drop local clevis role and replace with linux-system-roles.nbde_client

The linux-system-roles.nbde_client does the right things and so one less
thing for us to maintain. It also avoids the problem we have on some
machines now where network interface names are not as the old clevis
role expected, so unlocking didn't work on boot. Hopefully this fixes
all those issues.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/group_vars/all

@@ -148,6 +148,15 @@ nagios_Check_Services:
   sshd: true
   swap: true
 nat_rules: []
+# default network block device encryption settings for linux-system-roles/nbde_client
+nbde_client_bindings:
+  - device: /dev/md2
+    encryption_password: "{{ nbde_password }}"
+    password_temporary: no
+    threshold: 1
+    servers:
+      - http://tang01.iad2.fedoraproject.org
+      - http://tang02.iad2.fedoraproject.org
 # usually we do not want to enable nested virt, only on some virthosts
 nested: false
 network_connections:

playbooks/groups/buildhw.yml

@@ -59,7 +59,7 @@
 
   - koji_builder
   - { role: bkernel, when: inventory_hostname.startswith('bkernel') }
-  - { role: clevis, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
+  - { role: linux-system-roles.nbde_client, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
   - { role: serial-console, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
   - hosts
   - ipa/client

playbooks/groups/openqa-workers.yml

@@ -21,7 +21,7 @@
    - { role: collectd/base, tags: ['collectd_base'] }
    - { role: sudo, tags: ['sudo'] }
    - { role: openqa/worker, tags: ['openqa_worker'] }
-   - { role: clevis, tags: ['clevis'], when: datacenter == 'iad2'}
+   - { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter = 'iad2' }
    - apache
 
   tasks:

playbooks/groups/virthost.yml

@@ -14,14 +14,6 @@
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
-  vars:
-    nbde_client_bindings:
-      - device: /dev/md2
-        encryption_password: "{{ nbde_password }}"
-        servers:
-          - http://tang01.iad2.fedoraproject.org
-          - http://tang02.iad2.fedoraproject.org
-
   pre_tasks:
   - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"
@@ -38,8 +30,7 @@
   - { role: iscsi_client, when: "inventory_hostname.startswith(('bvmhost-x86-06', 'bvmhost-x86-07')) and datacenter == 'iad2'" }
   - sudo
   - virthost
-  - { role: clevis, when: datacenter == 'iad2' and not inventory_hostname.startswith('bvmhost-x86-04.stg') }
-  - { role: linux-system-roles.nbde_client, when: inventory_hostname.startswith('bvmhost-x86-04.stg') }
+  - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
   - { role: serial-console, when: datacenter == 'iad2' and not inventory_hostname.startswith('buildvmhost-s390x') }
 
   tasks:

playbooks/manual/autosign.yml

@@ -73,7 +73,7 @@
     owner_user: robosignatory
     owner_group: robosignatory
 
-  - { role: clevis, when: datacenter == 'iad2'}
+  - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
   - { role: serial-console, when: datacenter == 'iad2'}
 
   pre_tasks:

playbooks/manual/sign-vault.yml

@@ -35,7 +35,7 @@
   roles:
   - base
   - rkhunter
-  - { role: clevis, when: datacenter == 'iad2'}
+  - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
   - { role: serial-console, when: datacenter == 'iad2'}
   - sigul/server
 

roles/clevis/files/flush-dracut-network@.service

@@ -1,15 +0,0 @@
-# Remove Dracut's network configuration
-# https://access.redhat.com/solutions/3017441
-# https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
-
-[Unit]
-Description=Remove dracut's network configuration for %I
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-ExecStartPre=/usr/sbin/ip address show %i
-ExecStart=/usr/sbin/ip -statistics address flush dev %i
-
-[Install]
-WantedBy=default.target

roles/clevis/tasks/main.yml

@@ -1,40 +0,0 @@
----
-- name: copy in dracut config for clevis
-  template:
-   src: 99-clevis-fix.conf 
-   dest: /etc/dracut.conf.d/99-clevis-fix.conf
-  tags:
-  - clevis
-
-- name: copy in the systemd unit file to wipe dracut networking
-  copy:
-   src=flush-dracut-network@.service
-   dest=/etc/systemd/system/flush-dracut-network@.service
-  notify:
-   reload systemd
-  tags:
-   - clevis
-
-- name: enable the systemd unit to wipe dracut networking (br0)
-  systemd:
-   name: flush-dracut-network@{{ br0_dev }}
-   enabled: true
-  when: br0_dev is defined
-  tags:
-   - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eno1)
-  systemd:
-   name: flush-dracut-network@eno1
-   enabled: true
-  when: eno1_ip is defined
-  tags:
-   - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eth0)
-  systemd:
-   name: flush-dracut-network@eth0
-   enabled: true
-  when: eth0_ip is defined
-  tags:
-   - clevis

roles/clevis/templates/99-clevis-fix.conf

@@ -1,13 +0,0 @@
-# DHCP for talking to tang server
-{% if br0_ip is defined %}
-kernel_cmdline="ip={{ br0_ip }}::{{ br0_gw }}:{{ br0_nm }}::{{ br0_dev }}:none:{{ dns }}"
-{% elif eth0_ip is defined %}
-kernel_cmdline="ip={{ eth0_ip }}::{{ gw }}:{{ nm }}::eth0:none:{{ dns }}"
-{% elif eth0_ipv4 is defined %}
-kernel_cmdline="ip={{ eth0_ipv4 }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}::eth0:none:{{ dns1 }}"
-{% elif eno1_ip is defined %}
-kernel_cmdline="ip={{ eno1_ip }}::{{ gw }}:{{ nm }}::eno1:none:{{ dns }}"
-{% endif %}
-
-# Don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
-omit_dracutmodules+=" ifcfg "