diff --git a/roles/openqa/worker/files/openqa-swtpm@.service b/roles/openqa/worker/files/openqa-swtpm@.service
new file mode 100644
index 0000000000..583de07b6a
--- /dev/null
+++ b/roles/openqa/worker/files/openqa-swtpm@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=openQA swtpm service
+
+[Service]
+User=_openqa-worker
+ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
+ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
+ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/openqa/worker/files/systemd-swtpm.pp b/roles/openqa/worker/files/systemd-swtpm.pp
new file mode 100644
index 0000000000..095e54a361
Binary files /dev/null and b/roles/openqa/worker/files/systemd-swtpm.pp differ
diff --git a/roles/openqa/worker/files/systemd-swtpm.te b/roles/openqa/worker/files/systemd-swtpm.te
new file mode 100644
index 0000000000..6fa8ddc1b5
--- /dev/null
+++ b/roles/openqa/worker/files/systemd-swtpm.te
@@ -0,0 +1,12 @@
+
+module systemd-swtpm 1.0;
+
+require {
+	type init_t;
+	type swtpm_exec_t;
+	class file { execute execute_no_trans map open read };
+}
+
+#============= init_t ==============
+
+allow init_t swtpm_exec_t:file { execute execute_no_trans map open read };
diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml
index 2da6077eaf..9ca10c6f37 100644
--- a/roles/openqa/worker/tasks/main.yml
+++ b/roles/openqa/worker/tasks/main.yml
@@ -13,7 +13,7 @@
 # Optional vars
 # - openqa_tap
-## bool - whether this is the tap-enabled host or not
+## bool - whether this is the tap- and swtpm-enabled host or not
 ## each deployment should have *one* tap-capable worker host
 # - openqa_rngd
 ## string - if set to any value, rng-tools package will be
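Review bot: The per-instance TPM state directory and control socket live at the predictable path `/tmp/mytpm%I` in the shared, sticky /tmp, and the two ExecStartPre steps do not protect it: the `rm -rf` is marked ignorable by its leading `-`, and `mkdir -p` succeeds on a directory that already exists, so a same-named directory created beforehand by any other local user survives both steps and swtpm then keeps its state and listens on its socket inside it. Letting systemd own the directory via `RuntimeDirectory=` avoids the predictable /tmp path, hands it to `_openqa-worker` with a restrictive mode, and removes it on stop, which also replaces the manual wipe; the socket can additionally be given an explicit `mode=` in `--ctrl`. Whatever consumes the socket path (not in this diff, presumably the qemu invocation) would need the new path, and a 0700 directory mode assumes qemu runs as `_openqa-worker` as well — confirm both before changing. `ExecReload=/bin/true` is a no-op and can simply be dropped.
```ini
[Service]
User=_openqa-worker
# Per-instance state and control socket under /run/openqa-swtpm/%i, created by
# systemd for the service user and removed on stop, instead of a guessable /tmp path.
RuntimeDirectory=openqa-swtpm/%i
RuntimeDirectoryMode=0700
ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/run/openqa-swtpm/%i --ctrl type=unixio,path=/run/openqa-swtpm/%i/swtpm-sock,mode=0600 --log level=20
; … unchanged: [Unit] and [Install] sections …
```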
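Review bot: The allow rule grants `init_t` `execute_no_trans` on `swtpm_exec_t`, so swtpm started from the unit keeps running in systemd's init domain instead of transitioning into any confined swtpm domain the base policy may define, and the module does not say so; that widening of what `init_t` may execute deserves an explicit note for whoever maintains the policy later. A header comment along the lines of `# Lets systemd (init_t) execute swtpm with no domain transition, so swtpm inherits init_t. Prefer a type_transition into a confined swtpm domain if the base policy provides one.` would record the trade-off. The `systemd-swtpm.pp` added alongside is the prebuilt form of this source, so any narrowing of the rule has to be rebuilt into it as well.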
@@ -134,6 +134,15 @@
 - import_tasks: tap-setup.yml
   when: openqa_tap is defined and openqa_tap
 
+# this is kinda lazy - we could have a separate openqa_swtpm var so we
+# we could potentially separate tap worker hosts from swtpm ones - but
+# it makes workers.ini templating annoyingly awkward (we need way more
+# conditionals to account for four possibilities rather than two) and
+# for now it's fine to just assume the tap host(s) is/are also the
+# swtpm host(s)
+- import_tasks: swtpm-setup.yml
+  when: openqa_tap is defined and openqa_tap
+
 - name: openQA client config
   template: src=client.conf.j2 dest=/etc/openqa/client.conf owner=_openqa-worker group=root mode=0600
   tags:
diff --git a/roles/openqa/worker/tasks/swtpm-setup.yml b/roles/openqa/worker/tasks/swtpm-setup.yml
new file mode 100644
index 0000000000..fd59a0cc49
--- /dev/null
+++ b/roles/openqa/worker/tasks/swtpm-setup.yml
@@ -0,0 +1,28 @@
+- name: Install packages
+  package:
+    name: ['swtpm', 'swtpm-tools']
+    state: latest
+    enablerepo: "{{ openqa_repo }}"
+  tags:
+  - packages
+
+- name: Install openqa-swtpm service file
+  copy: src=openqa-swtpm@.service dest=/etc/systemd/system/openqa-swtpm@.service owner=root group=root mode=0644
+
+- name: Create somewhere to stick our custom SELinux module
+  file:
+    path: /usr/local/share/selinux
+    state: directory
+    mode: '0755'
+
+- name: Copy over custom SELinux module allowing systemd to run swtpm
+  copy: src=systemd-swtpm.pp dest=/usr/local/share/selinux/systemd-swtpm.pp owner=root group=root mode=0644
+  register: selinux_module
+
+- name: Load our custom SELinux module
+  command: semodule -i /usr/local/share/selinux/systemd-swtpm.pp
+  when: selinux_module is changed
+
+- name: Enable and start swtpm services
+  service: name=openqa-swtpm@{{ item }} enabled=yes state=started
+  loop: "{{ range(1, openqa_workers + 1)|list }}"
diff --git a/roles/openqa/worker/templates/workers.ini.j2 b/roles/openqa/worker/templates/workers.ini.j2
index 71d753c445..a32ee540ec 100644
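Review bot: The SELinux module is loaded from the prebuilt binary `systemd-swtpm.pp` checked into the role, so nothing on the host ties the policy actually loaded to the `systemd-swtpm.te` source added in the same commit; the binary cannot be reviewed in a diff, and a later edit to the `.te` without a matching rebuild would silently leave the old rules in force. Building the module on the target from the `.te` with `checkmodule` and `semodule_package` (`checkmodule` ships in the checkpolicy package, which would need adding to the package list) keeps source and loaded policy in step, as sketched below. Separately, the unit-file copy is not followed by a daemon-reload: the first start of a never-seen unit works, but a later change to `openqa-swtpm@.service` is not picked up by the `Enable and start swtpm services` task, so registering the copy and running `systemd: daemon_reload: yes` when it changed (or notifying a handler) would cover that. `state: latest` on the package task also means every run may upgrade swtpm outside a deliberate change window.
```yaml
# … unchanged: package install, service-file copy, directory creation …

- name: Copy over custom SELinux module source allowing systemd to run swtpm
  copy: src=systemd-swtpm.te dest=/usr/local/share/selinux/systemd-swtpm.te owner=root group=root mode=0644
  register: selinux_module

- name: Build and load our custom SELinux module from source
  shell: checkmodule -M -m -o systemd-swtpm.mod systemd-swtpm.te && semodule_package -o systemd-swtpm.pp -m systemd-swtpm.mod && semodule -i systemd-swtpm.pp
  args:
    chdir: /usr/local/share/selinux
  when: selinux_module is changed

# … unchanged: enable and start swtpm services …
```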
--- a/roles/openqa/worker/templates/workers.ini.j2
+++ b/roles/openqa/worker/templates/workers.ini.j2
@@ -4,10 +4,10 @@ HOST = http://{{ openqa_hostname|default('localhost') }}
 WORKER_CLASS = {{ openqa_worker_class }}
 {% elif openqa_tap is defined and openqa_tap %}
 {% if ansible_architecture == 'ppc64' or ansible_architecture == 'ppc64le' %}
-WORKER_CLASS = tap,qemu_ppc64le,qemu_ppc64
+WORKER_CLASS = tap,tpm,qemu_ppc64le,qemu_ppc64
 {% elif ansible_architecture == 'aarch64' %}
-WORKER_CLASS = tap,qemu_aarch64,qemu_arm
+WORKER_CLASS = tap,tpm,qemu_aarch64,qemu_arm
 {% else %}
-WORKER_CLASS = tap,qemu_x86_64,qemu_i686,qemu_i586
+WORKER_CLASS = tap,tpm,qemu_x86_64,qemu_i686,qemu_i586
 {% endif %}
 {% endif %}