Linux – SaltStack minions require restart after replacing master

linux saltstack windows

I'm using SaltStack to manage several servers on EC2, including both Linux and MS-Windows installations. The master server is deployable in its entirety (using cloud-init) and when I change the configuration of the master I just trash the old master and recreate it from scratch. The master keys are part of the persistent configuration, and autosign is used to accept known hosts automatically, so rebuilding is not a problem for the PKI.

After recreating the master, I can see (by running salt-key -L) that the minions reconnect, but they are not responding (salt '*' test.ping does not list any response). Restarting the salt-minion service on each host solves the problem, though this does require manually logging in to each and every managed host to issue the restart.

Is there some setup that can be done to prevent that problem?

Best Answer

Do you use the same master key? I assume that if a new master key is generated, the minions might not trust it anymore. Just a guess though...
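The guess in the answer can be checked by comparing the rebuilt master's public key with the copy a minion cached when it first connected. This is an added example, not part of the original posts: it assumes Salt's default Linux key paths, the function names and the fingerprint format are this example's own (not Salt's), and the sample keys are constructed.

```python
import base64
import hashlib

# Assumed default Salt paths on Linux (they differ if pki_dir is changed):
#   master:  /etc/salt/pki/master/master.pub
#   minion:  /etc/salt/pki/minion/minion_master.pub  (cached copy of the master key)


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 over the decoded PEM body, so CRLF/LF and line wrapping do not matter.

    This is this example's own fingerprint, not Salt's fingerprint format.
    """
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()


def fingerprint_file(path: str) -> str:
    """Fingerprint a key file; run on the master and on a minion, then compare."""
    with open(path, "r", encoding="ascii") as handle:
        return pem_fingerprint(handle.read())


def master_key_matches(master_pem: str, cached_pem: str) -> bool:
    """True when the minion's cached copy is the key the master presents now."""
    return pem_fingerprint(master_pem) == pem_fingerprint(cached_pem)


def make_sample_pem(seed: bytes, newline: str = "\n") -> str:
    """Build a constructed, non-functional PEM block for the demonstration."""
    body = base64.encodebytes(seed * 12).decode().split()
    return newline.join(["-----BEGIN PUBLIC KEY-----", *body,
                         "-----END PUBLIC KEY-----", ""])


if __name__ == "__main__":
    persisted = make_sample_pem(b"constructed-key-A")
    windows_copy = make_sample_pem(b"constructed-key-A", "\r\n")  # same key, CRLF
    regenerated = make_sample_pem(b"constructed-key-B")           # new key pair
    print("persisted key vs CRLF copy:", master_key_matches(persisted, windows_copy))
    print("persisted key vs new key:  ", master_key_matches(persisted, regenerated))
```

A match on every minion means the cached key is the one the rebuilt master presents, so the key-trust guess does not apply to that host.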