Master to Minion Communication
Salt master is a dedicated server to manage one or multiple minion servers.
Salt master is the control center for the minions. Salt minions are the servers that run all the applications and services. Each minion is identified by a minion ID, and the Salt master targets minions by this ID.
Communication
The Salt management system consists of a Salt Master that sends commands to, and receives results from, Salt Minions running on different machines.
Salt master uses an AES-encrypted ZeroMQ connection to communicate with the minions. This communication is established over TCP ports 4505 and 4506, which need to be reachable on the master only, because the minions initiate the connections to the master. To allow these incoming connections to the master, this document outlines suggested firewall rules.
Firewall Configuration
FEDORA 18 AND BEYOND / RHEL 7 / CENTOS 7
To interact with FirewallD, use the firewall-cmd command.
firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp
We use firewall-cmd to interact with FirewallD, which supports both IPv4 and IPv6 settings. Choose the <zone> in the command according to your setup.
After making changes, you need to reload. For that, use the following command.
firewall-cmd --reload
RHEL 6 / CENTOS 6
Use the lokkit command to open the iptables firewall ports.
lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp
The lokkit command is packaged with these distributions; the command above opens TCP port 22 (SSH) together with the Salt ports 4505 and 4506.
To provide a text-based interface to modify the firewall, use the following command.
system-config-firewall-tui
OpenSUSE
In OpenSUSE, the firewall rules for Salt are defined in /etc/sysconfig/SuSEfirewall2.d/services/salt. To enable them, use the following commands.
SuSEfirewall2 open
SuSEfirewall2 start
For 4505 and 4506 TCP ports, the command will be like this.
SuSEfirewall2 open EXT TCP 4505
SuSEfirewall2 open EXT TCP 4506
To provide a text-based interface to modify the firewall in YaST2, use the following command.
yast2 firewall
IPTABLES
Iptables is used to configure packet filtering rules. It filters traffic to and from the server using tables of rules. The iptables rules file lives in different locations on different systems; a few common locations are listed below.
Note - iptables is the user-space tool for the Netfilter framework in the Linux kernel, so the two names are often used interchangeably.
Fedora / RHEL / CentOS
/etc/sysconfig/iptables
Arch Linux
/etc/iptables/iptables.rules
Debian
First, locate the iptables rules file; then add the following two lines to it to open TCP ports 4505 and 4506.
Script
-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
Ubuntu
In Ubuntu, firewall rules are placed in /etc/ufw/applications.d/salt.ufw. Use the following command to enable it.
ufw allow salt
PF.CONF
For operating systems that use the packet filter (pf), add the following lines to pf.conf to allow access to the Salt master.
Script
pass in on $int_if proto tcp from any to $int_if port 4505
pass in on $int_if proto tcp from any to $int_if port 4506
After adding the lines, reload pf.conf using the pfctl command.
pfctl -vf /etc/pf.conf
Example
Suppose we want only specific minion networks to communicate with the master and want to block all other traffic to the Salt ports.
The first case that comes to mind is preventing unwanted traffic to your Salt master for security reasons, but another case is handling Salt minion upgrades when there are backwards-incompatible changes between the Salt versions installed in your environment.
Here is an example Linux iptables ruleset to set on the master:
Ruleset:
# Allow Minions from these networks
-I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Allow Salt to communicate with Master on the loopback interface
-A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Reject everything else
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT
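The following shell script is an added example, not part of the original article or of Salt itself. It generates the allow-list ruleset above (and the Debian-style lines earlier) from a list of minion networks in iptables-restore format, and includes a check that the catch-all REJECT rule does not end up ahead of any ACCEPT rule, which is the ordering mistake that silently cuts minions off. The network list and the `salt_master_rules`/`check_salt_rule_order` names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build the Salt master
# iptables ruleset for a list of trusted minion networks and check that
# the ACCEPT rules stay ahead of the final REJECT.
# Assumes iptables-restore syntax; the networks are whatever the caller passes.

SALT_PORTS="-p tcp -m multiport --dports 4505,4506"

# Print a complete filter table that allows the Salt ports (publish 4505,
# request 4506) only from the given networks plus loopback, then rejects
# everything else. Rules are appended in order, so accepts precede the reject.
salt_master_rules() {
    printf '%s\n' '*filter'
    for net in "$@"; do
        # Basic sanity check: only digits, dots and a slash belong in an IPv4
        # CIDR. A stray character would otherwise end up in the rules file.
        case "$net" in
            ""|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -s $net $SALT_PORTS -j ACCEPT"
    done
    # Salt components on the master itself talk over loopback.
    printf '%s\n' "-A INPUT -i lo $SALT_PORTS -j ACCEPT"
    printf '%s\n' "-A INPUT $SALT_PORTS -j REJECT"
    printf '%s\n' 'COMMIT'
}

# Read a ruleset on stdin and fail (exit 1) if any ACCEPT for the Salt ports
# appears after the REJECT rule, i.e. the catch-all would shadow a minion
# network and those minions could never reach the master.
check_salt_rule_order() {
    awk '
        /--dports 4505,4506/ && /-j REJECT/ { seen_reject = 1 }
        /--dports 4505,4506/ && /-j ACCEPT/ && seen_reject { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}
```

Run `salt_master_rules 10.1.2.0/24 10.1.3.0/24 > /tmp/salt.rules` and feed the file to `iptables-restore` (or to `check_salt_rule_order` first if the file was edited by hand).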
Frequently Asked Questions
What is Salt Minion?
Salt minions are the servers that run applications and services.
What is Salt Master?
Salt master is the server that issues the remote execution commands; it commands and controls its minions.
Why do we need to authenticate minions?
To keep out unwanted traffic and provide security.
What is the Advantage of SaltStack?
SaltStack can be set up in a tiered configuration to achieve load balancing and provide redundancy.
Who uses SaltStack?
Various organizations use SaltStack software to manage and protect digital business infrastructure at scale, including TD Bank, IBM Cloud, LinkedIn, eBay, Lego, First Data, Bloomberg, Adobe, Sanofi, and thousands more.
Conclusion
In this article, we discussed how the Salt master communicates with Salt minions. We learned how the Salt master identifies minions, how firewall rules for the Salt master are set on different systems, how to block unwanted traffic, and the commands for doing all of this.
We hope this blog was helpful. You can also refer to other similar articles.