puppet
Puppet module.
- exception spicerack.puppet.PuppetHostsCheckError
Bases:
spicerack.exceptions.SpicerackCheckError
Custom base exception class for check errors in the PuppetHosts class.
- exception spicerack.puppet.PuppetHostsError
Bases:
spicerack.exceptions.SpicerackError
Custom base exception class for errors in the PuppetHosts class.
- exception spicerack.puppet.PuppetMasterCheckError
Bases:
spicerack.exceptions.SpicerackCheckError
Custom exception class for check errors in the PuppetMaster class.
- exception spicerack.puppet.PuppetMasterError
Bases:
spicerack.exceptions.SpicerackError
Custom base exception class for errors in the PuppetMaster class.
- class spicerack.puppet.PuppetHosts(remote_hosts: spicerack.remote.RemoteHosts)
Bases:
spicerack.remote.RemoteHostsAdapter
Class to manage Puppet on the target hosts.
Initialize the instance.
- Parameters
remote_hosts (spicerack.remote.RemoteHosts) -- the instance to act on the remote hosts.
- check_disabled() -> None
Check if Puppet is disabled on all hosts.
- Raises
spicerack.puppet.PuppetHostsCheckError -- if Puppet is enabled on some hosts.
- check_enabled() -> None
Check if Puppet is enabled on all hosts.
- Raises
spicerack.puppet.PuppetHostsCheckError -- if Puppet is disabled on some hosts.
- disable(reason: spicerack.administrative.Reason) -> None
Disable Puppet with a specific reason.
If Puppet was already disabled on a host with a different reason, the reason will not be overridden, which allows Puppet to be left disabled when re-enabling it if it was already disabled.
- Parameters
reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable.
- disabled(reason: spicerack.administrative.Reason) -> Iterator[None]
Context manager to perform actions while Puppet is disabled.
- Parameters
reason (spicerack.administrative.Reason) -- the reason to set for the Puppet disable and to use for the Puppet enable.
- enable(reason: spicerack.administrative.Reason) -> None
Enable Puppet with a specific reason; it must be the same reason used to disable it.
Puppet will be re-enabled only if it was disabled with the same reason. If it was disabled with a different reason it will stay disabled.
- Parameters
reason (spicerack.administrative.Reason) -- the reason to use for the Puppet enable.
- first_run(has_systemd: bool = True) -> Iterator[Tuple]
Perform the first Puppet run on a clean host without using custom wrappers.
- Parameters
has_systemd (bool, optional) -- if the host has systemd as init system.
- regenerate_certificate() -> Dict[str, str]
Delete the local Puppet certificate and generate a new CSR.
- Returns
a dictionary with hostnames as keys and CSR fingerprint as values.
- Return type
- run(timeout: int = 300, enable_reason: Optional[spicerack.administrative.Reason] = None, quiet: bool = False, failed_only: bool = False, force: bool = False, attempts: int = 0, batch_size: int = 10) -> None
Run Puppet.
- Parameters
timeout (int, optional) -- the timeout in seconds to set in Cumin for the execution of the command.
enable_reason (spicerack.administrative.Reason, optional) -- the reason to use to contextually re-enable Puppet if it was disabled.
quiet (bool, optional) -- suppress Puppet output if True.
failed_only (bool, optional) -- run Puppet only if the last run failed.
force (bool, optional) -- forcibly re-enable Puppet if it was disabled with ANY message.
attempts (int, optional) -- override the default number of attempts, as set in run-puppet-agent, to wait for an in-flight Puppet run to complete before timing out.
batch_size (int, optional) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.
- wait_since(start: datetime.datetime) -> None
Wait until a successful Puppet run is completed after the start time.
- Parameters
start (datetime.datetime) -- wait until a Puppet run is completed after this time.
- Raises
spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.
- class spicerack.puppet.PuppetMaster(master_host: spicerack.remote.RemoteHosts)
Bases:
object
Class to manage nodes and certificates on a Puppet master and Puppet CA server.
Initialize the instance.
- Parameters
master_host (spicerack.remote.RemoteHosts) -- the remote hosts instance for the Puppetmaster and Puppet CA server. It must have only one target host.
- Raises
spicerack.puppet.PuppetMasterError -- if the master_host doesn't have only one target host.
- delete(hostname: str) -> None
Remove the host from the Puppet master and PuppetDB.
Clean up signed certs, cached facts, node objects, and reports in the Puppet master, and deactivate the host in PuppetDB. Doesn't raise an exception if the host was already removed.
- Parameters
hostname (str) -- the FQDN of the host for which to remove the certificate.
- destroy(hostname: str) -> None
Remove the certificate for the given hostname.
If there is no certificate to remove, no exception is raised, as the Puppet CA just outputs 'Nothing was deleted'.
- Parameters
hostname (str) -- the FQDN of the host for which to remove the certificate.
- get_certificate_metadata(hostname: str) -> Dict
Return the metadata of the certificate of the given hostname in the Puppet CA.
- Parameters
hostname (str) -- the FQDN of the host for which to verify the certificate.
- Returns
as returned by the Puppet CA CLI with the render as JSON option set. For example:
    {
        'dns_alt_names': ['DNS:service.example.com'],
        'fingerprint': '00:FF:...',
        'fingerprints': {
            'SHA1': '00:FF:...',
            'SHA256': '00:FF:...',
            'SHA512': '00:FF:...',
            'default': '00:FF:...',
        },
        'name': 'host.example.com',
        'state': 'signed',
    }
- Return type
- Raises
spicerack.puppet.PuppetMasterCheckError -- if no certificate is found.
spicerack.puppet.PuppetMasterError -- if more than one certificate is found or it has invalid data.
- sign(hostname: str, fingerprint: str, allow_alt_names: bool = False) -> None
Sign a CSR on the Puppet CA for the given host checking its fingerprint.
- Parameters
- Raises
spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
- verify(hostname: str) -> None
Verify that there is a valid certificate signed by the Puppet CA for the given hostname.
- Parameters
hostname (str) -- the FQDN of the host for which to verify the certificate.
- Raises
spicerack.puppet.PuppetMasterError -- if the certificate is not valid.
- wait_for_csr(hostname: str) -> None
Poll until a CSR appears for the given hostname or the timeout is reached.
- Parameters
hostname (str) -- the FQDN of the host for which to check a CSR.
- Raises
spicerack.puppet.PuppetMasterError -- if the certificate is in an unexpected state.
spicerack.puppet.PuppetMasterCheckError -- if within the timeout no CSR is found.
- property master_host: spicerack.remote.RemoteHosts
Accessor for the master_host property.
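The pre-sign check implied by sign() (fingerprint match, expected state, alt names only when allowed), run over the metadata shape documented for get_certificate_metadata(). This is an added example, not spicerack's own code: the names check_csr_before_sign, CsrCheckError and CSR_PENDING_STATE are hypothetical, the 'requested' state value is an assumption (the page only shows 'signed'), and treating the host's own DNS name as not an extra alt name is a choice made here.

```python
# Assumption: "requested" is the state the Puppet CA reports for a pending CSR;
# the sample on this page only shows 'signed'.
CSR_PENDING_STATE = "requested"


class CsrCheckError(Exception):
    """Hypothetical error: the pending CSR must not be signed."""


def normalize(fingerprint):
    # Fingerprints are colon-separated hex; compare them case-insensitively.
    return fingerprint.strip().upper()


def check_csr_before_sign(metadata, hostname, fingerprint, allow_alt_names=False):
    """Validate CA metadata for hostname before its CSR is signed."""
    name = metadata.get("name")
    if name != hostname:
        raise CsrCheckError(f"metadata is for {name!r}, not {hostname!r}")
    state = metadata.get("state")
    if state != CSR_PENDING_STATE:
        raise CsrCheckError(f"unexpected state {state!r} for {hostname}")
    reported = metadata.get("fingerprint")
    if not isinstance(reported, str) or normalize(reported) != normalize(fingerprint):
        raise CsrCheckError(f"CSR fingerprint mismatch for {hostname}")
    # Any alt name other than the host's own name widens what the cert can
    # impersonate, so it has to be explicitly allowed by the caller.
    alt_names = metadata.get("dns_alt_names") or []
    extra = [alt for alt in alt_names if alt != f"DNS:{hostname}"]
    if extra and not allow_alt_names:
        raise CsrCheckError(f"CSR for {hostname} requests alt names: {extra}")
    return True


# Constructed sample following the metadata shape shown on this page.
SAMPLE_CSR = {
    "dns_alt_names": ["DNS:service.example.com"],
    "fingerprint": "AA:BB:CC:DD",
    "fingerprints": {"SHA256": "AA:BB:CC:DD", "default": "AA:BB:CC:DD"},
    "name": "host.example.com",
    "state": CSR_PENDING_STATE,
}

if __name__ == "__main__":
    print(check_csr_before_sign(SAMPLE_CSR, "host.example.com", "aa:bb:cc:dd",
                                allow_alt_names=True))
```

The fingerprint passed in should be the one returned for that host by regenerate_certificate(), so the CSR being signed is the one the host actually generated.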
- spicerack.puppet.get_puppet_ca_hostname() -> str
Return the FQDN of the current Puppet CA server.
- Raises
spicerack.puppet.PuppetMasterError -- if unable to get the configured Puppet CA server.
- Returns
the hostname of the Puppet Certification Authority server.
- Return type