ipaconfig: Validate emaildomain

When setting the default email domain, there was no validation on the
provide value. Using ipapython.validate.Email applies the same
validation method as implemented in IPA.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

.ansible-lint

@@ -7,7 +7,6 @@ exclude_paths:
   - .tox/
   - .venv/
   - .yamllint
-  - molecule/
   - tests/azure/
   - meta/runtime.yml
   - requirements-docker.yml

.github/workflows/lint.yml

@@ -34,21 +34,6 @@ jobs:
       - name: Run yaml-lint
         uses: ibiqlik/action-yamllint@v3.1.1
 
-  pydocstyle:
-    name: Verify pydocstyle
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4.1.1
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-python@v5.1.0
-        with:
-          python-version: "3.x"
-      - name: Run pydocstyle
-        run: |
-            pip install pydocstyle
-            pydocstyle
-
   flake8:
     name: Verify flake8
     runs-on: ubuntu-latest
@@ -88,3 +73,5 @@ jobs:
           fetch-depth: 1
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master
+        env:
+          SHELLCHECK_OPTS: -x

.gitignore

@@ -12,3 +12,4 @@ importer_result.json
 /.venv/
 
 tests/logs/
+TEST*.xml

.pre-commit-config.yaml

@@ -29,10 +29,6 @@ repos:
   rev: 7.0.0
   hooks:
   - id: flake8
-- repo: https://github.com/pycqa/pydocstyle
-  rev: 6.3.0
-  hooks:
-  - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
   rev: v3.2.2
   hooks:
@@ -54,4 +50,7 @@ repos:
     name: ShellCheck
     language: system
     entry: shellcheck
-    files: \.sh$
+    args: ['-x']
+    files: >
+      \.sh$
+      utils/sh*$

.yamllint

@@ -20,4 +20,9 @@ rules:
     max: 160
   # Disabled rules
   indentation: disable
-  comments: disable
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: disable
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true

README-automember.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-automountkey.md

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-automountlocation.md

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-automountmap.md

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-cert.md

@@ -25,7 +25,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 * Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
 
 **Node**

README-config.md

@@ -25,7 +25,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-delegation.md

@@ -23,7 +23,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-dnsconfig.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-dnsforwardzone.md

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-dnsrecord.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-dnszone.md

@@ -23,7 +23,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 
 **Node**

README-group.md

@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
 
 The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
 
-## Note
-Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+
+Notes
+-----
+
+* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
 
 
 Features
@@ -29,7 +33,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -213,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
 ---
 - name: Playbook to handle groups.
   hosts: ipaserver
-  
+
   tasks:
   - name: Create an external group and add members from a trust to it.
     ipagroup:
@@ -276,6 +280,7 @@ Example playbook to ensure groups are absent:
       state: absent
 ```
 
+
 Variables
 =========
 
@@ -299,8 +304,8 @@ Variable | Description | Required
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
-`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
-`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
+`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
 `rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes

README-hbacrule.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Rule login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Rule login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:

README-hbacsvc.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-hbacsvcgroup.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Service Group login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Service Group login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
   become: true
 
   tasks:

README-host.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -341,7 +341,7 @@ Variable | Description | Required
 `password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
 `random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
-`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
+`managedby_host` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
 `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
 `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no

README-hostgroup.md

@@ -26,7 +26,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-idoverridegroup.md

@@ -29,7 +29,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-idoverrideuser.md

@@ -29,7 +29,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-idp.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-idrange.md

@@ -37,7 +37,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-idview.md

@@ -29,7 +29,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-inventory-plugin-freeipa.md

@@ -25,7 +25,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-location.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-netgroup.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-permission.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-privilege.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-pwpolicy.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-role.md

@@ -25,7 +25,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-selfservice.md

@@ -23,7 +23,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-server.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-service.md

@@ -25,7 +25,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FReeIPA version (see above)

README-servicedelegationrule.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-servicedelegationtarget.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-sudocmd.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-sudocmdgroup.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-sudorule.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -129,6 +129,49 @@ Example playbook to make sure Sudo Rule is absent:
       state: absent
 ```
 
+Example playbook to ensure multiple Sudo Rule are present using batch mode:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+- name: Ensure multiple Sudo Rules are present using batch mode.
+  ipasudorule:
+    ipaadmin_password: SomeADMINpassword
+    sudorules:
+      - name: testrule1
+        hostmask:
+          - 192.168.122.1/24
+      - name: testrule2
+        hostcategory: all
+```
+
+Example playbook to ensure multiple Sudo Rule members are present using batch mode:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+- name: Ensure multiple Sudo Rules are present using batch mode.
+  ipasudorule:
+    ipaadmin_password: SomeADMINpassword
+    action: member
+    sudorules:
+      - name: testrule1
+        user:
+          - user01
+          - user02
+        group:
+          - group01
+      - name: testrule2
+        hostgroup:
+          - hostgroup01
+          - hostgroup02
+```
 
 Variables
 =========
@@ -139,7 +182,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `cn` | The list of sudorule name strings. | yes
+`name` \| `cn` | The list of sudorule name strings. | no
+`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
+&nbsp; | `name` - The sudorule name string of the entry. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no

README-topology.md

@@ -22,7 +22,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-trust.md

@@ -21,7 +21,7 @@ Requirements
 
 **Controller**
 
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 

README-user.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README-vault.md

@@ -24,7 +24,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)

README.md

@@ -66,7 +66,7 @@ Supported Distributions
 -----------------------
 
 * RHEL/CentOS 7.4+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu
 * Debian 10+ (ipaclient only, no server or replica!)
 
@@ -74,7 +74,7 @@ Requirements
 ------------
 
 **Controller**
-* Ansible version: 2.15+
+* Ansible version: 2.14+
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -125,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
 
 **RPM package**
 
-There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
 
 **Ansible Galaxy**
 

infra/azure/azure-pipelines.yml

@@ -0,0 +1,73 @@
+---
+trigger:
+- master
+
+pool:
+  vmImage: 'ubuntu-20.04'
+
+variables:
+  ansible_version: "-core >=2.16,<2.17"
+  ansible_latest: "-core"
+  ansible_minimum: "-core <2.16"
+  distros: "fedora-latest,c9s,c10s,fedora-rawhide"
+
+stages:
+
+- stage: fedora_latest_ansible_latest
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      distro: fedora-latest
+      ansible_version: ${{ variables.ansible_latest }}
+      skip_git_test: true
+
+- stage: fedora_latest_ansible_2_15
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      distro: fedora-latest
+      ansible_version: ${{ variables.ansbile_minimum }}
+      skip_git_test: true
+
+# Supported distros
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
+    dependsOn: []
+    jobs:
+    - template: templates/group_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: ${{ distro }}
+        ansible_version: ${{ variables.ansible_version }}
+        skip_git_test: true
+        test_galaxy: false
+
+# Galaxy on Fedora
+
+- stage: galaxy_fedora_latest_ansible_2_16
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      distro: fedora-latest
+      ansible_version: ${{ variables.ansible_version }}
+      skip_git_test: true
+      test_galaxy: true
+
+# CentOS 8 Stream, latest supported Ansible version.
+
+- stage: c8s_ansible_2_16
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      distro: c8s
+      ansible_version: "-core <2.17"
+      skip_git_test: true

infra/azure/build-containers.yml

@@ -0,0 +1,35 @@
+---
+schedules:
+- cron: "0 0 * * 0"
+  displayName: Weekly Sunday midnight build
+  branches:
+    include:
+    - master
+  always: true
+
+trigger: none
+
+pool:
+  vmImage: 'ubuntu-24.04'
+
+variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
+
+stages:
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: build_${{ join('_', split(distro, '-')) }}
+    dependsOn: []
+    jobs:
+    - template: templates/build_container.yml
+      parameters:
+        distro: ${{ distro }}
+
+# Special case for CentOS 8 Stream
+- stage: CentOS_8_Stream
+  dependsOn: []
+  jobs:
+  - template: templates/build_container.yml
+    parameters:
+      distro: c8s
+      # ansible-core 2.17+ cannot be used to deploy on CentOS 8 Stream.
+      ansible_core_version: "<2.17"

infra/azure/nightly.yml

@@ -0,0 +1,79 @@
+---
+schedules:
+- cron: "0 19 * * *"
+  displayName: Nightly Builds
+  branches:
+    include:
+    - master
+  always: true
+
+trigger: none
+
+pool:
+  vmImage: 'ubuntu-20.04'
+
+variables:
+  # We need to have two sets, as c8s is not supported by all ansible versions
+  recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
+  distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
+  ansible_latest: "-core"
+  ansible_minimum: "-core <2.16"
+  ansible_version: "-core >=2.16,<2.17"
+
+stages:
+
+# Minimum ansible
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_15
+    dependsOn: []
+    jobs:
+    - template: templates/group_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: fedora-latest
+        ansible_version: ${{ variables.ansible_minimum }}
+        skip_git_test: true
+        test_galaxy: false
+
+# Latest ansible
+
+- ${{ each distro in split(variables.recent_distros, ',') }}:
+  - stage: ${{ replace(distro, '-', '_') }}_ansible_latest
+    dependsOn: []
+    jobs:
+    - template: templates/group_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: ${{ distro }}
+        ansible_version: ${{ variables.ansible_latest }}
+        skip_git_test: true
+        test_galaxy: false
+
+# Selected ansible-core version
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
+    dependsOn: []
+    jobs:
+    - template: templates/group_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: ${{ distro }}
+        ansible_version: ${{ variables.ansible_version }}
+        skip_git_test: true
+        test_galaxy: false
+
+# Galaxy collection with selected ansible-core version
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: galaxy_${{ replace(distro, '-', '_') }}_asible_2_16
+    dependsOn: []
+    jobs:
+    - template: templates/group_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: ${{ distro }}
+        ansible_version: ${{ variables.ansible_version }}
+        skip_git_test: true
+        test_galaxy: true

infra/azure/pr-pipeline.yml

@@ -0,0 +1,39 @@
+---
+trigger:
+- master
+
+pool:
+  vmImage: 'ubuntu-20.04'
+
+variables:
+  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
+  ansible_version: "-core >=2.15,<2.16"
+
+stages:
+
+# Test with repository in all distros
+
+- ${{ each distro in split(variables.distros, ',') }}:
+  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
+    dependsOn: []
+    jobs:
+    - template: templates/run_tests.yml
+      parameters:
+        build_number: $(Build.BuildNumber)
+        distro: ${{ distro }}
+        ansible_version: ${{ variables.ansible_version }}
+        skip_git_test: false
+        test_galaxy: false
+
+# Galaxy on Fedora
+
+- stage: galaxy_fedora_latest_ansible_2_16
+  dependsOn: []
+  jobs:
+  - template: templates/run_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      distro: fedora-latest
+      ansible_version: ${{ variables.ansible_version }}
+      skip_git_test: false
+      test_galaxy: true

infra/azure/scripts/get_test_modules.py

@@ -159,7 +159,7 @@ def map_test_module_sources(base):
     """Create a map of 'test-modules' to 'plugin-sources', from 'base'."""
     # Find root directory of playbook tests.
     script_dir = os.path.dirname(__file__)
-    test_root = os.path.realpath(os.path.join(script_dir, f"../{base}"))
+    test_root = os.path.realpath(os.path.join(script_dir, f"../../../{base}"))
     # create modules:source_files map
     _result = {}
     for test_module in [d for d in os.scandir(test_root) if d.is_dir()]:
@@ -170,7 +170,7 @@ def map_test_module_sources(base):
 
 
 def usage(err=0):
-    print("filter_plugins.py [-h|--help] [-p|--pytest] PY_SRC...")
+    print("get_test_modules.py [-h|--help] [-p|--pytest] PY_SRC...")
     print(
         """
 Print a comma-separated list of modules that should be tested if

infra/azure/scripts/set_test_modules

@@ -0,0 +1,67 @@
+#!/bin/bash -eu
+# This file shoud be source'd (. set_test_modules) rather than executed.
+#
+# Set SKIP_GIT_TEST="True" or use -a to prevent git modification comparison.
+#
+
+RED="\033[31;1m"
+RST="\033[0m"
+
+die() {
+    echo -e "${RED}${*}${RST}" >&2
+}
+
+BASEDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
+TOPDIR="$(readlink -f "${BASEDIR}/../../..")"
+
+[ -n "$(command -v python3)" ] && python="$(command -v python3)" || python="$(command -v python2)"
+
+pushd "${TOPDIR}" >/dev/null 2>&1 || die "Failed to change directory."
+
+SKIP_GIT_TEST=${SKIP_GIT_TEST:-"False"}
+
+while getopts ":a" opt
+do
+    case "${opt}" in
+        a) SKIP_GIT_TEST="True" ;;
+        *) ;; # ignore other options
+    esac
+done
+
+files_list=$(mktemp)
+
+enabled_modules="None"
+enabled_tests="None"
+
+if [ "${SKIP_GIT_TEST}" != "True" ]
+then
+    remote="$(basename "$(mktemp -u remote_XXXXXX)")"
+    git remote add "${remote}" https://github.com/freeipa/ansible-freeipa
+    git fetch --prune --no-tags --quiet "${remote}"
+    git diff "${remote}/master" --name-only > "${files_list}"
+    git remote remove "${remote}"
+
+    # shellcheck disable=SC2046
+    enabled_modules="$(${python} "${BASEDIR}/get_test_modules.py" $(cat "${files_list}"))"
+    [ -z "${enabled_modules}" ] && enabled_modules="None"
+
+    # Get individual tests that should be executed
+    mapfile -t tests < <(sed -n 's#.*/\(test_[^/]*\).yml#\1#p' "${files_list}" | tr -d " ")
+    [ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
+    [ -z "${enabled_tests}" ] && enabled_tests="None"
+
+    [ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
+    [ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
+
+    rm -f "${files_list}"
+fi
+
+# Get all modules that should have tests executed
+
+export IPA_ENABLED_MODULES
+export IPA_ENABLED_TESTS
+
+echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
+echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
+
+popd >/dev/null 2>&1 || die "Failed to change back to original directory."

infra/azure/templates/build_container.yml

@@ -0,0 +1,45 @@
+---
+parameters:
+  - name: distro
+    type: string
+  - name: python_version
+    type: string
+    default: 3.x
+  - name: ansible_core_version
+    default: ""
+
+jobs:
+- job: BuildTestImage_${{ join('_', split(parameters.distro, '-')) }}
+  displayName: Build ${{ parameters.distro }} test container
+  steps:
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '${{ parameters.python_version }}'
+
+  - script: python -m pip install --upgrade pip "ansible-core${{ parameters.ansible_core_version }}"
+    retryCountOnTaskFailure: 5
+    displayName: Install tools
+
+  - script: ansible-galaxy collection install containers.podman
+    displayName: Install Ansible Galaxy collections
+
+  - script: infra/image/build.sh -s ${{ parameters.distro }}
+    displayName: Build ${{ parameters.distro }} base image
+    env:
+      ANSIBLE_ROLES_PATH: "${PWD}/roles"
+      ANSIBLE_LIBRARY: "${PWD}/plugins/modules"
+      ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
+
+  - script: podman login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
+    displayName: Registry login
+    env:
+      # Secrets needs to be mapped as env vars to work properly
+      QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
+
+  - script: |
+      podman push quay.io/ansible-freeipa/upstream-tests:${{parameters.distro}}-base quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-base
+    displayName: Push base image
+
+  - script: |
+      podman push quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server
+    displayName: Push server image

infra/azure/templates/group_tests.yml

@@ -0,0 +1,30 @@
+---
+parameters:
+  - name: distro
+    type: string
+    default: fedora-latest
+  - name: build_number
+    type: string
+  - name: ansible_version
+    type: string
+    default: ""
+  - name: skip_git_test
+    type: boolean
+    default: false
+  - name: test_galaxy
+    type: boolean
+    default: false
+
+jobs:
+
+- ${{ each group in split('1,2,3', ',') }}:
+  - template: run_tests.yml
+    parameters:
+      group_number: ${{ group }}
+      number_of_groups: 3
+      build_number: ${{ parameters.build_number }}
+      distro: ${{ parameters.distro }}
+      ansible_version: ${{ parameters.ansible_version }}
+      python_version: '< 3.12'
+      skip_git_test: ${{ parameters.skip_git_test }}
+      test_galaxy: ${{ parameters.test_galaxy }}

infra/azure/templates/prepare_environment.yaml

@@ -0,0 +1,30 @@
+---
+parameters:
+  - name: distro
+    type: string
+    default: fedora-latest
+  - name: ansible_version
+    type: string
+    default: ""
+  - name: python_version
+    type: string
+    default: 3.x
+  - name: build_number
+    type: string
+
+steps:
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '${{ parameters.python_version }}'
+
+  - script: |
+      pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
+    retryCountOnTaskFailure: 5
+    displayName: Install test dependencies
+
+  - script: ansible-galaxy collection install -r requirements-podman.yml
+    retryCountOnTaskFailure: 5
+    displayName: Install Ansible collections
+
+  - script: infra/image/start.sh ${{ parameters.distro }}-server
+    displayName: Setup target container for ${{ parameters.distro }}

infra/azure/templates/run_tests.yml

@@ -0,0 +1,98 @@
+---
+parameters:
+  - name: group_number
+    type: number
+    default: 1
+  - name: number_of_groups
+    type: number
+    default: 1
+  - name: distro
+    type: string
+    default: fedora-latest
+  - name: ansible_version
+    type: string
+    default: ""
+  - name: python_version
+    type: string
+    default: 3.x
+  - name: build_number
+    type: string
+  - name: skip_git_test
+    type: boolean
+    default: true
+  - name: test_type
+    type: string
+    default: "playbook"
+  - name: test_galaxy
+    type: boolean
+    default: false
+
+jobs:
+- job: Test_Group${{ parameters.group_number }}
+  displayName: Run playbook tests ${{ parameters.distro }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
+  timeoutInMinutes: 360
+  variables:
+  - template: variables.yaml
+  - template: variables_${{ parameters.distro }}.yaml
+  steps:
+  - template: prepare_environment.yaml
+    parameters:
+      build_number: ${{ parameters.build_number }}
+      distro: ${{ parameters.distro }}
+      ansible_version: ${{ parameters.ansible_version }}
+      python_version: ${{ parameters.python_version }}
+
+  - bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
+    displayName: Set repo rootdir
+
+  - script: |
+      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
+      python3 utils/check_test_configuration.py ${{ parameters.distro }}
+    displayName: Check test configuration
+    env:
+       SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
+
+  - script: |
+      git fetch --unshallow
+      utils/build-galaxy-release.sh -i
+    retryCountOnTaskFailure: 5
+    displayName: Build Galaxy release
+    condition: ${{ parameters.test_galaxy }}
+
+  - script: |
+      echo "PWD: ${PWD}"
+      echo "TOPDIR: ${TOPDIR}"
+      echo "ROLES: ${ANSIBLE_ROLES_PATH}"
+      echo "LIBRARY: ${ANSIBLE_LIBRARY}"
+      echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
+      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
+      [ "${{ parameters.test_galaxy }}" == "True"  ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
+      pytest \
+          -m "${{ parameters.test_type }}" \
+          --verbose \
+          --color=yes \
+          --splits=${{ parameters.number_of_groups }} \
+          --group=${{ parameters.group_number }} \
+          --randomly-seed=$(date "+%Y%m%d") \
+          --suppress-no-test-exit-code \
+          --junit-xml=TEST-results-pr-check.xml
+    displayName: Run playbook tests
+    env:
+      SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
+      ${{ if not(parameters.test_galaxy)  }}:
+        ANSIBLE_ROLES_PATH: "${PWD}/roles"
+        ANSIBLE_LIBRARY: "${PWD}/plugins"
+        ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
+      IPA_SERVER_HOST: ansible-freeipa-tests
+      RUN_TESTS_IN_DOCKER: podman
+      IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
+      IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
+      IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
+      IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
+      IPA_VERBOSITY: "-vvv"
+
+  - task: PublishTestResults@2
+    inputs:
+      mergeTestResults: true
+      testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
+    condition: succeededOrFailed()

infra/azure/templates/variables_c9s.yaml

@@ -0,0 +1,21 @@
+#
+# Variables must be defined as comma separated lists.
+# For easier management of items to enable/disable,
+# use one test/module on each line, followed by a comma.
+#
+# Example:
+#
+# ipa_disabled_modules: >-
+#   dnsconfig,
+#   group,
+#   hostgroup
+#
+# If no variables are set, set "empty: true" as at least
+# one item is needed in the set.
+---
+variables:
+  empty: true
+#   ipa_enabled_modules: >-
+#   ipa_enabled_tests: >-
+#   ipa_disabled_modules: >-
+#   ipa_disabled_tests: >-

infra/image/build-inventory

@@ -0,0 +1,15 @@
+[ipaserver]
+ansible-freeipa-image-builder ansible_connection=podman
+
+[ipaserver:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL
+ipaserver_setup_dns=true
+ipaserver_auto_forwarders=true
+ipaserver_no_dnssec_validation=true
+ipaserver_auto_reverse=true
+ipaserver_setup_kra=true
+ipaserver_setup_firewalld=false
+ipaclient_no_ntp=true

infra/image/build.sh

@@ -0,0 +1,137 @@
+#!/bin/bash -eu
+
+BASEDIR="$(readlink -f "$(dirname "$0")")"
+TOPDIR="$(readlink -f "${BASEDIR}/../..")"
+
+# shellcheck disable=SC1091
+. "${BASEDIR}/shcontainer"
+# shellcheck disable=SC1091
+. "${TOPDIR}/utils/shfun"
+
+valid_distro() {
+    find "${BASEDIR}/dockerfile" -type f -printf "%f\n" | tr "\n" " "
+}
+
+usage() {
+    local prog="${0##*/}"
+    cat << EOF
+usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
+    ${prog} build a container image to test ansible-freeipa.
+EOF
+}
+
+help() {
+    cat << EOF
+positional arguments:
+
+    distro    The base distro to build the test container.
+              Availble distros: $(valid_distro)
+
+optional arguments:
+
+    -n HOSTNAME   Container hostname
+    -p            Give extended privileges to the container
+    -s            Deploy IPA server
+EOF
+}
+
+name="ansible-freeipa-image-builder"
+hostname="ipaserver.test.local"
+cpus="2"
+memory="3g"
+quayname="quay.io/ansible-freeipa/upstream-tests"
+deploy_server="N"
+deploy_capabilities="SYS_ADMIN,SYSLOG"
+capabilities=""
+
+while getopts ":hn:s" option
+do
+    case "${option}" in
+        h) help && exit 0 ;;
+        n) hostname="${OPTARG}" ;;
+        s) deploy_server="Y" ;;
+        *) die -u "Invalid option: ${option}" ;;
+    esac
+done
+
+shift $((OPTIND - 1))
+distro=${1:-}
+
+[ -n "${distro}" ] || die "Distro needs to be given.\nUse one of: $(valid_distro)"
+
+[ -f "${BASEDIR}/dockerfile/${distro}" ] \
+  || die "${distro} is not a valid distro target.\nUse one of: $(valid_distro)"
+
+container_check
+
+if [ "${deploy_server}" == "Y" ]
+then
+    capabilities="${deploy_capabilities}"
+
+    [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
+
+    deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
+    [ -f "${deploy_playbook}" ] || die "Can't find playbook '${deploy_playbook}'"
+
+    inventory_file="${BASEDIR}/build-inventory"
+    [ -f "${inventory_file}" ] || die "Can't find inventory '${inventory_file}'"
+fi
+
+container_state=$(container_get_state "${name}")
+
+tag="${distro}-base"
+server_tag="${distro}-server"
+
+container_remove_image_if_exists "${tag}"
+[ "${deploy_server}" == "Y" ] && \
+    container_remove_image_if_exists "${server_tag}"
+
+container_build "${tag}" "${BASEDIR}/dockerfile/${distro}" "${BASEDIR}"
+container_create "${name}" "${tag}" \
+    "hostname=${hostname}" \
+    "memory=${memory}" \
+    "cpus=${cpus}" \
+    "${capabilities:+capabilities=$capabilities}"
+container_commit "${name}" "${quayname}:${tag}"
+
+if [ "${deploy_server}" == "Y" ]
+then
+    deployed=false
+
+    # Set path to ansible-freeipa roles
+    [ -z "${ANSIBLE_ROLES_PATH:-""}" ] && export ANSIBLE_ROLES_PATH="${TOPDIR}/roles"
+
+    # Install collection containers.podman if not available
+    if [ -z "$(ansible-galaxy collection list containers.podman)" ]
+    then
+        tmpdir="$(mktemp -d)"
+        export ANSIBLE_COLLECTIONS_PATH="${tmpdir}"
+        ansible-galaxy collection install -p "${tmpdir}" containers.podman
+    fi
+
+    [ "${container_state}" != "running" ] && container_start "${name}"
+
+    container_wait_for_journald "${name}"
+
+    log info "= Deploying IPA ="
+    if ansible-playbook -u root -i "${inventory_file}" "${deploy_playbook}"
+    then
+        deployed=true
+    fi
+    echo
+
+    if $deployed; then
+        log info "= Enabling services ="
+        container_exec "${name}" systemctl enable fixnet
+        container_exec "${name}" systemctl enable fixipaip
+        echo
+    fi
+    
+    container_stop "${name}"
+
+    $deployed || die "Deployment failed"
+
+    container_commit "${name}" "${quayname}:${server_tag}"
+fi
+
+log info "= DONE: Image created. ="

infra/image/dockerfile/c10s

@@ -0,0 +1,39 @@
+FROM quay.io/centos/centos:stream10
+ENV container=podman
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute \
+    hostname; \
+rm -rf /var/cache/dnf/;
+
+RUN (cd /lib/systemd/system/; \
+    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
+       ln -s dbus-broker.service dbus.service; \
+    fi \
+)
+COPY system-service/container-ipa.target /lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN (cd /etc/systemd/system/; \
+    rm -rf multi-user.target.wants \
+	&& mkdir container-ipa.target.wants \
+	&& ln -s container-ipa.target.wants multi-user.target.wants \
+)
+
+COPY system-service/fixnet.sh /root/
+COPY system-service/fixipaip.sh /root/
+COPY system-service/fixnet.service /etc/systemd/system/
+COPY system-service/fixipaip.service /etc/systemd/system/
+RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

infra/image/dockerfile/c8s

@@ -0,0 +1,43 @@
+FROM quay.io/centos/centos:stream8
+ENV container=podman
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
+sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo; \
+sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute; \
+dnf clean all; \
+rm -rf /var/cache/dnf/;
+
+RUN (cd /lib/systemd/system/; \
+    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
+       ln -s dbus-broker.service dbus.service; \
+    fi \
+)
+COPY system-service/container-ipa.target /lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN (cd /etc/systemd/system/; \
+    rm -rf multi-user.target.wants \
+	&& mkdir container-ipa.target.wants \
+	&& ln -s container-ipa.target.wants multi-user.target.wants \
+)
+
+COPY system-service/fixnet.sh /root/
+COPY system-service/fixipaip.sh /root/
+COPY system-service/fixnet.service /etc/systemd/system/
+COPY system-service/fixipaip.service /etc/systemd/system/
+RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]
+

infra/image/dockerfile/c9s

@@ -0,0 +1,38 @@
+FROM quay.io/centos/centos:stream9
+ENV container=podman
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute; \
+rm -rf /var/cache/dnf/;
+
+RUN (cd /lib/systemd/system/; \
+    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
+       ln -s dbus-broker.service dbus.service; \
+    fi \
+)
+COPY system-service/container-ipa.target /lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN (cd /etc/systemd/system/; \
+    rm -rf multi-user.target.wants \
+	&& mkdir container-ipa.target.wants \
+	&& ln -s container-ipa.target.wants multi-user.target.wants \
+)
+
+COPY system-service/fixnet.sh /root/
+COPY system-service/fixipaip.sh /root/
+COPY system-service/fixnet.service /etc/systemd/system/
+COPY system-service/fixipaip.service /etc/systemd/system/
+RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

infra/image/dockerfile/fedora-latest

@@ -0,0 +1,41 @@
+FROM fedora:latest
+ENV container=podman
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    python3-libdnf5 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute; \
+dnf clean all; \
+rm -rf /var/cache/dnf/;
+
+RUN (cd /lib/systemd/system/; \
+    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
+       ln -s dbus-broker.service dbus.service; \
+    fi \
+)
+COPY system-service/container-ipa.target /lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN (cd /etc/systemd/system/; \
+    rm -rf multi-user.target.wants \
+	&& mkdir container-ipa.target.wants \
+	&& ln -s container-ipa.target.wants multi-user.target.wants \
+)
+
+COPY system-service/fixnet.sh /root/
+COPY system-service/fixipaip.sh /root/
+COPY system-service/fixnet.service /etc/systemd/system/
+COPY system-service/fixipaip.service /etc/systemd/system/
+RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

infra/image/dockerfile/fedora-rawhide

@@ -0,0 +1,41 @@
+FROM fedora:rawhide
+ENV container=podman
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    python3-libdnf5 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute; \
+dnf clean all; \
+rm -rf /var/cache/dnf/;
+
+RUN (cd /lib/systemd/system/; \
+    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
+       ln -s dbus-broker.service dbus.service; \
+    fi \
+)
+COPY system-service/container-ipa.target /lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN (cd /etc/systemd/system/; \
+    rm -rf multi-user.target.wants \
+	&& mkdir container-ipa.target.wants \
+	&& ln -s container-ipa.target.wants multi-user.target.wants \
+)
+
+COPY system-service/fixnet.sh /root/
+COPY system-service/fixipaip.sh /root/
+COPY system-service/fixnet.service /etc/systemd/system/
+COPY system-service/fixipaip.service /etc/systemd/system/
+RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

infra/image/inventory

@@ -0,0 +1,6 @@
+[ipaserver]
+ansible-freeipa-tests ansible_connection=podman
+
+[ipaserver:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword

infra/image/shcontainer

@@ -0,0 +1,197 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
+TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
+
+. "${TOPDIR}/utils/shfun"
+
+container_create() {
+    local name=${1}
+    local image=${2}
+    shift 2
+    declare -a extra_opts=()
+    for opt in "$@"
+    do
+        [ -z "${opt}" ] && continue
+        case "${opt}" in
+            hostname=*) extra_opts+=("--${opt}") ;;
+            cpus=*) extra_opts+=("--${opt}") ;;
+            memory=*) extra_opts+=("--${opt}") ;;
+            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
+            *) log error "container_create: Invalid option: ${opt}" ;;
+        esac
+    done
+
+    # ensure default values are set
+    [[ " ${extra_opts[*]} " =~ " --cpus=" ]] || extra_opts+=("--cpus=2")
+    [[ " ${extra_opts[*]} " =~ " --hostname=" ]] \
+        || extra_opts+=("--hostname=ipaserver.test.local")
+
+    log info "= Creating ${name} ="
+    podman create \
+           --security-opt label=disable \
+           --network bridge:interface_name=eth0 \
+           --systemd true \
+           --name "${name}" \
+           --memory-swap -1 \
+           --no-hosts \
+           --replace \
+           "${extra_opts[@]}" \
+           "${image}"
+    echo
+}
+
+container_start() {
+    local name="${1}"
+
+    log info "= Starting ${name} ="
+    podman start "${name}"
+    echo
+}
+
+container_stop() {
+    local name="${1}"
+
+    log info "= Stopping ${name} ="
+    podman stop "${name}"
+    echo
+}
+
+container_wait_for_journald() {
+    local name=${1}
+
+    log info "= Waiting till systemd-journald is running ="
+    max=20
+    wait=2
+    count=0
+    while ! podman exec "${name}" ps -x | grep -q "systemd-journald"
+    do
+        if [ $count -ge $max ]; then
+            die "Timeout: systemd-journald is not starting up"
+        fi
+        count=$((count+1))
+        log info "Waiting ${wait} seconds .."
+        sleep ${wait}
+    done
+    log info "done"
+    echo
+}
+
+container_wait_up() {
+    local name="${1}"
+
+    log info "= Waiting till all services are started ="
+    max=20
+    wait=15
+    count=0
+    while podman exec "${name}" systemctl list-jobs | \
+        grep -qvi "no jobs running"
+    do
+        if [ $count -ge $max ]; then
+            die "Timeout: Services are not starting up"
+        fi
+        count=$((count+1))
+        log info "Waiting ${wait} seconds .."
+        sleep ${wait}
+    done
+    log info "done"
+    echo
+}
+
+container_build() {
+    local tag="${1}"
+    local file="${2}"
+    local dir="${3}"
+
+    log info "= Building ${tag} ="
+    podman build -t "${tag}" -f "${file}" "${dir}"
+    echo
+}
+
+container_commit() {
+    local name="${1}"
+    local image="${2}"
+
+    log info "= Committing \"${image}\" ="
+    podman commit "${name}" "${image}"
+    echo
+}
+
+container_exec() {
+    local name="${1}"
+    shift 1
+
+    # "@Q" is only needed for the log output, the exec command is properly
+    # working without also for args containing spaces.
+    log info "= Executing \"${*@Q}\" ="
+    podman exec -t "${name}" "${@}"
+    echo
+}
+
+container_remove_image_if_exists()
+{
+    # In older (as in Ubuntu 22.04) podman versions,
+    # 'podman image rm --force' fails if the image
+    # does not exist.
+    local tag_to_remove="${1}"
+
+    if podman image exists "${tag_to_remove}"
+    then
+        log info "= Cleanup ${tag_to_remove} ="
+        podman image rm "${tag_to_remove}" --force
+        echo
+    fi
+}
+
+container_get_state()
+{
+    local name="${1}"
+
+    state=$(podman ps -q --all --format "{{.State}}" --filter "name=${name}")
+    echo "${state}"
+}
+
+container_pull() {
+    local source="${1}"
+
+    image=$(podman pull "${source}")
+    echo "${image}"
+}
+
+container_image_list() {
+    local source="${1}"
+
+    # Append "$" for an exact match if the source does not end with ":" to
+    # search for the repo only.
+    if [[ ${source} != *: ]]; then
+        source="${source}$"
+    fi
+    image=$(podman image list --format "{{ .Repository }}:{{ .Tag }}" | \
+                grep "^${source}")
+    echo "${image}"
+}
+
+container_check() {
+    [ -n "$(command -v "podman")" ] || die "podman is required."
+}
+
+container_copy() {
+    local name="${1}"
+    local source="${2}"
+    local destination="${3}"
+
+    log info "= Copying ${source} to ${name}:${destination} ="
+    podman cp "${source}" "${name}:${destination}"
+    echo
+}
+
+container_fetch() {
+    local name="${1}"
+    local source="${2}"
+    local destination="${3}"
+
+    log info "= Copying ${name}:${source} to ${destination} ="
+    podman cp "${name}:${source}" "${destination}"
+    echo
+}

infra/image/start.sh

@@ -0,0 +1,95 @@
+#!/bin/bash -eu
+
+BASEDIR="$(readlink -f "$(dirname "$0")")"
+TOPDIR="$(readlink -f "${BASEDIR}/../..")"
+
+# shellcheck disable=SC1091
+. "${BASEDIR}/shcontainer"
+# shellcheck disable=SC1091
+. "${TOPDIR}/utils/shfun"
+
+usage() {
+    local prog="${0##*/}"
+    cat << EOF
+usage: ${prog} [-h] [-l] [-n HOSTNAME ] image
+    ${prog} start a prebuilt ansible-freeipa test container image.
+EOF
+}
+
+help() {
+    cat << EOF
+positional arguments:
+
+    image    The image to start, leave empty to get list of images
+
+optional arguments:
+
+    -h            Show this message
+    -l            Try to use local image first, if not found download.
+    -n HOSTNAME   Set container hostname
+
+NOTE:
+    - The hostname must be the same as the hostname of the container
+      when FreeIPA was deployed. Use only if you built the image and
+      defined its hostname.
+
+EOF
+}
+
+list_images() {
+    local quay_api="https://quay.io/api/v1/repository/ansible-freeipa/upstream-tests/tag"
+    log info "Available images on quay:"
+    curl --silent -L "${quay_api}" | jq '.tags[]|.name' | tr -d '"'| sort | uniq | sed "s/.*/    &/"
+    echo
+    log info "Local images (use -l):"
+    local_image=$(container_image_list "${repo}:")
+    echo "${local_image}" | sed -e "s/.*://" | sed "s/.*/    &/"
+    echo
+}
+
+repo="quay.io/ansible-freeipa/upstream-tests"
+name="ansible-freeipa-tests"
+hostname="ipaserver.test.local"
+try_local_first="N"
+
+while getopts ":hln:" option
+do
+    case "${option}" in
+        h) help && exit 0 ;;
+        l) try_local_first="Y" ;;
+        n) hostname="${OPTARG}" ;;
+        *) die -u "Invalid option: ${option}" ;;
+    esac
+done
+
+shift $((OPTIND - 1))
+image=${1:-}
+
+container_check
+
+if [ -z "${image}" ]; then
+    list_images
+    exit 0
+fi
+
+local_image=
+if [ "${try_local_first}" == "Y" ]; then
+    log info "= Trying to use local image first ="
+    local_image=$(container_image_list "${repo}:${image}")
+    [ -n "${local_image}" ] && log info "Found ${local_image}"
+    echo
+fi
+if [ -z "${local_image}" ]; then
+    log info "= Downloading from quay ="
+    local_image=$(container_pull "${repo}:${image}")
+    echo
+fi
+
+[ -z "${local_image}" ] && die "Image '${image}' is not valid"
+
+container_create "${name}" "${local_image}" "hostname=${hostname}"
+container_start "${name}"
+container_wait_for_journald "${name}"
+container_wait_up "${name}"
+
+log info "Container ${name} is ready to be used."

infra/image/system-service/container-ipa.target

@@ -0,0 +1,6 @@
+[Unit]
+Description=Minimal target for containerized FreeIPA server
+DefaultDependencies=false
+AllowIsolate=yes
+Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
+After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service

infra/image/system-service/fixipaip.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Fix IPA server IP in IPA Server
+After=ipa.service
+
+[Service]
+Type=oneshot
+ExecStart=/root/fixipaip.sh
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=default.target

infra/image/system-service/fixipaip.sh

@@ -0,0 +1,85 @@
+#!/bin/bash -eu
+
+function valid_fqdn()
+{
+    local name="${1}"
+
+    [[ "${name}" =~ [[:space:]] ]] && return 1
+    [[ "${name}" =~ \. ]] || return 1
+    [[ "${name}" =~ \.\. ]] && return 1
+    for i in ${name//./ }; do
+        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
+    done
+    [[ "${name}" == "localhost.localdomain" ]] && return 1
+    return 0
+}
+
+function valid_ipv4()
+{
+    local ip="${1}"
+    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+    [[ "${ip}" =~ ${rematch} ]] || return 1
+    for i in ${ip//./ }; do
+        [[ ${i} -le 255 ]] || return 1
+    done
+
+    return 0
+}
+
+HOSTNAME=$(hostname)
+IP=$(hostname -I | cut -d " " -f 1)
+export KRB5CCNAME=ansible_freeipa_cache
+
+if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
+    echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
+    exit 1
+fi
+if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
+    echo "ERROR: Got invalid IPv4 address: '${IP}'"
+    exit 1
+fi
+PTR=$(echo "${IP}" | awk -F"." '{print $4}')
+if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
+    echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
+    exit 1
+fi
+FORWARDER=$(grep -s -m 1 ^nameserver /etc/resolv.conf.fixnet | cut -d" " -f 2)
+if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
+    FORWARDER="8.8.8.8"
+fi
+
+echo "Fix IPA:"
+echo "  HOSTNAME: '${HOSTNAME}'"
+echo "  IP: '${IP}'"
+echo "  PTR: '${PTR}'"
+echo "  FORWARDER: '${FORWARDER}'"
+
+ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
+            --raw --pkey-only | grep "idnsname:" | awk -F": " '{print $2}')
+for zone in ${ZONES}; do
+    echo
+    if [[ "${zone}" == *".in-addr.arpa."* ]]; then
+        echo "Fixing reverse zone ${zone}:"
+        OLD_PTR=$(ipa -e in_server=true dnsrecord-find "${zone}" \
+                      --ptr-rec="${HOSTNAME}." --raw | grep "idnsname:" | \
+                      awk -F": " '{print $2}')
+        if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
+            echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
+        else
+            ipa -e in_server=true dnsrecord-mod "${zone}" "${OLD_PTR}" \
+                --ptr-rec="${HOSTNAME}." --rename="${PTR}" || true
+        fi
+    else
+        echo "Fixing forward zone ${zone}:"
+        ipa -e in_server=true dnsrecord-mod test.local "${HOSTNAME%%.*}" \
+            --a-rec="$IP" || true
+        ipa -e in_server=true dnsrecord-mod test.local ipa-ca \
+            --a-rec="$IP" || true
+    fi
+done
+
+ipa -e in_server=true dnsserver-mod "${HOSTNAME}" \
+    --forwarder="${FORWARDER}" || true
+
+exit 0

infra/image/system-service/fixnet.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Fix server IP in IPA Server
+Wants=network.target
+After=network.target
+Before=ipa.service
+
+[Service]
+Type=oneshot
+ExecStart=/root/fixnet.sh
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=ipa.service

infra/image/system-service/fixnet.sh

@@ -0,0 +1,66 @@
+#!/bin/bash -eu
+
+function valid_fqdn()
+{
+    local name="${1}"
+
+    [[ "${name}" =~ [[:space:]] ]] && return 1
+    [[ "${name}" =~ \. ]] || return 1
+    [[ "${name}" =~ \.\. ]] && return 1
+    for i in ${name//./ }; do
+        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
+    done
+    [[ "${name}" == "localhost.localdomain" ]] && return 1
+    return 0
+}
+
+function valid_ipv4()
+{
+    local ip="${1}"
+    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+    [[ "${ip}" =~ ${rematch} ]] || return 1
+    for i in ${ip//./ }; do
+        [[ ${i} -le 255 ]] || return 1
+    done
+
+    return 0
+}
+
+HOSTNAME=$(hostname)
+IP=$(hostname -I | cut -d " " -f 1)
+
+if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
+    echo "ERROR: Failed to retrieve hostname."
+    exit 1
+fi
+if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
+    echo "ERROR: Got invalid IPv4 address: '${IP}'"
+    exit 1
+fi
+
+echo "Fix NET:"
+echo "  HOSTNAME: '${HOSTNAME}'"
+echo "  IP: '${IP}'"
+echo
+
+if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
+then
+    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
+else
+    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
+fi
+
+cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
+cat > /etc/resolv.conf <<EOF
+search ${HOSTNAME#*.}
+nameserver 127.0.0.1
+EOF
+
+echo "/etc/hosts:"
+cat "/etc/hosts"
+echo
+echo "/etc/resolv.conf:"
+cat "/etc/resolv.conf"
+
+exit 0

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.15.0"
+requires_ansible: ">=2.14.0"

molecule/c8s-build/Dockerfile

@@ -1,30 +0,0 @@
-FROM quay.io/centos/centos:stream8
-ENV container=docker
-
-RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
-dnf makecache; \
-dnf --assumeyes install \
-    /usr/bin/python3 \
-    /usr/bin/python3-config \
-    /usr/bin/dnf-3 \
-    sudo \
-    bash \
-    systemd \
-    procps-ng \
-    iproute && \
-dnf clean all; \
-(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*; \
-rm -rf /var/cache/dnf/;
-
-STOPSIGNAL RTMIN+3
-
-VOLUME ["/sys/fs/cgroup"]
-
-CMD ["/usr/sbin/init"]

molecule/c8s-build/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: c8s-build
-    image: "quay.io/centos/centos:stream8"
-    dockerfile: Dockerfile
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 8.8.8.8
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare-build.yml
-prerun: false

molecule/c8s/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: c8s
-    image: quay.io/ansible-freeipa/upstream-tests:c8s
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 127.0.0.1
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare.yml
-prerun: false

molecule/c9s-build/Dockerfile

@@ -1,29 +0,0 @@
-FROM quay.io/centos/centos:stream9
-ENV container=docker
-
-RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
-dnf makecache; \
-dnf --assumeyes install \
-    /usr/bin/python3 \
-    /usr/bin/dnf-3 \
-    sudo \
-    bash \
-    systemd \
-    procps-ng \
-    iproute && \
-dnf clean all; \
-(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*; \
-rm -rf /var/cache/dnf/;
-
-STOPSIGNAL RTMIN+3
-
-VOLUME ["/sys/fs/cgroup"]
-
-CMD ["/usr/sbin/init"]

molecule/c9s-build/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: c9s-build
-    image: "quay.io/centos/centos:stream9"
-    dockerfile: Dockerfile
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 8.8.8.8
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare-build.yml
-prerun: false

molecule/c9s/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: c9s
-    image: quay.io/ansible-freeipa/upstream-tests:c9s
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 127.0.0.1
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare.yml
-prerun: false

molecule/centos-7-build/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: centos-7-build
-    image: centos/systemd
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 8.8.8.8
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare-build.yml
-prerun: false

molecule/centos-7/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: centos-7
-    image: quay.io/ansible-freeipa/upstream-tests:centos-7
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 127.0.0.1
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare.yml
-prerun: false

molecule/default

@@ -1 +0,0 @@
-fedora-latest

molecule/fedora-latest-build/Dockerfile

@@ -1,30 +0,0 @@
-FROM fedora:latest
-ENV container=docker
-
-RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
-dnf makecache; \
-dnf --assumeyes install \
-    /usr/bin/python3 \
-    /usr/bin/python3-config \
-    /usr/bin/dnf-3 \
-    sudo \
-    bash \
-    systemd \
-    procps-ng \
-    iproute && \
-dnf clean all; \
-(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*; \
-rm -rf /var/cache/dnf/;
-
-STOPSIGNAL RTMIN+3
-
-VOLUME ["/sys/fs/cgroup"]
-
-CMD ["/usr/sbin/init"]

molecule/fedora-latest-build/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: fedora-latest-build
-    image: "fedora:latest"
-    dockerfile: Dockerfile
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 8.8.8.8
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare-build.yml
-prerun: false

molecule/fedora-latest/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: fedora-latest
-    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 127.0.0.1
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare.yml
-prerun: false

molecule/fedora-rawhide-build/Dockerfile

@@ -1,30 +0,0 @@
-FROM fedora:rawhide
-ENV container=docker
-
-RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
-dnf makecache; \
-dnf --assumeyes install \
-    /usr/bin/python3 \
-    /usr/bin/python3-config \
-    /usr/bin/dnf-3 \
-    sudo \
-    bash \
-    systemd \
-    procps-ng \
-    iproute && \
-dnf clean all; \
-(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*; \
-rm -rf /var/cache/dnf/;
-
-STOPSIGNAL RTMIN+3
-
-VOLUME ["/sys/fs/cgroup"]
-
-CMD ["/usr/sbin/init"]

molecule/fedora-rawhide-build/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: fedora-rawhide-build
-    image: "fedora:rawhide"
-    dockerfile: Dockerfile
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 8.8.8.8
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare-build.yml
-prerun: false

molecule/fedora-rawhide/molecule.yml

@@ -1,19 +0,0 @@
----
-driver:
-  name: docker
-platforms:
-  - name: fedora-rawhide
-    image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
-    pre_build_image: true
-    hostname: ipaserver.test.local
-    dns_servers:
-      - 127.0.0.1
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    command: /usr/sbin/init
-    privileged: true
-provisioner:
-  name: ansible
-  playbooks:
-    prepare: ../resources/playbooks/prepare.yml
-prerun: false

molecule/resources/playbooks/library

@@ -1 +0,0 @@
-../../../plugins/modules/

molecule/resources/playbooks/module_utils

@@ -1 +0,0 @@
-../../../plugins/module_utils/

molecule/resources/playbooks/prepare-build.yml

@@ -1,28 +0,0 @@
----
-- name: Converge
-  hosts: all
-  tasks:
-  - include_tasks: prepare-common.yml
-
-  - name: Ensure sudo package is installed
-    package:
-      name: sudo
-
-  - name: Ensure nss package is updated
-    package:
-      name: nss
-      state: latest  # noqa 403
-
-  - include_role:
-      name: ipaserver
-    vars:
-      ipaserver_setup_dns: yes
-      ipaserver_setup_kra: yes
-      ipaserver_auto_forwarders: yes
-      ipaserver_no_dnssec_validation: yes
-      ipaserver_auto_reverse: yes
-      ipaadmin_password: SomeADMINpassword
-      ipadm_password: SomeDMpassword
-      ipaserver_domain: test.local
-      ipaserver_realm: TEST.LOCAL
-      ipaclient_no_ntp: yes

molecule/resources/playbooks/prepare-common.yml

@@ -1,33 +0,0 @@
----
-# IPA depends on IPv6 and without it dirsrv service won't start.
-- name: Ensure IPv6 is ENABLED
-  ansible.posix.sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    sysctl_set: yes
-    state: present
-    reload: yes
-  with_items:
-    - name: net.ipv6.conf.all.disable_ipv6
-      value: 0
-    - name: net.ipv6.conf.lo.disable_ipv6
-      value: 0
-    - name: net.ipv6.conf.eth0.disable_ipv6
-      value: 1
-
-# Set fs.protected_regular to 0
-#   This is needed in some IPA versions in order to get KRA enabled.
-#   See https://pagure.io/freeipa/issue/7906 for more information.
-- name: stat protected_regular
-  ansible.builtin.stat:
-    path: /proc/sys/fs/protected_regular
-  register: result
-
-- name: Ensure fs.protected_regular is disabled
-  ansible.posix.sysctl:
-    name: fs.protected_regular
-    value: 0
-    sysctl_set: yes
-    state: present
-    reload: yes
-  when: result.stat.exists

molecule/resources/playbooks/prepare.yml

@@ -1,48 +0,0 @@
----
-- name: Converge
-  hosts: all
-  tasks:
-  - include_tasks: prepare-common.yml
-
-  # In some distros DS won't start up after reboot
-  #   This is due to a problem in 389-ds. See tickets:
-  #   * https://pagure.io/389-ds-base/issue/47429
-  #   * https://pagure.io/389-ds-base/issue/51039
-  #
-  # To avoid this problem we create the directories before starting IPA.
-  - name: Ensure lock dirs for DS exists
-    ansible.builtin.file:
-      state: directory
-      owner: dirsrv
-      group: dirsrv
-      path: "{{ item }}"
-      mode: 0770
-    loop:
-      - /var/lock/dirsrv/
-      - /var/lock/dirsrv/slapd-TEST-LOCAL/
-
-  - name: Ensure IPA server is up an running
-    ansible.builtin.service:
-      name: ipa
-      state: started
-
-  - name: Wait for krb5dkc to be running
-    ansible.builtin.service_facts:
-    no_log: True
-    register: result
-    until: "'krb5kdc.service' in result.ansible_facts.services and \
-            result.ansible_facts.services['krb5kdc.service'].state == 'running'"
-    retries: 30
-    delay: 5
-
-  - name: Check if TGT is available for admin.
-    ansible.builtin.shell:
-      cmd: echo SomeADMINpassword | kinit -c ansible_freeipa_cache admin
-    register: result
-    until: not result.failed
-    retries: 30
-    delay: 5
-
-  - name: Cleanup TGT.
-    ansible.builtin.shell:
-      cmd: kdestroy -c ansible_freeipa_cache -A