How do I list IP addresses where minions connect from?

Question

Some minions are behind NAT and I'd like to get their public IP address as seen from master (for firewall purposes).

There is external_ip grain but AFAIK it depends on third party service and doesn't even work reliably for me.

pincoded · Answer 1 · 2014-09-09T10:01:57.007

3

First make sure that each of your minion has curl package installed.

Then you could use:

salt '*' cmd.run "curl ifconfig.me"

If ifconfig.me doesn't respond, you can use another provider:

salt '*' cmd.run "curl -s icanhazip.com"

Each minion will respond with the external ip address:

zeus.example.com:
    1.2.3.1
hera.example.com:
    1.2.3.2
apollo.example.com:
    1.2.3.3
athena.example.com:
    1.2.3.4

If curl is not installed the response will be:

castor.example.com:
    /bin/bash: curl: command not found

edited Sep 09 '14 at 10:01

answered Jul 29 '14 at 20:51

pincoded

359
2
9

They are behind a NAT. All they know is their private address... – Vasili Syrakis Jul 30 '14 at 07:17
1

Vasili, the command mentioned above, will return the public ip address, the one it is used to communicate with the master. Just try to run `curl ifconfig.me` from a host behind NAT, see what it returns. – pincoded Jul 30 '14 at 18:25
But the master sees nodes' public addresses and should be able to provide them, without need to use third parties! – Juraj Aug 31 '14 at 19:09
@Juraj, you can get the ip address of the minion via `salt '*' grains.item ipv4` but not the ip address from NAT. You query minions for information not the master itself. – pincoded Sep 12 '14 at 14:05
@pincoded I know. I made feature request for that: https://github.com/saltstack/salt/issues/15777 – Juraj Sep 13 '14 at 18:53

score 0 · Answer 2 · answered Jul 29 '14 at 12:20

A computer behind a NAT has no knowledge of the public IP address that it's meant to have... I don't think you'd be able to get this information from the minion itself.

This information has to come from your NAT device, whether it be a firewall, switch, or some other device. Maybe you could create a Runner in salt to retrieve that information for you.

Alternatively, you could simply drop in a file on your minion's filesystem that contains information such as the public IP address, which could be retrieved a bit easier...

But salt master does know where the minions connect from, why can't it publish this information? — Juraj, Jul 29 '14 at 12:31

How do I list IP addresses where minions connect from?

2 Answers2

Linked