Merge "Use sysctl ini-like config file"

2022-02-11 18:38:02 +00:00
parent 9355e52547 e707eecdd8
commit 5956b05381
7 changed files with 101 additions and 72 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,6 +228,9 @@ rabbitmq_collect_statistics_interval: 5000

 # RabbitMQ Management service bind address
 rabbitmq_management_bind_address: 0.0.0.0
+rabbitmq_management_bind_tcp_port: 15672
+rabbitmq_management_bind_tls_port: 15671
+rabbitmq_management_ssl: true

 # RabbitMQ Management rates mode
 rabbitmq_management_rates_mode: basic
--- a/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
+++ b/releasenotes/notes/rabbitmq_ini_config-dcf95fe46a37ff2c.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    New variables that provide better control over RabbitMQ management
+    interface have been implemented:
+
+    * rabbitmq_management_bind_tcp_port
+    * rabbitmq_management_bind_tls_port
+    * rabbitmq_management_ssl
+
+upgrade:
+  - |
+    RabbitMQ was migrated to the new-style config, which resides in
+    ``/etc/rabbitmq/rabbitmq.conf``. Old config ``rabbitmq.config`` will be
+    removed during upgrade.
--- a/tasks/rabbitmq_post_install.yml
+++ b/tasks/rabbitmq_post_install.yml
@@ -30,13 +30,21 @@
    dest: "{{ item.dest }}"
    owner: "{{ rabbit_system_user_name }}"
    group: "{{ rabbit_system_group_name }}"
+    mode: "{{ item.mode | default('0640') }}"
  with_items:
-    - { src: "rabbitmq.config.j2", dest: "/etc/rabbitmq/rabbitmq.config" }
-    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server" }
+    - { src: "rabbitmq.conf.j2", dest: "/etc/rabbitmq/rabbitmq.conf" }
+    - { src: "advanced.config.j2", dest: "/etc/rabbitmq/advanced.config" }
+    - { src: "rabbitmq-server.j2", dest: "/etc/default/rabbitmq-server", mode: "0644" }
    - { src: "rabbitmq-env.j2", dest: "/etc/rabbitmq/rabbitmq-env.conf" }
  tags:
    - rabbitmq-config

+# TODO(noonedeadpunk): Remove after Z release
+- name: Remove old rabbitmq config
+  file:
+    path: /etc/rabbitmq/rabbitmq.config
+    state: absent
+
 - name: Apply resource limits (systemd)
  template:
    src: "limits.conf.j2"
--- a/templates/advanced.config.j2
+++ b/templates/advanced.config.j2
@@ -0,0 +1,3 @@
+[
+  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
+].
--- a/templates/rabbitmq-env.j2
+++ b/templates/rabbitmq-env.j2
@@ -4,7 +4,3 @@
 NODENAME=rabbit@{{ ansible_facts['hostname'] }}
 RABBITMQ_IO_THREAD_POOL_SIZE={{ rabbitmq_async_threads }}
 RABBITMQ_SERVER_ERL_ARGS="+P {{ rabbitmq_process_limit }}"
-
-{% if (rabbitmq_management_bind_address != '0.0.0.0') %}
-export ERL_EPMD_ADDRESS={{ rabbitmq_management_bind_address }}
-{% endif %}
--- a/templates/rabbitmq.conf.j2
+++ b/templates/rabbitmq.conf.j2
@@ -0,0 +1,70 @@
+
+collect_statistics_interval = {{ rabbitmq_collect_statistics_interval }}
+
+{% for key, value in rabbitmq_port_bindings.items() %}
+{%   if 'tcp' in key %}
+{%     set _opt = 'tcp' %}
+{%   elif 'ssl' in key %}
+{%     set _opt = 'ssl' %}
+{%   endif %}
+{%   for _key, _value in value.items() %}
+listeners.{{ _opt }}.{{ loop.index }} = {{ _key }}:{{ _value }}
+{%   endfor %}
+{% endfor %}
+
+ssl_options.certfile   = {{ rabbitmq_ssl_cert }}
+ssl_options.keyfile    = {{ rabbitmq_ssl_key }}
+{% if rabbitmq_user_ssl_ca_cert is defined -%}
+ssl_options.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{% endif %}
+ssl_options.honor_cipher_order   = true
+ssl_options.honor_ecc_order      = true
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+ssl_options.client_renegotiation = false
+ssl_options.secure_renegotiate   = true
+{% endif %}
+{% for version in rabbitmq_ssl_tls_versions %}
+ssl_options.versions.{{ loop.index }} = {{ version }}
+{% endfor %}
+{% for cipher in rabbitmq_ssl_ciphers %}
+ssl_options.ciphers.{{ loop.index }} = {{ cipher }}
+{% endfor %}
+ssl_options.verify               = {{ rabbitmq_ssl_verify | lower }}
+ssl_options.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+
+{% if rabbitmq_memory_high_watermark is float %}
+{%  set watermark_type = 'relative' %}
+{% else %}
+{%  set watermark_type = 'absolute' %}
+{% endif %}
+vm_memory_high_watermark.{{ watermark_type }} = {{ rabbitmq_memory_high_watermark }}
+cluster_partition_handling = {{ rabbitmq_cluster_partition_handling }}
+
+# Management plugin configuration
+
+{% if rabbitmq_management_ssl %}
+management.ssl.ip = {{ rabbitmq_management_bind_address }}
+management.ssl.port = {{ rabbitmq_management_bind_tls_port }}
+management.ssl.certfile   = {{ rabbitmq_ssl_cert }}
+management.ssl.keyfile    = {{ rabbitmq_ssl_key }}
+{%   if rabbitmq_user_ssl_ca_cert is defined -%}
+management.ssl.cacertfile = {{ rabbitmq_ssl_ca_cert }}
+{%   endif %}
+management.ssl.honor_cipher_order   = true
+management.ssl.honor_ecc_order      = true
+{%   if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate   = true
+{%   endif %}
+{%   for version in rabbitmq_ssl_tls_versions %}
+management.ssl.versions.{{ loop.index }} = {{ version }}
+{%   endfor %}
+{%   for cipher in rabbitmq_ssl_ciphers %}
+management.ssl.ciphers.{{ loop.index }} = {{ cipher }}
+{%   endfor %}
+management.ssl.verify               = {{ rabbitmq_ssl_verify | lower }}
+management.ssl.fail_if_no_peer_cert = {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }}
+{% else %}
+management.tcp.ip = {{ rabbitmq_management_bind_address }}
+management.tcp.port = {{ rabbitmq_management_bind_tcp_port }}
+{% endif %}
--- a/templates/rabbitmq.config.j2
+++ b/templates/rabbitmq.config.j2
@@ -1,66 +0,0 @@
-[
-  { rabbit, [
-      { loopback_users, [] },
-{% for key, value in rabbitmq_port_bindings.items() %}
-      { {{ key }}, [
-{%    for _key, _value in value.items() %}
-          { "{{ _key }}", {{ _value | int }} }{% if not loop.last -%},{%- endif %}
-
-{%    endfor %}
-        ]
-      },
-{% endfor %}
-      { collect_statistics_interval, {{ rabbitmq_collect_statistics_interval }} },
-      { ssl_options, [
-          { certfile, "{{ rabbitmq_ssl_cert }}" },
-          { keyfile, "{{ rabbitmq_ssl_key }}" },
-          { honor_cipher_order, true},
-          { honor_ecc_order, true},
-{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
-          { client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
-          { secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
-{% endif %}
-{% if rabbitmq_user_ssl_ca_cert is defined -%}
-          { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
-{% endif %}
-          { versions, [
-{% for version in rabbitmq_ssl_tls_versions %}
-              '{{ version }}'{% if not loop.last -%},{%- endif %}
-
-{% endfor %}
-            ]
-          },
-{% if rabbitmq_ssl_ciphers | length > 0 %}
-          { ciphers, [
-{%   for cipher in rabbitmq_ssl_ciphers %}
-              "{{ cipher }}"{% if not loop.last -%},{%- endif %}
-
-{%   endfor %}
-            ]
-          },
-{% endif %}
-          { verify, {{ rabbitmq_ssl_verify | lower }} },
-          { fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
-        ]
-      },
-      { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }
-{%- if rabbitmq_cluster_partition_handling != 'ignore' -%}
-,
-      { cluster_partition_handling, {{ rabbitmq_cluster_partition_handling }} }
-{%- endif -%}
-{%- if rabbitmq_hipe_compile | bool -%}
-,
-      { hipe_compile, true }
-{% endif %}
-    ]
-  },
-  { rabbitmq_management, [
-      { rates_mode, {{ rabbitmq_management_rates_mode }} },
-      { listener, [{ip, "{{ rabbitmq_management_bind_address }}" }]}
-    ]
-  },
-  {kernel, [
-     {inet_dist_use_interface, { {{ rabbitmq_management_bind_address|replace('.',',') }} } }
-  ]},
-  {mnesia, [{dump_log_write_threshold, {{ mnesia_dump_log_write_threshold }} }]}
-].