New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Presence detection for minions behind NAT not working #51764
Comments
@saltstack/team-core Any thoughts on this one? |
Should |
@waynew No, |
Ah, I see. So it sounds like the problem is really just that the master is missing some bit of information - perhaps there should be another grain set from the minion corresponding to the visible IP from the master? I'm fairly new to that corner of the world, but given what I just read about
That, combined with the source that you linked to, leads me to believe that there's a grain that should be there that isn't. Of course we may not have thought about such a layout when we were building that feature, so we may never have written code to support that. But we should 😀 |
@brejoc if you'll append ipv4 grain with the external minion ip address the alived shall work. Is it possible for you to do |
@DmitryKuzmenko This workaround should indeed work, but might also cause additional problems when relying on that grain for other purposes. |
I just did a test-run with two minions behind the same NAT. Both got the IPv4 address of the NAT as the ipv4 grain. As expected both of them are in the list wen |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. |
@waynew or @DmitryKuzmenko can one of you please do a bit of follow up, here? |
Thank you for updating this issue. It is no longer marked as stale. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. |
Bad bot! |
Thank you for updating this issue. It is no longer marked as stale. |
Okay, how it works now. Master takes 2 lists:
Master returns intersection of these sets. By obvious reason there are no minions behind NAT. I have no quick ideas for the solution. I'll think about it. Sorry for missing this issue. |
I think the presence detection can't be done solely via checking the connections. Would we get the necessary information for the zeromq connections somehow? |
@DmitryKuzmenko Do you maybe have an idea if this could be done at the application level without putting additional pressure on the network? The TCP connections just can't provide the information we need on this. |
If I remember correctly zeromq doesn't provide any useful information about the opposite side of the connection ever in request-reply sockets. You can get the source IP from TCP socket but not from ZeroMQ. |
Also seeing this as an issue. All minions behind NAT are not shown as present. |
Having given various ideas some thought here, I think the minion data cache on the master needs to be populated with the address from which the minion is connecting and the src port. This can then be compared in the presence detection (which already uses the data cache) to determine if the minion is alive over NAT. |
This is still an issue; minions behind NAT are not considered to be alive/joined according to salt's presence-detection system, can @sagetherage @waynew please offer some input as to how it can be moved forward? |
Any news here? This would really help to setup other services which need the ip address the minions are connecting from. |
Description of Issue/Question
Presence detection for minions behind a NAT is not working. In minions.py we fetch all of the IPv4 addresses of the minions. For
minion1
this will be the IP address the master can see. But forminion2
this will be the address the minion gets behind the NAT. Then those addresses are compared to the addresses the master can see from the minions, which will be the address of the NAT forminion2
.I'm not sure how to address this. Any hints welcome!
Setup
minion1
is directly connected to the master.minion2
is behind a NAT.Steps to Reproduce Issue
Let both minions connect and fire a
salt-run manage.alived
.Then you will see this:
While this was expected, since both minions are connected:
Versions Report
But since this was introduced in
2015.8.0
, this should be faulty all the way down.The text was updated successfully, but these errors were encountered: