From e707eecdd84b420c9f8af318959f6e5653d0c0e8 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 25 Jan 2022 19:26:10 +0200
Subject: [PATCH] Use sysctl ini-like config file

Starting from RabbitMQ 3.7.0 it's recommended to use new-style config which is simply an ini file. It's easier to read and maintain config file in ini fromat rather then in classic erlang.

At the same time we still keep old-style config as it might have settings that are not supported in new-style config. There're no evidences that used there options are still supported, but it's worth deprecating them in follow-up patch anyway.

Change-Id: I239366ad4aa2bc7a02d826b6c2f94631f4b0e622
---
 defaults/main.yml | 3 +
 .../rabbitmq_ini_config-dcf95fe46a37ff2c.yaml | 15 ++++
 tasks/rabbitmq_post_install.yml | 12 +++-
 templates/advanced.config.j2 | 3 +
 templates/rabbitmq-env.j2 | 4 --
 templates/rabbitmq.conf.j2 | 70 +++++++++++++++++++
 templates/rabbitmq.config.j2 | 66 -----------------
 7 files changed, 101 insertions(+), 72 deletions(-)
 create mode 100644 releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
 create mode 100644 templates/advanced.config.j2
 create mode 100644 templates/rabbitmq.conf.j2
 delete mode 100644 templates/rabbitmq.config.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 798b44e9..c512fb96 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -227,6 +227,9 @@ rabbitmq_collect_statistics_interval: 5000
 # RabbitMQ Management service bind address
 rabbitmq_management_bind_address: 0.0.0.0
+rabbitmq_management_bind_tcp_port: 15672
+rabbitmq_management_bind_tls_port: 15671
+rabbitmq_management_ssl: true
 # RabbitMQ Management rates mode
 rabbitmq_management_rates_mode: basic
diff --git a/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml b/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
new file mode 100644
index 00000000..ef05a2ce
--- /dev/null
+++ b/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
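Review bot: The three defaults added after `rabbitmq_management_bind_address` carry no description, while every neighbouring variable in this hunk has a one-line `#` comment above it; the group should get one, e.g. `# RabbitMQ Management listener ports; rabbitmq_management_ssl selects TLS (tls_port) or plain HTTP (tcp_port)`. With `rabbitmq_management_ssl: true` as the default, an upgraded node presumably serves the management interface on 15671 over TLS instead of on the plugin's default plain listener, since the deleted classic config set only the listener ip. The release note in this patch lists the new variables but does not state that change in default behaviour, which monitoring and load-balancer checks aimed at the old port will notice.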
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ New variables that provide better control over RabbitMQ management
+ interface have been implemented:
+
+ * rabbitmq_management_bind_tcp_port
+ * rabbitmq_management_bind_tls_port
+ * rabbitmq_management_ssl
+
+upgrade:
+ - |
+ RabbitMQ was migrated to the new-style config, which resides in
+ ``/etc/rabbitmq/rabbitmq.conf``. Old config ``rabbitmq.config`` will be
+ removed during upgrade.
diff --git a/tasks/rabbitmq_post_install.yml b/tasks/rabbitmq_post_install.yml
index a4741ba4..b3dbb4be 100644
--- a/tasks/rabbitmq_post_install.yml
+++ b/tasks/rabbitmq_post_install.yml
@@ -30,13 +30,21 @@
 dest: "{{ item.dest }}"
 owner: "{{ rabbit_system_user_name }}"
 group: "{{ rabbit_system_group_name }}"
+ mode: "{{ item.mode | default('0640') }}"
 with_items:
- - { src: "rabbitmq.config.j2", dest: "/etc/rabbitmq/rabbitmq.config" }
- - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server" }
+ - { src: "rabbitmq.conf.j2", dest: "/etc/rabbitmq/rabbitmq.conf" }
+ - { src: "advanced.config.j2", dest: "/etc/rabbitmq/advanced.config" }
+ - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server", mode: "0644" }
 - { src: "rabbitmq-env.j2", dest: "/etc/rabbitmq/rabbitmq-env.conf" }
 tags:
 - rabbitmq-config
+# TODO(noonedeadpunk): Remove after Z release
+- name: Remove old rabbitmq config
+ file:
+ path: /etc/rabbitmq/rabbitmq.config
+ state: absent
+
 - name: Apply resource limits (systemd)
 template:
 src: "limits.conf.j2"
diff --git a/templates/advanced.config.j2 b/templates/advanced.config.j2
new file mode 100644
index 00000000..c2d3ab68
--- /dev/null
+++ b/templates/advanced.config.j2
@@ -0,0 +1,3 @@
+[
+ {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
+].
diff --git a/templates/rabbitmq-env.j2 b/templates/rabbitmq-env.j2
index 93d58d1f..91d98f87 100644
--- a/templates/rabbitmq-env.j2
+++ b/templates/rabbitmq-env.j2
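Review bot: The new `Remove old rabbitmq config` task has no `tags`, while the template task just above it is tagged `rabbitmq-config`; a run limited to that tag deploys rabbitmq.conf and advanced.config but leaves the stale rabbitmq.config in place, and which of the two formats RabbitMQ then honours depends on its own file-precedence rules rather than on this role. Adding `tags:` / `- rabbitmq-config` to the removal task keeps the two steps in step. If deleting the old file is meant to take effect without a separate restart, the task also needs the same notify as the template task; that task's name and notify lie above the hunk, so I cannot confirm what it uses.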
@@ -4,7 +4,3 @@
 NODENAME=rabbit@{{ ansible_facts['hostname'] }}
 RABBITMQ_IO_THREAD_POOL_SIZE={{ rabbitmq_async_threads }}
 RABBITMQ_SERVER_ERL_ARGS="+P {{ rabbitmq_process_limit }}"
-
-{% if (rabbitmq_management_bind_address != '0.0.0.0') %}
-export ERL_EPMD_ADDRESS={{ rabbitmq_management_bind_address }}
-{% endif %}
diff --git a/templates/rabbitmq.conf.j2 b/templates/rabbitmq.conf.j2
new file mode 100644
index 00000000..9e9e9d74
--- /dev/null
+++ b/templates/rabbitmq.conf.j2
@@ -0,0 +1,70 @@
+
+collect_statistics_interval = {{ rabbitmq_collect_statistics_interval }}
+
+{% for key, value in rabbitmq_port_bindings.items() %}
+{% if 'tcp' in key %}
+{% set _opt = 'tcp' %}
+{% elif 'ssl' in key %}
+{% set _opt = 'ssl' %}
+{% endif %}
+{% for _key, _value in value.items() %}
+listeners.{{ _opt }}.{{ loop.index }} = {{ _key }}:{{ _value }}
+{% endfor %}
+{% endfor %}
+
+ssl_options.certfile = {{ rabbitmq_ssl_cert }}
+ssl_options.keyfile = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+ssl_options.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+ssl_options.honor_cipher_order = true
+ssl_options.honor_ecc_order = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+ssl_options.client_renegotiation = false
+ssl_options.secure_renegotiate = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+ssl_options.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+ssl_options.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+ssl_options.verify = {{ rabbitmq_ssl_verify | lower }}
+ssl_options.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+
+{% if rabbitmq_memory_high_watermark is float %}
+{% set watermark_type = 'relative' %}
+{% else %}
+{% set watermark_type = 'absolute' %}
+{% endif %}
+vm_memory_high_watermark.{{ watermark_type }} = {{ rabbitmq_memory_high_watermark }}
+cluster_partition_handling = {{ rabbitmq_cluster_partition_handling }}
+
+# Management plugin configuration
+
+{% if rabbitmq_management_ssl %}
+management.ssl.ip = {{ rabbitmq_management_bind_address }}
+management.ssl.port = {{ rabbitmq_management_bind_tls_port }}
+management.ssl.certfile = {{ rabbitmq_ssl_cert }}
+management.ssl.keyfile = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+management.ssl.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+management.ssl.honor_cipher_order = true
+management.ssl.honor_ecc_order = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+management.ssl.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+management.ssl.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+management.ssl.verify = {{ rabbitmq_ssl_verify | lower }}
+management.ssl.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+{% else %}
+management.tcp.ip = {{ rabbitmq_management_bind_address }}
+management.tcp.port = {{ rabbitmq_management_bind_tcp_port }}
+{% endif %}
diff --git a/templates/rabbitmq.config.j2 b/templates/rabbitmq.config.j2
deleted file mode 100644
index 3c3a322e..00000000
--- a/templates/rabbitmq.config.j2
+++ /dev/null
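Review bot: Nothing in the new rabbitmq.conf.j2 replaces the inter-node distribution binding that the deleted rabbitmq.config.j2 set through `{kernel, [{inet_dist_use_interface, ...}]}` (and rabbitmq-env.j2 through ERL_EPMD_ADDRESS), so on hosts where `rabbitmq_management_bind_address` is not 0.0.0.0 the Erlang distribution listener presumably falls back to all interfaces after this change. If that is intended it belongs in the release note; if not, advanced.config.j2, which the commit keeps precisely for classic-format settings, can carry `{kernel, [{inet_dist_use_interface, { {{ rabbitmq_management_bind_address|replace('.',',') }} } }]},` next to the mnesia entry. `rabbitmq_management_rates_mode` is still defined in defaults/main.yml (visible as context in the first hunk) but is no longer rendered anywhere; `management.rates_mode = {{ rabbitmq_management_rates_mode }}` in the management section would keep it effective. The listener loop at the top also leaves `_opt` unset when a `rabbitmq_port_bindings` key contains neither 'tcp' nor 'ssl', which would render a malformed `listeners..N` key; an `{% else %}` branch that fails the render, or a comment stating that only tcp/ssl keys are supported, would make that assumption explicit.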
@@ -1,66 +0,0 @@
-[
-{ rabbit, [
-{ loopback_users, [] },
-{% for key, value in rabbitmq_port_bindings.items() %}
-{ {{ key }}, [
-{% for _key, _value in value.items() %}
-{ "{{ _key }}", {{ _value | int }} }{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-]
-},
-{% endfor %}
-{ collect_statistics_interval, {{ rabbitmq_collect_statistics_interval }} },
-{ ssl_options, [
-{ certfile, "{{ rabbitmq_ssl_cert }}" },
-{ keyfile, "{{ rabbitmq_ssl_key }}" },
-{ honor_cipher_order, true},
-{ honor_ecc_order, true},
-{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
-{ client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
-{ secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
-{% endif %}
-{% if rabbitmq_user_ssl_ca_cert is defined -%}
-{ cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
-{% endif %}
-{ versions, [
-{% for version in rabbitmq_ssl_tls_versions %}
-'{{ version }}'{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-]
-},
-{% if rabbitmq_ssl_ciphers | length > 0 %}
-{ ciphers, [
-{% for cipher in rabbitmq_ssl_ciphers %}
-"{{ cipher }}"{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-]
-},
-{% endif %}
-{ verify, {{ rabbitmq_ssl_verify | lower }} },
-{ fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
-]
-},
-{ vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }
-{%- if rabbitmq_cluster_partition_handling != 'ignore' -%}
-,
-{ cluster_partition_handling, {{ rabbitmq_cluster_partition_handling }} }
-{%- endif -%}
-{%- if rabbitmq_hipe_compile | bool -%}
-,
-{ hipe_compile, true }
-{% endif %}
-]
-},
-{ rabbitmq_management, [
-{ rates_mode, {{ rabbitmq_management_rates_mode }} },
-{ listener, [{ip, "{{ rabbitmq_management_bind_address }}" }]}
-]
-},
-{kernel, [
-{inet_dist_use_interface, { {{ rabbitmq_management_bind_address|replace('.',',') }} } }
-]},
-{mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
-].