 

What open ports are required on firewall to allow for salt-stack remote execution?

The documentation on saltstack appears to be unclear regarding what ports are required from the salt-master -> salt-minion (apparently none are required). It suggests that ports only need to be opened from the salt-minion -> salt-master. (See: http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html)

If, however, commands are executed remotely on the salt-master targeted at a minion, surely the master needs to be able to push this to the minion and therefore requires a network opening to allow for this.

Therefore my question is if the saltstack ports (4505 & 4506) need to be opened in both directions, or whether the remote commands are triggered over another protocol?

[A bit of background: My team wants a salt-stack setup to manage a server landscape in quite a restrictive network where each individual network route needs to be requested in the security concept. This is not controlled by our company and I need to explicitly request all required routes, and in each direction.]

lintal asked Jun 05 '15 16:06



1 Answer

Salt uses a zeromq pub/sub interface to communicate with the minions. Indeed, you only need to open ports 4505 and 4506 on the master's firewall.

The minions listen on one port on the master, which is the "pub" port, and then return results to the master on the other port.

The master never actually "pushes" commands to the minions. The minions listen for commands published on the pub port, which is why you don't need to open any incoming ports on your minions.

Utah_Dave answered Sep 22 '22 16:09

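The answer above describes a minion-initiated model: every Salt connection is dialed by the minion to the master's TCP ports 4505 (pub) and 4506 (ret), so the only routes to request are minion -> master on those two ports. The following script is an added example (not part of the original question or answer, and not Salt's own tooling) that checks exactly that from both sides. It parses `ss -tn` output on a minion to confirm that the 4505/4506 sockets are outbound (peer port is 4505/4506, local port is ephemeral), and it emits the two inbound `iptables` rules the master needs. The master address 10.0.0.5, the minion subnet 10.0.1.0/24 and the `SAMPLE_SS` text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tn` output as seen on a minion (not a real capture).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.20:50322      10.0.0.5:4505
ESTAB  0      0      10.0.1.20:50340      10.0.0.5:4506
ESTAB  0      0      10.0.1.20:22         10.0.9.1:61022'

# Print "peer_ip:peer_port" for every established TCP connection whose *peer*
# port is 4505 or 4506. On a correctly configured minion each such line names
# the master as the peer and the local port is ephemeral: the minion dialed out,
# nothing dialed in. (IPv4 only: IPv6 peers contain extra colons.)
salt_outbound_conns() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" {
            n = split($5, p, ":")
            if (n == 2 && (p[2] == "4505" || p[2] == "4506")) print p[1] ":" p[2]
        }'
}

# Number of Salt channels open to a given master. Expect 2 (pub + ret) on a
# healthy minion; 0 means the minion cannot reach the master at all, 1 means one
# of the two ports is filtered somewhere on the path.
salt_channels_to_master() {
    master="$1"
    ss_out="$2"
    salt_outbound_conns "$ss_out" | grep -c "^${master}:"
}

# Emit the only firewall rules the *master* needs: inbound TCP 4505 and 4506
# from the minion subnet. The minion side needs no INPUT rule for Salt, only
# the usual allowance for ESTABLISHED/RELATED return traffic.
master_firewall_rules() {
    subnet="$1"
    for port in 4505 4506; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$subnet" "$port"
    done
}

# Usage on a live minion:  salt_channels_to_master 10.0.0.5 "$(ss -tn)"
# Usage on the master:     master_firewall_rules 10.0.1.0/24 | sh
salt_channels_to_master 10.0.0.5 "$SAMPLE_SS"
master_firewall_rules 10.0.1.0/24
```

Run the first function on a minion after `salt-minion` starts; a result of 2 confirms that the route request for minion -> master tcp/4505 and tcp/4506 was sufficient and that no master -> minion route is in use.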