collection: Allow playbooks to be executed using collection

When available in a collection 'playbooks' directory, playbooks can be directly accessed as roles and modules: 'namespace.collection.playbook'. This allows, for example the deployment roles to be executed with the provided ansible-freeipa playbooks requiring minimal effort from the user part. In order to be accessible, though, the playbooks must not use dash ("-") on the file names, as they are replaced by underscorse ("_") during Ansible processing and then, the files are not found. By renaming the playbooks that, currently, do not set any variable as an usage example, replacing "-" by "_", we allow the FreeIPA collection playbooks to be executed without the user having to search for the correct file, like: $ ansible-playbook -i inventory freeipa.ansible_freeipa.install_server
2026-05-06 05:13:08 +00:00 · 2025-03-17 15:39:07 -03:00
28 changed files with 13 additions and 64 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 7.2.0
+  rev: 7.0.0
  hooks:
  - id: flake8
 - repo: https://github.com/pycqa/pylint
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -3,7 +3,7 @@ trigger:
 - master

 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'

 variables:
  ansible_version: "-core >=2.16,<2.17"
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -10,7 +10,7 @@ schedules:
 trigger: none

 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'

 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -3,7 +3,7 @@ trigger:
 - master

 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'

 variables:
  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,20 +4,13 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"

-# shellcheck disable=SC1091
-. "${SCRIPTDIR}/shdefaults"
-
-# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"

 container_create() {
    local name=${1}
    local image=${2}
    shift 2
-    declare -a extra_opts
-    readarray -t extra_opts < \
-        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
-        <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
+    declare -a extra_opts=()
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue
@@ -26,7 +19,6 @@ container_create() {
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
-            volume=*) extra_opts+=("--volume=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done
@@ -55,8 +47,6 @@ container_start() {

    log info "= Starting ${name} ="
    podman start "${name}"
-    # Ensure /etc/shadow is readable
-    podman exec "${name}" bash -c "chmod u+r /etc/shadow"
    echo
 }

@@ -205,15 +195,3 @@ container_fetch() {
    podman cp "${name}:${source}" "${destination}"
    echo
 }
-
-container_tee() {
-    local name=${1}
-    local destination=${2}
-    tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
-
-    log info "= Creating ${name}:${destination} from stdin ="
-    cat - > "${tmpfile}"
-    podman cp "${tmpfile}" "${name}:${destination}"
-    rm "${tmpfile}"
-    echo
-}
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -1,9 +0,0 @@
-#!/bin/bash -eu
-# This file is meant to be source'd by other scripts
-
-# Set default capabilities options for freeipa containers.
-# Use +CAP to add the capability and -CAP to drop the capability.
-CAP_DEFAULTS=(
-    "+DAC_READ_SEARCH"  # Required for SSSD
-    "+SYS_PTRACE"       # Required for debugging
-)
--- a/playbooks/backup_server.yml
+++ b/playbooks/backup_server.yml
--- a/playbooks/backup_server_to_controller.yml
+++ b/playbooks/backup_server_to_controller.yml
--- a/playbooks/copy_all_backups_from_server.yml
+++ b/playbooks/copy_all_backups_from_server.yml
--- a/playbooks/install_client.yml
+++ b/playbooks/install_client.yml
--- a/playbooks/install_cluster.yml
+++ b/playbooks/install_cluster.yml
--- a/playbooks/install_replica.yml
+++ b/playbooks/install_replica.yml
--- a/playbooks/install_server.yml
+++ b/playbooks/install_server.yml
--- a/playbooks/install_smartcard_clients.yml
+++ b/playbooks/install_smartcard_clients.yml
--- a/playbooks/install_smartcard_replicas.yml
+++ b/playbooks/install_smartcard_replicas.yml
--- a/playbooks/install_smartcard_server.yml
+++ b/playbooks/install_smartcard_server.yml
--- a/playbooks/install_smartcard_servers.yml
+++ b/playbooks/install_smartcard_servers.yml
--- a/playbooks/remove_all_backups_from_server.yml
+++ b/playbooks/remove_all_backups_from_server.yml
--- a/playbooks/uninstall_client.yml
+++ b/playbooks/uninstall_client.yml
--- a/playbooks/uninstall_cluster.yml
+++ b/playbooks/uninstall_cluster.yml
--- a/playbooks/uninstall_replica.yml
+++ b/playbooks/uninstall_replica.yml
--- a/playbooks/uninstall_server.yml
+++ b/playbooks/uninstall_server.yml
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,7 +1,7 @@
 -r requirements-tests.txt
 ipdb==0.13.4
 pre-commit==2.20.0
-flake8
+flake8==7.0.0
 flake8-bugbear
 pylint>=3.2
 wrapt==1.14.1
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -340,19 +340,17 @@ def main():
                                                      ca_subject)
        ca_certs_trust = [(c, n,
                           certstore.key_policy_to_trust_flags(t, True, u))
-                          for (c, n, t, u) in [x[0:4] for x in ca_certs]]
+                          for (c, n, t, u) in ca_certs]

        if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
-                    if t is not False],
+                [c for c, n, t, u in ca_certs if t is not False],
                paths.KDC_CA_BUNDLE_PEM,
                # mode=0o644
            )
        if hasattr(paths, "CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
-                    if t is not False],
+                [c for c, n, t, u in ca_certs if t is not False],
                paths.CA_BUNDLE_PEM,
                # mode=0o644
            )
--- a/roles/ipaclient/library/ipaclient_setup_sssd.py
+++ b/roles/ipaclient/library/ipaclient_setup_sssd.py
@@ -174,7 +174,6 @@ def main():
    options.no_krb5_offline_passwords = module.params.get(
        'no_krb5_offline_passwords')
    options.krb5_offline_passwords = not options.no_krb5_offline_passwords
-    options.dns_over_tls = False

    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    client_domain = hostname[hostname.find(".") + 1:]
--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
+++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -231,6 +231,8 @@ try:
                        cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
                        filename, client_domain, client_hostname, force=False,
                        configure_sssd=True):
+                    # pylint: disable=global-variable-not-assigned
+                    global options
                    options.force = force
                    options.sssd = configure_sssd
                    return ipa_client_install.configure_krb5_conf(
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -80,13 +80,6 @@ except ImportError:
 try:
    from contextlib import contextmanager as contextlib_contextmanager
    from ipapython.version import NUM_VERSION, VERSION
-    try:
-        from ipapython.version import parse_version
-    except ImportError:
-        # In IPA we either need pkg_resources or packaging Version
-        # class to compare versions with check_remote_version, so
-        # we let an exception to be raised if neither is available.
-        from pkg_resources import parse_version

    if NUM_VERSION < 30201:
        # See ipapython/version.py
@@ -106,6 +99,8 @@ try:
        import dns.resolver as dnsresolver
        import dns.reversename as dnsreversename

+        from pkg_resources import parse_version
+
        from ipaclient.install.ipachangeconf import IPAChangeConf
        from ipalib.install import certstore, sysrestore
        from ipapython.ipautil import ipa_generate_password
--- a/utils/setup_test_container.sh
+++ b/utils/setup_test_container.sh
@@ -79,20 +79,6 @@ shift
 prepare_container "${scenario}" "${IMAGE_TAG}"
 start_container "${scenario}"

-log info "Wait till systemd-journald is running"
-max=20
-wait=2
-count=0
-while ! podman exec "${scenario}" ps -x | grep -q "systemd-journald"
-do
-    if [ $count -ge $max ]; then
-        die "Timeout: systemd-journald is not starting up"
-    fi
-    count=$((count+1))
-    log none "Waiting ${wait} seconds .."
-    sleep ${wait}
-done
-
 # wait for FreeIPA services to be available (usually ~45 seconds)
 log info "Wait for container to be initialized."
 wait=15