upstream CI: Add support for multihost testing.

Use Github hosted macOS runner and Vagrant to spawn multiple hosts
allowing deployment roles and multihost testing.

Milestone: Up to this point, an IPA server can be deployed.

.ansible-lint

@@ -12,6 +12,7 @@ exclude_paths:
   - meta/runtime.yml
   - requirements-docker.yml
   - requirements-podman.yml
+  - tests/multihost/vagrant-inventory.yml
 
 kinds:
   - playbook: '**/tests/**/test_*.yml'

.github/workflows/multihost.yml

@@ -0,0 +1,72 @@
+name: Multihost Testing
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  multihost-testing:
+    name: "Multihost tests"
+    # Only macos provides Vagrant.
+    runs-on: macos-12
+    defaults:
+      run:
+        working-directory: tests/multihost
+
+    steps:
+      - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - uses: actions/[email protected]
+        with:
+          python-version: "3.x"
+
+      - name: Install Ansible
+        run: pip install ansible-core
+
+      - name: Ansible version
+        run: ansible --version
+
+      - name: Prepare ansible-freeipa environment
+        working-directory: ../..
+        run: |
+          pwd
+          rm -rf ~/.ansible
+          mkdir ~/.ansible
+          ln -s $(pwd)/roles ~/.ansible/
+          ln -s $(pwd)/plugins ~/.ansible/
+          ls -l ~/.ansible/*
+
+      - name: Show Vagrant version
+        run: |
+          pwd
+          vagrant --version
+
+      - name: Run vagrant up
+        run: vagrant up
+
+      - name: Get vagrant ssh config
+        run: |
+          pwd
+          vagrant ssh-config | tee "vagrant-ssh"
+
+      - name: Hosts IP info
+        run: |
+          pwd
+          vagrant ssh -c "ip addr" server.ipa.test
+          vagrant ssh -c "ip addr" rep-01.ipa.test
+          vagrant ssh -c "ip addr" cli-01.ipa.test
+
+      - name: Ansible ping target hosts.
+        run: |
+          ansible -i vagrant-inventory.yml --ssh-extra-args "-F vagrant-ssh" -m ping all
+
+      # Here is where you add tests...
+      - name: Test IPA server deploy
+        run: ansible-playbook -i vagrant-inventory.yml --ssh-extra-args "-F vagrant-ssh" playbooks/install-server.yml
+
+      # ...
+
+      - name: Stop vagrant
+        run: vagrant destroy -f

.gitignore

@@ -5,4 +5,7 @@
 /.tox/
 /.venv/
 
+# ignore Vagrant data
+/.vagrant/
+
 tests/logs/

tests/multihost/README-vagrant.md

@@ -0,0 +1,35 @@
+Multihost testing with Vagrant
+==============================
+
+To test ipaserver role and ipabackup restore options, it is required that a target node without IPA installed is provided. To test ipareplica and ipacilent roles, it is required that a multihost environvent is available, and at least one target node does not have IPA installed. This environment must have proper networking configuration and some isolation for the tarkget nodes not provided by containers.
+
+By using Vagrant along with Github Workflows we can have nested virtualization, allowing the creation of three virtual machine nodes that will play the roles of primary server, replica and client. The use of Vagrant also allows the use of a similar environment to run the tests in a developer's local machine, if desired.
+
+Github workflows only allows nested vintualization within _macOS_ runners \[[1]\]\[[2]\]. A nice side effect of using macOS runners is that there is some more available memory for the VMs \[[3]\], which might allow the use of a Windows node in the future.
+
+As of this writing, there were some issues running Vagrant on `macos-latest`, and as it is transitioning from `macos-11` to `macos-12`, it was decided that the runner used will be pinned to `mac-12`.
+
+In the current setup there are three nodes:
+
+* Server:
+    * hostname: server.ipa.test
+    * private network ip: 192.168.56.101
+    * RAM: 2048 MB
+* Replica:
+    * hostname: rep-01.ipa.test
+    * private network ip: 192.168.56.102
+    * RAM: 2048 MB
+* Client:
+    * hostname: cli-01.ipa.test
+    * private network ip: 192.168.56.103
+    * RAM: 512 MB
+
+The private network addresses used were selected due to Github Workflow configuration, which only allows addresses for network `192.168.56.0/21`.
+
+Ansible controller is the runner, a macOS host with the latest `ansible-core` version available through `pip`. Connection to the hosts is done through Vagrant `ssh-config` setup.
+
+To execute a playbook, use `ansible-playbook -i vagrant-inventory.yml --ssh-extra-args "-F vagrant-ssh" <path/to/playbook>`. The current directory is `<repo_root>/tests/multihost`.
+
+[1]: https://github.com/actions/runner-images/issues/183
+[2]: https://github.com/actions/runner-images/issues/433
+[3]: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources

tests/multihost/Vagrantfile

@@ -0,0 +1,48 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "fedora/37-cloud-base"
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  config.vm.provider :libvirt do |libvirt|
+    libvirt.qemu_use_session = false
+    libvirt.memory = 2048
+  end
+  config.vm.provider :virtualbox do |virtualbox|
+    virtualbox.memory = 2048
+  end
+
+  # Prevent SharedFoldersEnableSymlinksCreate errors
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+  # increase boot timeout (8 minutes).
+  config.vm.boot_timeout = 8 * 60
+
+
+  config.vm.define "server.ipa.test" do |server|
+    server.vm.network "private_network", :ip => '192.168.56.101'
+    server.vm.hostname = "server.ipa.test"
+    server.vm.provision "shell",
+      inline: "echo '192.168.56.101 server.ipa.test' >> /etc/hosts"
+  end    
+
+  config.vm.define "rep-01.ipa.test" do |replica|
+    replica.vm.network "private_network", :ip => '192.168.56.102'
+    replica.vm.hostname="rep-01.ipa.test"
+    replica.vm.provision "shell",
+      inline: "echo '192.168.56.102 replica.ipa.test' >> /etc/hosts"
+  end 
+
+  config.vm.define "cli-01.ipa.test" do |client|
+    client.vm.network "private_network", :ip => '192.168.56.103'
+    client.vm.hostname="cli-01.ipa.test"
+    client.vm.provider :libvirt do |cmv|
+      cmv.memory = 512
+    end
+    client.vm.provider :virtualbox do |cmv|
+      cmv.memory = 512
+    end
+  end
+
+end
+

tests/multihost/playbooks

@@ -0,0 +1 @@
+../../playbooks

tests/multihost/vagrant-inventory.yml

@@ -0,0 +1,87 @@
+---
+all:
+  vars:
+    ipa_dm_password: SomeDMpassword
+    ipa_admin_password: SomeADMINpassword
+    ipaserver_domain: ipa.test
+    ipaserver_realm: IPA.TEST
+    ipareplica_realm: IPA.TEST
+    ipadm_password: "{{ ipa_dm_password }}"
+    ipaadmin_password: "{{ ipa_admin_password }}"
+  children:
+    # define cluster
+    ipacluster:
+      children:
+        ipaserver:
+        ipareplicas:
+        ipaclients:
+    # IPA First (CA Renewal) Server
+    ipaserver:
+      hosts:
+        "server.ipa.test":
+          # Ansible connection configuration
+          ansible_ssh_user: vagrant
+          ansible_ssh_private_key_file: ".vagrant/machines/server/libvirt/private_key"
+          ansible_ssh_host_key_checking: no
+          # IPA Configuration.
+      vars:
+        # KRA
+        ipaserver_setup_kra: yes
+        # DNS
+        ipaserver_setup_dns: yes
+        ipaserver_forwarders: 1.1.1.1
+        ipaserver_auto_reverse: yes
+        ipaserver_allow_zone_overlap: yes
+        # this is required for AD trust
+        ipaserver_no_dnssec_validation: yes
+        # trust vars
+        ipaserver_setup_adtrust: yes
+        # disable 'allow all' HBAC rule
+        ipaserver_no_hbac_allow: yes
+        # other vars
+    # IPA Replica Servers
+    ipareplicas:
+      hosts:
+        "rep-01.ipa.test":
+          # Ansible connection configuration
+          ansible_ssh_user: vagrant
+          ansible_ssh_private_key_file: ".vagrant/machines/replica/libvirt/private_key"
+          ansible_ssh_host_key_checking: no
+          # IPA Configuration.
+          # CA backup
+          ipareplica_setup_ca: yes
+          # KRA backup
+          ipareplica_setup_kra: yes
+          # DNS backup
+          ipareplica_setup_dns: yes
+          ipareplica_no_dnssec_validation: yes
+          ipareplica_no_forwarders: yes
+          # Trust backup
+          ipareplica_setup_trust: yes
+      vars:
+        # ipaclient_force_join: yes
+        # Update IP addressess
+        ipaclient_all_ip_addresses: yes
+        # Automatically handle DNS nameservers (v1.9.0+)
+        # ipaclient_configure_dns_resolver: yes
+        # ipaclient_dns_servers:
+        #   - 192.168.56.11
+        #   - 192.168.56.10
+    # IPA Client hosts
+    ipaclients:
+      hosts:
+        "cli-01.ipa.test":
+          # Ansible connection configuration
+          ansible_ssh_user: vagrant
+          ansible_ssh_private_key_file: ".vagrant/machines/client/libvirt/private_key"
+          ansible_ssh_host_key_checking: no
+          # IPA Configuration.
+      vars:
+        ipaclient_mkhomedir: yes
+        # Add client DNS entries
+        ipaclient_all_ip_addresses: yes
+        # Automatically handle DNS nameservers (v1.9.0+)
+        # ipaclient_configure_dns_resolver: yes
+        # ipaclient_dns_servers:
+        #   - 192.168.56.10
+        #   - 192.168.56.11