Salt-Minion can't talk to Salt-Master
-
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
And you've reloaded the firewall with
firewall-cmd --reload
?Still not working
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
Just for laughs check the status of setenforce.
Enforcing
Try setting setenforce to permissive or disabled for now and test.
Finally, got the minion to talk to the master. Thanks
Cool so now you need create an exclusion in setenforce.
How do I do that? Help the newb here please.
You'll need to use
semanage
to allow this. -
Here is a decent man page and examples.
Since you're allowing ports through you'd want to do that.
-
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
And you've reloaded the firewall with
firewall-cmd --reload
?Still not working
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
Just for laughs check the status of setenforce.
Enforcing
Try setting setenforce to permissive or disabled for now and test.
Finally, got the minion to talk to the master. Thanks
Cool so now you need create an exclusion in setenforce.
How do I do that? Help the newb here please.
You'll need to use
semanage
to allow this.semanage port -a -t http_port_t -p tcp 4505-4506
What would
http_port_t
translate to? Everything else I understand except that. -
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@black3dynamite said in Salt-Minion can't talk to Salt-Master:
Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.I've tried a number of commands
firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp
In that order, but not all at the same time. I reloaded the firewall and retested between each line.
None of those is expected to work. The default zone is FedoraServer
-
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
And you've reloaded the firewall with
firewall-cmd --reload
?Still not working
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
Just for laughs check the status of setenforce.
Enforcing
Try setting setenforce to permissive or disabled for now and test.
Finally, got the minion to talk to the master. Thanks
Cool so now you need create an exclusion in setenforce.
How do I do that? Help the newb here please.
You'll need to use
semanage
to allow this.Or just
setenforce
-
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
And you've reloaded the firewall with
firewall-cmd --reload
?Still not working
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
Just for laughs check the status of setenforce.
Enforcing
Try setting setenforce to permissive or disabled for now and test.
Finally, got the minion to talk to the master. Thanks
Cool so now you need create an exclusion in setenforce.
How do I do that? Help the newb here please.
You'll need to use
semanage
to allow this.semanage port -a -t http_port_t -p tcp 4505-4506
What would
http_port_t
translate to? Everything else I understand except that.-t
specifies a type of servicehttp_port_t
is all "type 80 traffic" -
@scottalanmiller said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@black3dynamite said in Salt-Minion can't talk to Salt-Master:
Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.I've tried a number of commands
firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp
In that order, but not all at the same time. I reloaded the firewall and retested between each line.
None of those is expected to work. The default zone is FedoraServer
Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?
-
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@scottalanmiller said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@black3dynamite said in Salt-Minion can't talk to Salt-Master:
Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.I've tried a number of commands
firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp
In that order, but not all at the same time. I reloaded the firewall and retested between each line.
None of those is expected to work. The default zone is FedoraServer
Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?
It's bloating the firewall with rules you don't need.
-
@scottalanmiller said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
And you've reloaded the firewall with
firewall-cmd --reload
?Still not working
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
Just for laughs check the status of setenforce.
Enforcing
Try setting setenforce to permissive or disabled for now and test.
Finally, got the minion to talk to the master. Thanks
Cool so now you need create an exclusion in setenforce.
How do I do that? Help the newb here please.
You'll need to use
semanage
to allow this.Or just
setenforce
yea. . but semanage is so much easier.
-
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@scottalanmiller said in Salt-Minion can't talk to Salt-Master:
@NerdyDad said in Salt-Minion can't talk to Salt-Master:
@black3dynamite said in Salt-Minion can't talk to Salt-Master:
Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.I've tried a number of commands
firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp
In that order, but not all at the same time. I reloaded the firewall and retested between each line.
None of those is expected to work. The default zone is FedoraServer
Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?
No, they are just ignored.
-
setenforce
is not a permanent solution. Has soon as you reboot, the setting will revert back to enforcing. -
@black3dynamite said in Salt-Minion can't talk to Salt-Master:
setenforce
is not a permanent solution. Has soon as you reboot, the setting will revert back to enforcing. Unless you disable it permanently, which isn't recommended.FTFY
-
Just did the following commands
semanage port -a -t http_port_t -p tcp 4505-4506
then
setenforce enforcing
So far, still good.
-
@NerdyDad try restarting and seeing if the issue persists.
-
@DustinB3403 said in Salt-Minion can't talk to Salt-Master:
@NerdyDad try restarting and seeing if the issue persists.
Oh, no issues. They're still communicating.
-
Dont specify a zone when you run a firewall-cmd and it automatically uses the whatever the current zone is.
By the way because your zone is Fedora Server, you installed a full server instance and not a minimal instance.
Unless that changed in 29 for minimal.
-
Weird.. I didn't have to do anything with SELinux to get it working:
https://timothygruber.com/linux/saltstack-installation-configuration/#Installing_the_Salt-Master