group_vars/openqa_lab
@@ -19,11 +19,6 @@ freezes: false
 # is working again:
 # https://pagure.io/fedora-infrastructure/issue/8381
 openqa_amqp_wiki_reporter_queue:
-# lab-specific until newer openQA is on prod (2021-11)
-openqa_amqp_publisher_exchange: "amq.topic"
-openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
-openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
-openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 openqa_assetsize_ppc: 300
 openqa_compose_arches: x86_64,aarch64,ppc64le
 openqa_dbname: openqa-stg
@@ -42,8 +37,6 @@ openqa_nfs_workers: "{{ groups['openqa_lab_workers'] }}"
 # install openQA from updates-testing - this is staging, we live
 # ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79442168", "79272379"]
 openqa_resultsdb_url: http://resultsdb01.stg.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_update_arches: ['x86_64', 'ppc64le']
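Review bot: The new `openqa_repo: updates-testing` line points production at a repository whose builds have not yet passed the updates-testing period, and the "for now" comment records no condition for reverting it; the same addition appears in the inventory/group_vars/openqa_workers hunk. On the workers this value is also what `enablerepo: "{{ openqa_repo }}"` in roles/openqa/worker/tasks/main.yml uses for the swtpm package install, so the effect reaches beyond the openQA packages themselves. Suggest extending the comment with the exit condition, e.g. `# TODO: revert to the default repo once the openQA builds we need land in stable updates`, so the temporary setting does not outlive its reason.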
diff --git a/inventory/group_vars/openqa_lab_workers b/inventory/group_vars/openqa_lab_workers
index e8b2976e54..2de4f878e1 100644
--- a/inventory/group_vars/openqa_lab_workers
+++ b/inventory/group_vars/openqa_lab_workers
@@ -21,8 +21,6 @@ openqa_nfs_worker: true
 # install openQA and os-autoinst from updates-testing - this is
 # staging, we live ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79299369", "79442168", "79272379"]
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa
diff --git a/inventory/group_vars/openqa_servers_common b/inventory/group_vars/openqa_servers_common
index 8587e14e88..295ffbbe9d 100644
--- a/inventory/group_vars/openqa_servers_common
+++ b/inventory/group_vars/openqa_servers_common
@@ -16,9 +16,10 @@ openqa_amqp_mailto: ["adamwill@fedoraproject.org", "lruzicka@fedoraproject.org"]
 # we need this for all our fedora-messaging consumers as they are not
 # allowed to create queues on the infra AMQP broker, by broker config
 openqa_amqp_passive: true
-# openQA isn't very ssl-aware here, so we're abusing its URL construction
-# to stuff the cert and key values in here
-openqa_amqp_publisher_exchange: "amq.topic&cacertfile=/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem&certfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem&keyfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
+openqa_amqp_publisher_exchange: "amq.topic"
+openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
+openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
+openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 # fedora-messaging publisher settings
 openqa_amqp_publisher_prefix: org.fedoraproject.{{ fedmsg_env }}
 openqa_amqp_publisher_url: "amqps://openqa{{ openqa_env_suffix }}:@rabbitmq{{ openqa_env_suffix }}.fedoraproject.org/%2Fpubsub"
diff --git a/inventory/group_vars/openqa_workers b/inventory/group_vars/openqa_workers
index ae6fe400e7..d6142cd96e 100644
--- a/inventory/group_vars/openqa_workers
+++ b/inventory/group_vars/openqa_workers
@@ -18,6 +18,9 @@ openqa_hostname: openqa01.iad2.fedoraproject.org
 openqa_key: "{{ prod_openqa_apikey }}"
 # we are all NFS workers for now at least
 openqa_nfs_worker: true
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa
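Review bot: The four new `openqa_amqp_publisher_*` keys replace a value that smuggled the TLS file paths into the exchange string, but nothing in this file records that the split form needs the newer openQA build; the only traces are the removed `# lab-specific until newer openQA is on prod (2021-11)` comment in inventory/group_vars/openqa_lab and the parallel switch of prod to `openqa_repo: updates-testing`. If prod's repo is reverted before that build reaches stable, an older openQA would presumably not read these keys and the publisher would connect without its client certificate, so the dependency deserves a line here, e.g. `# separate TLS file settings; need the newer openQA (2021-11 builds) on every host using this file`. It would also help to say what the three files are for, since `openqa_amqp_publisher_url` below carries an empty password and the cert/key appear to be what authenticates the publisher to the broker — something like `# CA, client cert and key for TLS client auth to the AMQP broker`, to be confirmed against the openQA config template.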
diff --git a/roles/openqa/worker/files/openqa-swtpm@.service b/roles/openqa/worker/files/openqa-swtpm@.service
deleted file mode 100644
index e078ba1b9a..0000000000
--- a/roles/openqa/worker/files/openqa-swtpm@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=openQA swtpm service
-
-[Service]
-User=_openqa-worker
-ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
-ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
-ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
-ExecReload=/bin/true
-Restart=on-success
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/openqa/worker/files/systemd-swtpm.pp b/roles/openqa/worker/files/systemd-swtpm.pp
deleted file mode 100644
index 095e54a361..0000000000
Binary files a/roles/openqa/worker/files/systemd-swtpm.pp and /dev/null differ
diff --git a/roles/openqa/worker/files/systemd-swtpm.te b/roles/openqa/worker/files/systemd-swtpm.te
deleted file mode 100644
index 6fa8ddc1b5..0000000000
--- a/roles/openqa/worker/files/systemd-swtpm.te
+++ /dev/null
@@ -1,12 +0,0 @@
-
-module systemd-swtpm 1.0;
-
-require {
- type init_t;
- type swtpm_exec_t;
- class file { execute execute_no_trans map open read };
-}
-
-#============= init_t ==============
-
-allow init_t swtpm_exec_t:file { execute execute_no_trans map open read };
diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml
index 47e15f57e1..ecfaa06be5 100644
--- a/roles/openqa/worker/tasks/main.yml
+++ b/roles/openqa/worker/tasks/main.yml
@@ -176,13 +176,19 @@
 # conditionals to account for four possibilities rather than two) and
 # for now it's fine to just assume the tap host(s) is/are also the
 # swtpm host(s)
-- include_tasks: swtpm-setup.yml
-  when: "openqa_tap|bool and (deployment_type is not defined or deployment_type != 'stg')"
+- name: Install swtpm packages
+  package:
+    name: ['swtpm', 'swtpm-tools']
+    state: latest
+    enablerepo: "{{ openqa_repo }}"
+  tags:
+    - packages
+  when: openqa_tap|bool
 
 # teardown swtpm services, since os-autoinst does this for us since
 # 7ae93f9f137b8cf7de22f0494a11ead5b7832e46
 - include_tasks: swtpm-teardown.yml
-  when: "openqa_tap|bool and (deployment_type is defined and deployment_type == 'foo')"
+  when: "openqa_tap|bool and (deployment_type is defined and deployment_type == 'prod')"
 
 - name: openQA client config
   template: src=client.conf.j2 dest=/etc/openqa/client.conf owner=_openqa-worker group=root mode=0600
diff --git a/roles/openqa/worker/tasks/swtpm-setup.yml b/roles/openqa/worker/tasks/swtpm-setup.yml
deleted file mode 100644
index fd59a0cc49..0000000000
--- a/roles/openqa/worker/tasks/swtpm-setup.yml
+++ /dev/null
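Review bot: The inlined `Install swtpm packages` task keeps `state: latest` together with `enablerepo: "{{ openqa_repo }}"`, so every playbook run can now upgrade swtpm and swtpm-tools from updates-testing on production workers, where the old include only ran on non-staging hosts; if unattended upgrades from a pre-stable repo are not intended, `state: present` installs once and leaves upgrades to a deliberate run. The teardown include's guard changes to `deployment_type == 'prod'` while the first task inside swtpm-teardown.yml now repeats the same condition, so either keep the two in sync or drop the inner one. The task list continues outside the hunk.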
@@ -1,28 +0,0 @@
-- name: Install packages
-  package:
-    name: ['swtpm', 'swtpm-tools']
-    state: latest
-    enablerepo: "{{ openqa_repo }}"
-  tags:
-    - packages
-
-- name: Install openqa-swtpm service file
-  copy: src=openqa-swtpm@.service dest=/etc/systemd/system/openqa-swtpm@.service owner=root group=root mode=0644
-
-- name: Create somewhere to stick our custom SELinux module
-  file:
-    path: /usr/local/share/selinux
-    state: directory
-    mode: '0755'
-
-- name: Copy over custom SELinux module allowing systemd to run swtpm
-  copy: src=systemd-swtpm.pp dest=/usr/local/share/selinux/systemd-swtpm.pp owner=root group=root mode=0644
-  register: selinux_module
-
-- name: Load our custom SELinux module
-  command: semodule -i /usr/local/share/selinux/systemd-swtpm.pp
-  when: selinux_module is changed
-
-- name: Enable and start swtpm services
-  service: name=openqa-swtpm@{{ item }} enabled=yes state=started
-  loop: "{{ range(1, openqa_workers + 1)|list }}"
diff --git a/roles/openqa/worker/tasks/swtpm-teardown.yml b/roles/openqa/worker/tasks/swtpm-teardown.yml
index 00bf639cdd..5cadc3de12 100644
--- a/roles/openqa/worker/tasks/swtpm-teardown.yml
+++ b/roles/openqa/worker/tasks/swtpm-teardown.yml
@@ -1,6 +1,13 @@
 - name: Stop and disable swtpm services
   service: name=openqa-swtpm@{{ item }} enabled=no state=stopped
   loop: "{{ range(1, openqa_workers + 1)|list }}"
+  when: "deployment_type is defined and deployment_type == 'prod'"
 
 - name: Remove openqa-swtpm service file
   file: path=/etc/systemd/system/openqa-swtpm@.service state=absent
+
+- name: Unload custom SELinux policy
+  command: semodule -l systemd-swtpm
+
+- name: Remove custom SELinux policy file
+  file: path=/usr/local/share/selinux/systemd-swtpm.pp state=absent
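Review bot: The new `Unload custom SELinux policy` task runs `semodule -l systemd-swtpm`, which lists installed modules rather than removing one, so the systemd-swtpm module that lets init_t execute swtpm stays loaded while the next task deletes its .pp file; removal is `semodule -r systemd-swtpm`. As a bare `command` it also reports changed on every run, and once the module is really gone an unconditional `semodule -r` would fail, so the removal should be gated on the module being present. The rewrite below lists modules first and removes only when the name is found; the `prod` guard added to the stop/disable task duplicates the one on the include in roles/openqa/worker/tasks/main.yml, which is redundant but harmless.
```yaml
# … unchanged: stop/disable services and remove the unit file …

- name: Check whether the custom SELinux policy is loaded
  command: semodule -l
  register: semodule_list
  changed_when: false

- name: Unload custom SELinux policy
  command: semodule -r systemd-swtpm
  when: "'systemd-swtpm' in semodule_list.stdout"

- name: Remove custom SELinux policy file
  file: path=/usr/local/share/selinux/systemd-swtpm.pp state=absent
```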