This has been tested with `python -m pip -r requirements.txt` and has
been proven to build an enviornment sufficient to run the test suite.

Still don't have an interactive VM at this point, I fear it may be
crashing on boot. We will try using the default OVMF firmware images and
see if that solves our problems.

This commit configures a testing environment for the 'uki' role. To run
these tests, libvirt and qemu are required. The machine runs and
configures well, but this commit is still missing configuration
instructions, and tests still do not pass. This is a milestone commit
that accomplishes the environment setup, most future commits will focus
on the tests and the collection themselves.

This commit does not provide a complete testing setup. We are running
into a limitation on ansible-test, where we can't provide a custom
inventory file without using the libvirt inventory plugin, but we can't
use SELinux with that plugn. We need to switch to a Makefile or
something else to generate an inventory file, then we can delegate
properly.

This commit changes the test VM configuration to not require
become or sudo. This only works with SELinux disabled due to a bug in
the passt policy that prevents the user from writing to the passt
socket.

Tests still don't run, we don't inherit the tempdir variable between the
two plays we try to run in setup.yml. This will be fixed by writing it
externally, but we should do our work in a separate temporary directory
instead of the workspace directory to make tracking changes easier.

This is meant to be set by the user and should not have been committed.

This commit changes paths and variable inheritance logic to ensure we
can run make test through 'ansible-test' instead of a raw script.

Currently this has lead to some odd behavior where libvirt is spawning
the qemu, passt and other supporting processes, but then loses track of
the domain entirely. I went from using staff to unconfined, so we may
need to reset the system for this to work properly. This is still a
milestone commit since we have a spawning VM.

This change avoids issues we were having with libvirt-python starting
machine processes but losing track of them. We now have a working
machine that we can authenticate with, and a makefile that has (almost)
perfectly working dependencies. There are still oddities related to the
machine rule, since the name of the machine file is not predictable. But
it mostly works, and this is another WIP commit, since we don't actually
have the role passing yet.

The next step is to copy the MOK files to the test machine, and re-read
the role to ensure we didn't make any mistakes or depend on things we
didn't respect during machine setup.

This commit now uses the PID file of the VM to detect whether it
needs to be created.

We might have found a bug in libvirt? If I template the firmware image
file that is generated by virt-fw-vars, the signature database for the
MokList variable gets mangled somehow, and the certificate fingerprint
changes. If I use the immediate output of virt-fw-vars, everything works
fine.

We now install pip from the ensurepip module, since we were getting some
missing library errors using ansible.builtin.package.

Note there is a bug right now where the openssh server become available
before the python3-libdnf5 package is installed by cloud-init. This
results in the package module failing due to an unmet dependency. The
fix is to wait longer or for a different condition, but we're committing
this as is because it's our first ever successful test run.

This is a dependency for Ansible that isn't included in the image for
some reason.

This commit moves most of the test setup logic out of the makefile and
into a new setup playbook. We still use make, but mostly as a
convenience tool to avoid passing all those arguments to
ansible-playbook. There is now a teardown target that stops machines,
but doesn't remove images and configuration.

The testimage.yml file is now a platforms.yml file that lists platforms,
the url to download a cloud image, and the prefix directory before
shim (fedora, centos, redhat, etc). The looping mechanics in ansible are
used to generate an inventory file using all of these platforms, which
allows us to run tests in parallel.

Add a new teardown rule to Makefile that removes test machines without
removing built files sot hey can quickly be spun up again.

Fix detection of UKI rebuild need. Note we should also inspect whether
the certificate and/or private key changed, not just their file paths
are those will likely be the same. Added conditions to only reboot if
the UKI was rebuilt.

We now verify that key identity is our condition for idempotency, not
key nickname.

Previously unnecessarily inserted uki signature verification tasks
between two postinst script installation tasks.

This adds an additional pre-reboot check: that BootNext is set to the
UKI for the kernel version we installed. We now call kernel-install
directly in case the package for the kernel version we need is not
available, in which case apt will fail silently.

This avoids verification issues with pesigcheck.

pesigcheck is used in favor of osslsigncode since it is available on
CentOS and RHEL. Detection of the BootNext EFI variable was broken on
ubuntu since it apparently doesn't include the 'UKI' tag, so a special
case was added.

This should avoid reusing addresses.

This allows the system to upgrade itself instead of relying on cloning a
repository.

this is a debian-only change

This change aligns the layout of the integration tests directory with
the expected structure of collection tests, even though we don't use
ansible-test. This lays the groundwork for splitting test components
into their own tasks files and reusing more tasks.