puppet¶

Puppet module.

class spicerack.puppet.PuppetHosts(remote_hosts)[source]¶

Bases: spicerack.remote.RemoteHostsAdapter

Class to manage Puppet on the target hosts.

__init__(remote_hosts)¶

static inherited Initialize the instance.

Parameters:	remote_hosts (spicerack.remote.RemoteHosts) -- the instance to act on the remote hosts.

disable(reason)[source]¶

Disable puppet with a specific reason.

If Puppet was already disabled on a host with a different reason, the reason will not be overriden, allowing to leave Puppet disabled when re-enabling it if it was already disabled.

Parameters:	reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.

disabled(reason)[source]¶

Context manager to perform actions while puppet is disabled.

Parameters:	reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.

enable(reason)[source]¶

Enable Puppet with a specific reason, it must be the same used to disable it.

Puppet will be re-enabled only if it was disable with the same reason. If it was disable with a different reason it will keep being disabled.

Parameters:	reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.

first_run(has_systemd=True)[source]¶

Perform the first Puppet run on a clean host without using custom wrappers.

Parameters:	has_systemd (bool, optional) -- if the host has systemd as init system.

regenerate_certificate()[source]¶

Delete the local Puppet certificate and generate a new CSR.

Returns:	a dictionary with hostnames as keys and CSR fingerprint as values.
Return type:	dict

run(timeout=300, enable_reason=None, quiet=False, failed_only=False, force=False, attempts=0, batch_size=10)[source]¶

Run Puppet.

Parameters:

timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contestually re-enable Puppet if it was disabled.
quiet (bool, optional) -- suppress Puppet output if True.
failed_only (bool, optional) -- run Puppet only if the last run failed.
force (bool, optional) -- forcely re-enable Puppet if it was disabled with ANY message.
attempts (int, optional) -- override the default number of attempts waiting that an in-flight Puppet run completes before timing out as set in run-puppet-agent.
batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.

wait()[source]¶: Wait until the next successful Puppet run is completed.

wait_since(start)[source]¶

Wait until a successful Puppet run is completed after the start time.

Parameters:	start (datetime.datetime) -- wait until a Puppet run is completed after this time.
Raises:	`spicerack.puppet.PuppetHostsCheckError` -- if unable to get a successful Puppet run within the timeout.

exception spicerack.puppet.PuppetHostsCheckError[source]¶

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for check errors in the PuppetHosts class.

exception spicerack.puppet.PuppetHostsError[source]¶

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetHosts class.

class spicerack.puppet.PuppetMaster(master_host)[source]¶

Bases: object

Class to manage nodes and certificates on a Puppet master and Puppet CA server.

__init__(master_host)[source]¶

Initialize the instance.

Parameters:	master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
Raises:	`spicerack.puppet.PuppetMasterError` -- if the master_host doesn't have only one target host.

_run_json_command(command)[source]¶

Execute and parse a Puppet CLI command that output JSON format.

The commands run are assumed to be safe as the JSON format is useful for read-only operations only.

Parameters:	command (str) -- the command to execute on the Puppet master that returns JSON output.
Returns:	the parsed JSON object.
Return type:	dict, list
Raises:	`spicerack.puppet.PuppetMasterError` -- if unable to get or parse the command output.

destroy(hostname)[source]¶

Remove the certificate for the given hostname.

If there is no certificate to remove it doesn't raise exception as the Puppet CA just outputs 'Nothing was deleted'.

Parameters:	hostname (str) -- the FQDN of the host for which to remove the certificate.

get_certificate_metadata(hostname)[source]¶

Return the metadata of the certificate of the given hostname in the Puppet CA.

Parameters:	hostname (str) -- the FQDN of the host for which to verify the certificate.
Returns:	as returned by the Puppet CA CLI with the render as JSON option set. As example: {'dns_alt_names': ['DNS:service.example.com'], 'fingerprint': '00:FF:...', 'fingerprints': { 'SHA1': '00:FF:...', 'SHA256': '00:FF:...', 'SHA512': '00:FF:...', 'default': '00:FF:...'}, 'name': 'host.example.com', 'state': 'signed'}
Return type:	dict
Raises:	`spicerack.puppet.PuppetMasterCheckError` -- if no certificate is found. `spicerack.puppet.PuppetMasterError` -- if more than one certificate is found or it has invalid data.

sign(hostname, fingerprint, allow_alt_names=False)[source]¶

Sign a CSR on the Puppet CA for the given host checking its fingerprint.

Parameters:	hostname (str) -- the FQDN of the host for which to sign the certificate. fingerprint (str) -- the fingerprint of the CSR generated on the client to verify it. allow_alt_names (bool, optional) -- whether to allow DNS alternative names in the certificate.
Raises:	`spicerack.puppet.PuppetMasterError` -- if the certificate is in an unexpected state.

verify(hostname)[source]¶

Verify that there is a valid certificate signed by the Puppet CA for the given hostname.

Parameters:	hostname (str) -- the FQDN of the host for which to verify the certificate.
Raises:	`spicerack.puppet.PuppetMasterError` -- if the certificate is not valid.

wait_for_csr(hostname)[source]¶

Poll until a CSR appears for the given hostname or the timeout is reached.

Parameters:	hostname (str) -- the FQDN of the host for which to check a CSR.
Raises:	`spicerack.puppet.PuppetMasterError` -- if the certificate is in an unexpected state. `spicerack.puppet.PuppetMasterCheckError` -- if within the timeout no CSR is found.

exception spicerack.puppet.PuppetMasterCheckError[source]¶

Bases: spicerack.exceptions.SpicerackCheckError

Custom exception class for check errors in the PuppetMaster class.

exception spicerack.puppet.PuppetMasterError[source]¶

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetMaster class.

spicerack.puppet.get_puppet_ca_hostname()[source]¶

Return the FQDN of the current Puppet CA server.

Raises:	`spicerack.puppet.PuppetMasterError` -- if unable to get the configured Puppet CA server.
Returns:	the hostname of the Puppet Certification Authority server.
Return type:	str