ipaconfig: Validate emaildomain

When setting the default email domain, there was no validation on the provide value. Using ipapython.validate.Email applies the same validation method as implemented in IPA. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Merge pull request #1337 from t-woerner/ipagroup_fix_externalmember_client_context_fail
2026-05-13 21:12:02 +00:00 · 2025-03-05 16:49:11 -03:00 · 2025-02-04 11:54:15 -03:00 · 2025-02-04 12:32:42 +01:00 · 2025-02-03 13:43:35 +01:00 · 2025-02-03 12:58:16 +01:00
273 changed files with 5982 additions and 3394 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -7,7 +7,6 @@ exclude_paths:
  - .tox/
  - .venv/
  - .yamllint
  - molecule/
  - tests/azure/
  - meta/runtime.yml
  - requirements-docker.yml
--- a/.github/workflows/ansible-test.yml
+++ b/.github/workflows/ansible-test.yml
@@ -8,7 +8,7 @@ jobs:
    name: Verify ansible-test sanity
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
      - name: Run ansible-test
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,10 +8,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.13.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.13
@@ -25,10 +25,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.14.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.14
@@ -42,10 +42,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.15.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.15
@@ -59,10 +59,10 @@ jobs:
    name: Check Ansible Documentation with latest Ansible version.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,15 +8,15 @@ jobs:
    name: Verify ansible-lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run ansible-lint
        run: |
-          pip install "ansible-core>=2.16,<2.17" 'ansible-lint>=6.22'
+          pip install "ansible-core>=2.16,<2.17" 'ansible-lint==6.22'
          utils/build-galaxy-release.sh -ki
          cd .galaxy-build
          ansible-lint --profile production --exclude tests/integration/ --exclude tests/unit/ --parseable --nocolor
@@ -25,38 +25,23 @@ jobs:
    name: Verify yamllint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run yaml-lint
        uses: ibiqlik/action-yamllint@v3.1.1
  pydocstyle:
    name: Verify pydocstyle
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3.1.0
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run pydocstyle
        run: |
            pip install pydocstyle
            pydocstyle
  flake8:
    name: Verify flake8
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run flake8
@@ -68,10 +53,10 @@ jobs:
    name: Verify pylint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run pylint
@@ -83,8 +68,10 @@ jobs:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master
        env:
          SHELLCHECK_OPTS: -x
--- a/.github/workflows/readme.yml
+++ b/.github/workflows/readme.yml
@@ -8,9 +8,9 @@ jobs:
    name: Verify readme
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
      - name: Run readme test
        run: |
          error=0
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ importer_result.json
 /.venv/
 tests/logs/
 TEST*.xml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v6.22.0
+  rev: v24.5.0
  hooks:
  - id: ansible-lint
    always_run: false
@@ -21,20 +21,16 @@ repos:
          --parseable
          --nocolor
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0
+  rev: v1.35.1
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 6.0.0
+  rev: 7.0.0
  hooks:
  - id: flake8
 - repo: https://github.com/pycqa/pydocstyle
  rev: 6.0.0
  hooks:
  - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v3.0.2
+  rev: v3.2.2
  hooks:
  - id: pylint
    args:
@@ -54,4 +50,7 @@ repos:
    name: ShellCheck
    language: system
    entry: shellcheck
-    files: \.sh$
+    args: ['-x']
    files: >
      \.sh$
      utils/sh*$
--- a/.yamllint
+++ b/.yamllint
@@ -20,4 +20,9 @@ rules:
    max: 160
  # Disabled rules
  indentation: disable
-  comments: disable
+  comments:
    min-spaces-from-content: 1
  comments-indentation: disable
  octal-values:
    forbid-implicit-octal: true
    forbid-explicit-octal: true
--- a/README-automember.md
+++ b/README-automember.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountkey.md
+++ b/README-automountkey.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountlocation.md
+++ b/README-automountlocation.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountmap.md
+++ b/README-automountmap.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-cert.md
+++ b/README-cert.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 * Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
 **Node**
--- a/README-config.md
+++ b/README-config.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-delegation.md
+++ b/README-delegation.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsconfig.md
+++ b/README-dnsconfig.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsrecord.md
+++ b/README-dnsrecord.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnszone.md
+++ b/README-dnszone.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
@@ -135,7 +135,7 @@ Example playbook to enable a zone:
 Example playbook to allow per-zone privilege delegation:
-``` yaml
+```yaml
 ---
 - name: Playbook to enable per-zone privilege delegation
  hosts: ipaserver
--- a/README-group.md
+++ b/README-group.md
@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
 The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
-## Note
+
-Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+Notes
 -----
 * Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
 * Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
 Features
@@ -29,7 +33,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -158,7 +162,7 @@ Several groups can also be renamed with a single task, as in the example playboo
  gather_facts: false
  tasks:
-  - name Rename group1 to newgroup1 and group2 to newgroup2
+  - name: Rename group1 to newgroup1 and group2 to newgroup2
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      groups:
@@ -213,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
 ---
 - name: Playbook to handle groups.
  hosts: ipaserver
-  
+
  tasks:
  - name: Create an external group and add members from a trust to it.
    ipagroup:
@@ -276,6 +280,7 @@ Example playbook to ensure groups are absent:
      state: absent
 ```
 Variables
 =========
@@ -299,8 +304,8 @@ Variable | Description | Required
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
-`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
-`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
 `rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Rule login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Rule login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Service Group login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Service Group login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
--- a/README-host.md
+++ b/README-host.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -341,7 +341,7 @@ Variable | Description | Required
 `password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
 `random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
-`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
+`managedby_host` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
 `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
 `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -26,7 +26,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idoverridegroup.md
+++ b/README-idoverridegroup.md
@@ -29,7 +29,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idoverrideuser.md
+++ b/README-idoverrideuser.md
@@ -29,7 +29,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idp.md
+++ b/README-idp.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idrange.md
+++ b/README-idrange.md
@@ -37,7 +37,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idview.md
+++ b/README-idview.md
@@ -29,7 +29,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-inventory-plugin-freeipa.md
+++ b/README-inventory-plugin-freeipa.md
@@ -0,0 +1,106 @@
 Inventory plugin
 ================
 Description
 -----------
 The inventory plugin compiles a dynamic inventory from IPA domain. The servers can be filtered by their role(s).
 This plugin is using the Python requests binding, that is only available for Python 3.7 and up.
 Features
 --------
 * Dynamic inventory
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.6.0 and up are supported by the inventory plugin.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Configuration
 =============
 The inventory plugin is automatically enabled from the Ansible collection or from the top directory of the git repo if the `plugins` folder is linked to `~/.ansible`.
 If `ansible.cfg` was modified to point to the roles and modules with `roles_path`, `library` and `module_utils` tag, then it is needed to set `inventory_plugins` also:
 ```
 inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
 ```
 Usage
 =====
 Example inventory file "freeipa.yml":
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 ```
 Example inventory file "freeipa.yml" with server TLS certificate verification using local copy of `/etc/ipa/ca.crt` from the server:
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 verify: ca.crt
 ```
 How to use the plugin
 ---------------------
 With the `ansible-inventory` command it is possible to show the generated inventorey:
 ```bash
 ansible-inventory -v -i freeipa.yml --graph
 ```
 Example inventory file "freeipa.yml" for use with `playbooks/config/retrieve-config.yml`:
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 inventory_group: ipaserver
 ```
 ```bash
 ansible-playbook -u root -i ipa.yml playbooks/config/retrieve-config.yml 
 ```
 Variables
 =========
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `server` | The FQDN of server to start the scan. (string) | yes
 `verify` | The server TLS certificate file for verification (/etc/ipa/ca.crt). Turned off if not set. (string) | yes
 `role` | The role(s) of the server. If several roles are given, only servers that have all the roles are returned. (list of strings) (choices: "IPA master", "CA server", "KRA server", "DNS server", "AD trust controller", "AD trust agent") | no
 `inventory_group` | The inventory group to create. The default group name is "ipaservers". | no
 Authors
 =======
 - Thomas Woerner
--- a/README-location.md
+++ b/README-location.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-netgroup.md
+++ b/README-netgroup.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-permission.md
+++ b/README-permission.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-role.md
+++ b/README-role.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-selfservice.md
+++ b/README-selfservice.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-server.md
+++ b/README-server.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-service.md
+++ b/README-service.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FReeIPA version (see above)
@@ -282,6 +282,65 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
 ```
 Example playbook to ensure presence of serveral services in a single task:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  tasks:
  - name: Ensure services are present
    ipaservice:
      ipaadmin_password: SomeADMINpassword
      services:
      - name: HTTP/www.example.com
        principal:
        - host/host1.example.com
      - name: mysvc/www.example.com
        pac_type: NONE
        ok_as_delegate: yes
        ok_to_auth_as_delegate: yes
      - name: HTTP/www.example.com
        allow_create_keytab_user:
        - user01
        - user02
        allow_create_keytab_group:
        - group01
        - group02
        allow_create_keytab_host:
        - host1.example.com
        - host2.example.com
        allow_create_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
      - name: mysvc/host2.example.com
        auth_ind: otp,radius
 ```
 Example playbook to ensure presence of serveral services in a single task with `member` `action`:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    - name: Ensure service host members are present
      ipaservice:
        ipaadmin_password: SomeADMINpassword
        services:
        - name: HTTP/www1.example.com
          host: host1.example.com
        - name: HTTP/www2.example.com
          host: host2.example.com
        action: member
 ```
 Variables
 ---------
@@ -291,7 +350,15 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `service` | The list of service name strings. | yes
+`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
 `action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 **Service Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
 `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`.  An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
@@ -310,11 +377,9 @@ Variable | Description | Required
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
 `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
 `netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
-`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
+`continue` \| `delete_continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 Authors
--- a/README-servicedelegationrule.md
+++ b/README-servicedelegationrule.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-servicedelegationtarget.md
+++ b/README-servicedelegationtarget.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -129,6 +129,49 @@ Example playbook to make sure Sudo Rule is absent:
      state: absent
 ```
 Example playbook to ensure multiple Sudo Rule are present using batch mode:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
 - name: Ensure multiple Sudo Rules are present using batch mode.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    sudorules:
      - name: testrule1
        hostmask:
          - 192.168.122.1/24
      - name: testrule2
        hostcategory: all
 ```
 Example playbook to ensure multiple Sudo Rule members are present using batch mode:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
 - name: Ensure multiple Sudo Rules are present using batch mode.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    action: member
    sudorules:
      - name: testrule1
        user:
          - user01
          - user02
        group:
          - group01
      - name: testrule2
        hostgroup:
          - hostgroup01
          - hostgroup02
 ```
 Variables
 =========
@@ -139,7 +182,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `cn` | The list of sudorule name strings. | yes
+`name` \| `cn` | The list of sudorule name strings. | no
 `sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
 &nbsp; | `name` - The sudorule name string of the entry. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
--- a/README-topology.md
+++ b/README-topology.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-trust.md
+++ b/README-trust.md
@@ -21,7 +21,7 @@ Requirements
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
--- a/README-user.md
+++ b/README-user.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -311,7 +311,7 @@ Example playbook to rename users:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      rename: reddy
-      state: enabled
+      state: renamed
 ```
 Example playbook to unlock users:
--- a/README-vault.md
+++ b/README-vault.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Features
 * Repair mode for clients
 * Backup and restore, also to and from controller
 * Smartcard setup for servers and clients
 * Inventory plugin freeipa
 * Modules for automembership rule management
 * Modules for automount key management
 * Modules for automount location management
@@ -65,7 +66,7 @@ Supported Distributions
 -----------------------
 * RHEL/CentOS 7.4+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu
 * Debian 10+ (ipaclient only, no server or replica!)
@@ -73,7 +74,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.13+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -108,9 +109,10 @@ You can use the roles directly within the top directory of the git repo, but to
 You can either adapt ansible.cfg:
 ```
-roles_path   = /my/dir/ansible-freeipa/roles
+roles_path        = /my/dir/ansible-freeipa/roles
-library      = /my/dir/ansible-freeipa/plugins/modules
+library           = /my/dir/ansible-freeipa/plugins/modules
-module_utils = /my/dir/ansible-freeipa/plugins/module_utils
+module_utils      = /my/dir/ansible-freeipa/plugins/module_utils
 inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
 ```
 Or you can link the directories:
@@ -123,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
 **RPM package**
-There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
 **Ansible Galaxy**
@@ -470,3 +472,8 @@ Modules in plugin/modules
 * [ipavault](README-vault.md)
 If you want to write a new module please read [writing a new module](plugins/modules/README.md).
 Inventory plugins in plugin/inventory
 =====================================
 * [freeipa](README-inventory-plugin-freeipa.md)
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -0,0 +1,73 @@
 ---
 trigger:
 - master
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  ansible_version: "-core >=2.16,<2.17"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
  distros: "fedora-latest,c9s,c10s,fedora-rawhide"
 stages:
 - stage: fedora_latest_ansible_latest
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_latest }}
      skip_git_test: true
 - stage: fedora_latest_ansible_2_15
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansbile_minimum }}
      skip_git_test: true
 # Supported distros
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: false
 # Galaxy on Fedora
 - stage: galaxy_fedora_latest_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_version }}
      skip_git_test: true
      test_galaxy: true
 # CentOS 8 Stream, latest supported Ansible version.
 - stage: c8s_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: c8s
      ansible_version: "-core <2.17"
      skip_git_test: true
--- a/infra/azure/build-containers.yml
+++ b/infra/azure/build-containers.yml
@@ -0,0 +1,35 @@
 ---
 schedules:
 - cron: "0 0 * * 0"
  displayName: Weekly Sunday midnight build
  branches:
    include:
    - master
  always: true
 trigger: none
 pool:
  vmImage: 'ubuntu-24.04'
 variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
 stages:
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: build_${{ join('_', split(distro, '-')) }}
    dependsOn: []
    jobs:
    - template: templates/build_container.yml
      parameters:
        distro: ${{ distro }}
 # Special case for CentOS 8 Stream
 - stage: CentOS_8_Stream
  dependsOn: []
  jobs:
  - template: templates/build_container.yml
    parameters:
      distro: c8s
      # ansible-core 2.17+ cannot be used to deploy on CentOS 8 Stream.
      ansible_core_version: "<2.17"
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -0,0 +1,79 @@
 ---
 schedules:
 - cron: "0 19 * * *"
  displayName: Nightly Builds
  branches:
    include:
    - master
  always: true
 trigger: none
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
  recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
  distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
  ansible_version: "-core >=2.16,<2.17"
 stages:
 # Minimum ansible
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_15
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: fedora-latest
        ansible_version: ${{ variables.ansible_minimum }}
        skip_git_test: true
        test_galaxy: false
 # Latest ansible
 - ${{ each distro in split(variables.recent_distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_latest
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_latest }}
        skip_git_test: true
        test_galaxy: false
 # Selected ansible-core version
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: false
 # Galaxy collection with selected ansible-core version
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: galaxy_${{ replace(distro, '-', '_') }}_asible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: true
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -0,0 +1,39 @@
 ---
 trigger:
 - master
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
  ansible_version: "-core >=2.15,<2.16"
 stages:
 # Test with repository in all distros
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/run_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: false
        test_galaxy: false
 # Galaxy on Fedora
 - stage: galaxy_fedora_latest_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/run_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_version }}
      skip_git_test: false
      test_galaxy: true
--- a/infra/azure/scripts/get_test_modules.py
+++ b/infra/azure/scripts/get_test_modules.py
@@ -159,7 +159,7 @@ def map_test_module_sources(base):
    """Create a map of 'test-modules' to 'plugin-sources', from 'base'."""
    # Find root directory of playbook tests.
    script_dir = os.path.dirname(__file__)
-    test_root = os.path.realpath(os.path.join(script_dir, f"../{base}"))
+    test_root = os.path.realpath(os.path.join(script_dir, f"../../../{base}"))
    # create modules:source_files map
    _result = {}
    for test_module in [d for d in os.scandir(test_root) if d.is_dir()]:
@@ -170,7 +170,7 @@ def map_test_module_sources(base):
 def usage(err=0):
-    print("filter_plugins.py [-h|--help] [-p|--pytest] PY_SRC...")
+    print("get_test_modules.py [-h|--help] [-p|--pytest] PY_SRC...")
    print(
        """
 Print a comma-separated list of modules that should be tested if
--- a/infra/azure/scripts/set_test_modules
+++ b/infra/azure/scripts/set_test_modules
@@ -0,0 +1,67 @@
 #!/bin/bash -eu
 # This file shoud be source'd (. set_test_modules) rather than executed.
 #
 # Set SKIP_GIT_TEST="True" or use -a to prevent git modification comparison.
 #
 RED="\033[31;1m"
 RST="\033[0m"
 die() {
    echo -e "${RED}${*}${RST}" >&2
 }
 BASEDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../../..")"
 [ -n "$(command -v python3)" ] && python="$(command -v python3)" || python="$(command -v python2)"
 pushd "${TOPDIR}" >/dev/null 2>&1 || die "Failed to change directory."
 SKIP_GIT_TEST=${SKIP_GIT_TEST:-"False"}
 while getopts ":a" opt
 do
    case "${opt}" in
        a) SKIP_GIT_TEST="True" ;;
        *) ;; # ignore other options
    esac
 done
 files_list=$(mktemp)
 enabled_modules="None"
 enabled_tests="None"
 if [ "${SKIP_GIT_TEST}" != "True" ]
 then
    remote="$(basename "$(mktemp -u remote_XXXXXX)")"
    git remote add "${remote}" https://github.com/freeipa/ansible-freeipa
    git fetch --prune --no-tags --quiet "${remote}"
    git diff "${remote}/master" --name-only > "${files_list}"
    git remote remove "${remote}"
    # shellcheck disable=SC2046
    enabled_modules="$(${python} "${BASEDIR}/get_test_modules.py" $(cat "${files_list}"))"
    [ -z "${enabled_modules}" ] && enabled_modules="None"
    # Get individual tests that should be executed
    mapfile -t tests < <(sed -n 's#.*/\(test_[^/]*\).yml#\1#p' "${files_list}" | tr -d " ")
    [ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
    [ -z "${enabled_tests}" ] && enabled_tests="None"
    [ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
    [ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
    rm -f "${files_list}"
 fi
 # Get all modules that should have tests executed
 export IPA_ENABLED_MODULES
 export IPA_ENABLED_TESTS
 echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
 echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
 popd >/dev/null 2>&1 || die "Failed to change back to original directory."
--- a/infra/azure/templates/build_container.yml
+++ b/infra/azure/templates/build_container.yml
@@ -0,0 +1,45 @@
 ---
 parameters:
  - name: distro
    type: string
  - name: python_version
    type: string
    default: 3.x
  - name: ansible_core_version
    default: ""
 jobs:
 - job: BuildTestImage_${{ join('_', split(parameters.distro, '-')) }}
  displayName: Build ${{ parameters.distro }} test container
  steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '${{ parameters.python_version }}'
  - script: python -m pip install --upgrade pip "ansible-core${{ parameters.ansible_core_version }}"
    retryCountOnTaskFailure: 5
    displayName: Install tools
  - script: ansible-galaxy collection install containers.podman
    displayName: Install Ansible Galaxy collections
  - script: infra/image/build.sh -s ${{ parameters.distro }}
    displayName: Build ${{ parameters.distro }} base image
    env:
      ANSIBLE_ROLES_PATH: "${PWD}/roles"
      ANSIBLE_LIBRARY: "${PWD}/plugins/modules"
      ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
  - script: podman login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
    displayName: Registry login
    env:
      # Secrets needs to be mapped as env vars to work properly
      QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
  - script: |
      podman push quay.io/ansible-freeipa/upstream-tests:${{parameters.distro}}-base quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-base
    displayName: Push base image
  - script: |
      podman push quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server
    displayName: Push server image
--- a/infra/azure/templates/group_tests.yml
+++ b/infra/azure/templates/group_tests.yml
@@ -0,0 +1,30 @@
 ---
 parameters:
  - name: distro
    type: string
    default: fedora-latest
  - name: build_number
    type: string
  - name: ansible_version
    type: string
    default: ""
  - name: skip_git_test
    type: boolean
    default: false
  - name: test_galaxy
    type: boolean
    default: false
 jobs:
 - ${{ each group in split('1,2,3', ',') }}:
  - template: run_tests.yml
    parameters:
      group_number: ${{ group }}
      number_of_groups: 3
      build_number: ${{ parameters.build_number }}
      distro: ${{ parameters.distro }}
      ansible_version: ${{ parameters.ansible_version }}
      python_version: '< 3.12'
      skip_git_test: ${{ parameters.skip_git_test }}
      test_galaxy: ${{ parameters.test_galaxy }}
--- a/infra/azure/templates/prepare_environment.yaml
+++ b/infra/azure/templates/prepare_environment.yaml
@@ -0,0 +1,30 @@
 ---
 parameters:
  - name: distro
    type: string
    default: fedora-latest
  - name: ansible_version
    type: string
    default: ""
  - name: python_version
    type: string
    default: 3.x
  - name: build_number
    type: string
 steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '${{ parameters.python_version }}'
  - script: |
      pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
    retryCountOnTaskFailure: 5
    displayName: Install test dependencies
  - script: ansible-galaxy collection install -r requirements-podman.yml
    retryCountOnTaskFailure: 5
    displayName: Install Ansible collections
  - script: infra/image/start.sh ${{ parameters.distro }}-server
    displayName: Setup target container for ${{ parameters.distro }}
--- a/infra/azure/templates/run_tests.yml
+++ b/infra/azure/templates/run_tests.yml
@@ -0,0 +1,98 @@
 ---
 parameters:
  - name: group_number
    type: number
    default: 1
  - name: number_of_groups
    type: number
    default: 1
  - name: distro
    type: string
    default: fedora-latest
  - name: ansible_version
    type: string
    default: ""
  - name: python_version
    type: string
    default: 3.x
  - name: build_number
    type: string
  - name: skip_git_test
    type: boolean
    default: true
  - name: test_type
    type: string
    default: "playbook"
  - name: test_galaxy
    type: boolean
    default: false
 jobs:
 - job: Test_Group${{ parameters.group_number }}
  displayName: Run playbook tests ${{ parameters.distro }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
  timeoutInMinutes: 360
  variables:
  - template: variables.yaml
  - template: variables_${{ parameters.distro }}.yaml
  steps:
  - template: prepare_environment.yaml
    parameters:
      build_number: ${{ parameters.build_number }}
      distro: ${{ parameters.distro }}
      ansible_version: ${{ parameters.ansible_version }}
      python_version: ${{ parameters.python_version }}
  - bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
    displayName: Set repo rootdir
  - script: |
      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
      python3 utils/check_test_configuration.py ${{ parameters.distro }}
    displayName: Check test configuration
    env:
       SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
  - script: |
      git fetch --unshallow
      utils/build-galaxy-release.sh -i
    retryCountOnTaskFailure: 5
    displayName: Build Galaxy release
    condition: ${{ parameters.test_galaxy }}
  - script: |
      echo "PWD: ${PWD}"
      echo "TOPDIR: ${TOPDIR}"
      echo "ROLES: ${ANSIBLE_ROLES_PATH}"
      echo "LIBRARY: ${ANSIBLE_LIBRARY}"
      echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
      [ "${{ parameters.test_galaxy }}" == "True"  ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
      pytest \
          -m "${{ parameters.test_type }}" \
          --verbose \
          --color=yes \
          --splits=${{ parameters.number_of_groups }} \
          --group=${{ parameters.group_number }} \
          --randomly-seed=$(date "+%Y%m%d") \
          --suppress-no-test-exit-code \
          --junit-xml=TEST-results-pr-check.xml
    displayName: Run playbook tests
    env:
      SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
      ${{ if not(parameters.test_galaxy)  }}:
        ANSIBLE_ROLES_PATH: "${PWD}/roles"
        ANSIBLE_LIBRARY: "${PWD}/plugins"
        ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
      IPA_SERVER_HOST: ansible-freeipa-tests
      RUN_TESTS_IN_DOCKER: podman
      IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
      IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
      IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
      IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
      IPA_VERBOSITY: "-vvv"
  - task: PublishTestResults@2
    inputs:
      mergeTestResults: true
      testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
    condition: succeededOrFailed()
--- a/infra/azure/templates/variables.yaml
+++ b/infra/azure/templates/variables.yaml
--- a/infra/azure/templates/variables_c10s.yaml
+++ b/infra/azure/templates/variables_c10s.yaml
--- a/infra/azure/templates/variables_c8s.yaml
+++ b/infra/azure/templates/variables_c8s.yaml
--- a/infra/azure/templates/variables_c9s.yaml
+++ b/infra/azure/templates/variables_c9s.yaml
@@ -0,0 +1,21 @@
 #
 # Variables must be defined as comma separated lists.
 # For easier management of items to enable/disable,
 # use one test/module on each line, followed by a comma.
 #
 # Example:
 #
 # ipa_disabled_modules: >-
 #   dnsconfig,
 #   group,
 #   hostgroup
 #
 # If no variables are set, set "empty: true" as at least
 # one item is needed in the set.
 ---
 variables:
  empty: true
 #   ipa_enabled_modules: >-
 #   ipa_enabled_tests: >-
 #   ipa_disabled_modules: >-
 #   ipa_disabled_tests: >-
--- a/infra/azure/templates/variables_centos-7.yaml
+++ b/infra/azure/templates/variables_centos-7.yaml
--- a/infra/azure/templates/variables_fedora-latest.yaml
+++ b/infra/azure/templates/variables_fedora-latest.yaml
--- a/infra/azure/templates/variables_fedora-rawhide.yaml
+++ b/infra/azure/templates/variables_fedora-rawhide.yaml
--- a/infra/image/build-inventory
+++ b/infra/image/build-inventory
@@ -0,0 +1,15 @@
 [ipaserver]
 ansible-freeipa-image-builder ansible_connection=podman
 [ipaserver:vars]
 ipaadmin_password=SomeADMINpassword
 ipadm_password=SomeDMpassword
 ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ipaserver_setup_dns=true
 ipaserver_auto_forwarders=true
 ipaserver_no_dnssec_validation=true
 ipaserver_auto_reverse=true
 ipaserver_setup_kra=true
 ipaserver_setup_firewalld=false
 ipaclient_no_ntp=true
--- a/infra/image/build.sh
+++ b/infra/image/build.sh
@@ -0,0 +1,137 @@
 #!/bin/bash -eu
 BASEDIR="$(readlink -f "$(dirname "$0")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../..")"
 # shellcheck disable=SC1091
 . "${BASEDIR}/shcontainer"
 # shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 valid_distro() {
    find "${BASEDIR}/dockerfile" -type f -printf "%f\n" | tr "\n" " "
 }
 usage() {
    local prog="${0##*/}"
    cat << EOF
 usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
    ${prog} build a container image to test ansible-freeipa.
 EOF
 }
 help() {
    cat << EOF
 positional arguments:
    distro    The base distro to build the test container.
              Availble distros: $(valid_distro)
 optional arguments:
    -n HOSTNAME   Container hostname
    -p            Give extended privileges to the container
    -s            Deploy IPA server
 EOF
 }
 name="ansible-freeipa-image-builder"
 hostname="ipaserver.test.local"
 cpus="2"
 memory="3g"
 quayname="quay.io/ansible-freeipa/upstream-tests"
 deploy_server="N"
 deploy_capabilities="SYS_ADMIN,SYSLOG"
 capabilities=""
 while getopts ":hn:s" option
 do
    case "${option}" in
        h) help && exit 0 ;;
        n) hostname="${OPTARG}" ;;
        s) deploy_server="Y" ;;
        *) die -u "Invalid option: ${option}" ;;
    esac
 done
 shift $((OPTIND - 1))
 distro=${1:-}
 [ -n "${distro}" ] || die "Distro needs to be given.\nUse one of: $(valid_distro)"
 [ -f "${BASEDIR}/dockerfile/${distro}" ] \
  || die "${distro} is not a valid distro target.\nUse one of: $(valid_distro)"
 container_check
 if [ "${deploy_server}" == "Y" ]
 then
    capabilities="${deploy_capabilities}"
    [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
    deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
    [ -f "${deploy_playbook}" ] || die "Can't find playbook '${deploy_playbook}'"
    inventory_file="${BASEDIR}/build-inventory"
    [ -f "${inventory_file}" ] || die "Can't find inventory '${inventory_file}'"
 fi
 container_state=$(container_get_state "${name}")
 tag="${distro}-base"
 server_tag="${distro}-server"
 container_remove_image_if_exists "${tag}"
 [ "${deploy_server}" == "Y" ] && \
    container_remove_image_if_exists "${server_tag}"
 container_build "${tag}" "${BASEDIR}/dockerfile/${distro}" "${BASEDIR}"
 container_create "${name}" "${tag}" \
    "hostname=${hostname}" \
    "memory=${memory}" \
    "cpus=${cpus}" \
    "${capabilities:+capabilities=$capabilities}"
 container_commit "${name}" "${quayname}:${tag}"
 if [ "${deploy_server}" == "Y" ]
 then
    deployed=false
    # Set path to ansible-freeipa roles
    [ -z "${ANSIBLE_ROLES_PATH:-""}" ] && export ANSIBLE_ROLES_PATH="${TOPDIR}/roles"
    # Install collection containers.podman if not available
    if [ -z "$(ansible-galaxy collection list containers.podman)" ]
    then
        tmpdir="$(mktemp -d)"
        export ANSIBLE_COLLECTIONS_PATH="${tmpdir}"
        ansible-galaxy collection install -p "${tmpdir}" containers.podman
    fi
    [ "${container_state}" != "running" ] && container_start "${name}"
    container_wait_for_journald "${name}"
    log info "= Deploying IPA ="
    if ansible-playbook -u root -i "${inventory_file}" "${deploy_playbook}"
    then
        deployed=true
    fi
    echo
    if $deployed; then
        log info "= Enabling services ="
        container_exec "${name}" systemctl enable fixnet
        container_exec "${name}" systemctl enable fixipaip
        echo
    fi
    container_stop "${name}"
    $deployed || die "Deployment failed"
    container_commit "${name}" "${quayname}:${server_tag}"
 fi
 log info "= DONE: Image created. ="
--- a/infra/image/dockerfile/c10s
+++ b/infra/image/dockerfile/c10s
@@ -0,0 +1,39 @@
 FROM quay.io/centos/centos:stream10
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute \
    hostname; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/c8s
+++ b/infra/image/dockerfile/c8s
@@ -0,0 +1,43 @@
 FROM quay.io/centos/centos:stream8
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
 sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo; \
 sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/c9s
+++ b/infra/image/dockerfile/c9s
@@ -0,0 +1,38 @@
 FROM quay.io/centos/centos:stream9
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/fedora-latest
+++ b/infra/image/dockerfile/fedora-latest
@@ -0,0 +1,41 @@
 FROM fedora:latest
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    python3-libdnf5 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/fedora-rawhide
+++ b/infra/image/dockerfile/fedora-rawhide
@@ -0,0 +1,41 @@
 FROM fedora:rawhide
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    python3-libdnf5 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/inventory
+++ b/infra/image/inventory
@@ -0,0 +1,6 @@
 [ipaserver]
 ansible-freeipa-tests ansible_connection=podman
 [ipaserver:vars]
 ipaadmin_password=SomeADMINpassword
 ipadm_password=SomeDMpassword
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -0,0 +1,197 @@
 #!/bin/bash -eu
 # This file is meant to be source'd by other scripts
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 . "${TOPDIR}/utils/shfun"
 container_create() {
    local name=${1}
    local image=${2}
    shift 2
    declare -a extra_opts=()
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue
        case "${opt}" in
            hostname=*) extra_opts+=("--${opt}") ;;
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done
    # ensure default values are set
    [[ " ${extra_opts[*]} " =~ " --cpus=" ]] || extra_opts+=("--cpus=2")
    [[ " ${extra_opts[*]} " =~ " --hostname=" ]] \
        || extra_opts+=("--hostname=ipaserver.test.local")
    log info "= Creating ${name} ="
    podman create \
           --security-opt label=disable \
           --network bridge:interface_name=eth0 \
           --systemd true \
           --name "${name}" \
           --memory-swap -1 \
           --no-hosts \
           --replace \
           "${extra_opts[@]}" \
           "${image}"
    echo
 }
 container_start() {
    local name="${1}"
    log info "= Starting ${name} ="
    podman start "${name}"
    echo
 }
 container_stop() {
    local name="${1}"
    log info "= Stopping ${name} ="
    podman stop "${name}"
    echo
 }
 container_wait_for_journald() {
    local name=${1}
    log info "= Waiting till systemd-journald is running ="
    max=20
    wait=2
    count=0
    while ! podman exec "${name}" ps -x | grep -q "systemd-journald"
    do
        if [ $count -ge $max ]; then
            die "Timeout: systemd-journald is not starting up"
        fi
        count=$((count+1))
        log info "Waiting ${wait} seconds .."
        sleep ${wait}
    done
    log info "done"
    echo
 }
 container_wait_up() {
    local name="${1}"
    log info "= Waiting till all services are started ="
    max=20
    wait=15
    count=0
    while podman exec "${name}" systemctl list-jobs | \
        grep -qvi "no jobs running"
    do
        if [ $count -ge $max ]; then
            die "Timeout: Services are not starting up"
        fi
        count=$((count+1))
        log info "Waiting ${wait} seconds .."
        sleep ${wait}
    done
    log info "done"
    echo
 }
 container_build() {
    local tag="${1}"
    local file="${2}"
    local dir="${3}"
    log info "= Building ${tag} ="
    podman build -t "${tag}" -f "${file}" "${dir}"
    echo
 }
 container_commit() {
    local name="${1}"
    local image="${2}"
    log info "= Committing \"${image}\" ="
    podman commit "${name}" "${image}"
    echo
 }
 container_exec() {
    local name="${1}"
    shift 1
    # "@Q" is only needed for the log output, the exec command is properly
    # working without also for args containing spaces.
    log info "= Executing \"${*@Q}\" ="
    podman exec -t "${name}" "${@}"
    echo
 }
 container_remove_image_if_exists()
 {
    # In older (as in Ubuntu 22.04) podman versions,
    # 'podman image rm --force' fails if the image
    # does not exist.
    local tag_to_remove="${1}"
    if podman image exists "${tag_to_remove}"
    then
        log info "= Cleanup ${tag_to_remove} ="
        podman image rm "${tag_to_remove}" --force
        echo
    fi
 }
 container_get_state()
 {
    local name="${1}"
    state=$(podman ps -q --all --format "{{.State}}" --filter "name=${name}")
    echo "${state}"
 }
 container_pull() {
    local source="${1}"
    image=$(podman pull "${source}")
    echo "${image}"
 }
 container_image_list() {
    local source="${1}"
    # Append "$" for an exact match if the source does not end with ":" to
    # search for the repo only.
    if [[ ${source} != *: ]]; then
        source="${source}$"
    fi
    image=$(podman image list --format "{{ .Repository }}:{{ .Tag }}" | \
                grep "^${source}")
    echo "${image}"
 }
 container_check() {
    [ -n "$(command -v "podman")" ] || die "podman is required."
 }
 container_copy() {
    local name="${1}"
    local source="${2}"
    local destination="${3}"
    log info "= Copying ${source} to ${name}:${destination} ="
    podman cp "${source}" "${name}:${destination}"
    echo
 }
 container_fetch() {
    local name="${1}"
    local source="${2}"
    local destination="${3}"
    log info "= Copying ${name}:${source} to ${destination} ="
    podman cp "${name}:${source}" "${destination}"
    echo
 }
--- a/infra/image/start.sh
+++ b/infra/image/start.sh
@@ -0,0 +1,95 @@
 #!/bin/bash -eu
 BASEDIR="$(readlink -f "$(dirname "$0")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../..")"
 # shellcheck disable=SC1091
 . "${BASEDIR}/shcontainer"
 # shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 usage() {
    local prog="${0##*/}"
    cat << EOF
 usage: ${prog} [-h] [-l] [-n HOSTNAME ] image
    ${prog} start a prebuilt ansible-freeipa test container image.
 EOF
 }
 help() {
    cat << EOF
 positional arguments:
    image    The image to start, leave empty to get list of images
 optional arguments:
    -h            Show this message
    -l            Try to use local image first, if not found download.
    -n HOSTNAME   Set container hostname
 NOTE:
    - The hostname must be the same as the hostname of the container
      when FreeIPA was deployed. Use only if you built the image and
      defined its hostname.
 EOF
 }
 list_images() {
    local quay_api="https://quay.io/api/v1/repository/ansible-freeipa/upstream-tests/tag"
    log info "Available images on quay:"
    curl --silent -L "${quay_api}" | jq '.tags[]|.name' | tr -d '"'| sort | uniq | sed "s/.*/    &/"
    echo
    log info "Local images (use -l):"
    local_image=$(container_image_list "${repo}:")
    echo "${local_image}" | sed -e "s/.*://" | sed "s/.*/    &/"
    echo
 }
 repo="quay.io/ansible-freeipa/upstream-tests"
 name="ansible-freeipa-tests"
 hostname="ipaserver.test.local"
 try_local_first="N"
 while getopts ":hln:" option
 do
    case "${option}" in
        h) help && exit 0 ;;
        l) try_local_first="Y" ;;
        n) hostname="${OPTARG}" ;;
        *) die -u "Invalid option: ${option}" ;;
    esac
 done
 shift $((OPTIND - 1))
 image=${1:-}
 container_check
 if [ -z "${image}" ]; then
    list_images
    exit 0
 fi
 local_image=
 if [ "${try_local_first}" == "Y" ]; then
    log info "= Trying to use local image first ="
    local_image=$(container_image_list "${repo}:${image}")
    [ -n "${local_image}" ] && log info "Found ${local_image}"
    echo
 fi
 if [ -z "${local_image}" ]; then
    log info "= Downloading from quay ="
    local_image=$(container_pull "${repo}:${image}")
    echo
 fi
 [ -z "${local_image}" ] && die "Image '${image}' is not valid"
 container_create "${name}" "${local_image}" "hostname=${hostname}"
 container_start "${name}"
 container_wait_for_journald "${name}"
 container_wait_up "${name}"
 log info "Container ${name} is ready to be used."
--- a/infra/image/system-service/container-ipa.target
+++ b/infra/image/system-service/container-ipa.target
@@ -0,0 +1,6 @@
 [Unit]
 Description=Minimal target for containerized FreeIPA server
 DefaultDependencies=false
 AllowIsolate=yes
 Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
 After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
--- a/infra/image/system-service/fixipaip.service
+++ b/infra/image/system-service/fixipaip.service
@@ -0,0 +1,12 @@
 [Unit]
 Description=Fix IPA server IP in IPA Server
 After=ipa.service
 [Service]
 Type=oneshot
 ExecStart=/root/fixipaip.sh
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=default.target
--- a/infra/image/system-service/fixipaip.sh
+++ b/infra/image/system-service/fixipaip.sh
@@ -0,0 +1,85 @@
 #!/bin/bash -eu
 function valid_fqdn()
 {
    local name="${1}"
    [[ "${name}" =~ [[:space:]] ]] && return 1
    [[ "${name}" =~ \. ]] || return 1
    [[ "${name}" =~ \.\. ]] && return 1
    for i in ${name//./ }; do
        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
    done
    [[ "${name}" == "localhost.localdomain" ]] && return 1
    return 0
 }
 function valid_ipv4()
 {
    local ip="${1}"
    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
    [[ "${ip}" =~ ${rematch} ]] || return 1
    for i in ${ip//./ }; do
        [[ ${i} -le 255 ]] || return 1
    done
    return 0
 }
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
 export KRB5CCNAME=ansible_freeipa_cache
 if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
    echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
    exit 1
 fi
 if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
    echo "ERROR: Got invalid IPv4 address: '${IP}'"
    exit 1
 fi
 PTR=$(echo "${IP}" | awk -F"." '{print $4}')
 if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
    echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
    exit 1
 fi
 FORWARDER=$(grep -s -m 1 ^nameserver /etc/resolv.conf.fixnet | cut -d" " -f 2)
 if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
    FORWARDER="8.8.8.8"
 fi
 echo "Fix IPA:"
 echo "  HOSTNAME: '${HOSTNAME}'"
 echo "  IP: '${IP}'"
 echo "  PTR: '${PTR}'"
 echo "  FORWARDER: '${FORWARDER}'"
 ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
            --raw --pkey-only | grep "idnsname:" | awk -F": " '{print $2}')
 for zone in ${ZONES}; do
    echo
    if [[ "${zone}" == *".in-addr.arpa."* ]]; then
        echo "Fixing reverse zone ${zone}:"
        OLD_PTR=$(ipa -e in_server=true dnsrecord-find "${zone}" \
                      --ptr-rec="${HOSTNAME}." --raw | grep "idnsname:" | \
                      awk -F": " '{print $2}')
        if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
            echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
        else
            ipa -e in_server=true dnsrecord-mod "${zone}" "${OLD_PTR}" \
                --ptr-rec="${HOSTNAME}." --rename="${PTR}" || true
        fi
    else
        echo "Fixing forward zone ${zone}:"
        ipa -e in_server=true dnsrecord-mod test.local "${HOSTNAME%%.*}" \
            --a-rec="$IP" || true
        ipa -e in_server=true dnsrecord-mod test.local ipa-ca \
            --a-rec="$IP" || true
    fi
 done
 ipa -e in_server=true dnsserver-mod "${HOSTNAME}" \
    --forwarder="${FORWARDER}" || true
 exit 0
--- a/infra/image/system-service/fixnet.service
+++ b/infra/image/system-service/fixnet.service
@@ -0,0 +1,14 @@
 [Unit]
 Description=Fix server IP in IPA Server
 Wants=network.target
 After=network.target
 Before=ipa.service
 [Service]
 Type=oneshot
 ExecStart=/root/fixnet.sh
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=ipa.service
--- a/infra/image/system-service/fixnet.sh
+++ b/infra/image/system-service/fixnet.sh
@@ -0,0 +1,66 @@
 #!/bin/bash -eu
 function valid_fqdn()
 {
    local name="${1}"
    [[ "${name}" =~ [[:space:]] ]] && return 1
    [[ "${name}" =~ \. ]] || return 1
    [[ "${name}" =~ \.\. ]] && return 1
    for i in ${name//./ }; do
        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
    done
    [[ "${name}" == "localhost.localdomain" ]] && return 1
    return 0
 }
 function valid_ipv4()
 {
    local ip="${1}"
    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
    [[ "${ip}" =~ ${rematch} ]] || return 1
    for i in ${ip//./ }; do
        [[ ${i} -le 255 ]] || return 1
    done
    return 0
 }
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
 if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
    echo "ERROR: Failed to retrieve hostname."
    exit 1
 fi
 if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
    echo "ERROR: Got invalid IPv4 address: '${IP}'"
    exit 1
 fi
 echo "Fix NET:"
 echo "  HOSTNAME: '${HOSTNAME}'"
 echo "  IP: '${IP}'"
 echo
 if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
 then
    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
 else
    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
 fi
 cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
 cat > /etc/resolv.conf <<EOF
 search ${HOSTNAME#*.}
 nameserver 127.0.0.1
 EOF
 echo "/etc/hosts:"
 cat "/etc/hosts"
 echo
 echo "/etc/resolv.conf:"
 cat "/etc/resolv.conf"
 exit 0
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.13"
+requires_ansible: ">=2.14.0"
--- a/molecule/c8s-build/Dockerfile
+++ b/molecule/c8s-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM quay.io/centos/centos:stream8
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/c8s-build/molecule.yml
+++ b/molecule/c8s-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c8s-build
    image: "quay.io/centos/centos:stream8"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/c8s/molecule.yml
+++ b/molecule/c8s/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c8s
    image: quay.io/ansible-freeipa/upstream-tests:c8s
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/c9s-build/Dockerfile
+++ b/molecule/c9s-build/Dockerfile
@@ -1,29 +0,0 @@
 FROM quay.io/centos/centos:stream9
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/c9s-build/molecule.yml
+++ b/molecule/c9s-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c9s-build
    image: "quay.io/centos/centos:stream9"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/c9s/molecule.yml
+++ b/molecule/c9s/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c9s
    image: quay.io/ansible-freeipa/upstream-tests:c9s
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/centos-7-build/molecule.yml
+++ b/molecule/centos-7-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7-build
    image: centos/systemd
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/centos-7/molecule.yml
+++ b/molecule/centos-7/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7
    image: quay.io/ansible-freeipa/upstream-tests:centos-7
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/default
+++ b/molecule/default
@@ -1 +0,0 @@
 fedora-latest
--- a/molecule/fedora-latest-build/Dockerfile
+++ b/molecule/fedora-latest-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM fedora:latest
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest-build
    image: "fedora:latest"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/fedora-latest/molecule.yml
+++ b/molecule/fedora-latest/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest
    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/fedora-rawhide-build/Dockerfile
+++ b/molecule/fedora-rawhide-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM fedora:rawhide
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-rawhide-build/molecule.yml
+++ b/molecule/fedora-rawhide-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-rawhide-build
    image: "fedora:rawhide"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/fedora-rawhide/molecule.yml
+++ b/molecule/fedora-rawhide/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-rawhide
    image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/resources/playbooks/library
+++ b/molecule/resources/playbooks/library
@@ -1 +0,0 @@
 ../../../plugins/modules/
--- a/molecule/resources/playbooks/module_utils
+++ b/molecule/resources/playbooks/module_utils
@@ -1 +0,0 @@
 ../../../plugins/module_utils/
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.13"`	`requires_ansible: ">=2.14.0"`