[nat64_appliance] Add support for downloading pre-built images

Introduce cifmw_nat64_appliance_image_url parameter to download
pre-built NAT64 images, with optional checksum verification support.

Signed-off-by: Miguel Angel Nieto Jimenez <[email protected]>

Author: mnietoji

docs/dictionary/en-custom.txt

@@ -153,6 +153,7 @@ dib
 dicts
 dirs
 disablecertificateverification
+diskimage
 disksize
 distro
 dlrn

roles/nat64_appliance/README.md

@@ -25,21 +25,38 @@
 * `cifmw_nat64_appliance_memory`: (Integer) Memory in GiB for the nat64 appliance VM. Defaults to: `2`.
 * `cifmw_nat64_appliance_cpus`: (Integer) Virtual CPUs for the nat64 appliance VM. Defaults to: `2`.
 * `cifmw_nat64_appliance_ssh_pub_keys`: (List) List of SSH public key for the nat64 appliance VM. Defaults to: `[]`.
+* `cifmw_nat64_appliance_image_url`: (String) URL to download a pre-built NAT64 appliance image. If empty, the image will be built from source using diskimage-builder. Defaults to: `""`.
+* `cifmw_nat64_appliance_image_checksum`: (String) Optional checksum for the downloaded image in the format `algorithm:hash` (e.g., `sha256:xxxxx`). Only used when `cifmw_nat64_appliance_image_url` is set. Defaults to: undefined.
+* `cifmw_nat64_appliance_download_timeout`: (Integer) Timeout in seconds for image download. Only used when `cifmw_nat64_appliance_image_url` is set. Defaults to: `600`.
 * `cifmw_nat64_ipv6_prefix`: (String) IPv6 prefix for nat64. Defaults to: `fc00:abcd:abcd:fc00::/64`.
 * `cifmw_nat64_ipv6_tayga_address`: (String) Tayga IPv6 address. Defaults to: `fc00:abcd:abcd:fc00::3`.
 
 ## Building the image
 
 Include the `nat64_appliance` role in a playbook. For example:
 
+### Build from source
+
+```yaml
+- name: Build nat64-appliance from source
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  roles:
+    - nat64_appliance
 ```
-- name: Build nat64-appliance
+
+### Download pre-built image
+
+```yaml
+- name: Download pre-built nat64-appliance image
   hosts: "{{ cifmw_target_host | default('localhost') }}"
+  vars:
+    cifmw_nat64_appliance_image_url: "http://example.com/nat64-appliance.qcow2"
+    # cifmw_nat64_appliance_image_checksum: "sha256:xxxxx"  # Optional
   roles:
     - nat64_appliance
 ```
 
-The built image will be in: `{{ cifmw_nat64_appliance_workdir }}/nat64-appliance.qcow2`
+The image will be in: `{{ cifmw_nat64_appliance_workdir }}/nat64-appliance.qcow2`
 
 ## Using the nat64-appliance
 

roles/nat64_appliance/defaults/main.yml

@@ -40,6 +40,10 @@ cifmw_nat64_appliance_memory: 2
 cifmw_nat64_appliance_cpus: 2
 cifmw_nat64_appliance_ssh_pub_keys: []
 
+# Image download configuration
+# Set cifmw_nat64_appliance_image_url to download a pre-built image
+cifmw_nat64_appliance_image_url: ""
+cifmw_nat64_appliance_download_timeout: 600  # 10 minutes
 
 cifmw_nat64_ipv6_prefix: "2620:cf:cf:fc00::/64"
 cifmw_nat64_ipv6_tayga_address: "2620:cf:cf:fc00::3"

…4_appliance/molecule/default/cleanup.yml …t64_appliance/molecule/build/cleanup.ymlroles/nat64_appliance/molecule/default/cleanup.yml renamed to roles/nat64_appliance/molecule/build/cleanup.yml roles/nat64_appliance/molecule/default/cleanup.yml renamed to roles/nat64_appliance/molecule/build/cleanup.yml

@@ -0,0 +1,34 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Cleanup
+  hosts: instance
+  vars:
+    cifmw_basedir: "{{ ansible_user_dir }}/ci-framework-data"
+  tasks:
+    - name: Stop HTTP server if running
+      ansible.builtin.shell: |
+        if [ -f /tmp/nat64_http_server.pid ]; then
+          kill $(cat /tmp/nat64_http_server.pid) || true
+          rm -f /tmp/nat64_http_server.pid /tmp/nat64_http_server.log
+        fi
+        pkill -f "python3 -m http.server 8765" || true
+      ignore_errors: true
+
+    - name: Cleanup nat64 appliance
+      ansible.builtin.include_role:
+        name: nat64_appliance
+        tasks_from: cleanup.yml

…_appliance/molecule/default/converge.yml …64_appliance/molecule/build/converge.ymlroles/nat64_appliance/molecule/default/converge.yml renamed to roles/nat64_appliance/molecule/build/converge.yml roles/nat64_appliance/molecule/default/converge.yml renamed to roles/nat64_appliance/molecule/build/converge.yml

@@ -0,0 +1,150 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This scenario tests BOTH build and download modes:
+# 1. Build image from source
+# 2. Serve the built image via HTTP
+# 3. Download the image using the download feature
+# 4. Test that both images work
+
+- name: Converge - Test build and download modes
+  hosts: instance
+  vars:
+    cifmw_basedir: "{{ ansible_user_dir }}/ci-framework-data"
+    cifmw_nat64_build_dir: "{{ cifmw_basedir }}/nat64_build"
+    cifmw_nat64_download_dir: "{{ cifmw_basedir }}/nat64_download"
+    cifmw_nat64_http_port: 8765
+  tasks:
+    - name: Create SSH keypair
+      register: _test_key
+      community.crypto.openssh_keypair:
+        comment: "test-key"
+        path: "{{ (ansible_user_dir, '.ssh/id_test') | path_join }}"
+        type: "ecdsa"
+
+    - name: Enable forwarding in the libvirt zone
+      become: true
+      ansible.builtin.command:
+        cmd: >-
+          firewall-cmd --permanent --zone libvirt --add-forward
+
+    - name: Restart firewalld.service
+      become: true
+      ansible.builtin.systemd_service:
+        name: firewalld
+        state: restarted
+
+    # =============================================================
+    # PHASE 1: Build image from source
+    # =============================================================
+    - name: "PHASE 1: Build nat64 appliance image from source"
+      vars:
+        cifmw_basedir: "{{ cifmw_nat64_build_dir }}"
+        cifmw_nat64_appliance_run_dib_as_root: true
+      ansible.builtin.include_role:
+        name: nat64_appliance
+
+    - name: Fix permissions on nat64_appliance dir (built as root)
+      become: true
+      ansible.builtin.file:
+        path: "{{ cifmw_nat64_build_dir }}/nat64_appliance"
+        state: directory
+        mode: "0755"
+        recurse: true
+        owner: "{{ ansible_user_id }}"
+        group: "{{ ansible_user_gid }}"
+
+    - name: Verify built image exists
+      ansible.builtin.stat:
+        path: "{{ cifmw_nat64_build_dir }}/nat64_appliance/nat64-appliance.qcow2"
+      register: _built_image
+      failed_when: not _built_image.stat.exists
+
+    - name: Show built image info
+      ansible.builtin.debug:
+        msg: "Built image: {{ _built_image.stat.path }} ({{ _built_image.stat.size }} bytes)"
+
+    # =============================================================
+    # PHASE 2: Serve image via HTTP and download it
+    # =============================================================
+    - name: Start HTTP server to serve the built image
+      ansible.builtin.shell: |
+        cd {{ cifmw_nat64_build_dir }}/nat64_appliance
+        nohup python3 -m http.server {{ cifmw_nat64_http_port }} > /tmp/nat64_http_server.log 2>&1 &
+        echo $! > /tmp/nat64_http_server.pid
+        sleep 2
+
+    - name: Verify HTTP server is running
+      ansible.builtin.uri:
+        url: "http://localhost:{{ cifmw_nat64_http_port }}/nat64-appliance.qcow2"
+        method: HEAD
+      register: _http_check
+      until: _http_check.status == 200
+      retries: 5
+      delay: 2
+
+    - name: "PHASE 2: Download nat64 appliance image from HTTP server"
+      vars:
+        cifmw_basedir: "{{ cifmw_nat64_download_dir }}"
+        cifmw_nat64_appliance_image_url: "http://localhost:{{ cifmw_nat64_http_port }}/nat64-appliance.qcow2"
+      ansible.builtin.include_role:
+        name: nat64_appliance
+
+    - name: Verify downloaded image exists
+      ansible.builtin.stat:
+        path: "{{ cifmw_nat64_download_dir }}/nat64_appliance/nat64-appliance.qcow2"
+      register: _downloaded_image
+      failed_when: not _downloaded_image.stat.exists
+
+    - name: Show downloaded image info
+      ansible.builtin.debug:
+        msg: "Downloaded image: {{ _downloaded_image.stat.path }} ({{ _downloaded_image.stat.size }} bytes)"
+
+    - name: Verify both images have the same size
+      ansible.builtin.assert:
+        that:
+          - _built_image.stat.size == _downloaded_image.stat.size
+        fail_msg: "Image size mismatch! Built: {{ _built_image.stat.size }}, Downloaded: {{ _downloaded_image.stat.size }}"
+        success_msg: "Both images have the same size ({{ _built_image.stat.size }} bytes)"
+
+    # =============================================================
+    # PHASE 3: Test the downloaded image (deploy and verify)
+    # =============================================================
+    - name: "Deploy the nat64 appliance using downloaded image"
+      vars:
+        cifmw_basedir: "{{ cifmw_nat64_download_dir }}"
+        cifmw_nat64_appliance_ssh_pub_keys:
+          - "{{ _test_key.public_key }}"
+      ansible.builtin.include_role:
+        name: nat64_appliance
+        tasks_from: deploy.yml
+
+    - name: Verify nat64-appliance VM is running
+      community.libvirt.virt:
+        command: status
+        name: nat64-appliance
+        uri: 'qemu:///system'
+      register: _vm_status
+      failed_when: _vm_status.status != "running"
+
+  always:
+    - name: Stop HTTP server
+      ansible.builtin.shell: |
+        if [ -f /tmp/nat64_http_server.pid ]; then
+          kill $(cat /tmp/nat64_http_server.pid) || true
+          rm -f /tmp/nat64_http_server.pid
+        fi
+      ignore_errors: true

…_appliance/molecule/default/molecule.yml …64_appliance/molecule/build/molecule.ymlroles/nat64_appliance/molecule/default/molecule.yml renamed to roles/nat64_appliance/molecule/build/molecule.yml roles/nat64_appliance/molecule/default/molecule.yml renamed to roles/nat64_appliance/molecule/build/molecule.yml

@@ -0,0 +1,10 @@
+---
+# Scenario to test both build and download modes
+# 1. Build image from source
+# 2. Serve it via HTTP
+# 3. Download and test it
+log: true
+
+provisioner:
+  name: ansible
+  log: true