openqa/worker: set up swtpm service on tap worker hosts

swtpm is a TPM emulator we want to use for testing Clevis on
IoT (and potentially other things in future). We're implementing
this by having os-autoinst just add the qemu args but expect
swtpm itself to be running already - that's counted as the
sysadmin's responsibility. My approach to this is to have openQA
tap worker hosts also be tpm worker hosts, meaning they run one
instance of swtpm per worker instance (as a systemd service) and
are added to a 'tpm' worker class which tests can use to ensure
they run on a suitably-equipped worker. This sets up all of that.
We need a custom SELinux policy module to allow systemd to run
swtpm - this is blocked by default.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

roles/openqa/worker/files/openqa-swtpm@.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=openQA swtpm service
+
+[Service]
+User=_openqa-worker
+ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
+ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
+ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target

roles/openqa/worker/files/systemd-swtpm.te

@@ -0,0 +1,12 @@
+
+module systemd-swtpm 1.0;
+
+require {
+	type init_t;
+	type swtpm_exec_t;
+	class file { execute execute_no_trans map open read };
+}
+
+#============= init_t ==============
+
+allow init_t swtpm_exec_t:file { execute execute_no_trans map open read };

roles/openqa/worker/tasks/main.yml

@@ -13,7 +13,7 @@
 
 # Optional vars
 # - openqa_tap
-##      bool - whether this is the tap-enabled host or not
+##      bool - whether this is the tap- and swtpm-enabled host or not
 ##             each deployment should have *one* tap-capable worker host
 # - openqa_rngd
 ##      string - if set to any value, rng-tools package will be
@@ -134,6 +134,15 @@
 - import_tasks: tap-setup.yml
   when: openqa_tap is defined and openqa_tap
 
+# this is kinda lazy - we could have a separate openqa_swtpm var so we
+# we could potentially separate tap worker hosts from swtpm ones - but
+# it makes workers.ini templating annoyingly awkward (we need way more
+# conditionals to account for four possibilities rather than two) and
+# for now it's fine to just assume the tap host(s) is/are also the
+# swtpm host(s)
+- import_tasks: swtpm-setup.yml
+  when: openqa_tap is defined and openqa_tap
+
 - name: openQA client config
   template: src=client.conf.j2 dest=/etc/openqa/client.conf owner=_openqa-worker group=root mode=0600
   tags:

roles/openqa/worker/tasks/swtpm-setup.yml

@@ -0,0 +1,28 @@
+- name: Install packages
+  package:
+    name: ['swtpm', 'swtpm-tools']
+    state: latest
+    enablerepo: "{{ openqa_repo }}"
+  tags:
+  - packages
+
+- name: Install openqa-swtpm service file
+  copy: src=openqa-swtpm@.service dest=/etc/systemd/system/openqa-swtpm@.service owner=root group=root mode=0644
+
+- name: Create somewhere to stick our custom SELinux module
+  file:
+    path: /usr/local/share/selinux
+    state: directory
+    mode: '0755'
+
+- name: Copy over custom SELinux module allowing systemd to run swtpm
+  copy: src=systemd-swtpm.pp dest=/usr/local/share/selinux/systemd-swtpm.pp owner=root group=root mode=0644
+  register: selinux_module
+
+- name: Load our custom SELinux module
+  command: semodule -i /usr/local/share/selinux/systemd-swtpm.pp
+  when: selinux_module is changed
+
+- name: Enable and start swtpm services
+  service: name=openqa-swtpm@{{ item }} enabled=yes state=started
+  loop: "{{ range(1, openqa_workers + 1)|list }}"

roles/openqa/worker/templates/workers.ini.j2

@@ -4,10 +4,10 @@ HOST = http://{{ openqa_hostname|default('localhost') }}
 WORKER_CLASS = {{ openqa_worker_class }}
 {% elif openqa_tap is defined and openqa_tap %}
 {% if ansible_architecture == 'ppc64' or ansible_architecture == 'ppc64le' %}
-WORKER_CLASS = tap,qemu_ppc64le,qemu_ppc64
+WORKER_CLASS = tap,tpm,qemu_ppc64le,qemu_ppc64
 {% elif ansible_architecture == 'aarch64' %}
-WORKER_CLASS = tap,qemu_aarch64,qemu_arm
+WORKER_CLASS = tap,tpm,qemu_aarch64,qemu_arm
 {% else %}
-WORKER_CLASS = tap,qemu_x86_64,qemu_i686,qemu_i586
+WORKER_CLASS = tap,tpm,qemu_x86_64,qemu_i686,qemu_i586
 {% endif %}
 {% endif %}