Page MenuHomePhabricator

Spicerack puppetserver.destroy() raises an exception when certificate does not exist
Closed, ResolvedPublicBUG REPORT


Calling Spicerack's puppetserver.destroy when a certificate does not exist fails with:

----- OUTPUT of 'sudo -i' -----
    Could not find files to clean for
100.0% (1/1) of nodes failed to execute command 'sudo -i':
0.0% (0/1) success ratio (< 100.0% threshold) for command: 'sudo -i'. Aborting.
0.0% (0/1) success ratio (< 100.0% threshold) of nodes successfully executed all commands. Aborting.
Exception raised while executing cookbook wmcs.vps.refresh_puppet_certs:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/spicerack/", line 250, in _run
    raw_ret =
  File "/home/taavi/cookbooks_testing/cookbooks/wmcs_libs/", line 751, in _wrapped_run
    return object.__getattribute__(self, __name)(*args, **kwargs)
  File "/home/taavi/cookbooks_testing/cookbooks/cookbooks/wmcs/vps/", line 146, in run
    _refresh_cert(spicerack=self.spicerack, remote_host=remote_host)
  File "/home/taavi/cookbooks_testing/cookbooks/cookbooks/wmcs/vps/", line 54, in _refresh_cert
  File "/usr/lib/python3/dist-packages/spicerack/", line 423, in destroy
    self.server_host.run_sync(f"puppetserver ca clean --certname {hostname}", print_progress_bars=False)
  File "/usr/lib/python3/dist-packages/spicerack/", line 514, in run_sync
    return self._execute(
  File "/usr/lib/python3/dist-packages/spicerack/", line 720, in _execute
    raise RemoteExecutionError(ret, "Cumin execution failed", worker.get_results())
spicerack.remote.RemoteExecutionError: Cumin execution failed (exit_code=2)

This is different from the old Puppet 5 Puppetserver behaviour, and does not match the documentation of that method which says:

If there is no certificate to remove it doesn't raise exception as the Puppet CA just outputs
'Nothing was deleted'.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Volans triaged this task as Medium priority.Mar 18 2024, 11:17 AM
Volans subscribed.

That's indeed the current behaviour and clearly an error, thanks for reporting it!
The exit codes of the puppetserver ca clean command are not documented in Puppet, or at least I couldn't find them in the public docs/manpage/help messages/source code.
Ideally puppetserver should report two different set of errors, the ones in which there is a certificate but it failed to perform some cleaning operations and the one where the certificate does not exists at all, but it doesn't seem the case.
Given that it doesn't, I think we shouldn't rely on specific output messages of the CLI and exit codes as it could hide other errors now or in the future.

We have two possible approches, one is to update the documentation of spicerack to specify that it actually raises an error on missing ones.
The other is to check if it exists first with puppetserver ca list --certname $FQDN (with or without --format json) and ignore the missing ones.
Probably the latter is the better in terms of usability for the cookbook user. Thoughts?

If there would be a method to check whether a certificate exists or not we could update cookbooks to use that, in which case destroy raising an error would be fine.

We do have get_certificate_metadata() that raises spicerack.puppet.PuppetServerCheckError if the cert is not found (as opposed to other errors).
What I was suggesting is that we could do that check directly in destroy() in the puppetserver class so that it behaves the same of the old puppetmaster one.

Change #1016438 had a related patch set uploaded (by Volans; author: Volans):

[operations/software/spicerack@master] puppet: PuppetServer.destroy improvement

I've sent a proposal implementation in the patch above

Change #1016438 merged by jenkins-bot:

[operations/software/spicerack@master] puppet: PuppetServer.destroy improvement

This is now live.