The Salt master communicates with the minions using an AES-encrypted ZeroMQ connection. These communications are done over TCP ports 4505 and 4506, which need to be accessible on the master only. This document outlines suggested firewall rules for allowing these incoming connections to the master.
注解
在Salt minions端没有设置防火墙的必要。下面的配置只是涉及master。
Starting with Fedora 18 FirewallD is the tool that is used to dynamically
manage the firewall rules on a host. It has support for IPv4/6 settings and
the separation of runtime and permanent configurations. To interact with
FirewallD use the command line client firewall-cmd
.
firewall-cmd example:
firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp
Please choose the desired zone according to your setup. Don't forget to reload after you made your changes.
firewall-cmd --reload
一些Linux发行版带有的``lokkit``命令行软件可以很简单的通过命令行打开iptables防火墙的端口。只是需要小心不要太粗心而关闭了ssh端口。
lokkit范例:
lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp
``system-config-firewall-tui``命令提供了一个文本界面来修改防火墙配置。
system-config-firewall-tui:
system-config-firewall-tui
Salt安装防火墙规则通过 /etc/sysconfig/SuSEfirewall2.d/services/salt。使用这个方法开启:
SuSEfirewall2 open
SuSEfirewall2 start
如果你有一个旧版本的Salt,并不包含以上的配置文件,那么可以使用``SuSEfirewall2``命令非常简单的通过命令行打开iptables防火墙端口。
SuSEfirewall范例:
SuSEfirewall2 open EXT TCP 4505
SuSEfirewall2 open EXT TCP 4506
在YaST2中已经提供了一个几乎文本界面的防火墙模块去修改防火墙配置。
YaST2:
yast2 firewall
不同Linux发行版的`iptables`_ (又名`netfilter`_) 规则存放在不同的路径,使得很难形成一个标准化防火墙配置文档。本文档已经包含了一些更常见的路径,但是你的情况可能有所不同。
Fedora / RHEL / CentOS:
/etc/sysconfig/iptables
Arch Linux:
/etc/iptables/iptables.rules
Debian
依照这些操作指南: https://wiki.debian.org/iptables
一旦你找到了你的防火墙规则配置,你需要加入下面两条规则``tcp/4505``和``tcp/4506``来允许数据传输:
-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
Ubuntu
Salt安装防火墙规则通过 /etc/ufw/applications.d/salt.ufw。使用这个方法开启:
ufw allow salt
BSD家族的操作系统使用`packet filter (pf)`_。接下来的例子描述了如何添加附加选项到``pf.conf``来访问Salt master。
pass in on $int_if proto tcp from any to $int_if port 4505
pass in on $int_if proto tcp from any to $int_if port 4506
一旦这些附加选项在``pf.conf``配置,规则需要重新加载。这些可以通过使用``pfctl``命令完成。
pfctl -vf /etc/pf.conf
There are situations where you want to selectively allow Minion traffic from specific hosts or networks into your Salt Master. The first scenario which comes to mind is to prevent unwanted traffic to your Master out of security concerns, but another scenario is to handle Minion upgrades when there are backwards incompatible changes between the installed Salt versions in your environment.
这里有个范例:ref:`Linux iptables <linux-iptables>`在Master端如何设置:
# Allow Minions from these networks
-I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Allow Salt to communicate with Master on the loopback interface
-A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Reject everything else
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT
注解
重要的是注意这里``salt``命令需要传递一个``salt-master``的监听网络socket在*loopback*接口。没有这个你将会看不到Salt从master端输出的信息,即使是简单的``salt '*' test.ping``,因为``salt``客户端从没有接收到``salt-master``告诉它要执行什么。