Passive minions / Minion behind a NAT?


Zuzzy

Aug 24, 2012, 1:51:15 PM
to salt-...@googlegroups.com
Apologies in advance because I am doing what I hate people doing - asking a question without actually building a test to check it myself.
However I am in a situation where I think Salt is ideal for what I need but I can't actually start building it until quite close to when I need it live as I need some rPis to arrive first!

The master runs with a publish_port and a ret_port open and the minions talk back to the master.  What I need to verify is whether there is ever any requirement for the master to talk to a minion for any reason as the scenario is that there will be minions behind a lot of NATd routers and will have outbound access only (I have no control of the routers).  I plan to change the publish_port and ret_port to ports that should be open in most places (not sure what yet, maybe 80 and 443 as even guest wireless hotspots allow them out).

Is there a situation where I am going to run into problems with this plan? I ask here because I think it's the sort of question where someone may have found issues themselves. The pf rules suggested for the server would indicate not, but best to ask than not!

I figure I can handle issues like the OS hanging etc. via some cron jobs on the minions, reboots and scripts to 'self-heal', so I should never need to access the minions once first connected.

Thanks, --Chris

Joseph Hall

Aug 24, 2012, 1:56:10 PM
to salt-...@googlegroups.com
I have several minions running behind NATs. One environment has every
port closed, unless you can talk the netadmin into opening specific
ports that you need. I had him open 4505 and 4506, and salt works
perfectly. The other environment has no such port restrictions, and so
worked out of the box. Both environments have minions talking to the
same salt master (which lives in a third, non-NAT environment).

Long story short, you should be fine.
--
"In order to create, you have to have the willingness, the desire to
be challenged, to be learning." -- Ferran Adria (speaking at Harvard,
2011)
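The arrangement Joseph describes (master listening on 4505/4506, minions connecting out to it), reduced to a runnable model. This is an added example, not code from the thread or from Salt itself: it stands in plain TCP sockets and newline-delimited JSON for Salt's ZeroMQ PUB/SUB and REQ/REP channels and does no encryption or key exchange, it uses ephemeral loopback ports instead of 4505/4506, and the minion ids 'pi-1'/'pi-2' and the test.ping/test.echo handler are made up. The point it demonstrates is the one Chris asked about: every TCP connection is opened by the minion, so the master needs no route back through the NAT.

```python
"""Added model of Salt's outbound-only minion connectivity (constructed
illustration, not Salt's own code). A 'master' listens on a publish port and
a return port; each 'minion' opens BOTH connections outbound, waits for a job
on the publish connection and sends its result back over the return
connection. The master never connects to a minion, so a minion behind NAT
works as long as it can reach the master's two ports. Real Salt uses ZeroMQ
PUB/SUB and REQ/REP with encrypted payloads on 4505/4506; one JSON object
per line over plain TCP is a simplification."""
import json
import socket
import threading

MASTER_HOST = "127.0.0.1"   # loopback so the demo runs offline


def _listen(port):
    """Bind a TCP listener on the master host (port 0 = ephemeral)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((MASTER_HOST, port))
    srv.listen(16)
    return srv


def master(pub_srv, ret_srv, job, expected_minions, returns):
    """Accept one inbound connection per minion on each port (the minions
    initiate both), publish `job` to all of them, then read one return per
    minion. Results land in the shared dict `returns`."""
    pub_conns = [pub_srv.accept()[0] for _ in range(expected_minions)]
    ret_conns = [ret_srv.accept()[0] for _ in range(expected_minions)]
    wire = (json.dumps(job) + "\n").encode()
    for conn in pub_conns:
        conn.sendall(wire)        # one publish fans out to every subscriber
    for conn in ret_conns:
        msg = json.loads(conn.makefile("rb").readline())
        returns[msg["id"]] = msg["return"]
    for conn in pub_conns + ret_conns:
        conn.close()


def default_handler(job):
    """Stand-in for Salt execution modules: only test.ping and test.echo."""
    if job["fun"] == "test.ping":
        return True
    if job["fun"] == "test.echo":
        return job.get("arg")
    return {"error": "unknown function %s" % job["fun"]}


def minion(minion_id, pub_port, ret_port, handler=default_handler):
    """Open two OUTBOUND connections (this is the whole NAT story), wait for
    a job on the publish connection, run it, answer on the return one."""
    pub = socket.create_connection((MASTER_HOST, pub_port))
    ret = socket.create_connection((MASTER_HOST, ret_port))
    job = json.loads(pub.makefile("rb").readline())
    reply = {"id": minion_id, "return": handler(job)}
    ret.sendall((json.dumps(reply) + "\n").encode())
    pub.close()
    ret.close()


def run_demo(minion_ids=("pi-1", "pi-2"), job=None):
    """Start a master and one thread per minion; return {minion_id: result}."""
    job = job or {"fun": "test.ping"}
    pub_srv, ret_srv = _listen(0), _listen(0)
    pub_port, ret_port = pub_srv.getsockname()[1], ret_srv.getsockname()[1]
    returns = {}
    threads = [threading.Thread(target=master, daemon=True,
                                args=(pub_srv, ret_srv, job, len(minion_ids), returns))]
    threads += [threading.Thread(target=minion, daemon=True,
                                 args=(mid, pub_port, ret_port)) for mid in minion_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout=10)
    pub_srv.close()
    ret_srv.close()
    return returns


if __name__ == "__main__":
    print(run_demo())   # {'pi-1': True, 'pi-2': True}
```

If publish_port and ret_port are moved to 80/443 as Chris plans, the check to run from a minion site is simply whether those two outbound TCP connections to the master succeed; this model exercises only that direction, which is all the master-to-minion relationship needs.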

Zuzzy

Aug 24, 2012, 3:15:24 PM
to salt-...@googlegroups.com
Brilliant, thanks.  I knew that ZeroMQ can work that way; I just wasn't sure that it had been implemented in Salt without restrictions.  Much appreciated.
--Chris