Salt: Feature Request : master listening on many NIC

Created on 1 Jul 2016 · 8 Comments · Source: saltstack/salt

Hi,

Can you make it possible for the master config file to add more than one IP?

It would be handy for pushing configs across multiple networks.

Thanks

Core Feature stale

All 8 comments

I am not aware of this being in salt currently. Currently in the docs it states to use 0.0.0.0 for all interfaces, but I think it's a good idea to add this feature.

I am guessing this feature request is tied to #34332. Do you mind if we close that issue and track this feature here?

Yes, go ahead.

I am no network specialist, but apparently I have read many times that using 0.0.0.0 is not secure.

0.0.0.0 is not a security issue at all; it just means bind to any interface on the server. It is so you do not have to hard-code any of the local IP addresses, including loopback (localhost).

There is no difference between "adding all the IP addresses to a configuration file + 127.0.0.1" and 0.0.0.0.

You can always use firewall rules on the host to restrict access. Most OSes install with a locked-down firewall already, and you need to update the firewall rules to let the minions connect to the salt master in the first place.

The bind will fail if you list an IP address which does not exist on a server in the configuration file. It would be a bad idea to silently ignore an invalid IP address.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

I'd like to re-open the issue. There are situations where the local firewall is not the solution and :: (or 0.0.0.0) is too wide. Being able to specify multiple listen addresses would definitely be useful.

And I have no problem with the server refusing to start if it can't bind to one of the addresses because of a configuration error, as long as the error message clearly indicates which address caused the failure.
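
The behaviour requested in the comment above (listen only on the listed addresses, refuse to start and name the address that failed), sketched in Python as an added example. It is not Salt code and not part of the original thread; `bind_all` and `BindError` are hypothetical names, and the addresses in the demo are constructed.

```python
import ipaddress
import socket


class BindError(RuntimeError):
    """One configured listen address could not be bound."""

    def __init__(self, address, port, cause):
        super().__init__(f"cannot listen on {address!r} port {port}: {cause}")
        self.address = address  # lets the caller log exactly which entry is bad


def bind_all(addresses, port=0):
    """Open one TCP listener per configured address, all-or-nothing.

    port=0 lets the OS pick a free port (convenient for a demo).
    """
    listeners = []
    try:
        for addr in addresses:
            try:
                ip = ipaddress.ip_address(addr)  # rejects typos before bind()
            except ValueError as exc:
                raise BindError(addr, port, exc) from exc
            family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
            try:
                sock = socket.socket(family, socket.SOCK_STREAM)
                listeners.append(sock)
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                sock.bind((addr, port))  # typically EADDRNOTAVAIL if not local
                sock.listen(16)
            except OSError as exc:
                raise BindError(addr, port, exc) from exc
    except BindError:
        for sock in listeners:  # do not leave a half-started service behind
            sock.close()
        raise
    return listeners


if __name__ == "__main__":
    # Constructed sample config: loopback plus a TEST-NET-1 documentation address.
    try:
        bind_all(["127.0.0.1", "192.0.2.10"])
    except BindError as err:
        print(err)
```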

Thank you for updating this issue. It is no longer marked as stale.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

Re-open please. The issue is outstanding and would be useful.

Recent case was a salt cluster where each node (including the master) has a routed, public address and a private cluster address on a dedicated management network. Custom, vendor-provided kernel with no iptables support.
