The new container_save and container_load functions can be used to
save and load container images.
container_save
    Save a container image to a local file.
    Example: container_save "${name}"
container_load
    Load a container image from a tar archive.
    Example: local_image=$(container_load "${archive}")
The script utils/build-galaxy-release.sh has been renamed to
utils/build-collection.sh. The script provides the same options, but
requires an extra argument now:
    build-collection.sh [options] rpm|aah|galaxy
The namespace and name are defined according to the argument:
    rpm     freeipa.ansible_freeipa - General use and RPMs
    galaxy  freeipa.ansible_freeipa - Ansible Galaxy
    aah     redhat.rhel_idm         - Ansible AutomationHub
The generated file README-COLLECTION.md is set in galaxy.yml as the
documentation entry point for the collections generated with aah and galaxy
as Ansible AutomationHub and also Ansible Galaxy are not able to render the
documentation README files in the collection properly.
The commit also changes the calls of utils/build-galaxy-release.sh to
utils/build-collection.sh.
The firewalld zone verification tasks in ipaserver, ipareplica, and
ipabackup roles were triggering Ansible warnings due to variable
ipareplica_firewalld_zone not being defined when evaluating the task
name.
This fix removes the Jinja template from the task names and wraps the
tasks in a single block so the variable verification is done only once.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Adding an A/AAAA record to a host fails if there's not a reverse zone
set that the resulting PTR record can be added to, even if
create_reverse is false.
Changing the rule to create the reverse record fixes the issue.
Fixes: #1381
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new passkeyconfig management module placed in the plugins
folder:
plugins/modules/ipapasskeyconfig.py
The passkeyconfig module allows to retrieve and modify global passkey
configuration attributes.
Here is the documentation of the module:
README-passkeyconfig.md
New example playbooks have been added:
playbooks/passkeyconfig/passkeyconfig-retrieve.yml
playbooks/passkeyconfig/passkeyconfig-present.yml
New tests for the module can be found at:
tests/passkeyconfig/test_passkeyconfig.yml
tests/passkeyconfig/test_passkeyconfig_client_context.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When testing passkey attributes some versions of IPA do not support it,
so we need a fact that states that the support is available for proper
testing.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
sysaccounts can now be used as a member for roles.
Example:
- name: Ensure role my-app role has sysaccount member my-app
  iparole:
    name: my-app role
    sysaccount: my-app
    action: member
New tests for the module:
tests/role/test_role_sysaccount_member.yml
The error message for an invalid profile has changed in dogtag. The new
message is "Certificate operation cannot be completed: Unable to get
enrollment template for <profile name>: Profile not found"
Therefore the test is additionally checking for "Profile not found" now.
There is a new sysaccount management module placed in the plugins folder:
plugins/modules/ipasysaccount.py
The sysaccount module allows to ensure presence or absence of system
accounts.
Here is the documentation for the module:
README-sysaccount.md
New sysaccount example playbooks:
playbooks/sysaccount/sysaccount-absent.yml
playbooks/sysaccount/sysaccount-disabled.yml
playbooks/sysaccount/sysaccount-enabled.yml
playbooks/sysaccount/sysaccount-present.yml
playbooks/sysaccount/sysaccount-privileged.yml
playbooks/sysaccount/sysaccount-unprivileged.yml
New tests for the module:
tests/sysaccount/test_sysaccount.yml
tests/sysaccount/test_sysaccount_client_context.yml
As the ansible_version variable may contain a version specification, we
need a version_name to correctly report the job label in Azure.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Using the 'ansible-version' variable as '<2.17' allows 'pip' to
install the latest version of the 2.16 series, instead of version 2.16.0
in the case '==2.16'. This ensures we run the tests with the latest
supported version for the specific distro.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Modify nightly pipelines to use the same distro-to-Ansible version map
so that the Ansible version matches the required version for the
specific distro. Nightly pipelines are the same used for Weekly tests.
This was required due to recent updates for Python 3.14 and Ansible
upstream versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
ansible-lint version series 24.y is not working with ansible-core 2.19 and
requires versions in series 25.y. Also, other tools were updated to more
recent versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Although the available ansible-core package version for c9s is 2.14, the
upstream "pip" version of this package has a broken certificate and is
unusable against Galaxy.
This patch fixes the version to 2.16, as it is the same version for c8s
and c10s, and the oldest one available as packages for the CentOS
Streams.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
With Python 3.14, the required pytest version stopped working due to
breaking changes in AST.
This patch changes the test tool versions to the most recent one, by
requiring only the minimal version, but not setting a specific one.
Recent pytest version also requires that the search path for Python
modules is defined.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Pylint 4.0.1 seems to not understand that some of the constants used by
ansible-freeipa roles and modules are constants and not variables, and
complains about the naming style.
Adding these constant names to the "good-names" list avoids pylint
errors and doesn't require future unnecessary changes.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
A task in 'roles/ipaclient/tasks/install.yml' uses logic that
ansible-lint and jinja are unable to evaluate due to missing type. By
refactoring the task the tools are able to evaluate the task.
With the latest pylint version, an issue is raised by inheriting from
BaseInventoryPlugin, as the class has too many ancestors
(too-many-ancestors). This is caused by a class hierarchy that is too
deep, and is not under ansible-freeipa's control.
In recent Python setups, 'setuptools' may not be readily available, and,
as we depend on it, it should be a requirement.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Older versions of ansible-doc-test are failing due to code errors in the
parsing module. This is fixed by using newer versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
ansible-lint is complaining that Python 3.14 requires ansible-core 2.20,
even if other versions work on that Python version.
The workaround implemented is to pin the ansible-lint Python version to 3.13.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
After a PKI update the message returned for 'cert_show' in the case of
an inexistent certificate has changed, causing tests to fail.
The fix is only required for the tests, as the behavior has not changed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ansible-core version used in the CI pipelines has been updated
from 2.16 to 2.18 to keep the testing environment current.
Additionally, the pull request pipeline has been enhanced to test
against the specific ansible-core versions that are packaged with the
latest stable distributions. This will help ensure that the roles remain
compatible with the versions users are likely to have installed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The hostname command is needed to be able to execute fixnet.service. It
has been missing from some docker files and therefore the script failed
in the -base images. The server images have not been affected as
ipa-client has a requirement for hostname.
Fedora 43 and 44 switched to systemd 258 rc4. The dbus-broker service
of systemd 258 does not start any more without enabling the capability
SYS_ADMIN.
The capabilities AUDIT_WRITE, SETUID and SETGID should be enough, but
they are not sufficient to be able to start the service.
With final systemd 258 it should be tested if the capability can be
removed again.
ansible-core 2.19 is not automatically converting empty and non-empty lists
to bool values. Conditionals must have a boolean result.
The solution is to evaluate the length of the lists instead.