The new container_save and container_load functions can be used to
save and load container images.
container_save
Save a container image to a local file.
Example: container_save "${name}"
container_load
Load a container image from an tar archive.
Example: local_image=$(container_load "${archive}")
The script utils/build-galaxy-release.sh has been renamed to
utils/build-collection.sh, the script provides the same options, but
requires an extra argument now:
build-collection.sh [options] rpm|aah|galaxy
The namespace and name are defined according to the argument:
rpm freeipa.ansible_freeipa - General use and RPMs
galaxy freeipa.ansible_freeipa - Ansible Galaxy
aah redhat.rhel_idm - Ansible AutomationHub
The generated file README-COLLECTION.md is set in galaxy.yml as the
documentation entry point for the collections generated with aah and galaxy
as Ansible AutomationHub and also Ansible Galaxy are not able to render the
documentation README files in the collection properly.
The commit also changes the calls of utils/build-galaxy-release.sh to
utils/build-collection.sh.
As the ansible_version variable may contain a version specification, we
need a version_name to correctly report the job label in Azure.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
By using the 'ansible-version' variable as '<2.17' allows 'pip' to
install the latest version of the 2.16 series, instead of version 2.16.0
in the case '==2.16'. This ensures we run the tests with the latest
supported version for the specific distro.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Modify nigtly pipelines to use the same distro-to-Ansible version map
so that the Ansible version matches the required version for the
specific distro. Nightly pipelines are the same used for Weekly tests.
This was required due to recent updates for Python 3.14 and Ansible
upstream versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Although the available ansible-core package version for c9s is 2.14, the
upstream "pip" version of this package has a broken certificate and is
unusable against Galaxy.
This patch fixes the version to 2.16, as it is the same version for c8s
and c10s, and the oldest one available as packages for the CentOS
Streams.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ansible-core version used in the CI pipelines has been updated
from 2.16 to 2.18 to keep the testing environment current.
Additionally, the pull request pipeline has been enhanced to test
against the specific ansible-core versions that are packaged with the
latest stable distributions. This will help ensure that the roles remain
compatible with the versions users are likely to have installed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The hostname command is needed to be able to execute fixnet.service. It
has been missing from some docker files and therefore the script failed
in the -base images. The server images have not been affected as
ipa-client has a requirement for hostname.
Fedora 43 and 44 switched to systemd 258 rc4. The dbus-broker service
of systemd 258 does not start any more without enabling the capability
SYS_ADMIN.
The capabilities AUDIT_WRITE, SETUID and SETGID should be enough, but
they are not sufficient to be able to start the service.
With final systemd 258 it should be tested if the capability can be
removed again.
The services are now active by default and do not need to be activated
after IPA has been deployed.
The fixnet service is always activated and removes all lines containing
the hostname from /etc/hosts and adds a new line with the IP and the
hostname with and without domain. If IPA is deployed with DNS (the
config file /etc/named.conf exists and there is a '^dyndb "ipa"' line
in /etc/named.conf) then /etc/resolv.conf is also changed to use the
local DNS server.
The fixipaip service is now also always activated, but only started IF
IPA has been deployed and the ipa service was started before.
infra/image/build.sh is not actvating the services anymore, the services
are now actiavted in alll dockerfiles.
The management of hosts is deactivated in container_create to not copy
all entries from the host system to the container. The host entry is now
created in container_start to fix IPA deployment using this container.
readarray expects to get an item per line to be added to the array.
Printing one item per line with printf fixes this to get the proper
formatting for "${CAP_DEFAULTS[@]}" as a valid input for readarray.
Debugging is now enabled by default in the containers that are
generated with container_create. "+SYS_PTRACE" has been added to
CAP_DEFAULTS in shdefaults for this.
SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.
Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.
This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a contral location.
See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for volumes to container_create. Now it can be
used like in this example:
container_create "${name}" "${local_image}" "hostname=${hostname}" \
"${capabilities:+capabilities=$capabilities}" \
volume=$PWD:/root/src
The new function container_tee has been added to enable creation of
fiiles with content from stdin like in this example:
cat <<EOF | container_tee "${name}" "/root/.gdbinit"
set debuginfod enabled on
set follow-fork-mode child
EOF
The shadow file in a Fedora or CentOS Stream container is not readable
any more using Ubuntu 24.04.
An extra call to ensure that the shadow file is readable again has been
added to container_start.
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh as long as server deployment has been enabled.
The privileged option has been removed as it is no longer needed.
The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
The client part deployment fails in the configuration of NIS. The command
/usr/bin/nisdomainname is failing in a container in this task as the
container is not privileged.
The hostnamectl-wrapper is copied from the freeipa-container container
project to replace /usr/bin/nisdomainname in the container.
container_copy can be used to copy a file to the container,
container_fetch can be used to copy a file from the container.
For more information, please have a look at the podman-cp man page.
This patch modify the pipelines to create stages using the 'each'
expression on Azure pipelines, so that the configuration and the list of
distributions can be set using variables.
Testing CentOS 8 Stream and Galaxy collections still need to be handled
in a separate group, although, the pipeline configuration becomes easily
changed, specially when updating Ansible versions.
All scripts related to the Azure CI now reside on inrfa/azure, but the
scripts that evaluate the changes made against ansible-freeipa's main
development branch.
This patch move these scripts to the proper locations.
ansible-core versions 2.15 and 2.16 and used for all pipelines, but
version 2.17 is not used for CentOS 8 Stream, as platform python on
this version is 3.6 which is not supported in this ansible-core version.
Several optimizations have been done to the pipelines, to make them
closer to what can be reproduced, with the existing scripts, in a
development environment:
- Use start.sh and build.sh scripts to build and start containers
- Use variables to configure different stages instead of using separate
files
- Use a commom 'prepare_environment' to create the environment for every
pipeline
- Use a single file defining testing steps (run_tests.yml)
- Remove Centos 7 pipelines
- Reduce the number of pipelines in the test matrix due to the amount of
time that tests were using
- Use Azure "loop" (each) to create test groups
The above changes make the pipelines easier to understand and modify.
When using containers to test ansible-freeipa there's a need to deal
with 'podman' the development environment and the Azure environment. In
the Azure environment, with Ubuntu hosts, using 'cap-add' does not allow
FreeIPA to be installed on the containers, and they need to be executed
with privileged mode. On the other hand, on development environments,
such as recent Fedora hosts, there's no need to run the container with
extra privileges.
This patch modifies the utility function 'container_create' to allow the
usage of key-value argumes such as "cpus=4" and "privileged", that will
be used in the container creation.
The currently available options are "privileged", "cpus", "memory" and
"hostname". By default "cpus=2" and "hostname=ipaserver.test.local".
Also, too make the image build script more self-contained, if the
required Ansible collections are not installed, they will be temporarily
installed so that the image can be built.
The help has been fixed for the -s option and the comments about how to
start the container later on has been removed as there will be a script
that is handling this..
This reduces the number of started services in the container. The
fixipaip.service needed to be adapted to ensure that the service is
started properly.
The dockerfiles have been adapted for this change also.
