Merge pull request #867 from jpclipffel/master

ipaclient: Removed invalid call `logger.info()`

molecule/fedora-rawhide-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM fedora:rawhide
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/fedora-rawhide-build/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-rawhide-build
+    image: "fedora:rawhide"
+    dockerfile: Dockerfile
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/fedora-rawhide/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-rawhide
+    image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml
+prerun: false

plugins/module_utils/ansible_freeipa_module.py

@@ -28,7 +28,7 @@ __metaclass__ = type
 __all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
            "DEFAULT_CONFIG", "LDAP_GENERALIZED_TIME_FORMAT",
            "kinit_password", "kinit_keytab", "run", "DN", "VERSION",
-           "paths", "get_credentials_if_valid", "Encoding",
+           "paths", "tasks", "get_credentials_if_valid", "Encoding",
            "load_pem_x509_certificate", "DNSName", "getargspec"]
 
 import sys
@@ -74,30 +74,6 @@ else:
     # ansible-freeipa requires locale to be C, IPA requires utf-8.
     os.environ["LANGUAGE"] = "C"
 
-    try:
-        from packaging import version
-    except ImportError:
-        # If `packaging` not found, split version string for creating version
-        # object. Although it is not PEP 440 compliant, it will work for stable
-        # FreeIPA releases.
-        import re
-
-        class version:  # pylint: disable=invalid-name, too-few-public-methods
-            @staticmethod
-            def parse(version_str):
-                """
-                Split a version string A.B.C, into a tuple.
-
-                This will not work for `rc`, `dev` or similar.
-                """
-                try:
-                    _version = tuple(
-                        (int(x) for x in re.split("[-_.]", version_str))
-                    )
-                except ValueError:
-                    _version = tuple(re.split("[-_.]", version_str))
-                return _version
-
     from ipalib import api
     from ipalib import errors as ipalib_errors  # noqa
     from ipalib.config import Env
@@ -111,6 +87,7 @@ else:
     from ipapython.dn import DN
     from ipapython.version import VERSION
     from ipaplatform.paths import paths
+    from ipaplatform.tasks import tasks
     from ipalib.krb_utils import get_credentials_if_valid
     from ipapython.dnsutil import DNSName
     from ipapython import kerberos
@@ -326,8 +303,8 @@ else:
         operation = oper_map.get(oper)
         if not operation:
             raise NotImplementedError("Invalid operator: %s" % oper)
-        return operation(version.parse(VERSION),
-                         version.parse(requested_version))
+        return operation(tasks.parse_ipa_version(VERSION),
+                         tasks.parse_ipa_version(requested_version))
 
     def date_format(value):
         accepted_date_formats = [

plugins/modules/ipadnsconfig.py

@@ -173,7 +173,10 @@ def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,
         _args['idnsforwardpolicy'] = forward_policy
 
     if allow_sync_ptr is not None:
-        _args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE'
+        if module.ipa_check_version("<", "4.9.10"):
+            _args['idnsallowsyncptr'] = "TRUE" if allow_sync_ptr else "FALSE"
+        else:
+            _args['idnsallowsyncptr'] = allow_sync_ptr
 
     return _args
 
@@ -199,7 +202,8 @@ def main():
                         choices=["member", "dnsconfig"]),
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
-        )
+        ),
+        supports_check_mode=True,
     )
 
     ansible_module._ansible_debug = True

roles/ipaclient/library/ipaclient_test.py

@@ -880,7 +880,6 @@ def main():
                     is_ipaddr = False
 
             if is_ipaddr:
-                logger.info()
                 logger.warning(
                     "It seems that you are using an IP address "
                     "instead of FQDN as an argument to --server. The "

roles/ipareplica/library/ipareplica_prepare.py

@@ -182,6 +182,9 @@ options:
   skip_conncheck:
     description: Skip connection check to remote master
     required: yes
+  sid_generation_always:
+    description: Enable SID generation always
+    required: yes
 author:
     - Thomas Woerner
 '''
@@ -275,6 +278,8 @@ def main():
             # additional
             server=dict(required=True),
             skip_conncheck=dict(required=False, type='bool'),
+            sid_generation_always=dict(required=False, type='bool',
+                                       default=False),
         ),
         supports_check_mode=True,
     )
@@ -350,6 +355,7 @@ def main():
     #     '_hostname_overridden')
     options.server = ansible_module.params.get('server')
     options.skip_conncheck = ansible_module.params.get('skip_conncheck')
+    sid_generation_always = ansible_module.params.get('sid_generation_always')
 
     # random serial numbers are master_only, therefore setting to False
     options.random_serial_numbers = False
@@ -761,7 +767,7 @@ def main():
 
         ansible_log.debug("-- CHECK ADTRUST --")
 
-        if options.setup_adtrust:
+        if options.setup_adtrust or sid_generation_always:
             adtrust.install_check(False, options, remote_api)
 
     except errors.ACIError:

roles/ipareplica/library/ipareplica_setup_adtrust.py

@@ -71,6 +71,9 @@ options:
   setup_ca:
     description: Configure a dogtag CA
     required: no
+  setup_adtrust:
+    description: Configure AD trust capability
+    required: yes
   config_master_host_name:
     description: The config master_host_name setting
     required: no
@@ -112,6 +115,7 @@ def main():
             ccache=dict(required=True),
             _top_dir=dict(required=True),
             setup_ca=dict(required=True, type='bool'),
+            setup_adtrust=dict(required=True, type='bool'),
             config_master_host_name=dict(required=True),
         ),
         supports_check_mode=True,
@@ -140,6 +144,7 @@ def main():
     os.environ['KRB5CCNAME'] = ccache
     options._top_dir = ansible_module.params.get('_top_dir')
     options.setup_ca = ansible_module.params.get('setup_ca')
+    options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     config_master_host_name = ansible_module.params.get(
         'config_master_host_name')
     adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')

roles/ipareplica/library/ipareplica_setup_ca.py

@@ -147,7 +147,7 @@ def main():
             _top_dir=dict(required=True),
             _ca_subject=dict(required=True),
             _subject_base=dict(required=True),
-            _random_serial_numbers=dict(required=True),
+            _random_serial_numbers=dict(required=True, type='bool'),
             dirman_password=dict(required=True, no_log=True),
             config_setup_ca=dict(required=True, type='bool'),
             config_master_host_name=dict(required=True),

roles/ipareplica/library/ipareplica_test.py

@@ -143,7 +143,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance
 )
 
 
@@ -270,6 +270,14 @@ def main():
     #    #  options.setup_adtrust = False
     #    #  ansible_module.warn(msg="adtrust is not supported, disabling")
 
+    sid_generation_always = False
+    if not options.setup_adtrust:
+        # pylint: disable=deprecated-method
+        argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+        # pylint: enable=deprecated-method
+        if "fulltrust" in argspec.args:
+            sid_generation_always = True
+
     # if options.setup_kra and not kra_imported:
     #    # if "kra" not in options._allow_missing:
     #    ansible_module.fail_json(msg="kra can not be imported")
@@ -471,6 +479,7 @@ def main():
         # additional
         client_enrolled=client_enrolled,
         change_master_for_certmonger=change_master_for_certmonger,
+        sid_generation_always=sid_generation_always
     )
 
 

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
            "common_check", "current_domain_level",
            "check_domain_level_is_supported", "promotion_check_ipa_domain",
            "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
-           "dnsname", "kernel_keyring", "krbinstance", "getargspec"]
+           "dnsname", "kernel_keyring", "krbinstance", "getargspec",
+           "adtrustinstance"]
 
 import sys
 
@@ -127,6 +128,7 @@ else:
             adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
             installutils, kra, krbinstance,
             otpdinstance, custodiainstance, service, upgradeinstance)
+        from ipaserver.install import adtrustinstance
         try:
             from ipaserver.masters import (
                 find_providing_servers, find_providing_server)

roles/ipareplica/tasks/install.yml

@@ -749,13 +749,15 @@
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
       setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
       config_master_host_name:
         "{{ result_ipareplica_prepare.config_master_host_name }}"
       adtrust_netbios_name:
         "{{ result_ipareplica_prepare.adtrust_netbios_name }}"
       adtrust_reset_netbios_name:
         "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
-    when: result_ipareplica_test.setup_adtrust
+    when: result_ipareplica_test.setup_adtrust or
+          result_ipareplica_test.sid_generation_always
 
   - name: Install - Enable IPA
     ipareplica_enable_ipa:

roles/ipaserver/library/ipaserver_prepare.py

@@ -141,6 +141,9 @@ options:
   setup_ca:
     description: Configure a dogtag CA
     required: yes
+  sid_generation_always:
+    description: Enable SID generation always
+    required: yes
   _hostname_overridden:
     description: The installer _hostname_overridden setting
     required: yes
@@ -215,6 +218,8 @@ def main():
             setup_ca=dict(required=False, type='bool', default=False),
             random_serial_numbers=dict(required=False, type='bool',
                                        default=False),
+            sid_generation_always=dict(required=False, type='bool',
+                                       default=False),
             _hostname_overridden=dict(required=False, type='bool',
                                       default=False),
         ),
@@ -231,7 +236,7 @@ def main():
     # in the _setup_ca module and also some others.
     options._subject_base = None
     options._ca_subject = None
-    options._random_serial_numbers = None
+    options._random_serial_numbers = False
 
     # set values ####################################################
 
@@ -285,6 +290,7 @@ def main():
         'random_serial_numbers')
     options._host_name_overridden = ansible_module.params.get(
         '_hostname_overridden')
+    sid_generation_always = ansible_module.params.get('sid_generation_always')
     options.kasp_db_file = None
 
     # init ##################################################################
@@ -377,7 +383,7 @@ def main():
             logger.debug('Starting Directory Server')
             services.knownservices.dirsrv.start(instance_name)
 
-        if options.setup_adtrust:
+        if options.setup_adtrust or sid_generation_always:
             with redirect_stdout(ansible_log):
                 adtrust.install_check(False, options, api)
 

roles/ipaserver/library/ipaserver_setup_ca.py

@@ -207,7 +207,7 @@ def main():
             ca_subject=dict(required=False),
             _ca_subject=dict(required=False),
             ca_signing_algorithm=dict(required=False),
-            _random_serial_numbers=dict(required=True),
+            _random_serial_numbers=dict(required=True, type='bool'),
             # dns
             reverse_zones=dict(required=False, type='list', default=[]),
             no_reverse=dict(required=False, type='bool', default=False),

roles/ipaserver/library/ipaserver_test.py

@@ -225,7 +225,7 @@ from ansible.module_utils.ansible_ipa_server import (
     read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
     check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
     validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
-    encode_certificate, check_available_memory, getargspec
+    encode_certificate, check_available_memory, getargspec, adtrustinstance
 )
 from ansible.module_utils import six
 
@@ -394,12 +394,16 @@ def main():
 
     # version specific ######################################################
 
-    if options.setup_adtrust and not adtrust_imported:
-        # if "adtrust" not in options._allow_missing:
-        ansible_module.fail_json(msg="adtrust can not be imported")
-        # else:
-        #   options.setup_adtrust = False
-        #   ansible_module.warn(msg="adtrust is not supported, disabling")
+    sid_generation_always = False
+    if not options.setup_adtrust:
+        # pylint: disable=deprecated-method
+        argspec = getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+        # pylint: enable=deprecated-method
+        if "fulltrust" in argspec.args:
+            sid_generation_always = True
+    else:
+        if not adtrust_imported:
+            ansible_module.fail_json(msg="adtrust can not be imported")
 
     if options.setup_kra and not kra_imported:
         # if "kra" not in options._allow_missing:
@@ -521,7 +525,8 @@ def main():
                     "You cannot specify an --enable-compat option without the "
                     "--setup-adtrust option")
 
-            if self.netbios_name:
+            # Deactivate test for new IPA SID generation
+            if self.netbios_name and not sid_generation_always:
                 raise RuntimeError(
                     "You cannot specify a --netbios-name option without the "
                     "--setup-adtrust option")
@@ -1078,7 +1083,8 @@ def main():
                              ntp_pool=options.ntp_pool,
                              # additional
                              _installation_cleanup=_installation_cleanup,
-                             domainlevel=options.domainlevel)
+                             domainlevel=options.domainlevel,
+                             sid_generation_always=sid_generation_always)
 
 
 if __name__ == '__main__':

roles/ipaserver/tasks/install.yml

@@ -191,6 +191,7 @@
       secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
       ### additional ###
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+      sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
       random_serial_numbers: no
       _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
     register: result_ipaserver_prepare
@@ -394,7 +395,8 @@
         adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
         adtrust_reset_netbios_name:
           "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
-      when: result_ipaserver_test.setup_adtrust
+      when: result_ipaserver_test.setup_adtrust or
+            result_ipaserver_test.sid_generation_always
 
     - name: Install - Set DS password
       ipaserver_set_ds_password:

tests/azure/build-containers.yml

@@ -38,3 +38,9 @@ jobs:
     job_name_suffix: FedoraLatest
     container_name: fedora-latest
     build_scenario_name: fedora-latest-build
+
+- template: templates/build_container.yml
+  parameters:
+    job_name_suffix: FedoraRawhide
+    container_name: fedora-rawhide
+    build_scenario_name: fedora-rawhide-build

tests/azure/nightly.yml

@@ -90,6 +90,44 @@ stages:
       scenario: fedora-latest
       ansible_version: "-core"
 
+# Fedora Rawhide
+
+- stage: FedoraRawhide_Ansible_Core_2_11
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-rawhide
+      ansible_version: "-core >=2.11,<2.12"
+
+- stage: FedoraRawhide_Ansible_Core_2_12
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-rawhide
+      ansible_version: "-core >=2.12,<2.13"
+
+- stage: FedoraRawhide_Ansible_latest
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-rawhide
+      ansible_version: ""
+
+- stage: FedoraRawhide_Ansible_Core_latest
+  dependsOn: []
+  jobs:
+  - template: templates/group_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-rawhide
+      ansible_version: "-core"
+
 # CentoOS 9 Stream
 
 - stage: c9s_Ansible_Core_2_11

tests/azure/templates/variables.yaml

@@ -16,5 +16,5 @@ variables:
   # ipa_enabled_tests: >-
   ipa_disabled_modules: >-
     dnsconfig,
-    dnsforwardzone,
-  # ipa_disabled_tests: >-
+  ipa_disabled_tests: >-
+    test_dnsconfig_forwarders_ports

tests/dnsconfig/test_dnsconfig.yml

@@ -13,14 +13,11 @@
       forwarders:
         - ip_address: 8.8.8.8
         - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-        - ip_address: 2001:4860:4860::8888
-          port: 53
       state: absent
       action: member
 
   # Tests.
-  - name: Set config to invalid IPv4.
+  - name: Set forward with invalid IPv4.
     ipadnsconfig:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
@@ -54,8 +51,6 @@
       forwarders:
         - ip_address: 8.8.8.8
         - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-          port: 53
       forward_policy: only
       allow_sync_ptr: yes
     register: result
@@ -68,8 +63,6 @@
       forwarders:
         - ip_address: 8.8.8.8
         - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-          port: 53
       forward_policy: only
       allow_sync_ptr: yes
     register: result
@@ -97,14 +90,15 @@
     register: result
     failed_when: result.changed or result.failed
 
-  - name: Ensure forwarder 8.8.4.4 is present.
+  - name: Check if forwarder 8.8.4.4 is present.
     ipadnsconfig:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
       forwarders:
         - ip_address: 8.8.4.4
+    check_mode: yes
     register: result
-    failed_when: not result.changed or result.failed
+    failed_when: result.changed or result.failed
 
   - name: Ensure forwarder 8.8.8.8 is present.
     ipadnsconfig:
@@ -115,35 +109,16 @@
     register: result
     failed_when: not result.changed or result.failed
 
-  - name: Ensure forwarder 8.8.4.4 is present.
+  - name: Check forwarder 8.8.4.4 is still present.
     ipadnsconfig:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
       forwarders:
         - ip_address: 8.8.4.4
+    check_mode: yes
     register: result
     failed_when: not result.changed or result.failed
 
-  - name: Ensure forwarders are absent.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-        - ip_address: 8.8.8.8
-    register: result
-    failed_when: not result.changed or result.failed
-
-  - name: Ensure forwarders are absent, again.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-        - ip_address: 8.8.8.8
-    register: result
-    failed_when: result.changed or result.failed
-
   - name: Disable global forwarders.
     ipadnsconfig:
       ipaadmin_password: SomeADMINpassword
@@ -208,97 +183,6 @@
     register: result
     failed_when: result.changed or result.failed
 
-  - name: Ensure all forwarders are absent.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.8.8
-        - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-          port: 53
-      state: absent
-      action: member
-    register: result
-    failed_when: not result.changed or result.failed
-
-  - name: Ensure all forwarders are absent, again.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.8.8
-        - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-          port: 53
-      state: absent
-      action: member
-    register: result
-    failed_when: result.changed or result.failed
-
-  - name: Ensure forwarder is present.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.8.8
-    register: result
-    failed_when: not result.changed or result.failed
-
-  - name: Ensure forwarders is not present.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-    check_mode: yes
-    register: result
-    failed_when: not result.changed or result.failed
-
-  - name: Ensure forwarders are present.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-        - ip_address: 8.8.8.8
-      action: member
-    register: result
-    failed_when: not result.changed or result.failed
-
-  - name: Ensure forwarders are present, again.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-        - ip_address: 8.8.8.8
-      action: member
-    register: result
-    failed_when: result.changed or result.failed
-
-  - name: Ensure another forwarder is present.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-      action: member
-    register: result
-    failed_when: result.changed or result.failed
-
-  - name: Ensure forwarders are present.
-    ipadnsconfig:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      forwarders:
-        - ip_address: 8.8.4.4
-        - ip_address: 8.8.8.8
-      action: member
-    register: result
-    failed_when: result.changed or result.failed
-
-  # Cleanup.
   - name: Ensure forwarders are absent.
     ipadnsconfig:
       ipaadmin_password: SomeADMINpassword
@@ -306,8 +190,5 @@
       forwarders:
         - ip_address: 8.8.8.8
         - ip_address: 8.8.4.4
-        - ip_address: 2001:4860:4860::8888
-        - ip_address: 2001:4860:4860::8888
-          port: 53
       state: absent
       action: member

tests/dnsconfig/test_dnsconfig_forwarders_ports.yml

@@ -0,0 +1,81 @@
+---
+- name: Test dnsconfig forwarders with custom ports
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: true
+  gather_facts: no
+
+  tasks:
+  - block:
+    # Setup.
+    - name: Ensure forwarder with custom port is absent.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: absent
+        action: member
+
+    # Tests.
+
+    - name: Ensure forwarder with custom port is present.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: present
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure forwarder with custom port is present, again.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: present
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    - name: Ensure forwarder with custom port is absent.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: absent
+        action: member
+      register: result
+      failed_when: not result.changed or result.failed
+
+    - name: Ensure forwarder with custom port is absent, again.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: absent
+        action: member
+      register: result
+      failed_when: result.changed or result.failed
+
+    always:
+
+    # Cleanup.
+    - name: Ensure forwarder with custom port is absent.
+      ipadnsconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+        state: absent
+        action: member

tests/sanity/sanity.sh

@@ -1,8 +1,13 @@
 #!/bin/bash
 
+TOPDIR=$(readlink -f "$(dirname "$0")/../..")
+pushd "${TOPDIR}" >/dev/null || exit 1
+
 VENV=/tmp/ansible-test-venv
 ANSIBLE_COLLECTION=freeipa-ansible_freeipa
 
+use_docker=$(which docker >/dev/null 2>&1 && echo "True" || echo "False")
+
 virtualenv "$VENV"
 # shellcheck disable=SC1091
 source "$VENV"/bin/activate
@@ -15,7 +20,8 @@ rm -f importer_result.json
 
 utils/build-galaxy-release.sh
 
-export GALAXY_IMPORTER_CONFIG=tests/sanity/galaxy-importer.cfg
+sed "s/LOCAL_IMAGE_DOCKER = True/LOCAL_IMAGE_DOCKER = ${use_docker}/" < tests/sanity/galaxy-importer.cfg > ${VENV}/galaxy-importer.cfg
+export GALAXY_IMPORTER_CONFIG=${VENV}/galaxy-importer.cfg
 
 collection=$(ls -1 "$ANSIBLE_COLLECTION"-*.tar.gz)
 echo "Running: python -m galaxy_importer.main $collection"
@@ -33,4 +39,6 @@ done < <(python -m galaxy_importer.main "$collection")
 
 rm -rf "$VENV"
 
+popd >/dev/null || exit 1
+
 exit "$error"