Salt-Minion can't talk to Salt-Master

DustinB3403

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

NerdyDad

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

dafyre

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Was it SELinux?

DustinB3403

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

NerdyDad

@dafyre said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Was it SELinux?

I think that was part of it. The other part as not to specify a port to the server in the minions config file.

NerdyDad

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

black3dynamite

I don't recall ever needed to configure SELinux.

DustinB3403

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

You'll need to use semanage to allow this.

DustinB3403

Here is a decent man page and examples.

Since you're allowing ports through you'd want to do that.

NerdyDad

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

You'll need to use semanage to allow this.

semanage port -a -t http_port_t -p tcp 4505-4506

What would http_port_t translate to? Everything else I understand except that.

scottalanmiller

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@black3dynamite said in Salt-Minion can't talk to Salt-Master:

Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

I've tried a number of commands

firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp

In that order, but not all at the same time. I reloaded the firewall and retested between each line.

None of those is expected to work. The default zone is FedoraServer

scottalanmiller

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

You'll need to use semanage to allow this.

Or just setenforce

DustinB3403

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

You'll need to use semanage to allow this.

semanage port -a -t http_port_t -p tcp 4505-4506

What would http_port_t translate to? Everything else I understand except that.

-t specifies a type of service http_port_t is all "type 80 traffic"

NerdyDad

@scottalanmiller said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@black3dynamite said in Salt-Minion can't talk to Salt-Master:

Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

I've tried a number of commands

firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp

In that order, but not all at the same time. I reloaded the firewall and retested between each line.

None of those is expected to work. The default zone is FedoraServer

Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

DustinB3403

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@scottalanmiller said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@black3dynamite said in Salt-Minion can't talk to Salt-Master:

Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

I've tried a number of commands

firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp

In that order, but not all at the same time. I reloaded the firewall and retested between each line.

None of those is expected to work. The default zone is FedoraServer

Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

It's bloating the firewall with rules you don't need.

DustinB3403

@scottalanmiller said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

And you've reloaded the firewall with firewall-cmd --reload?

Still not working

@DustinB3403 said in Salt-Minion can't talk to Salt-Master:

Just for laughs check the status of setenforce.

Enforcing

Try setting setenforce to permissive or disabled for now and test.

Finally, got the minion to talk to the master. Thanks

Cool so now you need create an exclusion in setenforce.

How do I do that? Help the newb here please.

You'll need to use semanage to allow this.

Or just setenforce

yea. . but semanage is so much easier.

scottalanmiller

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@scottalanmiller said in Salt-Minion can't talk to Salt-Master:

@NerdyDad said in Salt-Minion can't talk to Salt-Master:

@black3dynamite said in Salt-Minion can't talk to Salt-Master:

Will you show the command for adding the firewall rules for 4505-5606?
The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

I've tried a number of commands

firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
firewall-cmd --permanent --add-port=4505-4506/tcp

In that order, but not all at the same time. I reloaded the firewall and retested between each line.

None of those is expected to work. The default zone is FedoraServer

Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

No, they are just ignored.

black3dynamite

setenforce is not a permanent solution. Has soon as you reboot, the setting will revert back to enforcing.

DustinB3403

@black3dynamite said in Salt-Minion can't talk to Salt-Master:

setenforce is not a permanent solution. Has soon as you reboot, the setting will revert back to enforcing. Unless you disable it permanently, which isn't recommended.

FTFY

NerdyDad

Just did the following commands

semanage port -a -t http_port_t -p tcp 4505-4506

then

setenforce enforcing

So far, still good.