puppet¶
Puppet module.
- exception spicerack.puppet.PuppetHostsCheckError[source]¶
Bases:
SpicerackCheckError
Custom base exception class for check errors in the PuppetHosts class.
- exception spicerack.puppet.PuppetHostsError[source]¶
Bases:
SpicerackError
Custom base exception class for errors in the PuppetHosts class.
- exception spicerack.puppet.PuppetServerCheckError[source]¶
Bases:
SpicerackCheckError
Custom exception class for check errors in the PuppetMaster class.
- exception spicerack.puppet.PuppetServerError[source]¶
Bases:
SpicerackError
Custom base exception class for errors in the PuppetMaster class.
- class spicerack.puppet.PuppetHosts(remote_hosts: spicerack.remote.RemoteHosts) None [source]¶
Bases:
RemoteHostsAdapter
Class to manage Puppet on the target hosts.
Initialize the instance.
- Parameters:
remote_hosts (
spicerack.remote.RemoteHosts
) -- the instance to act on the remote hosts.
- check_disabled() None [source]¶
Check if Puppet is disabled on all hosts.
- Raises:
spicerack.puppet.PuppetHostsCheckError -- if Puppet is enabled on some hosts.
- Return type:
- check_enabled() None [source]¶
Check if Puppet is enabled on all hosts.
- Raises:
spicerack.puppet.PuppetHostsCheckError -- if Puppet is disabled on some hosts.
- Return type:
- disable(reason: spicerack.administrative.Reason, verbatim_reason: bool = False) None [source]¶
Disable puppet with a specific reason.
If Puppet was already disabled on a host with a different reason, the reason will not be overriden, allowing to leave Puppet disabled when re-enabling it if it was already disabled.
- Parameters:
reason (
spicerack.administrative.Reason
) -- the reason to set for the Puppet disable.verbatim_reason (
bool
, default:False
) -- if true use the reason value verbatim.
- Return type:
- disabled(reason: spicerack.administrative.Reason, verbatim_reason: bool = False) collections.abc.Iterator[None] [source]¶
Context manager to perform actions while puppet is disabled.
- Parameters:
reason (
spicerack.administrative.Reason
) -- the reason to set for the Puppet disable and to use for the Puppet enable.verbatim_reason (
bool
, default:False
) -- if true use the reason value verbatim.
- Return type:
- enable(reason: spicerack.administrative.Reason, verbatim_reason: bool = False) None [source]¶
Enable Puppet with a specific reason, it must be the same used to disable it.
Puppet will be re-enabled only if it was disable with the same reason. If it was disable with a different reason it will keep being disabled.
- Parameters:
reason (
spicerack.administrative.Reason
) -- the reason to use for the Puppet enable.verbatim_reason (
bool
, default:False
) -- if true use the reason value verbatim.
- Return type:
- first_run(has_systemd: bool = True) collections.abc.Iterator[tuple] [source]¶
Perform the first Puppet run on a clean host without using custom wrappers.
- Parameters:
has_systemd (
bool
, default:True
) -- if the host has systemd as init system.- Return type:
- get_config(config: str, *, section: str = 'agent') dict[str, str] [source]¶
Retrieve the ca_servers for each node.
- regenerate_certificate() dict[str, str] [source]¶
Delete the local Puppet certificate and generate a new CSR.
- run(timeout: int = 300, enable_reason: spicerack.administrative.Reason | None = None, quiet: bool = False, failed_only: bool = False, force: bool = False, attempts: int = 0, batch_size: int = 10) None [source]¶
Run Puppet.
- Parameters:
timeout (
int
, default:300
) -- the timeout in seconds to set in Cumin for the execution of the command.enable_reason (
typing.Optional
[spicerack.administrative.Reason
], default:None
) -- the reason to use to contextually re-enable Puppet if it was disabled.quiet (
bool
, default:False
) -- suppress Puppet output if True.failed_only (
bool
, default:False
) -- run Puppet only if the last run failed.force (
bool
, default:False
) -- forcely re-enable Puppet if it was disabled with ANY message.attempts (
int
, default:0
) -- override the default number of attempts waiting that an in-flight Puppet run completes before timing out as set in run-puppet-agent.batch_size (
int
, default:10
) -- how many concurrent Puppet runs to perform. The default value is tailored to not overload the Puppet masters.
- Return type:
- wait_since(start: datetime.datetime) None [source]¶
Wait until a successful Puppet run is completed after the start time.
- Parameters:
start (
datetime.datetime
) -- wait until a Puppet run is completed after this time.- Raises:
spicerack.puppet.PuppetHostsCheckError -- if unable to get a successful Puppet run within the timeout.
- Return type:
- class spicerack.puppet.PuppetMaster(server_host: spicerack.remote.RemoteHosts) None [source]¶
Bases:
PuppetServer
Class to manage nodes and certificates on a Puppet master and Puppet CA server.
Initialize the instance.
- Parameters:
server_host (
spicerack.remote.RemoteHosts
) -- the remote hosts instance for the Puppetserver and Puppet CA server. It must have only one target host.- Raises:
spicerack.puppet.PuppetServerError -- if the server_host doesn't have only one target host.
- destroy(hostname: str) None [source]¶
Remove the certificate for the given hostname.
If there is no certificate to remove it doesn't raise exception as the Puppet CA just outputs 'Nothing was deleted'.
- get_certificate_metadata(hostname: str) dict [source]¶
Return the metadata of the certificate of the given hostname in the Puppet CA.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to verify the certificate.- Return type:
- Returns:
As returned by the Puppet CA CLI with the render as JSON option set. As example:
{ 'dns_alt_names': ['DNS:service.example.com'], 'fingerprint': '00:FF:...', 'fingerprints': { 'SHA1': '00:FF:...', 'SHA256': '00:FF:...', 'SHA512': '00:FF:...', 'default': '00:FF:...', }, 'name': 'host.example.com', 'state': 'signed', }
- Raises:
spicerack.puppet.PuppetServerCheckError -- if no certificate is found.
spicerack.puppet.PuppetServerError -- if more than one certificate is found or it has invalid data.
- sign(hostname: str, fingerprint: str) None [source]¶
Sign a CSR on the Puppet CA for the given host checking its fingerprint.
- Parameters:
- Raises:
spicerack.puppet.PuppetServerError -- if the certificate is in an unexpected state.
- Return type:
- verify(hostname: str) None [source]¶
Verify that there is a valid certificate signed by the Puppet CA for the given hostname.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to verify the certificate.- Raises:
spicerack.puppet.PuppetServerError -- if the certificate is not valid.
- Return type:
- property master_host: RemoteHosts¶
Accessor for the master_host property.
- class spicerack.puppet.PuppetServer(server_host: spicerack.remote.RemoteHosts) None [source]¶
Bases:
RemoteHostsAdapter
Class to manage nodes and certificates on a Puppet server and Puppet CA server.
Initialize the instance.
- Parameters:
server_host (
spicerack.remote.RemoteHosts
) -- the remote hosts instance for the Puppetserver and Puppet CA server. It must have only one target host.- Raises:
spicerack.puppet.PuppetServerError -- if the server_host doesn't have only one target host.
- delete(hostname: str) None [source]¶
Remove the host from the Puppet server and PuppetDB.
Clean up signed certs, cached facts, node objects, and reports in the Puppet server, deactivate it in PuppetDB. Doesn't raise exception if the host was already removed.
- destroy(hostname: str) None [source]¶
Remove the certificate for the given hostname.
If there is no certificate to remove it doesn't raise exception.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to remove the certificate.- Raises:
spicerack.remote.RemoteExecutionError -- if unable to destroy the certificate.
- Return type:
- get_certificate_metadata(hostname: str) dict [source]¶
Return the metadata of the certificate of the given hostname in the Puppet CA.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to verify the certificate.- Return type:
- Returns:
As returned by the Puppet CA CLI with the render as JSON option set. As example:
{ 'dns_alt_names': ['DNS:service.example.com'], 'fingerprint': '00:FF:...', 'fingerprints': { 'SHA1': '00:FF:...', 'SHA256': '00:FF:...', 'SHA512': '00:FF:...', 'default': '00:FF:...', }, 'name': 'host.example.com', 'state': 'signed', }
- Raises:
spicerack.puppet.PuppetServerCheckError -- if no certificate is found.
spicerack.puppet.PuppetServerError -- if more than one certificate is found or it has invalid data.
- sign(hostname: str, fingerprint: str) None [source]¶
Sign a CSR on the Puppet CA for the given host checking its fingerprint.
- Parameters:
- Raises:
spicerack.puppet.PuppetServerError -- if the certificate is in an unexpected state.
- Return type:
- verify(hostname: str) None [source]¶
Verify that there is a valid certificate signed by the Puppet CA for the given hostname.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to verify the certificate.- Raises:
spicerack.puppet.PuppetServerError -- if the certificate is not valid.
- Return type:
- wait_for_csr(hostname: str) None [source]¶
Poll until a CSR appears for the given hostname or the timeout is reached.
- Parameters:
hostname (
str
) -- the FQDN of the host for which to check a CSR.- Raises:
spicerack.puppet.PuppetServerError -- if the certificate is in an unexpected state.
spicerack.puppet.PuppetServerCheckError -- if within the timeout no CSR is found.
- Return type:
- property server_host: RemoteHosts¶
Accessor for the server_host property.
- spicerack.puppet.get_ca_via_srv_record(domain: str) str [source]¶
Lookup the CA Server via the domain srv record.
- Return type:
- spicerack.puppet.get_puppet_ca_hostname() str [source]¶
Return the FQDN of the current Puppet CA server.
- Raises:
spicerack.puppet.PuppetServerError -- if unable to get the configured Puppet CA server.
- Return type: