Use sysctl ini-like config file

Starting from RabbitMQ 3.7.0 it's recommended to use new-style
config which is simply an ini file.

It's easier to read and maintain config file in ini fromat rather then
in classic erlang.

At the same time we still keep old-style config as it might have settings
that are not supported in new-style config.

There're no evidences that used there options are still supported,
but it's worth deprecating them in follow-up patch anyway.

Change-Id: I239366ad4aa2bc7a02d826b6c2f94631f4b0e622

defaults/main.yml

@@ -227,6 +227,9 @@ rabbitmq_collect_statistics_interval: 5000
 
 # RabbitMQ Management service bind address
 rabbitmq_management_bind_address: 0.0.0.0
+rabbitmq_management_bind_tcp_port: 15672
+rabbitmq_management_bind_tls_port: 15671
+rabbitmq_management_ssl: true
 
 # RabbitMQ Management rates mode
 rabbitmq_management_rates_mode: basic

releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    New variables that provide better control over RabbitMQ management
+    interface have been implemented:
+
+    * rabbitmq_management_bind_tcp_port
+    * rabbitmq_management_bind_tls_port
+    * rabbitmq_management_ssl
+
+upgrade:
+  - |
+    RabbitMQ was migrated to the new-style config, which resides in
+    ``/etc/rabbitmq/rabbitmq.conf``. Old config ``rabbitmq.config`` will be
+    removed during upgrade.

tasks/rabbitmq_post_install.yml

@@ -30,13 +30,21 @@
     dest: "{{ item.dest }}"
     owner: "{{ rabbit_system_user_name }}"
     group: "{{ rabbit_system_group_name }}"
+    mode: "{{ item.mode | default('0640') }}"
   with_items:
-    - { src: "rabbitmq.config.j2", dest: "/etc/rabbitmq/rabbitmq.config" }
-    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server" }
+    - { src: "rabbitmq.conf.j2", dest: "/etc/rabbitmq/rabbitmq.conf" }
+    - { src: "advanced.config.j2", dest: "/etc/rabbitmq/advanced.config" }
+    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server", mode: "0644" }
     - { src: "rabbitmq-env.j2", dest: "/etc/rabbitmq/rabbitmq-env.conf" }
   tags:
     - rabbitmq-config
 
+# TODO(noonedeadpunk): Remove after Z release
+- name: Remove old rabbitmq config
+  file:
+    path: /etc/rabbitmq/rabbitmq.config
+    state: absent
+
 - name: Apply resource limits (systemd)
   template:
     src: "limits.conf.j2"

templates/advanced.config.j2

@@ -0,0 +1,3 @@
+[
+  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
+].

templates/rabbitmq-env.j2

@@ -4,7 +4,3 @@
 NODENAME=rabbit@{{ ansible_facts['hostname'] }}
 RABBITMQ_IO_THREAD_POOL_SIZE={{ rabbitmq_async_threads }}
 RABBITMQ_SERVER_ERL_ARGS="+P {{ rabbitmq_process_limit }}"
-
-{% if (rabbitmq_management_bind_address != '0.0.0.0') %}
-export ERL_EPMD_ADDRESS={{ rabbitmq_management_bind_address }}
-{% endif %}

templates/rabbitmq.conf.j2

@@ -0,0 +1,70 @@
+
+collect_statistics_interval = {{ rabbitmq_collect_statistics_interval }}
+
+{% for key, value in rabbitmq_port_bindings.items() %}
+{%   if 'tcp' in key %}
+{%     set _opt = 'tcp' %}
+{%   elif 'ssl' in key %}
+{%     set _opt = 'ssl' %}
+{%   endif %}
+{%   for _key, _value in value.items() %}
+listeners.{{ _opt }}.{{ loop.index }} = {{ _key }}:{{ _value }}
+{%   endfor %}
+{% endfor %}
+
+ssl_options.certfile   = {{ rabbitmq_ssl_cert }}
+ssl_options.keyfile    = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+ssl_options.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+ssl_options.honor_cipher_order   = true
+ssl_options.honor_ecc_order      = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+ssl_options.client_renegotiation = false
+ssl_options.secure_renegotiate   = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+ssl_options.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+ssl_options.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+ssl_options.verify               = {{ rabbitmq_ssl_verify | lower }}
+ssl_options.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+
+{% if rabbitmq_memory_high_watermark is float %}
+{%  set watermark_type = 'relative' %}
+{% else %}
+{%  set watermark_type = 'absolute' %}
+{% endif %}
+vm_memory_high_watermark.{{ watermark_type }} = {{ rabbitmq_memory_high_watermark }}
+cluster_partition_handling = {{ rabbitmq_cluster_partition_handling }}
+
+# Management plugin configuration
+
+{% if rabbitmq_management_ssl %}
+management.ssl.ip = {{ rabbitmq_management_bind_address }}
+management.ssl.port = {{ rabbitmq_management_bind_tls_port }}
+management.ssl.certfile   = {{ rabbitmq_ssl_cert }}
+management.ssl.keyfile    = {{ rabbitmq_ssl_key }}
+{%   if rabbitmq_user_ssl_ca_cert is defined -%}
+management.ssl.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{%   endif %}
+management.ssl.honor_cipher_order   = true
+management.ssl.honor_ecc_order      = true
+{%   if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate   = true
+{%   endif %}
+{%   for version in rabbitmq_ssl_tls_versions %}
+management.ssl.versions.{{ loop.index }} = {{ version }}
+{%   endfor %}
+{%   for cipher in rabbitmq_ssl_ciphers %}
+management.ssl.ciphers.{{ loop.index }} = {{ cipher }}
+{%   endfor %}
+management.ssl.verify               = {{ rabbitmq_ssl_verify | lower }}
+management.ssl.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+{% else %}
+management.tcp.ip = {{ rabbitmq_management_bind_address }}
+management.tcp.port = {{ rabbitmq_management_bind_tcp_port }}
+{% endif %}

templates/rabbitmq.config.j2

@@ -1,66 +0,0 @@
-[
-  { rabbit, [
-      { loopback_users, [] },
-{% for key, value in rabbitmq_port_bindings.items() %}
-      { {{ key }}, [
-{%    for _key, _value in value.items() %}
-          { "{{ _key }}", {{ _value | int }} }{% if not loop.last -%},{%- endif %}
-
-{%    endfor %}
-        ]
-      },
-{% endfor %}
-      { collect_statistics_interval, {{ rabbitmq_collect_statistics_interval }} },
-      { ssl_options, [
-          { certfile, "{{ rabbitmq_ssl_cert }}" },
-          { keyfile, "{{ rabbitmq_ssl_key }}" },
-          { honor_cipher_order, true},
-          { honor_ecc_order, true},
-{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
-          { client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
-          { secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
-{% endif %}
-{% if rabbitmq_user_ssl_ca_cert is defined -%}
-          { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
-{% endif %}
-          { versions, [
-{% for version in rabbitmq_ssl_tls_versions %}
-              '{{ version }}'{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-            ]
-          },
-{% if rabbitmq_ssl_ciphers | length > 0 %}
-          { ciphers, [
-{%   for cipher in rabbitmq_ssl_ciphers %}
-              "{{ cipher }}"{% if not loop.last -%},{%- endif %}
-
-{%   endfor %}
-            ]
-          },
-{% endif %}
-          { verify, {{ rabbitmq_ssl_verify | lower }} },
-          { fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
-        ]
-      },
-      { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }
-{%- if rabbitmq_cluster_partition_handling != 'ignore' -%}
-,
-      { cluster_partition_handling, {{ rabbitmq_cluster_partition_handling }} }
-{%- endif -%}
-{%- if rabbitmq_hipe_compile | bool -%}
-,
-      { hipe_compile, true }
-{% endif %}
-    ]
-  },
-  { rabbitmq_management, [
-      { rates_mode, {{ rabbitmq_management_rates_mode }} },
-      { listener, [{ip, "{{ rabbitmq_management_bind_address }}" }]}
-    ]
-  },
-  {kernel, [
-     {inet_dist_use_interface, { {{ rabbitmq_management_bind_address|replace('.',',') }} } }
-  ]},
-  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
-].