From 224e28131d80cb4a822acc57c75f28e9d867a296 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Mon, 6 Dec 2021 10:39:11 -0800
Subject: [PATCH] openQA: prepare for prod deployment of latest releases This unifies prod and stg onto the ways of doing things for the latest packages, and rejigs the swtpm stuff a bit to tear down more (we shouldn't need the custom SELinux policy any more).
Signed-off-by: Adam Williamson
---
 inventory/group_vars/openqa | 3 ++
 inventory/group_vars/openqa_lab | 7 -----
 inventory/group_vars/openqa_lab_workers | 2 --
 inventory/group_vars/openqa_servers_common | 7 +++--
 inventory/group_vars/openqa_workers | 3 ++
 .../openqa/worker/files/openqa-swtpm@.service | 13 --------
 roles/openqa/worker/files/systemd-swtpm.pp | Bin 1101 -> 0 bytes
 roles/openqa/worker/files/systemd-swtpm.te | 12 --------
 roles/openqa/worker/tasks/main.yml | 12 ++++++--
 roles/openqa/worker/tasks/swtpm-setup.yml | 28 ------------------
 roles/openqa/worker/tasks/swtpm-teardown.yml | 7 +++++
 11 files changed, 26 insertions(+), 68 deletions(-)
 delete mode 100644 roles/openqa/worker/files/openqa-swtpm@.service
 delete mode 100644 roles/openqa/worker/files/systemd-swtpm.pp
 delete mode 100644 roles/openqa/worker/files/systemd-swtpm.te
 delete mode 100644 roles/openqa/worker/tasks/swtpm-setup.yml
diff --git a/inventory/group_vars/openqa b/inventory/group_vars/openqa
index 4c14ea06f5..262a56bc70 100644
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@@ -16,6 +16,9 @@ openqa_env_suffix:
 openqa_key: "{{ prod_openqa_apikey }}"
 # all our workers need NFS access
 openqa_nfs_workers: "{{ groups['openqa_workers'] }}"
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_resultsdb_url: http://resultsdb01.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_update_arches: ['x86_64']
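Review bot: The added `openqa_repo: updates-testing` puts the production openQA servers on the updates-testing repo with only "for now" as a limit, so nothing records when prod should return to the stable repo, and packages that have not completed the 7 day threshold keep being installed there in the meantime. The same three lines are added in the `inventory/group_vars/openqa_workers` hunk. The lab entries this patch removes were dated (`2021-11`), which made them easy to find and drop; a dated marker would do the same here, e.g. `# TEMPORARY (2021-12): drop openqa_repo once these openQA builds reach stable`. How the role consumes `openqa_repo` is not visible in the part of the patch shown here.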
diff --git a/inventory/group_vars/openqa_lab b/inventory/group_vars/openqa_lab
index 18a57ee454..dcc7805c79 100644
--- a/inventory/group_vars/openqa_lab
+++ b/inventory/group_vars/openqa_lab
@@ -19,11 +19,6 @@ freezes: false
 # is working again:
 # https://pagure.io/fedora-infrastructure/issue/8381
 openqa_amqp_wiki_reporter_queue:
-# lab-specific until newer openQA is on prod (2021-11)
-openqa_amqp_publisher_exchange: "amq.topic"
-openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
-openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
-openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 openqa_assetsize_ppc: 300
 openqa_compose_arches: x86_64,aarch64,ppc64le
 openqa_dbname: openqa-stg
@@ -42,8 +37,6 @@ openqa_nfs_workers: "{{ groups['openqa_lab_workers'] }}"
 # install openQA from updates-testing - this is staging, we live
 # ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79442168", "79272379"]
 openqa_resultsdb_url: http://resultsdb01.stg.iad2.fedoraproject.org/resultsdb_api/api/v2.0/
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_update_arches: ['x86_64', 'ppc64le']
diff --git a/inventory/group_vars/openqa_lab_workers b/inventory/group_vars/openqa_lab_workers
index e8b2976e54..2de4f878e1 100644
--- a/inventory/group_vars/openqa_lab_workers
+++ b/inventory/group_vars/openqa_lab_workers
@@ -21,8 +21,6 @@ openqa_nfs_worker: true
 # install openQA and os-autoinst from updates-testing - this is
 # staging, we live ON THE EDGE (radical guitar riff)
 openqa_repo: updates-testing
-# 2021-11 scratch builds for testing (plus the updated Mojolicious needed)
-openqa_scratch: ["79299369", "79442168", "79272379"]
 openqa_secret: "{{ stg_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa
diff --git a/inventory/group_vars/openqa_servers_common b/inventory/group_vars/openqa_servers_common
index 8587e14e88..295ffbbe9d 100644
--- a/inventory/group_vars/openqa_servers_common
+++ b/inventory/group_vars/openqa_servers_common
@@ -16,9 +16,10 @@ openqa_amqp_mailto: ["adamwill@fedoraproject.org", "lruzicka@fedoraproject.org"]
 # we need this for all our fedora-messaging consumers as they are not
 # allowed to create queues on the infra AMQP broker, by broker config
 openqa_amqp_passive: true
-# openQA isn't very ssl-aware here, so we're abusing its URL construction
-# to stuff the cert and key values in here
-openqa_amqp_publisher_exchange: "amq.topic&cacertfile=/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem&certfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem&keyfile=/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
+openqa_amqp_publisher_exchange: "amq.topic"
+openqa_amqp_publisher_cacertfile: "/etc/fedora-messaging/{{ openqa_env_prefix }}cacert.pem"
+openqa_amqp_publisher_certfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-cert.pem"
+openqa_amqp_publisher_keyfile: "/etc/pki/fedora-messaging/openqa{{ openqa_env_suffix }}-key.pem"
 # fedora-messaging publisher settings
 openqa_amqp_publisher_prefix: org.fedoraproject.{{ fedmsg_env }}
 openqa_amqp_publisher_url: "amqps://openqa{{ openqa_env_suffix }}:@rabbitmq{{ openqa_env_suffix }}.fedoraproject.org/%2Fpubsub"
diff --git a/inventory/group_vars/openqa_workers b/inventory/group_vars/openqa_workers
index ae6fe400e7..d6142cd96e 100644
--- a/inventory/group_vars/openqa_workers
+++ b/inventory/group_vars/openqa_workers
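Review bot: The new `openqa_amqp_publisher_cacertfile`, `openqa_amqp_publisher_certfile` and `openqa_amqp_publisher_keyfile` variables in the `openqa_servers_common` hunk land without any comment, while the comment that explained the old URL-stuffed exchange value is removed. The remaining `# fedora-messaging publisher settings` line sits below them and so reads as covering only the prefix and URL. Moving that comment above `openqa_amqp_publisher_exchange` and extending it would keep the block self-explanatory, e.g. `# fedora-messaging publisher settings; the TLS CA, client cert and key are separate settings, which needs an openQA build that reads them`. The template that consumes these variables is not among the files in this patch's diffstat, so it is worth confirming that no host in this group still runs an openQA build expecting the old form, since `openqa_amqp_publisher_url` carries no password and presumably relies on the client certificate.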
@@ -18,6 +18,9 @@ openqa_hostname: openqa01.iad2.fedoraproject.org
 openqa_key: "{{ prod_openqa_apikey }}"
 # we are all NFS workers for now at least
 openqa_nfs_worker: true
+# install openQA from updates-testing for now, we want to update to
+# latest builds, don't want to wait for the 7 day threshold
+openqa_repo: updates-testing
 openqa_secret: "{{ prod_openqa_apisecret }}"
 openqa_workers: 4
 primary_auth_source: ipa
diff --git a/roles/openqa/worker/files/openqa-swtpm@.service b/roles/openqa/worker/files/openqa-swtpm@.service
deleted file mode 100644
index e078ba1b9a..0000000000
--- a/roles/openqa/worker/files/openqa-swtpm@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=openQA swtpm service
-
-[Service]
-User=_openqa-worker
-ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
-ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
-ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
-ExecReload=/bin/true
-Restart=on-success
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/openqa/worker/files/systemd-swtpm.pp b/roles/openqa/worker/files/systemd-swtpm.pp
deleted file mode 100644
index 095e54a3612c2853eebec8dd25c1bd20a5054159..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 1101 zcmcIj%TB{E5F9Ab9zby5#)1AoEBFI0+~C9qSfMdes>X>DM--{QfcV~?iiYk=D+}M+ zkyf_%H4|t3v)gP>0MKp#eD5~fYXEQ0)0Zj?>*;G#4l92O;8xNm*y9R7|J6rdm$Uve zw)F_W%1eNHS z>@+>=YE=%u)0&tR*xdh;S3RJA4Sg3-f6FUDazFx%6};6 ff8%@N-Wp$nz5<;e#&xRg