From 6b196e70ab0a3cd369ddff5eca82524ec6efada3 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 24 Jun 2020 16:47:51 -0700
Subject: [PATCH] openqa/worker: set up swtpm service on tap worker hosts

swtpm is a TPM emulator we want to use for testing Clevis on
IoT (and potentially other things in future). We're implementing
this by having os-autoinst just add the qemu args but expect
swtpm itself to be running already - that's counted as the
sysadmin's responsibility. My approach to this is to have openQA
tap worker hosts also be tpm worker hosts, meaning they run one
instance of swtpm per worker instance (as a systemd service) and
are added to a 'tpm' worker class which tests can use to ensure
they run on a suitably-equipped worker. This sets up all of that.
We need a custom SELinux policy module to allow systemd to run
swtpm - this is blocked by default.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
 .../openqa/worker/files/openqa-swtpm@.service |  12 ++++++++
 roles/openqa/worker/files/systemd-swtpm.pp    | Bin 0 -> 1101 bytes
 roles/openqa/worker/files/systemd-swtpm.te    |  12 ++++++++
 roles/openqa/worker/tasks/main.yml            |  11 ++++++-
 roles/openqa/worker/tasks/swtpm-setup.yml     |  28 ++++++++++++++++++
 roles/openqa/worker/templates/workers.ini.j2  |   6 ++--
 6 files changed, 65 insertions(+), 4 deletions(-)
 create mode 100644 roles/openqa/worker/files/openqa-swtpm@.service
 create mode 100644 roles/openqa/worker/files/systemd-swtpm.pp
 create mode 100644 roles/openqa/worker/files/systemd-swtpm.te
 create mode 100644 roles/openqa/worker/tasks/swtpm-setup.yml

diff --git a/roles/openqa/worker/files/openqa-swtpm@.service b/roles/openqa/worker/files/openqa-swtpm@.service
new file mode 100644
index 0000000000..583de07b6a
--- /dev/null
+++ b/roles/openqa/worker/files/openqa-swtpm@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=openQA swtpm service
+
+[Service]
+User=_openqa-worker
+ExecStartPre=-/usr/bin/rm -rf /tmp/mytpm%I
+ExecStartPre=/usr/bin/mkdir -p /tmp/mytpm%I
+ExecStart=/usr/bin/swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm%I --ctrl type=unixio,path=/tmp/mytpm%I/swtpm-sock --log level=20
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/openqa/worker/files/systemd-swtpm.pp b/roles/openqa/worker/files/systemd-swtpm.pp
new file mode 100644
index 0000000000000000000000000000000000000000..095e54a3612c2853eebec8dd25c1bd20a5054159
GIT binary patch
literal 1101
zcmcIj%TB{E5F9Ab9zby5#)1AoEBFI0+~C9qSfMdes>X>DM--{QfcV~?iiYk=D+}M+
zkyf_%H4|t3v)gP>0MKp#eD5~fYXEQ0)0Zj?>*;G#4l92O;8xNm*y9R7|J6rdm$Uve
zw)F_W<NV=C;ucDACQhEu#fXn;<ylUvi*_tje(e`S^sHib=ZlgesYXIBG%j{U=$S)n
zS|5~+O1USR_oZJ%*I9MBy~4)HNxPI)IS8BgcN324T)YteTy7Pr=%TXapw;>%1eNHS
z>@+>=YE=<w9($<Yg7q}srtNhMjyp>%u)0&tR*xdh;S3RJA4Sg3-f6FUDazFx%6};6
ff8%@N-Wp$nz5<;e#&xRg<k~t;@qSXR_doms0pCN8

literal 0
HcmV?d00001

diff --git a/roles/openqa/worker/files/systemd-swtpm.te b/roles/openqa/worker/files/systemd-swtpm.te
new file mode 100644
index 0000000000..6fa8ddc1b5
--- /dev/null
+++ b/roles/openqa/worker/files/systemd-swtpm.te
@@ -0,0 +1,12 @@
+
+module systemd-swtpm 1.0;
+
+require {
+	type init_t;
+	type swtpm_exec_t;
+	class file { execute execute_no_trans map open read };
+}
+
+#============= init_t ==============
+
+allow init_t swtpm_exec_t:file { execute execute_no_trans map open read };
diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml
index 2da6077eaf..9ca10c6f37 100644
--- a/roles/openqa/worker/tasks/main.yml
+++ b/roles/openqa/worker/tasks/main.yml
@@ -13,7 +13,7 @@
 
 # Optional vars
 # - openqa_tap
-##      bool - whether this is the tap-enabled host or not
+##      bool - whether this is the tap- and swtpm-enabled host or not
 ##             each deployment should have *one* tap-capable worker host
 # - openqa_rngd
 ##      string - if set to any value, rng-tools package will be
@@ -134,6 +134,15 @@
 - import_tasks: tap-setup.yml
   when: openqa_tap is defined and openqa_tap
 
+# this is kinda lazy - we could have a separate openqa_swtpm var so we
+# we could potentially separate tap worker hosts from swtpm ones - but
+# it makes workers.ini templating annoyingly awkward (we need way more
+# conditionals to account for four possibilities rather than two) and
+# for now it's fine to just assume the tap host(s) is/are also the
+# swtpm host(s)
+- import_tasks: swtpm-setup.yml
+  when: openqa_tap is defined and openqa_tap
+
 - name: openQA client config
   template: src=client.conf.j2 dest=/etc/openqa/client.conf owner=_openqa-worker group=root mode=0600
   tags:
diff --git a/roles/openqa/worker/tasks/swtpm-setup.yml b/roles/openqa/worker/tasks/swtpm-setup.yml
new file mode 100644
index 0000000000..fd59a0cc49
--- /dev/null
+++ b/roles/openqa/worker/tasks/swtpm-setup.yml
@@ -0,0 +1,28 @@
+- name: Install packages
+  package:
+    name: ['swtpm', 'swtpm-tools']
+    state: latest
+    enablerepo: "{{ openqa_repo }}"
+  tags:
+  - packages
+
+- name: Install openqa-swtpm service file
+  copy: src=openqa-swtpm@.service dest=/etc/systemd/system/openqa-swtpm@.service owner=root group=root mode=0644
+
+- name: Create somewhere to stick our custom SELinux module
+  file:
+    path: /usr/local/share/selinux
+    state: directory
+    mode: '0755'
+
+- name: Copy over custom SELinux module allowing systemd to run swtpm
+  copy: src=systemd-swtpm.pp dest=/usr/local/share/selinux/systemd-swtpm.pp owner=root group=root mode=0644
+  register: selinux_module
+
+- name: Load our custom SELinux module
+  command: semodule -i /usr/local/share/selinux/systemd-swtpm.pp
+  when: selinux_module is changed
+
+- name: Enable and start swtpm services
+  service: name=openqa-swtpm@{{ item }} enabled=yes state=started
+  loop: "{{ range(1, openqa_workers + 1)|list }}"
diff --git a/roles/openqa/worker/templates/workers.ini.j2 b/roles/openqa/worker/templates/workers.ini.j2
index 71d753c445..a32ee540ec 100644
--- a/roles/openqa/worker/templates/workers.ini.j2
+++ b/roles/openqa/worker/templates/workers.ini.j2
@@ -4,10 +4,10 @@ HOST = http://{{ openqa_hostname|default('localhost') }}
 WORKER_CLASS = {{ openqa_worker_class }}
 {% elif openqa_tap is defined and openqa_tap %}
 {% if ansible_architecture == 'ppc64' or ansible_architecture == 'ppc64le' %}
-WORKER_CLASS = tap,qemu_ppc64le,qemu_ppc64
+WORKER_CLASS = tap,tpm,qemu_ppc64le,qemu_ppc64
 {% elif ansible_architecture == 'aarch64' %}
-WORKER_CLASS = tap,qemu_aarch64,qemu_arm
+WORKER_CLASS = tap,tpm,qemu_aarch64,qemu_arm
 {% else %}
-WORKER_CLASS = tap,qemu_x86_64,qemu_i686,qemu_i586
+WORKER_CLASS = tap,tpm,qemu_x86_64,qemu_i686,qemu_i586
 {% endif %}
 {% endif %}