puppet
Puppet module.
-
class spicerack.puppet.PuppetHosts(remote_hosts)
Bases: spicerack.remote.RemoteHostsAdapter
Class to manage Puppet on the target hosts.
-
__init__(remote_hosts)
static inherited
Initialize the instance.
Parameters: remote_hosts (spicerack.remote.RemoteHosts) -- the instance to act on the remote hosts.
-
disable(reason)
Disable Puppet with a specific reason.
If Puppet was already disabled on a host with a different reason, the reason will not be overridden, so that Puppet is left disabled when re-enabling it if it was already disabled.
Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.
-
disabled(reason)
Context manager to perform actions while Puppet is disabled.
Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.
-
enable(reason)
Enable Puppet with a specific reason; it must be the same one used to disable it.
Puppet will be re-enabled only if it was disabled with the same reason. If it was disabled with a different reason it will stay disabled.
Parameters: reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.
-
first_run(has_systemd=True)
Perform the first Puppet run on a clean host without using custom wrappers.
Parameters: has_systemd (bool, optional) -- if the host has systemd as init system.
-
regenerate_certificate()
Delete the local Puppet certificate and generate a new CSR.
Returns: a dictionary with hostnames as keys and CSR fingerprint as values.
Return type: dict
-
run(timeout=300, enable_reason=None, quiet=False, failed_only=False, force=False, attempts=0, batch_size=10)
Run Puppet.
Parameters:
- timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
- enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contextually re-enable Puppet if it was disabled.
- quiet (bool, optional) -- suppress Puppet output if True.
- failed_only (bool, optional) -- run Puppet only if the last run failed.
- force (bool, optional) -- forcibly re-enable Puppet if it was disabled with ANY message.
- attempts (int, optional) -- override the default number of attempts, as set in run-puppet-agent, to wait for an in-flight Puppet run to complete before timing out.
- batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.
-
wait_since(start)
Wait until a successful Puppet run is completed after the start time.
Parameters: start (datetime.datetime) -- wait until a Puppet run is completed after this time.
Raises: spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.
-
-
exception spicerack.puppet.PuppetHostsCheckError
Bases: spicerack.exceptions.SpicerackError
Custom base exception class for check errors in the PuppetHosts class.
-
exception spicerack.puppet.PuppetHostsError
Bases: spicerack.exceptions.SpicerackError
Custom base exception class for errors in the PuppetHosts class.
-
class spicerack.puppet.PuppetMaster(master_host)
Bases: object
Class to manage nodes and certificates on a Puppet master and Puppet CA server.
-
__init__(master_host)
Initialize the instance.
Parameters: master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
Raises: spicerack.puppet.PuppetMasterError -- if the master_host doesn't have only one target host.
-
_run_json_command(command)
Execute and parse a Puppet CLI command that outputs JSON.
The commands run are assumed to be safe as the JSON format is useful for read-only operations only.
Parameters: command (str) -- the command to execute on the Puppet master that returns JSON output.
Returns: the parsed JSON object.
Return type: dict, list
Raises: spicerack.puppet.PuppetMasterError -- if unable to get or parse the command output.
-
destroy(hostname)
Remove the certificate for the given hostname.
If there is no certificate to remove it doesn't raise an exception, as the Puppet CA just outputs 'Nothing was deleted'.
Parameters: hostname (str) -- the FQDN of the host for which to remove the certificate.
-
get_certificate_metadata(hostname)
Return the metadata of the certificate of the given hostname in the Puppet CA.
Parameters: hostname (str) -- the FQDN of the host for which to verify the certificate.
Returns: as returned by the Puppet CA CLI with the render as JSON option set. As example:
    {'dns_alt_names': ['DNS:service.example.com'],
     'fingerprint': '00:FF:...',
     'fingerprints': {
         'SHA1': '00:FF:...',
         'SHA256': '00:FF:...',
         'SHA512': '00:FF:...',
         'default': '00:FF:...'},
     'name': 'host.example.com',
     'state': 'signed'}
Return type:
Raises:
- spicerack.puppet.PuppetMasterCheckError -- if no certificate is found.
- spicerack.puppet.PuppetMasterError -- if more than one certificate is found or it has invalid data.
-
sign(hostname, fingerprint, allow_alt_names=False)
Sign a CSR on the Puppet CA for the given host checking its fingerprint.
Parameters:
Raises: spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
-
verify(hostname)
Verify that there is a valid certificate signed by the Puppet CA for the given hostname.
Parameters: hostname (str) -- the FQDN of the host for which to verify the certificate.
Raises: spicerack.puppet.PuppetMasterError -- if the certificate is not valid.
-
wait_for_csr(hostname)
Poll until a CSR appears for the given hostname or the timeout is reached.
Parameters: hostname (str) -- the FQDN of the host for which to check a CSR.
Raises:
- spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
- spicerack.puppet.PuppetMasterCheckError -- if within the timeout no CSR is found.
-
-
exception spicerack.puppet.PuppetMasterCheckError
Bases: spicerack.exceptions.SpicerackCheckError
Custom exception class for check errors in the PuppetMaster class.
-
exception spicerack.puppet.PuppetMasterError
Bases: spicerack.exceptions.SpicerackError
Custom base exception class for errors in the PuppetMaster class.
-
spicerack.puppet.get_puppet_ca_hostname()
Return the FQDN of the current Puppet CA server.
Raises: spicerack.puppet.PuppetMasterError -- if unable to get the configured Puppet CA server.
Returns: the hostname of the Puppet Certification Authority server.
Return type: str
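
Added example (not part of the Spicerack documentation or code base): how regenerate_certificate(), wait_for_csr() and sign() combine so that the CA signs only the CSR whose fingerprint the host itself reported. The call order, the reissue_certificate name, the Fake* stand-ins and the plain-string reason are assumptions for illustration; real code passes PuppetHosts, PuppetMaster and a spicerack.administrative.Reason.

```python
from contextlib import contextmanager

def reissue_certificate(fqdn, puppet_hosts, puppet_master, reason):
    """Renew one host's Puppet certificate; puppet_hosts must target only fqdn."""
    puppet_master.destroy(fqdn)          # drop the old certificate on the CA
    with puppet_hosts.disabled(reason):  # no stray agent runs meanwhile
        # Fingerprint reported by the host itself, keyed by hostname.
        fingerprints = puppet_hosts.regenerate_certificate()
        puppet_master.wait_for_csr(fqdn)
        # The CA signs only a CSR matching the host-reported fingerprint.
        puppet_master.sign(fqdn, fingerprints[fqdn])
        puppet_hosts.run(enable_reason=reason, quiet=True)
    return puppet_master.get_certificate_metadata(fqdn)["state"]

# --- Constructed in-memory stand-ins so the flow runs offline (assumptions) ---
class FakeHosts:
    def __init__(self, fqdn, fingerprint):
        self.fqdn, self.fingerprint, self.calls = fqdn, fingerprint, []
    @contextmanager
    def disabled(self, reason):
        self.calls.append("disable")
        try:
            yield
        finally:
            self.calls.append("enable")
    def regenerate_certificate(self):
        return {self.fqdn: self.fingerprint}
    def run(self, **kwargs):
        self.calls.append("run")

class FakeCA:
    def __init__(self, pending_csr_fingerprint):
        self.pending, self.state = pending_csr_fingerprint, "signed"
    def destroy(self, hostname):
        self.state = None
    def wait_for_csr(self, hostname):
        self.state = "requested"
    def sign(self, hostname, fingerprint, allow_alt_names=False):
        if fingerprint != self.pending:  # models the documented fingerprint check
            raise ValueError("CSR fingerprint mismatch, refusing to sign")
        self.state = "signed"
    def get_certificate_metadata(self, hostname):
        return {"name": hostname, "state": self.state}
```

If the CSR waiting on the CA is not the one the host generated, sign() fails, the request stays unsigned, and the disabled() context still restores the Puppet state on the host.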