puppet¶

If Puppet was already disabled on a host with a different reason, the reason will not be overriden, allowing to leave Puppet disabled when re-enabling it if it was already disabled.

Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.

disabled(reason: spicerack.administrative.Reason) → Iterator[None][source]¶

Context manager to perform actions while puppet is disabled.

Parameters: reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.

enable(reason: spicerack.administrative.Reason) → None[source]¶

Enable Puppet with a specific reason, it must be the same used to disable it.

Puppet will be re-enabled only if it was disable with the same reason. If it was disable with a different reason it will keep being disabled.

Parameters: reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.

first_run(has_systemd: bool = True) → Iterator[Tuple][source]¶

Perform the first Puppet run on a clean host without using custom wrappers.

Parameters: has_systemd (bool, optional) -- if the host has systemd as init system.

get_ca_servers() → Dict[str, str][source]¶

Retrieve the ca_servers of the nodes.

Returns

The mapping from host fqdn to its configured: ca_server

Return type

Dict[str, str]

regenerate_certificate() → Dict[str, str][source]¶

Delete the local Puppet certificate and generate a new CSR.

Returns: a dictionary with hostnames as keys and CSR fingerprint as values.
Return type: dict

run(timeout: int = 300, enable_reason: Optional[spicerack.administrative.Reason] = None, quiet: bool = False, failed_only: bool = False, force: bool = False, attempts: int = 0, batch_size: int = 10) → None[source]¶

Run Puppet.

Parameters

timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contextually re-enable Puppet if it was disabled.
quiet (bool, optional) -- suppress Puppet output if True.
failed_only (bool, optional) -- run Puppet only if the last run failed.
force (bool, optional) -- forcely re-enable Puppet if it was disabled with ANY message.
attempts (int, optional) -- override the default number of attempts waiting that an in-flight Puppet run completes before timing out as set in run-puppet-agent.
batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.

wait() → None[source]¶: Wait until the next successful Puppet run is completed.

wait_since(start: datetime.datetime) → None[source]¶

Wait until a successful Puppet run is completed after the start time.

Parameters: start (datetime.datetime) -- wait until a Puppet run is completed after this time.
Raises: spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.

class spicerack.puppet.PuppetMaster(master_host: spicerack.remote.RemoteHosts)[source]¶

Bases: object

Class to manage nodes and certificates on a Puppet master and Puppet CA server.

Initialize the instance.

Parameters: master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
Raises: spicerack.puppet.PuppetMasterError -- if the master_host doesn't have only one target host.

delete(hostname: str) → None[source]¶

Remove the host from the Puppet master and PuppetDB.

Clean up signed certs, cached facts, node objects, and reports in the Puppet master, deactivate it in PuppetDB. Doesn't raise exception if the host was already removed.

Parameters: hostname (str) -- the FQDN of the host for which to remove the certificate.

destroy(hostname: str) → None[source]¶

Remove the certificate for the given hostname.

If there is no certificate to remove it doesn't raise exception as the Puppet CA just outputs 'Nothing was deleted'.

Parameters: hostname (str) -- the FQDN of the host for which to remove the certificate.

get_certificate_metadata(hostname: str) → Dict[source]¶

Return the metadata of the certificate of the given hostname in the Puppet CA.

Parameters

hostname (str) -- the FQDN of the host for which to verify the certificate.

Returns

as returned by the Puppet CA CLI with the render as JSON option set. As example:

{
    'dns_alt_names': ['DNS:service.example.com'],
    'fingerprint': '00:FF:...',
    'fingerprints': {
        'SHA1': '00:FF:...',
        'SHA256': '00:FF:...',
        'SHA512': '00:FF:...',
        'default': '00:FF:...',
    },
    'name': 'host.example.com',
    'state': 'signed',
}

Return type

dict

Raises

spicerack.puppet.PuppetMasterCheckError -- if no certificate is found.
spicerack.puppet.PuppetMasterError -- if more than one certificate is found or it has invalid data.

sign(hostname: str, fingerprint: str, allow_alt_names: bool = False) → None[source]¶

Sign a CSR on the Puppet CA for the given host checking its fingerprint.

Parameters

hostname (str) -- the FQDN of the host for which to sign the certificate.
fingerprint (str) -- the fingerprint of the CSR generated on the client to verify it.
allow_alt_names (bool, optional) -- whether to allow DNS alternative names in the certificate.

Raises

spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.

verify(hostname: str) → None[source]¶

Verify that there is a valid certificate signed by the Puppet CA for the given hostname.

Parameters: hostname (str) -- the FQDN of the host for which to verify the certificate.
Raises: spicerack.puppet.PuppetMasterError -- if the certificate is not valid.

wait_for_csr(hostname: str) → None[source]¶

Poll until a CSR appears for the given hostname or the timeout is reached.

Parameters

hostname (str) -- the FQDN of the host for which to check a CSR.

Raises

spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
spicerack.puppet.PuppetMasterCheckError -- if within the timeout no CSR is found.

property master_host: spicerack.remote.RemoteHosts¶: Accessor for the master_host property.

spicerack.puppet.get_puppet_ca_hostname() → str[source]¶

Return the FQDN of the current Puppet CA server.

Raises: spicerack.puppet.PuppetMasterError -- if unable to get the configured Puppet CA server.
Returns: the hostname of the Puppet Certification Authority server.
Return type: str