puppet

Puppet module.

class spicerack.puppet.PuppetHosts(remote_hosts)[source]

Bases: spicerack.remote.RemoteHostsAdapter

Class to manage Puppet on the target hosts.

__init__(remote_hosts)

static inherited Initialize the instance.

Parameters: remote_hosts (spicerack.remote.RemoteHosts) -- the instance to act on the remote hosts.
disable(reason)[source]

Disable puppet with a specific reason.

If Puppet was already disabled on a host with a different reason, the reason will not be overridden. This leaves Puppet disabled on that host when it is later re-enabled, if it was already disabled beforehand.

Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.
disabled(reason)[source]

Context manager to perform actions while puppet is disabled.

Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.
enable(reason)[source]

Enable Puppet with a specific reason. It must be the same reason used to disable it.

Puppet will be re-enabled only if it was disabled with the same reason. If it was disabled with a different reason, it will stay disabled.

Parameters: reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.
first_run(has_systemd=True)[source]

Perform the first Puppet run on a clean host without using custom wrappers.

Parameters: has_systemd (bool, optional) -- if the host has systemd as init system.
regenerate_certificate()[source]

Delete the local Puppet certificate and generate a new CSR.

Returns: a dictionary with hostnames as keys and CSR fingerprints as values.
Return type: dict
run(timeout=300, enable_reason=None, quiet=False, failed_only=False, force=False, attempts=0, batch_size=10)[source]

Run Puppet.

Parameters:
  • timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
  • enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contextually re-enable Puppet if it was disabled.
  • quiet (bool, optional) -- suppress Puppet output if True.
  • failed_only (bool, optional) -- run Puppet only if the last run failed.
  • force (bool, optional) -- forcibly re-enable Puppet if it was disabled with ANY message.
  • attempts (int, optional) -- override the default number of attempts to wait for an in-flight Puppet run to complete before timing out, as set in run-puppet-agent.
  • batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.
wait()[source]

Wait until the next successful Puppet run is completed.

wait_since(start)[source]

Wait until a successful Puppet run is completed after the start time.

Parameters: start (datetime.datetime) -- wait until a Puppet run is completed after this time.
Raises: spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.
exception spicerack.puppet.PuppetHostsCheckError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for check errors in the PuppetHosts class.

exception spicerack.puppet.PuppetHostsError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetHosts class.

class spicerack.puppet.PuppetMaster(master_host)[source]

Bases: object

Class to manage nodes and certificates on a Puppet master and Puppet CA server.

__init__(master_host)[source]

Initialize the instance.

Parameters: master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
Raises: spicerack.puppet.PuppetMasterError -- if the master_host does not have exactly one target host.
_run_json_command(command)[source]

Execute a Puppet CLI command that outputs JSON and parse its output.

The commands run are assumed to be safe, as the JSON format is useful for read-only operations only.

Parameters: command (str) -- the command to execute on the Puppet master that returns JSON output.
Returns: the parsed JSON object.
Return type: dict, list
Raises: spicerack.puppet.PuppetMasterError -- if unable to get or parse the command output.
destroy(hostname)[source]

Remove the certificate for the given hostname.

If there is no certificate to remove, no exception is raised, as the Puppet CA just outputs 'Nothing was deleted'.

Parameters: hostname (str) -- the FQDN of the host for which to remove the certificate.
get_certificate_metadata(hostname)[source]

Return the metadata of the certificate of the given hostname in the Puppet CA.

Parameters:

hostname (str) -- the FQDN of the host for which to verify the certificate.

Returns:

the certificate metadata as returned by the Puppet CA CLI with the render as JSON option set. For example:

{'dns_alt_names': ['DNS:service.example.com'],
 'fingerprint': '00:FF:...',
 'fingerprints': {
    'SHA1': '00:FF:...', 'SHA256': '00:FF:...', 'SHA512': '00:FF:...', 'default': '00:FF:...'},
 'name': 'host.example.com',
 'state': 'signed'}

Return type:

dict

Raises:
sign(hostname, fingerprint, allow_alt_names=False)[source]

Sign a CSR on the Puppet CA for the given host checking its fingerprint.

Parameters:
  • hostname (str) -- the FQDN of the host for which to sign the certificate.
  • fingerprint (str) -- the fingerprint of the CSR generated on the client to verify it.
  • allow_alt_names (bool, optional) -- whether to allow DNS alternative names in the certificate.
Raises:

spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.

verify(hostname)[source]

Verify that there is a valid certificate signed by the Puppet CA for the given hostname.

Parameters: hostname (str) -- the FQDN of the host for which to verify the certificate.
Raises: spicerack.puppet.PuppetMasterError -- if the certificate is not valid.
wait_for_csr(hostname)[source]

Poll until a CSR appears for the given hostname or the timeout is reached.

Parameters:

hostname (str) -- the FQDN of the host for which to check a CSR.

Raises:
exception spicerack.puppet.PuppetMasterCheckError[source]

Bases: spicerack.exceptions.SpicerackCheckError

Custom exception class for check errors in the PuppetMaster class.

exception spicerack.puppet.PuppetMasterError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetMaster class.

spicerack.puppet.get_puppet_ca_hostname()[source]

Return the FQDN of the current Puppet CA server.

Raises: spicerack.puppet.PuppetMasterError -- if unable to get the configured Puppet CA server.
Returns: the hostname of the Puppet Certification Authority server.
Return type: str
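
The fingerprint returned by regenerate_certificate() is what ties the CSR signed on the CA to the key generated on the client. The following is an added example, not spicerack code, that chains the documented PuppetHosts and PuppetMaster methods and makes that comparison explicit against the metadata shape shown for get_certificate_metadata(). Assumptions: check_csr, recertify and CsrCheckError are hypothetical names, 'requested' is assumed to be the CA state of a pending CSR, the client and CA fingerprints are assumed to use the same format, and the call order is this example's own.

```python
# Added example, not spicerack code. check_csr, recertify and CsrCheckError are hypothetical.
PENDING_STATE = "requested"  # assumption: CA state of an unsigned CSR (the page shows only 'signed')

# Constructed sample in the shape documented for get_certificate_metadata().
SAMPLE_CSR = {"dns_alt_names": [], "fingerprint": "00:FF:AA",
              "name": "host.example.com", "state": "requested"}


class CsrCheckError(Exception):
    """Hypothetical exception for this example."""


def check_csr(metadata, hostname, client_fingerprint, allow_alt_names=False):
    """Compare the CA's view of a CSR with what the client itself reported."""
    if metadata.get("name") != hostname:
        raise CsrCheckError(f"metadata is for {metadata.get('name')!r}, not {hostname!r}")
    if metadata.get("state") != PENDING_STATE:
        raise CsrCheckError(f"unexpected certificate state {metadata.get('state')!r}")
    ca_fingerprint = str(metadata.get("fingerprint", "")).upper()
    if not ca_fingerprint or ca_fingerprint != client_fingerprint.upper():
        raise CsrCheckError("CSR on the CA is not the one generated on the client")
    if metadata.get("dns_alt_names") and not allow_alt_names:
        raise CsrCheckError(f"unexpected alt names: {metadata['dns_alt_names']}")


def recertify(puppet_hosts, puppet_master, hostname, allow_alt_names=False):
    """Re-issue one host certificate; the call order is an assumption of this example."""
    puppet_master.destroy(hostname)  # drop the old certificate, if any
    fingerprint = puppet_hosts.regenerate_certificate()[hostname]  # reported by the client
    puppet_master.wait_for_csr(hostname)
    check_csr(puppet_master.get_certificate_metadata(hostname), hostname,
              fingerprint, allow_alt_names)
    puppet_master.sign(hostname, fingerprint, allow_alt_names=allow_alt_names)
    puppet_master.verify(hostname)
    return fingerprint


if __name__ == "__main__":
    check_csr(SAMPLE_CSR, "host.example.com", "00:ff:aa")  # matching CSR passes silently
    try:
        check_csr(SAMPLE_CSR, "host.example.com", "11:22:33")
    except CsrCheckError as error:
        print(f"refused to sign: {error}")
```

The puppet_hosts and puppet_master arguments are expected to be PuppetHosts and PuppetMaster instances; a CSR carrying DNS alternative names is refused unless allow_alt_names is set, mirroring the sign() parameter.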