add a puppet_signed_certs_dir option to point to where puppet stores the pem files. This is necessary in order to completely know about hosts which were not revoked but were --cleaned from the puppetdb also make sure we're looking for revoked serials only after sorting for the latest serials per host.
---
 func/commonconfig.py | 1 +
 func/overlord/client.py | 14 +++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/func/commonconfig.py b/func/commonconfig.py
index f35d576..76607a4 100644
--- a/func/commonconfig.py
+++ b/func/commonconfig.py
@@ -44,6 +44,7 @@ class OverlordConfig(BaseConfig):
 ca_file = Option('')
 puppet_minions = BoolOption(False)
 puppet_inventory = Option('/var/lib/puppet/ssl/ca/inventory.txt')
+ puppet_signed_certs_dir = Option('/var/lib/puppet/ssl/ca/signed')
 puppet_crl = Option('/var/lib/puppet/ssl/ca/ca_crl.pem')
 host_down_list = Option('/var/lib/func/hosts_down.lst')
diff --git a/func/overlord/client.py b/func/overlord/client.py
index 27a92c7..d92dce1 100644
--- a/func/overlord/client.py
+++ b/func/overlord/client.py
@@ -281,8 +281,6 @@ class PuppetMinions(Minions):
 tmp_certs = set()
 tmp_hosts = set()
- # revoked certs
- revoked_serials = self._return_revoked_serials(self.overlord_config.puppet_crl)
 # get all hosts
 if os.access(self.overlord_config.puppet_inventory, os.R_OK):
 fo = open(self.overlord_config.puppet_inventory, 'r')
@@ -293,8 +291,6 @@ class PuppetMinions(Minions):
 if re.match('\s*(#|$)', line):
 continue
 (serial, before, after, cn) = line.split()
- if int(serial, 16) in revoked_serials:
- continue
 before = time.strftime('%s', time.strptime(before, time_format))
 if now < int(before):
 continue
@@ -308,8 +304,16 @@ class PuppetMinions(Minions):
 if host_inv[hn] > serial:
 continue
 host_inv[hn] = serial
-
+ fo.close()
+
+ # revoked certs
+ revoked_serials = self._return_revoked_serials(self.overlord_config.puppet_crl)
 for hostname in host_inv.keys():
+ if int(host_inv[hostname], 16) in revoked_serials:
+ continue
+ pempath = '%s/%s.pem' % (self.overlord_config.puppet_signed_certs_dir, hostname)
+ if not os.path.exists(pempath):
+ continue
 if fnmatch.fnmatch(hostname, each_gloob):
 tmp_hosts.add(hostname)
 # don't return certs path - just hosts
--
1.6.6
_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
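Review bot: The `pempath` check added in this hunk formats the inventory CN straight into a filesystem path, so a CN containing a path separator or a `..` component is looked up outside `puppet_signed_certs_dir`, and `os.path.exists` only proves a file of that name is present, not that it is the certificate carrying the serial recorded in `host_inv`. I would build the path with `pempath = os.path.join(self.overlord_config.puppet_signed_certs_dir, hostname + '.pem')`, skip the entry when `os.sep in hostname`, and add a comment such as `# presence of the signed pem is only a proxy for "not cleaned from the CA"; it does not validate the cert` so the next reader does not take it for a verification step. The new `fo.close()` is not protected by `try`/`finally`, so a malformed inventory line that makes the `line.split()` unpack fail leaves the handle open, and because indentation is lost in this paste I cannot tell whether the close sits inside the `if os.access(...)` branch that opened `fo` — if it does not, an unreadable inventory now raises `NameError` instead of returning an empty host set. The enclosing method starts before this hunk.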