Re: [salt-users] Salt Minion cannot reach Salt Master at port 4505. What workaround can I use?

[Paolo Smiraglia]

Hi Rodolfo,

I'm pretty sure it is a firewall problem. According to the information
you provided, you have some working Minons (I assume in the same network
of the Master) and one Minion in another "strict" network.

You should check the firewall(s) rules and verify if the tcp/4505
traffic is allowed from the "strict network" to the "Master network".

In practice, you should check local firewall rules defined on the
Master/Minion machines as well as the rules defined on the
infrastructural firewall (if present).

I hope this helped you,

Paolo

On 09/07/2017 12:37 PM, Rodolfo del Valle wrote:
>
>
> I've a Salt Master server and some Minions that work well. All the
> configuration is by default.
>
>
> I've one Salt Minion in a really strict network. Running
>
> nc -v -z salt.master.ip.addr 4505
>
> returns
>
> 4505 (tcp) failed: Connection timed out
>
>
> And obviously it cannot connect to the Master. I'm not an expert on network
> topics and I haven't found a nice workaround. What can you suggest?
>
>
> Thanks!
>


--
PAOLO SMIRAGLIA

"Non c'è cattivo più cattivo di un buono
quando diventa cattivo" (Bud Spencer)

[Paolo Smiraglia]

Hi Rodolfo,

see comments inline.

Bests,

Paolo

On 09/08/2017 11:17 AM, Rodolfo del Valle wrote:
> Thanks Paolo.
>
> The minions that are working are not in the same network -> the input ports
> in the master are well configured.

Are you sure the Master accepts ingress 4505/tcp connection from ALL the
networks? If so, the problem could be on the Minion firewall where
output 4505/tcp connections are not allowed.

> The problem is that I don't have access to the local firewall. Therefore,
> I'm looking for a workaround. Any ideas?

If you was able to install/configure salt-minion (a.k.a. you was able to
make sudo), you should also have access to the local firewall. Anyway,
if the firewalls block the connections, unfortunately there are not
walkable workarounds. Did you asked your sys/net admin about firewalls
configurations?

[gargi]

Hi,

If it's a unix based environment, the minion might have firewalld installed. If you have sudo access, you can run:

systemctl status firewalld

This should answer you whether it's installed and/or running?

Another option would be to find out what ports are open for the minions and configure the master and minion to run against those ports, would not recommend it because there is a little bit of configuration involved and you would also need to reconfigure the minions which already work together with the master.

Cheers,

Edgar

On Friday, September 8, 2017 at 3:17:27 AM UTC-6, Rodolfo del Valle wrote:

Thanks Paolo.

The minions that are working are not in the same network -> the input ports in the master are well configured.

The problem is that I don't have access to the local firewall. Therefore, I'm looking for a workaround. Any ideas?

Best regards,

Rodolfo

--

Rodolfo del Valle

CEO Printfor.me

+49 17634681109

+56 224054056

[Thomas Phipps]

doubt it is a local firewall to the system. as they already said it is a secure network. meaning it has a global firewall. which most likely is the problem. and doubtful they can open 4505 and 4506 to the master as that won't fly. 

two options i can think of going masterless. or going with salt-ssh instead of a minion. 

there is always the option of changing ports. but that can be problematic for all of the other minions already configured. 

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/ab9c113d-31f9-4640-9b81-61bcf4b04fc9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.