If we would use salt, we would have this problem:

Our minions are in a remote corporate LAN and we only have SSH access from
our network **to** our minions.

Our minions can't connect to our central salt master, since there is a
remote firewall which blocks connection opening from remote corporate LAN
to the outside.

I found this solution:

https://github.com/saltstack/salt/issues/1930

I know how to use "ssh -L ...". We use it often, but up to now we use it
only temporarily.

There seems to be a different solution:

http://docs.saltstack.com/en/latest/topics/ssh/

But this seems to be very slow, since it does not use the message queue.

Any ideas how to solve this? We need a way to let the minions connect
to the master through the remote firewall.

I really would like to use salt, but we need to solve this issue first.

Regards,
   Thomas Güttler

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • Colton Myers at Aug 29, 2014 at 10:53 pm
    The issue is that ssh is inherently slow (as you've discovered).

    Without a way for the minions to connect to the master, I am not sure that
    we can do better than salt-ssh. There must be two-way communication of
    some sort -- we can get around incoming firewalls on the minions by having
    them initiate the connection to the master, but if minions cannot connect
    to the master, we're kind of stuck.

    I'll have to think on this.

    --
    Colton Myers

  • C. R. Oldham at Aug 30, 2014 at 3:52 am

    On Mon, Aug 4, 2014 at 9:17 AM, Thomas Güttler wrote:

    If we would use salt, we would have this problem:

    Our minions are in a remote corporate LAN and we only have SSH access from
    our network **to** our minions.

    Our minions can't connect to our central salt master, since there is a
    remote firewall which blocks connection
    opening from remote corporate LAN to the outside.

    Thomas,

    Could you potentially place an openvpn server on your minion side? You
    could have your master initiate a VPN connection and obtain an ip inside
    the minion's network. Then minions would connect to the master through the
    tunnel.

    --cro

  • Thomas Güttler at Sep 3, 2014 at 11:16 am
    Thank you for your answer.

    AFAIK running a VPN over TCP is looking for trouble since you have two
    network layers which want to provide a reliable transport. If one package
    gets lost, two layers start to try to transfer the lost package again.
    But maybe OpenVPN over TCP is reliable. I will have a look.

    Up to now we want to use a ssh tunnel.

       Thomas

  • Branden Timm at Sep 3, 2014 at 2:46 pm
    RAET is an alternative transport coming in 2014.7 and it uses UDP. Might
    be worth looking into.

    -Branden
  • C. R. Oldham at Sep 3, 2014 at 3:00 pm

    Excerpts from Thomas Güttler's message of 2014-09-03 05:16:37 -0600:
    Thank you for your answer.

    AFAIK running a VPN over TCP is looking for trouble since you have two
    network layers which
    want to provide a reliable transport. If one package gets lost, two layers

    True, in practice I've had it work fine if you give it a little tuning. I use
    it often for when I am at sites that block UDP, I run OpenVPN over TCP port 443,
    which is less likely to be blocked by a restrictive network.

    --cro

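The thread keeps returning to an SSH tunnel opened from the master's network toward the minions. As an added example (not code from any poster or from the Salt project), the script below keeps such a tunnel up; because SSH is only possible in the master-to-minion direction, it uses remote (`-R`) forwards for Salt's default master ports 4505 and 4506. The `salt-tunnel` account, the host name and the retry interval are assumptions.

```shell
#!/bin/sh
# Added example: persistent reverse SSH tunnel from the master side to one minion.
# Assumptions: the Salt master listens on its default ports 4505/4506 on this
# host; "salt-tunnel" is a hypothetical unprivileged account on the minion host.

MASTER_ADDR=127.0.0.1          # where the master listens, seen from this host
TUNNEL_USER=salt-tunnel        # hypothetical account name
PORTS="4505 4506"              # Salt publish and return ports (defaults)

# Print the ssh argument list for one minion host, one -R per Salt port.
tunnel_args() {
    minion_host=$1
    args="-N -o BatchMode=yes -o ExitOnForwardFailure=yes"
    args="$args -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    for p in $PORTS; do
        # Bind on the minion's loopback only, so the forwarded master ports
        # are not exposed to the rest of the remote LAN.
        args="$args -R 127.0.0.1:$p:$MASTER_ADDR:$p"
    done
    printf '%s %s@%s\n' "$args" "$TUNNEL_USER" "$minion_host"
}

# Re-establish the tunnel whenever ssh exits (network drop, sshd restart).
keep_tunnel() {
    while :; do
        # Word splitting of the generated argument list is intended here.
        ssh $(tunnel_args "$1")
        sleep 10
    done
}

# Run as: sh tunnel.sh run minion1.example.com
# On the minion, /etc/salt/minion then needs:  master: 127.0.0.1
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    keep_tunnel "$2"
fi
```

Salt's own minion key acceptance still applies over the tunnel. Any local user on the minion host can reach the forwarded loopback ports, so the tunnel does not replace that check.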

Discussion Overview
group: salt-users
posted: Aug 4, '14 at 3:17p
active: Sep 3, '14 at 3:00p
posts: 6
users: 4
