puppet

Puppet module.

class spicerack.puppet.PuppetHosts(remote_hosts)[source]

Bases: spicerack.remote.RemoteHostsAdapter

Class to manage Puppet on the target hosts.

Initialize the instance.

Parameters:remote_hosts (spicerack.remote.RemoteHosts) -- the instance to act on the remote hosts.
check_disabled()[source]

Check if Puppet is disabled on all hosts.

Raises:spicerack.puppet.PuppetHostsCheckError -- if Puppet is enabled on some hosts.
check_enabled()[source]

Check if Puppet is enabled on all hosts.

Raises:spicerack.puppet.PuppetHostsCheckError -- if Puppet is disabled on some hosts.
disable(reason)[source]

Disable puppet with a specific reason.

If Puppet was already disabled on a host with a different reason, that reason will not be overridden, so Puppet is left disabled on that host when re-enabling it.

Parameters:reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.
disabled(reason)[source]

Context manager to perform actions while puppet is disabled.

Parameters:reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.
enable(reason)[source]

Enable Puppet with a specific reason; it must be the same reason used to disable it.

Puppet will be re-enabled only if it was disabled with the same reason. If it was disabled with a different reason, it will remain disabled.

Parameters:reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.
first_run(has_systemd=True)[source]

Perform the first Puppet run on a clean host without using custom wrappers.

Parameters:has_systemd (bool, optional) -- if the host has systemd as init system.
regenerate_certificate()[source]

Delete the local Puppet certificate and generate a new CSR.

Returns:a dictionary with hostnames as keys and CSR fingerprints as values.
Return type:dict
run(timeout=300, enable_reason=None, quiet=False, failed_only=False, force=False, attempts=0, batch_size=10)[source]

Run Puppet.

Parameters:
  • timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
  • enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contextually re-enable Puppet if it was disabled.
  • quiet (bool, optional) -- suppress Puppet output if True.
  • failed_only (bool, optional) -- run Puppet only if the last run failed.
  • force (bool, optional) -- forcibly re-enable Puppet if it was disabled with ANY message.
  • attempts (int, optional) -- override the default number of attempts, as set in run-puppet-agent, to wait for an in-flight Puppet run to complete before timing out.
  • batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.
wait()[source]

Wait until the next successful Puppet run is completed.

wait_since(start)[source]

Wait until a successful Puppet run is completed after the start time.

Parameters:start (datetime.datetime) -- wait until a Puppet run is completed after this time.
Raises:spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.
exception spicerack.puppet.PuppetHostsCheckError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for check errors in the PuppetHosts class.

exception spicerack.puppet.PuppetHostsError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetHosts class.

class spicerack.puppet.PuppetMaster(master_host)[source]

Bases: object

Class to manage nodes and certificates on a Puppet master and Puppet CA server.

Initialize the instance.

Parameters:master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
Raises:spicerack.puppet.PuppetMasterError -- if the master_host doesn't have only one target host.
delete(hostname)[source]

Remove the host from the Puppet master and PuppetDB.

Clean up signed certs, cached facts, node objects, and reports in the Puppet master, and deactivate the host in PuppetDB. Doesn't raise an exception if the host was already removed.

Parameters:hostname (str) -- the FQDN of the host for which to remove the certificate.
destroy(hostname)[source]

Remove the certificate for the given hostname.

If there is no certificate to remove, no exception is raised, as the Puppet CA just outputs 'Nothing was deleted'.

Parameters:hostname (str) -- the FQDN of the host for which to remove the certificate.
get_certificate_metadata(hostname)[source]

Return the metadata of the certificate of the given hostname in the Puppet CA.

Parameters:hostname (str) -- the FQDN of the host for which to verify the certificate.
Returns:the metadata as returned by the Puppet CA CLI with the render-as-JSON option set. For example:

{
    'dns_alt_names': ['DNS:service.example.com'],
    'fingerprint': '00:FF:...',
    'fingerprints': {
        'SHA1': '00:FF:...',
        'SHA256': '00:FF:...',
        'SHA512': '00:FF:...',
        'default': '00:FF:...',
    },
    'name': 'host.example.com',
    'state': 'signed',
}

Return type:dict

Raises:
sign(hostname, fingerprint, allow_alt_names=False)[source]

Sign a CSR on the Puppet CA for the given host checking its fingerprint.

Parameters:
  • hostname (str) -- the FQDN of the host for which to sign the certificate.
  • fingerprint (str) -- the fingerprint of the CSR generated on the client to verify it.
  • allow_alt_names (bool, optional) -- whether to allow DNS alternative names in the certificate.
Raises:spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
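
A pre-signing check over a dict of the shape shown for get_certificate_metadata(), compared against the CSR fingerprint obtained on the client (as returned by regenerate_certificate()). This is an added example, not spicerack code: the names csr_problems and normalize_fingerprint, the 'requested' state value and the shortened sample fingerprint are assumptions made for illustration.

```python
# Added example, not spicerack code: checks a metadata dict shaped like the
# get_certificate_metadata() sample before its CSR is signed.


def normalize_fingerprint(value):
    """Strip whitespace and uppercase a colon-separated hex fingerprint."""
    return value.strip().upper()


def csr_problems(metadata, hostname, client_fingerprint, allowed_alt_names=()):
    """Return the reasons not to sign; an empty list means every check passed."""
    problems = []
    if metadata.get('name') != hostname:
        problems.append('name mismatch: {!r}'.format(metadata.get('name')))
    # Assumption: a CSR waiting to be signed is reported with state 'requested'.
    if metadata.get('state') != 'requested':
        problems.append('unexpected state: {!r}'.format(metadata.get('state')))
    # The fingerprint computed on the client must match what the CA received,
    # otherwise the pending CSR is not the one the host generated.
    ca_fp = normalize_fingerprint(metadata.get('fingerprint', ''))
    if not ca_fp or normalize_fingerprint(client_fingerprint) != ca_fp:
        problems.append('fingerprint mismatch')
    # Alternative names widen what the certificate can identify as, so each
    # one must be approved explicitly; the host's own FQDN is always accepted.
    allowed = {'DNS:' + hostname} | {'DNS:' + name for name in allowed_alt_names}
    extra = sorted(set(metadata.get('dns_alt_names', [])) - allowed)
    if extra:
        problems.append('unapproved alt names: ' + ', '.join(extra))
    return problems


# Constructed sample: same keys as the documented output, shortened fingerprint.
SAMPLE_CSR = {
    'dns_alt_names': ['DNS:service.example.com'],
    'fingerprint': 'AB:CD:EF:01',
    'fingerprints': {'SHA256': 'AB:CD:EF:01', 'default': 'AB:CD:EF:01'},
    'name': 'host.example.com',
    'state': 'requested',
}

if __name__ == '__main__':
    # Alt name not approved: reported as a reason not to sign.
    print(csr_problems(SAMPLE_CSR, 'host.example.com', 'ab:cd:ef:01'))
    # Alt name approved and fingerprint matches: nothing to report.
    print(csr_problems(SAMPLE_CSR, 'host.example.com', 'ab:cd:ef:01',
                       ['service.example.com']))
```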

verify(hostname)[source]

Verify that there is a valid certificate signed by the Puppet CA for the given hostname.

Parameters:hostname (str) -- the FQDN of the host for which to verify the certificate.
Raises:spicerack.puppet.PuppetMasterError -- if the certificate is not valid.
wait_for_csr(hostname)[source]

Poll until a CSR appears for the given hostname or the timeout is reached.

Parameters:hostname (str) -- the FQDN of the host for which to check a CSR.

Raises:
exception spicerack.puppet.PuppetMasterCheckError[source]

Bases: spicerack.exceptions.SpicerackCheckError

Custom exception class for check errors in the PuppetMaster class.

exception spicerack.puppet.PuppetMasterError[source]

Bases: spicerack.exceptions.SpicerackError

Custom base exception class for errors in the PuppetMaster class.

spicerack.puppet.get_puppet_ca_hostname()[source]

Return the FQDN of the current Puppet CA server.

Raises:spicerack.puppet.PuppetMasterError -- if unable to get the configured Puppet CA server.
Returns:the hostname of the Puppet Certification Authority server.
Return type:str