diff --git a/defaults/main.yml b/defaults/main.yml
index 798b44e9..c512fb96 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -227,6 +227,9 @@ rabbitmq_collect_statistics_interval: 5000
 
 # RabbitMQ Management service bind address
 rabbitmq_management_bind_address: 0.0.0.0
+rabbitmq_management_bind_tcp_port: 15672
+rabbitmq_management_bind_tls_port: 15671
+rabbitmq_management_ssl: true
 
 # RabbitMQ Management rates mode
 rabbitmq_management_rates_mode: basic
diff --git a/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml b/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
new file mode 100644
index 00000000..ef05a2ce
--- /dev/null
+++ b/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    New variables that provide better control over RabbitMQ management
+    interface have been implemented:
+
+    * rabbitmq_management_bind_tcp_port
+    * rabbitmq_management_bind_tls_port
+    * rabbitmq_management_ssl
+
+upgrade:
+  - |
+    RabbitMQ was migrated to the new-style config, which resides in
+    ``/etc/rabbitmq/rabbitmq.conf``. Old config ``rabbitmq.config`` will be
+    removed during upgrade.
diff --git a/tasks/rabbitmq_post_install.yml b/tasks/rabbitmq_post_install.yml
index a4741ba4..b3dbb4be 100644
--- a/tasks/rabbitmq_post_install.yml
+++ b/tasks/rabbitmq_post_install.yml
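Review bot: The three added variables carry no descriptive comment, while every neighbouring variable in the hunk (`rabbitmq_management_bind_address`, `rabbitmq_management_rates_mode`) is introduced by one; add `# RabbitMQ Management listener ports; with rabbitmq_management_ssl enabled only the TLS listener on rabbitmq_management_bind_tls_port is configured` above them. The `true` default is a behaviour change for existing deployments: the new rabbitmq.conf.j2 template in this commit emits `management.tcp.*` only in its `{% else %}` branch, so the plain-HTTP management listener on 15672 disappears on upgrade unless the variable is overridden. The release note added by this commit lists the new variables but not that effect; its upgrade section should state it.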
@@ -30,13 +30,21 @@
     dest: "{{ item.dest }}"
     owner: "{{ rabbit_system_user_name }}"
     group: "{{ rabbit_system_group_name }}"
+    mode: "{{ item.mode | default('0640') }}"
   with_items:
-    - { src: "rabbitmq.config.j2", dest: "/etc/rabbitmq/rabbitmq.config" }
-    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server" }
+    - { src: "rabbitmq.conf.j2", dest: "/etc/rabbitmq/rabbitmq.conf" }
+    - { src: "advanced.config.j2", dest: "/etc/rabbitmq/advanced.config" }
+    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server", mode: "0644" }
     - { src: "rabbitmq-env.j2", dest: "/etc/rabbitmq/rabbitmq-env.conf" }
   tags:
     - rabbitmq-config
 
+# TODO(noonedeadpunk): Remove after Z release
+- name: Remove old rabbitmq config
+  file:
+    path: /etc/rabbitmq/rabbitmq.config
+    state: absent
+
 - name: Apply resource limits (systemd)
   template:
     src: "limits.conf.j2"
diff --git a/templates/advanced.config.j2 b/templates/advanced.config.j2
new file mode 100644
index 00000000..c2d3ab68
--- /dev/null
+++ b/templates/advanced.config.j2
@@ -0,0 +1,3 @@
+[
+  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
+].
diff --git a/templates/rabbitmq-env.j2 b/templates/rabbitmq-env.j2
index 93d58d1f..91d98f87 100644
--- a/templates/rabbitmq-env.j2
+++ b/templates/rabbitmq-env.j2
@@ -4,7 +4,3 @@
 NODENAME=rabbit@{{ ansible_facts['hostname'] }}
 RABBITMQ_IO_THREAD_POOL_SIZE={{ rabbitmq_async_threads }}
 RABBITMQ_SERVER_ERL_ARGS="+P {{ rabbitmq_process_limit }}"
-
-{% if (rabbitmq_management_bind_address != '0.0.0.0') %}
-export ERL_EPMD_ADDRESS={{ rabbitmq_management_bind_address }}
-{% endif %}
diff --git a/templates/rabbitmq.conf.j2 b/templates/rabbitmq.conf.j2
new file mode 100644
index 00000000..9e9e9d74
--- /dev/null
+++ b/templates/rabbitmq.conf.j2
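Review bot: The new `Remove old rabbitmq config` task is not tagged `rabbitmq-config`, unlike the template task directly above it, so a run limited to that tag renders the new `/etc/rabbitmq/rabbitmq.conf` but leaves the legacy `/etc/rabbitmq/rabbitmq.config` in place; add `tags:` / `- rabbitmq-config` to the new task. The template task itself starts above the hunk (its `- name:` and `template:` lines are outside line 30), so I cannot see whether it notifies a restart handler; if it does, removing the old file should notify the same handler so a node is never left running with a configuration that no longer exists on disk. The `mode: "{{ item.mode | default('0640') }}"` default is a welcome tightening, since the rendered files reference TLS key paths.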
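Review bot: The kernel `inet_dist_use_interface` setting from the deleted `rabbitmq.config.j2` has no counterpart in this new advanced.config, and the `rabbitmq-env.j2` hunk in the same commit removes the conditional `ERL_EPMD_ADDRESS` export, so after this change `rabbitmq_management_bind_address` no longer restricts the Erlang distribution listener or epmd to the chosen interface — only the AMQP and management listeners honour it. If that is intended, the release note's upgrade section should say so; otherwise this file is the place to carry it back, with `{kernel, [{inet_dist_use_interface, { {{ rabbitmq_management_bind_address | replace('.', ',') }} } }]},` before the `mnesia` tuple and the env export restored in rabbitmq-env.j2. I read this as an unintended drop rather than a deliberate one, since the release note does not mention it.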
@@ -0,0 +1,70 @@
+
+collect_statistics_interval = {{ rabbitmq_collect_statistics_interval }}
+
+{% for key, value in rabbitmq_port_bindings.items() %}
+{% if 'tcp' in key %}
+{% set _opt = 'tcp' %}
+{% elif 'ssl' in key %}
+{% set _opt = 'ssl' %}
+{% endif %}
+{% for _key, _value in value.items() %}
+listeners.{{ _opt }}.{{ loop.index }} = {{ _key }}:{{ _value }}
+{% endfor %}
+{% endfor %}
+
+ssl_options.certfile = {{ rabbitmq_ssl_cert }}
+ssl_options.keyfile = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+ssl_options.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+ssl_options.honor_cipher_order = true
+ssl_options.honor_ecc_order = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+ssl_options.client_renegotiation = false
+ssl_options.secure_renegotiate = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+ssl_options.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+ssl_options.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+ssl_options.verify = {{ rabbitmq_ssl_verify | lower }}
+ssl_options.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+
+{% if rabbitmq_memory_high_watermark is float %}
+{% set watermark_type = 'relative' %}
+{% else %}
+{% set watermark_type = 'absolute' %}
+{% endif %}
+vm_memory_high_watermark.{{ watermark_type }} = {{ rabbitmq_memory_high_watermark }}
+cluster_partition_handling = {{ rabbitmq_cluster_partition_handling }}
+
+# Management plugin configuration
+
+{% if rabbitmq_management_ssl %}
+management.ssl.ip = {{ rabbitmq_management_bind_address }}
+management.ssl.port = {{ rabbitmq_management_bind_tls_port }}
+management.ssl.certfile = {{ rabbitmq_ssl_cert }}
+management.ssl.keyfile = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+management.ssl.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+management.ssl.honor_cipher_order = true
+management.ssl.honor_ecc_order = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+management.ssl.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+management.ssl.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+management.ssl.verify = {{ rabbitmq_ssl_verify | lower }}
+management.ssl.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+{% else %}
+management.tcp.ip = {{ rabbitmq_management_bind_address }}
+management.tcp.port = {{ rabbitmq_management_bind_tcp_port }}
+{% endif %}
diff --git a/templates/rabbitmq.config.j2 b/templates/rabbitmq.config.j2
deleted file mode 100644
index 3c3a322e..00000000
--- a/templates/rabbitmq.config.j2
+++ /dev/null
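Review bot: `ssl_options.client_renegotiation = false` and `ssl_options.secure_renegotiate = true` (and the matching `management.ssl.*` pair in this part of the hunk) are now hard-coded, whereas the deleted `rabbitmq.config.j2` rendered them from `rabbitmq_ssl_client_renegotiation` and `rabbitmq_ssl_secure_renegotiate`; `rabbitmq_hipe_compile` is likewise no longer read by any template in this commit. Hard-coding the stricter renegotiation values is the safer choice, but the variables become silently dead, so either render them as before or list them as removed in the release note's upgrade section. The management TLS block reuses `rabbitmq_ssl_verify` and `rabbitmq_ssl_fail_if_no_peer_cert` for `management.ssl.verify` / `management.ssl.fail_if_no_peer_cert`; if those defaults enforce peer verification for AMQP clients, browsers without a client certificate will presumably be refused by the management UI, so a dedicated verify setting for the management listener is worth considering. In the `rabbitmq_port_bindings` loop near the top of the hunk, a key containing neither `tcp` nor `ssl` leaves `_opt` unset for that iteration; an `{% else %}` branch that fails with a clear message, or a comment naming the accepted key patterns, would make that contract explicit.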
@@ -1,66 +0,0 @@
-[
-  { rabbit, [
-    { loopback_users, [] },
-{% for key, value in rabbitmq_port_bindings.items() %}
-    { {{ key }}, [
-{% for _key, _value in value.items() %}
-      { "{{ _key }}", {{ _value | int }} }{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-    ]
-    },
-{% endfor %}
-    { collect_statistics_interval, {{ rabbitmq_collect_statistics_interval }} },
-    { ssl_options, [
-      { certfile, "{{ rabbitmq_ssl_cert }}" },
-      { keyfile, "{{ rabbitmq_ssl_key }}" },
-      { honor_cipher_order, true},
-      { honor_ecc_order, true},
-{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
-      { client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
-      { secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
-{% endif %}
-{% if rabbitmq_user_ssl_ca_cert is defined -%}
-      { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
-{% endif %}
-      { versions, [
-{% for version in rabbitmq_ssl_tls_versions %}
-        '{{ version }}'{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-      ]
-      },
-{% if rabbitmq_ssl_ciphers | length > 0 %}
-      { ciphers, [
-{% for cipher in rabbitmq_ssl_ciphers %}
-        "{{ cipher }}"{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-      ]
-      },
-{% endif %}
-      { verify, {{ rabbitmq_ssl_verify | lower }} },
-      { fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
-    ]
-    },
-    { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }
-{%- if rabbitmq_cluster_partition_handling != 'ignore' -%}
-,
-    { cluster_partition_handling, {{ rabbitmq_cluster_partition_handling }} }
-{%- endif -%}
-{%- if rabbitmq_hipe_compile | bool -%}
-,
-    { hipe_compile, true }
-{% endif %}
-  ]
-  },
-  { rabbitmq_management, [
-    { rates_mode, {{ rabbitmq_management_rates_mode }} },
-    { listener, [{ip, "{{ rabbitmq_management_bind_address }}" }]}
-  ]
-  },
-  {kernel, [
-    {inet_dist_use_interface, { {{ rabbitmq_management_bind_address|replace('.',',') }} } }
-  ]},
-  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
-].