How to use Salt Stack with minions all behind NAT (not publicly accessible, default salt ports not open)?

Posted by MountainX on Server Fault
Published on 2013-06-25T01:47:10Z Indexed on 2013/06/25 4:22 UTC

Can Salt Stack minions communicate with the salt master from behind NAT/Firewalls, etc., using standard ports that would be open by default in all consumer NAT routers (and without the minions having a public DNS record or static IP)?

I'm working my way through my first salt tutorial, and this is where I'm stuck.

I am able to configure iptables on the Ubuntu salt-master. But I have no control over the routers/NAT that the minions will sit behind.

So far I tried these settings:

/etc/salt/master:

publish_port: 465
ret_port: 443

/etc/salt/minion:

master_port: 465

That did not work.

Background:

I have a custom developed application presently running on about 40 Kubuntu laptops (& more planned). Every few months I have to update the application. (Often this just amounts to replacing a .jar file, which requires root permissions.) I also have to run Ubuntu updates and a few other minor things. I've been doing it manually, one by one, using Team Viewer to log into each client.

I would like to dramatically improve this process. The two options I'm aware of are either:

  1. use reverse ssh tunnels and bash scripts. I tested this and it works. But I don't get any of the reporting, etc., I would get with Salt Stack.

  2. use Salt Stack (or similar) management tool. But I need a really simple tool. I can't invest any time in a big learning curve.

I looked at Puppet and a bunch of related tools. The only one I found that looked simple enough for me (so far) was Salt Stack. But I'm stuck now because my minion can't reach the salt-master, as stated above.

I appreciate suggestions.
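Added example (editor's code, not from the original post and not Salt's own configuration loader): a small consistency check for the two port settings the question changes. Salt minions open both connections outbound to the master, one to the master's publish_port (default 4505) and one to its ret_port (default 4506), so nothing needs to be opened inbound on the minion's router. The minion's master_port setting must equal the master's ret_port; the publish port is handed to the minion by the master during key authentication and is not configured on the minion. The embedded config strings are constructed for the demonstration: they reproduce the values from the question plus a corrected minion file. parse_flat_yaml is a minimal stand-in for flat "key: value" files, not a real YAML parser.

```python
"""Check that a Salt master's port settings and a minion's master_port agree.

Rule encoded here (from Salt's documented behaviour): the minion connects
outbound to the master on ret_port (REQ/REP) and publish_port (PUB/SUB);
master_port on the minion must equal ret_port on the master, and the master
needs two distinct ports for its two listeners.
"""
from typing import Dict, List


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines (assumption: no nesting, no lists).

    Blank lines and '#' comments are ignored. This is only enough for the
    scalar settings used here, not a general YAML parser.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_ports(master_cfg: Dict[str, str], minion_cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems (empty list means the pair is consistent).

    Missing settings fall back to Salt's defaults (4505/4506).
    """
    problems: List[str] = []
    try:
        publish = int(master_cfg.get("publish_port", 4505))
        ret = int(master_cfg.get("ret_port", 4506))
        master_port = int(minion_cfg.get("master_port", 4506))
    except ValueError as exc:
        return ["non-numeric port setting: %s" % exc]

    for name, port in (("publish_port", publish), ("ret_port", ret),
                       ("master_port", master_port)):
        if not 1 <= port <= 65535:
            problems.append("%s=%d is outside 1-65535" % (name, port))

    if publish == ret:
        problems.append(
            "publish_port and ret_port are both %d; the master needs two "
            "distinct listeners" % publish)
    if master_port != ret:
        problems.append(
            "minion master_port=%d does not match master ret_port=%d; the "
            "minion will never reach the master's return server"
            % (master_port, ret))
    return problems


# Constructed sample configs (values taken from the question, plus a fix).
MASTER_AS_POSTED = """
publish_port: 465
ret_port: 443
"""
MINION_AS_POSTED = """
master_port: 465   # points at publish_port, which is the mismatch
"""
MINION_FIXED = """
master_port: 443   # must equal the master's ret_port
"""


def report(label: str, master_text: str, minion_text: str) -> List[str]:
    """Run the check on raw config text and print a one-line verdict."""
    problems = check_ports(parse_flat_yaml(master_text), parse_flat_yaml(minion_text))
    print("%s: %s" % (label, "OK" if not problems else "; ".join(problems)))
    return problems


if __name__ == "__main__":
    report("as posted", MASTER_AS_POSTED, MINION_AS_POSTED)
    report("fixed", MASTER_AS_POSTED, MINION_FIXED)
```

Two practical caveats when picking ports like 443 or 465 on the master: they must not already be bound by another service on that host (an HTTPS server on 443, for example), and with the default ZeroMQ transport of this era the minion still has to reach both ports, so an egress filter at the minion's site that permits only 443 would still block the publish connection.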

