Class: Puppet::Application::Agent

Inherits:

Puppet::Application

• Object
• Puppet::Application
• Puppet::Application::Agent

Defined in:

lib/puppet/application/agent.rb

Constant Summary

Constants inherited from Puppet::Application

DOCPATTERN, SHOULD_PARSE_CONFIG_DEPRECATION_MSG

Constants included from Util

Util::AbsolutePathPosix, Util::AbsolutePathWindows, Util::DEFAULT_POSIX_MODE, Util::DEFAULT_WINDOWS_MODE

Constants included from Util::POSIX

Util::POSIX::LOCALE_ENV_VARS, Util::POSIX::USER_ENV_VARS

Constants included from Util::SymbolicFileMode

Util::SymbolicFileMode::SetGIDBit, Util::SymbolicFileMode::SetUIDBit, Util::SymbolicFileMode::StickyBit, Util::SymbolicFileMode::SymbolicMode, Util::SymbolicFileMode::SymbolicSpecialToBit

Instance Attribute Summary

Attributes inherited from Puppet::Application

#command_line, #options

Instance Method Summary

• #app_defaults ⇒ Object
• #fingerprint ⇒ Object
• #help ⇒ Object
• #main(daemon) ⇒ Object
• #onetime(daemon) ⇒ Object
• #preinit ⇒ Object
• #run_command ⇒ Object
• #setup ⇒ Object
• #setup_test ⇒ Object

  Enable all of the most common test options.

Methods inherited from Puppet::Application

[], available_application_names, banner, clear!, clear?, clear_everything_for_tests, #configure_indirector_routes, controlled_run, exit, find, #handle_logdest_arg, #handlearg, #initialize, #initialize_app_defaults, interrupted?, #log_runtime_environment, #name, option, option_parser_commands, #parse_options, restart!, restart_requested?, #run, run_mode, #set_log_level, #setup_logs, should_not_parse_config, should_parse_config, should_parse_config?, stop!, stop_requested?, try_load_class

Methods included from Util

absolute_path?, activerecord_version, benchmark, binread, chuser, classproxy, deterministic_rand, execfail, execpipe, execute, exit_on_fail, logmethods, memory, path_to_uri, pretty_backtrace, proxy, replace_file, safe_posix_fork, symbolizehash, thinmark, uri_to_path, which, withenv, withumask

Methods included from Util::POSIX

#get_posix_field, #gid, #idfield, #methodbyid, #methodbyname, #search_posix_field, #uid

Methods included from Util::SymbolicFileMode

#normalize_symbolic_mode, #symbolic_mode_to_int, #valid_symbolic_mode?

Constructor Details

This class inherits a constructor from Puppet::Application

Instance Method Details

#app_defaults ⇒ Object

# File 'lib/puppet/application/agent.rb', line 10

def app_defaults
  super.merge({
    :catalog_terminus => :rest,
    :catalog_cache_terminus => :json,
    :node_terminus => :rest,
    :facts_terminus => :facter,
  })
end

#fingerprint ⇒ Object

# File 'lib/puppet/application/agent.rb', line 334

def fingerprint
  host = Puppet::SSL::Host.new
  unless cert = host.certificate || host.certificate_request
    $stderr.puts "Fingerprint asked but no certificate nor certificate request have yet been issued"
    exit(1)
    return
  end
  unless digest = cert.digest(options[:digest].to_s)
    raise ArgumentError, "Could not get fingerprint for digest '#{options[:digest]}'"
  end
  puts digest.to_s
end

#help ⇒ Object

# File 'lib/puppet/application/agent.rb', line 77

def help
  "\npuppet-agent(8) -- The puppet agent daemon\n========\n\nSYNOPSIS\n--------\nRetrieves the client configuration from the puppet master and applies it to\nthe local host.\n\nThis service may be run as a daemon, run periodically using cron (or something\nsimilar), or run interactively for testing purposes.\n\n\nUSAGE\n-----\npuppet agent [--certname <NAME>] [-D|--daemonize|--no-daemonize]\n[-d|--debug] [--detailed-exitcodes] [--digest <DIGEST>] [--disable [MESSAGE]] [--enable]\n[--fingerprint] [-h|--help] [-l|--logdest syslog|eventlog|<FILE>|console]\n[--masterport <PORT>] [--no-client] [--noop] [-o|--onetime] [-t|--test]\n[-v|--verbose] [-V|--version] [-w|--waitforcert <SECONDS>]\n\n\nDESCRIPTION\n-----------\nThis is the main puppet client. Its job is to retrieve the local\nmachine's configuration from a remote server and apply it. In order to\nsuccessfully communicate with the remote server, the client must have a\ncertificate signed by a certificate authority that the server trusts;\nthe recommended method for this, at the moment, is to run a certificate\nauthority as part of the puppet server (which is the default). The\nclient will connect and request a signed certificate, and will continue\nconnecting until it receives one.\n\nOnce the client has a signed certificate, it will retrieve its\nconfiguration and apply it.\n\n\nUSAGE NOTES\n-----------\n'puppet agent' does its best to find a compromise between interactive\nuse and daemon use. Run with no arguments and no configuration, it will\ngo into the background, attempt to get a signed certificate, and retrieve\nand apply its configuration every 30 minutes.\n\nSome flags are meant specifically for interactive use -- in particular,\n'test', 'tags' or 'fingerprint' are useful. 'test' enables verbose\nlogging, causes the daemon to stay in the foreground, exits if the\nserver's configuration is invalid (this happens if, for instance, you've\nleft a syntax error on the server), and exits after running the\nconfiguration once (rather than hanging around as a long-running\nprocess).\n\n'tags' allows you to specify what portions of a configuration you want\nto apply. Puppet elements are tagged with all of the class or definition\nnames that contain them, and you can use the 'tags' flag to specify one\nof these names, causing only configuration elements contained within\nthat class or definition to be applied. This is very useful when you are\ntesting new configurations -- for instance, if you are just starting to\nmanage 'ntpd', you would put all of the new elements into an 'ntpd'\nclass, and call puppet with '--tags ntpd', which would only apply that\nsmall portion of the configuration during your testing, rather than\napplying the whole thing.\n\n'fingerprint' is a one-time flag. In this mode 'puppet agent' will run\nonce and display on the console (and in the log) the current certificate\n(or certificate request) fingerprint. Providing the '--digest' option\nallows to use a different digest algorithm to generate the fingerprint.\nThe main use is to verify that before signing a certificate request on\nthe master, the certificate request the master received is the same as\nthe one the client sent (to prevent against man-in-the-middle attacks\nwhen signing certificates).\n\n\nOPTIONS\n-------\n\nNote that any Puppet setting that's valid in the configuration file is also a\nvalid long argument. For example, 'server' is a valid setting, so you can\nspecify '--server <servername>' as an argument. Boolean settings translate into\n'--setting' and '--no-setting' pairs.\n\nSee the configuration file documentation at\nhttp://docs.puppetlabs.com/references/stable/configuration.html for the\nfull list of acceptable settings. A commented list of all settings can also be\ngenerated by running puppet agent with '--genconfig'.\n\n* --certname:\nSet the certname (unique ID) of the client. The master reads this\nunique identifying string, which is usually set to the node's\nfully-qualified domain name, to determine which configurations the\nnode will receive. Use this option to debug setup problems or\nimplement unusual node identification schemes.\n(This is a Puppet setting, and can go in puppet.conf.)\n\n* --daemonize:\nSend the process into the background. This is the default.\n(This is a Puppet setting, and can go in puppet.conf. Note the special 'no-'\nprefix for boolean settings on the command line.)\n\n* --no-daemonize:\nDo not send the process into the background.\n(This is a Puppet setting, and can go in puppet.conf. Note the special 'no-'\nprefix for boolean settings on the command line.)\n\n* --debug:\nEnable full debugging.\n\n* --detailed-exitcodes:\nProvide transaction information via exit codes. If this is enabled, an exit\ncode of '2' means there were changes, an exit code of '4' means there were\nfailures during the transaction, and an exit code of '6' means there were both\nchanges and failures.\n\n* --digest:\nChange the certificate fingerprinting digest algorithm. The default is\nSHA256. Valid values depends on the version of OpenSSL installed, but\nwill likely contain MD5, MD2, SHA1 and SHA256.\n\n* --disable:\nDisable working on the local system. This puts a lock file in place,\ncausing 'puppet agent' not to work on the system until the lock file\nis removed. This is useful if you are testing a configuration and do\nnot want the central configuration to override the local state until\neverything is tested and committed.\n\nDisable can also take an optional message that will be reported by the\n'puppet agent' at the next disabled run.\n\n'puppet agent' uses the same lock file while it is running, so no more\nthan one 'puppet agent' process is working at a time.\n\n'puppet agent' exits after executing this.\n\n* --enable:\nEnable working on the local system. This removes any lock file,\ncausing 'puppet agent' to start managing the local system again\n(although it will continue to use its normal scheduling, so it might\nnot start for another half hour).\n\n'puppet agent' exits after executing this.\n\n* --fingerprint:\nDisplay the current certificate or certificate signing request\nfingerprint and then exit. Use the '--digest' option to change the\ndigest algorithm used.\n\n* --help:\nPrint this help message\n\n* --logdest:\nWhere to send log messages. Choose between 'syslog' (the POSIX syslog\nservice), 'eventlog' (the Windows Event Log), 'console', or the path to a log\nfile. If debugging or verbosity is enabled, this defaults to 'console'.\nOtherwise, it defaults to 'syslog' on POSIX systems and 'eventlog' on Windows.\n\nA path ending with '.json' will receive structured output in JSON format. The\nlog file will not have an ending ']' automatically written to it due to the\nappending nature of logging. It must be appended manually to make the content\nvalid JSON.\n\n* --masterport:\nThe port on which to contact the puppet master.\n(This is a Puppet setting, and can go in puppet.conf.)\n\n* --no-client:\nDo not create a config client. This will cause the daemon to start\nbut not check configuration unless it is triggered with `puppet\nkick`. This only makes sense when puppet agent is being run with\nlisten = true in puppet.conf or was started with the `--listen` option.\n\n* --noop:\nUse 'noop' mode where the daemon runs in a no-op or dry-run mode. This\nis useful for seeing what changes Puppet will make without actually\nexecuting the changes.\n(This is a Puppet setting, and can go in puppet.conf. Note the special 'no-'\nprefix for boolean settings on the command line.)\n\n* --onetime:\nRun the configuration once. Runs a single (normally daemonized) Puppet\nrun. Useful for interactively running puppet agent when used in\nconjunction with the --no-daemonize option.\n(This is a Puppet setting, and can go in puppet.conf. Note the special 'no-'\nprefix for boolean settings on the command line.)\n\n* --test:\nEnable the most common options used for testing. These are 'onetime',\n'verbose', 'ignorecache', 'no-daemonize', 'no-usecacheonfailure',\n'detailed-exitcodes', 'no-splay', and 'show_diff'.\n\n* --verbose:\nTurn on verbose reporting.\n\n* --version:\nPrint the puppet version number and exit.\n\n* --waitforcert:\nThis option only matters for daemons that do not yet have certificates\nand it is enabled by default, with a value of 120 (seconds). This\ncauses 'puppet agent' to connect to the server every 2 minutes and ask\nit to sign a certificate request. This is useful for the initial setup\nof a puppet client. You can turn off waiting for certificates by\nspecifying a time of 0.\n(This is a Puppet setting, and can go in puppet.conf. Note the special 'no-'\nprefix for boolean settings on the command line.)\n\n\nEXAMPLE\n-------\n  $ puppet agent --server puppet.domain.com\n\n\nDIAGNOSTICS\n-----------\n\nPuppet agent accepts the following signals:\n\n* SIGHUP:\nRestart the puppet agent daemon.\n* SIGINT and SIGTERM:\nShut down the puppet agent daemon.\n* SIGUSR1:\nImmediately retrieve and apply configurations from the puppet master.\n* SIGUSR2:\nClose file descriptors for log files and reopen them. Used with logrotate.\n\nAUTHOR\n------\nLuke Kanies\n\n\nCOPYRIGHT\n---------\nCopyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License\n\n  HELP\nend\n"

#main(daemon) ⇒ Object

# File 'lib/puppet/application/agent.rb', line 377

def main(daemon)
  if Puppet[:listen]
    setup_listen(daemon)
  end
  Puppet.notice "Starting Puppet client version #{Puppet.version}"

  daemon.start
end

#onetime(daemon) ⇒ Object

# File 'lib/puppet/application/agent.rb', line 347

def onetime(daemon)
  if Puppet[:listen]
    Puppet.notice "Ignoring --listen on onetime run"
  end

  unless options[:client]
    Puppet.err "onetime is specified but there is no client"
    exit(43)
    return
  end

  daemon.set_signal_traps

  begin
    exitstatus = daemon.agent.run
  rescue => detail
    Puppet.log_exception(detail)
  end

  daemon.stop(:exit => false)

  if not exitstatus
    exit(1)
  elsif options[:detailed_exitcodes] then
    exit(exitstatus)
  else
    exit(0)
  end
end

#preinit ⇒ Object

# File 'lib/puppet/application/agent.rb', line 19

def preinit
  # Do an initial trap, so that cancels don't get a stack trace.
  Signal.trap(:INT) do
    $stderr.puts "Cancelling startup"
    exit(0)
  end

  {
    :waitforcert => nil,
    :detailed_exitcodes => false,
    :verbose => false,
    :debug => false,
    :setdest => false,
    :enable => false,
    :disable => false,
    :client => true,
    :fqdn => nil,
    :serve => [],
    :digest => 'SHA256',
    :graph => true,
    :fingerprint => false,
  }.each do |opt,val|
    options[opt] = val
  end

  @argv = ARGV.dup
end

#run_command ⇒ Object

# File 'lib/puppet/application/agent.rb', line 316

def run_command
  if options[:fingerprint]
    fingerprint
  else
    # It'd be nice to daemonize later, but we have to daemonize before
    # waiting for certificates so that we don't block
    daemon = daemonize_process_when(Puppet[:daemonize])

    wait_for_certificates

    if Puppet[:onetime]
      onetime(daemon)
    else
      main(daemon)
    end
  end
end

#setup ⇒ Object

# File 'lib/puppet/application/agent.rb', line 398

def setup
  setup_test if options[:test]

  setup_logs

  exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?

  if options[:fqdn]
    Puppet[:certname] = options[:fqdn]
  end

  Puppet.settings.use :main, :agent, :ssl

  # Always ignoreimport for agent. It really shouldn't even try to import,
  # but this is just a temporary band-aid.
  Puppet[:ignoreimport] = true

  Puppet::Transaction::Report.indirection.terminus_class = :rest
  # we want the last report to be persisted locally
  Puppet::Transaction::Report.indirection.cache_class = :yaml

  if Puppet[:catalog_cache_terminus]
    Puppet::Resource::Catalog.indirection.cache_class = Puppet[:catalog_cache_terminus]
  end

  if options[:fingerprint]
    # in fingerprint mode we just need
    # access to the local files and we don't need a ca
    Puppet::SSL::Host.ca_location = :none
  else
    Puppet::SSL::Host.ca_location = :remote
    setup_agent
  end
end

#setup_test ⇒ Object

Enable all of the most common test options.

# File 'lib/puppet/application/agent.rb', line 387

def setup_test
  Puppet.settings.handlearg("--ignorecache")
  Puppet.settings.handlearg("--no-usecacheonfailure")
  Puppet.settings.handlearg("--no-splay")
  Puppet.settings.handlearg("--show_diff")
  Puppet.settings.handlearg("--no-daemonize")
  options[:verbose] = true
  Puppet[:onetime] = true
  options[:detailed_exitcodes] = true
end