
    Salt-Minion can't talk to Salt-Master

    • NerdyDadN
      NerdyDad @DustinB3403
      last edited by

      @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

      @NerdyDad said in Salt-Minion can't talk to Salt-Master:

      @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

      @NerdyDad said in Salt-Minion can't talk to Salt-Master:

      @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

      @NerdyDad said in Salt-Minion can't talk to Salt-Master:

      @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

      And you've reloaded the firewall with firewall-cmd --reload?

      Still not working

      @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

      Just for laughs check the status of setenforce.

      Enforcing

      Try setting setenforce to permissive or disabled for now and test.

      Finally, got the minion to talk to the master. Thanks

      Cool, so now you need to create an exclusion in setenforce.

      How do I do that? Help the newb here please.

      You'll need to use semanage to allow this.

      semanage port -a -t http_port_t -p tcp 4505-4506

      What would http_port_t translate to? Everything else I understand except that.

      DustinB3403D 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @NerdyDad
        last edited by

        @NerdyDad said in Salt-Minion can't talk to Salt-Master:

        @black3dynamite said in Salt-Minion can't talk to Salt-Master:

        Will you show the command for adding the firewall rules for 4505-5606?
        The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

        I've tried a number of commands

        firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
        firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
        firewall-cmd --permanent --add-port=4505-4506/tcp

        In that order, but not all at the same time. I reloaded the firewall and retested between each line.

        None of those is expected to work. The default zone is FedoraServer

        NerdyDadN 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @DustinB3403
          last edited by

          @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

          @NerdyDad said in Salt-Minion can't talk to Salt-Master:

          @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

          @NerdyDad said in Salt-Minion can't talk to Salt-Master:

          @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

          @NerdyDad said in Salt-Minion can't talk to Salt-Master:

          @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

          And you've reloaded the firewall with firewall-cmd --reload?

          Still not working

          @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

          Just for laughs check the status of setenforce.

          Enforcing

          Try setting setenforce to permissive or disabled for now and test.

          Finally, got the minion to talk to the master. Thanks

          Cool, so now you need to create an exclusion in setenforce.

          How do I do that? Help the newb here please.

          You'll need to use semanage to allow this.

          Or just setenforce

          DustinB3403D 1 Reply Last reply Reply Quote 0
          • DustinB3403D
            DustinB3403 @NerdyDad
            last edited by

            @NerdyDad said in Salt-Minion can't talk to Salt-Master:

            @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

            @NerdyDad said in Salt-Minion can't talk to Salt-Master:

            @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

            @NerdyDad said in Salt-Minion can't talk to Salt-Master:

            @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

            @NerdyDad said in Salt-Minion can't talk to Salt-Master:

            @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

            And you've reloaded the firewall with firewall-cmd --reload?

            Still not working

            @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

            Just for laughs check the status of setenforce.

            Enforcing

            Try setting setenforce to permissive or disabled for now and test.

            Finally, got the minion to talk to the master. Thanks

            Cool, so now you need to create an exclusion in setenforce.

            How do I do that? Help the newb here please.

            You'll need to use semanage to allow this.

            semanage port -a -t http_port_t -p tcp 4505-4506

            What would http_port_t translate to? Everything else I understand except that.

            -t specifies a type of service; http_port_t is all "type 80 traffic".

            1 Reply Last reply Reply Quote 0
            • NerdyDadN
              NerdyDad @scottalanmiller
              last edited by

              @scottalanmiller said in Salt-Minion can't talk to Salt-Master:

              @NerdyDad said in Salt-Minion can't talk to Salt-Master:

              @black3dynamite said in Salt-Minion can't talk to Salt-Master:

              Will you show the command for adding the firewall rules for 4505-5606?
              The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

              I've tried a number of commands

              firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
              firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
              firewall-cmd --permanent --add-port=4505-4506/tcp

              In that order, but not all at the same time. I reloaded the firewall and retested between each line.

              None of those is expected to work. The default zone is FedoraServer

              Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

              DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403 @NerdyDad
                last edited by

                @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                @scottalanmiller said in Salt-Minion can't talk to Salt-Master:

                @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                @black3dynamite said in Salt-Minion can't talk to Salt-Master:

                Will you show the command for adding the firewall rules for 4505-5606?
                The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

                I've tried a number of commands

                firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
                firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
                firewall-cmd --permanent --add-port=4505-4506/tcp

                In that order, but not all at the same time. I reloaded the firewall and retested between each line.

                None of those is expected to work. The default zone is FedoraServer

                Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

                It's bloating the firewall with rules you don't need.

                1 Reply Last reply Reply Quote 0
                • DustinB3403D
                  DustinB3403 @scottalanmiller
                  last edited by

                  @scottalanmiller said in Salt-Minion can't talk to Salt-Master:

                  @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                  @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                  @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                  @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                  @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                  @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                  @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                  And you've reloaded the firewall with firewall-cmd --reload?

                  Still not working

                  @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                  Just for laughs check the status of setenforce.

                  Enforcing

                  Try setting setenforce to permissive or disabled for now and test.

                  Finally, got the minion to talk to the master. Thanks

                  Cool, so now you need to create an exclusion in setenforce.

                  How do I do that? Help the newb here please.

                  You'll need to use semanage to allow this.

                  Or just setenforce

                  Yeah... but semanage is so much easier.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @NerdyDad
                    last edited by

                    @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                    @scottalanmiller said in Salt-Minion can't talk to Salt-Master:

                    @NerdyDad said in Salt-Minion can't talk to Salt-Master:

                    @black3dynamite said in Salt-Minion can't talk to Salt-Master:

                    Will you show the command for adding the firewall rules for 4505-5606?
                    The reason I'm asking is because if you include --zone=FedoraServer but your active firewall zone is public then that could be the issue.

                    I've tried a number of commands

                    firewall-cmd --permanent --zone=trusted --add-port=4505-4506/tcp
                    firewall-cmd --permanent --zone=default --add-port=4505-4506/tcp
                    firewall-cmd --permanent --add-port=4505-4506/tcp

                    In that order, but not all at the same time. I reloaded the firewall and retested between each line.

                    None of those is expected to work. The default zone is FedoraServer

                    Followup question. Is this a security risk? Do they need to be removed? Or they just won't work?

                    No, they are just ignored.

                    1 Reply Last reply Reply Quote 0
                    • black3dynamiteB
                      black3dynamite
                      last edited by

                      setenforce is not a permanent solution. As soon as you reboot, the setting will revert back to enforcing.

                      DustinB3403D 1 Reply Last reply Reply Quote 1
                      • DustinB3403D
                        DustinB3403 @black3dynamite
                        last edited by

                        @black3dynamite said in Salt-Minion can't talk to Salt-Master:

                        setenforce is not a permanent solution. As soon as you reboot, the setting will revert back to enforcing. Unless you disable it permanently, which isn't recommended.

                        FTFY

                        1 Reply Last reply Reply Quote 0
                        • NerdyDadN
                          NerdyDad
                          last edited by

                          Just did the following commands

                          semanage port -a -t http_port_t -p tcp 4505-4506

                          then

                          setenforce enforcing

                          So far, still good.

                          DustinB3403D 1 Reply Last reply Reply Quote 0
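An added example, not part of any post in this thread: a small shell helper for auditing the two checks discussed above, which SELinux port types cover a port and whether a firewalld zone's port list covers it. The function names are hypothetical and the sample command output is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Parses captured command output so the
# two checks discussed here (firewalld zone, SELinux port label) can be audited.

# Constructed sample of `semanage port -l` after the thread's semanage command.
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      4505-4506, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# Constructed sample of `firewall-cmd --get-active-zones`.
SAMPLE_ZONES='FedoraServer
  interfaces: ens192'

# selinux_types_for_port PROTO PORT < `semanage port -l` output
# Prints every SELinux port type whose list or range covers PORT.
selinux_types_for_port() {
  awk -v proto="$1" -v port="$2" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        entry = $i; sub(/,$/, "", entry)
        n = split(entry, r, "-")
        lo = r[1] + 0; hi = (n == 2 ? r[2] + 0 : lo)
        if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
      }
    }'
}

# active_zones < `firewall-cmd --get-active-zones` output
# Zone names are the unindented lines; indented lines list interfaces/sources.
active_zones() {
  awk '/^[^ \t]/ { print $1 }'
}

# ports_cover PROTO PORT < `firewall-cmd --zone=ZONE --list-ports` output
# Exit status 0 if an entry such as "4505-4506/tcp" covers PORT.
ports_cover() {
  tr ' ' '\n' | awk -F'[-/]' -v proto="$1" -v port="$2" '
    NF >= 2 && $NF == proto {
      lo = $1 + 0; hi = (NF == 3 ? $2 + 0 : lo)
      if (port + 0 >= lo && port + 0 <= hi) found = 1
    }
    END { exit !found }'
}
```

On a live host, pipe the real output of `semanage port -l`, `firewall-cmd --get-active-zones` and `firewall-cmd --zone=<zone> --list-ports` into these functions instead of the samples.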
                          • DustinB3403D
                            DustinB3403 @NerdyDad
                            last edited by

                            @NerdyDad try restarting and seeing if the issue persists.

                            NerdyDadN 1 Reply Last reply Reply Quote 0
                            • NerdyDadN
                              NerdyDad @DustinB3403
                              last edited by

                              @DustinB3403 said in Salt-Minion can't talk to Salt-Master:

                              @NerdyDad try restarting and seeing if the issue persists.

                              Oh, no issues. They're still communicating.

                              1 Reply Last reply Reply Quote 1
                              • JaredBuschJ
                                JaredBusch
                                last edited by JaredBusch

                                Don't specify a zone when you run a firewall-cmd and it automatically uses whatever the current zone is.

                                By the way, because your zone is Fedora Server, you installed a full server instance and not a minimal instance.

                                Unless that changed in 29 for minimal.

                                1 Reply Last reply Reply Quote 1
                                • ObsolesceO
                                  Obsolesce
                                  last edited by

                                  Weird.. I didn't have to do anything with SELinux to get it working:

                                  https://timothygruber.com/linux/saltstack-installation-configuration/#Installing_the_Salt-Master

                                  1 Reply Last reply Reply Quote 0