Home / server / Questions / 518230
Accepted
MountainX
Asked: 2013-06-25 17:47:10 +0800 CST

How to use Salt Stack with minions all behind NAT (not publicly accessible, default salt ports not open)?

  • 772

Can Salt Stack minions communicate with the salt master from behind NAT/Firewalls, etc., using standard ports that would be open be default in all consumer NAT routers (and without the minions having a public DNS record or static IP)?

I'm working my way through my first salt tutorial, and this is where I'm stuck.

I am able to configure iptables on the Ubuntu salt-master. But I have no control over the routers/NAT that the minions will sit behind.

So far I tried these settings:

/etc/salt/master:

publish_port: 465
ret_port: 443

/etc/salt/minion:

master_port: 465

That did not work.

Background:

I have a custom developed application presently running on about 40 Kubuntu laptops (& more planned). Every few months I have to update the application. (Often this just amounts to replacing a .jar file, which requires root permissions.) I also have to run Ubuntu updates and a few other minor things. I've been doing it manually, one by one, using Team Viewer to log into each client.

I would like to dramatically improve this process. The two options I'm aware of are either:

  1. use reverse ssh tunnels and bash scripts. I tested this and it works. But I don't get any of the reporting, etc., I would get with Salt Stack.

  2. use Salt Stack (or similar) management tool. But I need a really simple tool. I can't invest any time in a big learning curve.

I looked at Puppet and a bunch of related tools. The only one I found that looked simple enough for me (so far) was Salt Stack. But I'm stuck now because my minion can't reach the salt-master, as stated above.

I appreciate suggestions.

configuration-management

2 Answers

  1. Best Answer

    The answer is "it just works." There is no need to change the configuration files (of either master or minion). There is no need to worry about NAT or firewalls for the minions.

    However, on the master, two ports need to be opened on the firewall. I accomplished this with:

    iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

    On the minions, add an entry to /etc/hosts pointing the name "salt" to the master's IP address. Example:

    root@minion2:~# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
111.222.333.444  salt salt.example.com

    Really, it is very simple.

    • 7

  2. To get the minion's connection out through any kind of firewall that allows outgoing connections on http and https ports, we are using this on the master:

    publish_port: 80
ret_port: 443

    And this on the minion:

    publish_port: 80
master_port: 443

    I still find the names confusing – I'd expect publish_port on the master to correspond to master_port on the minion – but that's how it is.

    • 0