What open ports are required on firewall to allow for salt-stack remote execution?


Question

The documentation on saltstack appears to be unclear regarding what ports are required from the salt-master -> salt-minion (apparently none are required). It suggests that ports only need to be opened from the salt-minion -> salt-master. (See: http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html)

If however commands are executed remotely on the salt-master targeted to a minion, surely the master needs to be able to push this into the minion and therefore require a network opening to allow for this.

Therefore my question is if the saltstack ports (4505 & 4506) need to be opened in both directions, or whether the remote commands are triggered over another protocol?

[A bit of background: My team wants a salt-stack setup to manage a server landscape in quite a restrictive network where each individual network route needs to be requested in the security concept. This is not controlled by our company and I need to explicitly request all required routes, in each direction.]

Answer

Salt uses a zeromq pub/sub interface to communicate with the minions. Indeed, you only need to open ports 4505 and 4506 on the master's firewall.

The minions listen on one port on the master, which is the "pub" port, and then return results to the master on the other port.

The master never actually "pushes" commands to the minions. The minions listen for commands published on the pub port, which is why you don't need to open any incoming ports on your minions.
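The answer's point is that every socket is opened from the minion side: salt-minion connects out to the master's TCP port 4505 (pub) and TCP port 4506 (ret), and never listens itself. The script below is an added example, not part of the original question or answer and not Salt's own tooling. Run on a minion, it reads `ss -tnp` output and confirms that direction, and it also flags the common half-open mistake of requesting only the 4505 route (the minion then receives jobs but can never return results). The master address, minion address and PIDs in the embedded sample output are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original Q&A. Run on a MINION to confirm the
# traffic direction the answer describes: salt-minion holds outbound TCP
# connections to the master's 4505 (pub) and 4506 (ret) ports and has no
# listening socket of its own, so no inbound rule is needed on the minion.
# MASTER_IP, the addresses and the PIDs below are made-up illustration values.

MASTER_IP="${MASTER_IP:-10.0.0.5}"

# Constructed `ss -tnp` output from a healthy minion (not captured from a real host).
GOOD_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.1.21:53012     10.0.0.5:4505      users:(("salt-minion",pid=1234,fd=15))
ESTAB  0      0      10.0.1.21:53014     10.0.0.5:4506      users:(("salt-minion",pid=1234,fd=18))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))'

# Constructed output from a minion whose ret (4506) route is blocked: a firewall
# that only allows 4505 lets the minion receive jobs but never return results,
# which shows up as a missing 4506 socket.
BAD_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.1.21:53012     10.0.0.5:4505      users:(("salt-minion",pid=1234,fd=15))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))'

# Print, one per line, the master-side ports salt-minion is connected to
# (IPv4 addresses assumed: the port is the text after the last colon).
salt_ports_from_ss() {
    awk -v master="$MASTER_IP" '
        $1 == "ESTAB" && $0 ~ /"salt-minion"/ {
            n = split($5, f, ":")
            port = f[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host == master) print port
        }' | sort -un
}

# Exit 0 if salt-minion owns any LISTEN socket; it should not.
salt_minion_listens() {
    awk '$1 == "LISTEN" && $0 ~ /"salt-minion"/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 when the minion is connected to the master on exactly 4505 and 4506
# and listens on nothing; otherwise print the reason to stderr and return 1.
check_minion_connectivity() {
    local ss_output="$1" ports
    ports=$(printf '%s\n' "$ss_output" | salt_ports_from_ss | paste -sd ' ')
    if [ "$ports" != "4505 4506" ]; then
        echo "expected outbound connections to $MASTER_IP on 4505 and 4506, saw: '${ports:-none}'" >&2
        return 1
    fi
    if printf '%s\n' "$ss_output" | salt_minion_listens; then
        echo "salt-minion has a LISTEN socket; it should only connect out" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples.
check_minion_connectivity "$GOOD_SS" && echo "GOOD_SS: direction as expected"
check_minion_connectivity "$BAD_SS"  || echo "BAD_SS: flagged"
```

On a real minion, run it as root (ss only shows other users' process names with privileges) with `MASTER_IP=<master> check_minion_connectivity "$(ss -tnp)"`. The local ports in the output are ephemeral and the remote ports are 4505 and 4506, which is the evidence to attach to the route request: two routes, minion to master, TCP 4505 and TCP 4506, and nothing in the master-to-minion direction.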
