81f67fd7eb
Leaving the default user enabled is a security issue, as it can be used without credentials. It also may mask issues like seen in [1]. [1] https://bugs.launchpad.net/bugs/1651576 Change-Id: I75b4e5696c0f8017b869127a10f3c14e2f8bd121
175 lines
5.6 KiB
Bash
175 lines
5.6 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/rpc_backend
|
|
# Interface for installing RabbitMQ on the system
|
|
|
|
# Dependencies:
|
|
#
|
|
# - ``functions`` file
|
|
# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used
|
|
|
|
# ``stack.sh`` calls the entry points in this order:
|
|
#
|
|
# - check_rpc_backend
|
|
# - install_rpc_backend
|
|
# - restart_rpc_backend
|
|
# - iniset_rpc_backend (stable interface)
|
|
#
|
|
# Note: if implementing an out of tree plugin for an RPC backend, you
|
|
# should install all services through normal plugin methods, then
|
|
# redefine ``iniset_rpc_backend`` in your code. That's the one portion
|
|
# of this file which is a standard interface.
|
|
|
|
# Save trace setting
|
|
_XTRACE_RPC_BACKEND=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
RABBIT_USERID=${RABBIT_USERID:-stackrabbit}
|
|
if is_service_enabled rabbit; then
|
|
RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST}
|
|
fi
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# clean up after rpc backend - eradicate all traces so changing backends
|
|
# produces a clean switch
|
|
function cleanup_rpc_backend {
|
|
if is_service_enabled rabbit; then
|
|
# Obliterate rabbitmq-server
|
|
uninstall_package rabbitmq-server
|
|
# in case it's not actually running, /bin/true at the end
|
|
sudo killall epmd || sudo killall -9 epmd || /bin/true
|
|
if is_ubuntu; then
|
|
# And the Erlang runtime too
|
|
apt_get purge -y erlang*
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# install rpc backend
|
|
function install_rpc_backend {
|
|
if is_service_enabled rabbit; then
|
|
# Install rabbitmq-server
|
|
install_package rabbitmq-server
|
|
if is_fedora; then
|
|
sudo systemctl enable rabbitmq-server
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# restart the rpc backend
|
|
function restart_rpc_backend {
|
|
if is_service_enabled rabbit; then
|
|
# Start rabbitmq-server
|
|
echo_summary "Starting RabbitMQ"
|
|
# NOTE(bnemec): Retry initial rabbitmq configuration to deal with
|
|
# the fact that sometimes it fails to start properly.
|
|
# Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1144100
|
|
# NOTE(tonyb): Extend the original retry logic to only restart rabbitmq
|
|
# every second time around the loop.
|
|
# See: https://bugs.launchpad.net/devstack/+bug/1449056 for details on
|
|
# why this is needed. This can bee seen on vivid and Debian unstable
|
|
# (May 2015)
|
|
# TODO(tonyb): Remove this when Debian and Ubuntu have a fixed systemd
|
|
# service file.
|
|
local i
|
|
for i in `seq 20`; do
|
|
local rc=0
|
|
|
|
[[ $i -eq "20" ]] && die $LINENO "Failed to set rabbitmq password"
|
|
|
|
if [[ $(( i % 2 )) == "0" ]] ; then
|
|
restart_service rabbitmq-server
|
|
fi
|
|
|
|
rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" || rc=$?
|
|
if [ $rc -ne 0 ]; then
|
|
continue
|
|
fi
|
|
|
|
# change the rabbit password since the default is "guest"
|
|
sudo rabbitmqctl change_password \
|
|
$RABBIT_USERID $RABBIT_PASSWORD || rc=$?
|
|
if [ $rc -ne 0 ]; then
|
|
continue;
|
|
fi
|
|
|
|
break
|
|
done
|
|
# NOTE(frickler): Remove the default guest user
|
|
sudo rabbitmqctl delete_user guest || true
|
|
fi
|
|
}
|
|
|
|
# adds a vhost to the rpc backend
|
|
function rpc_backend_add_vhost {
|
|
local vhost="$1"
|
|
if is_service_enabled rabbit; then
|
|
if [ -z `sudo rabbitmqctl list_vhosts | grep $vhost` ]; then
|
|
sudo rabbitmqctl add_vhost $vhost
|
|
sudo rabbitmqctl set_permissions -p $vhost $RABBIT_USERID ".*" ".*" ".*"
|
|
fi
|
|
else
|
|
echo 'RPC backend does not support vhosts'
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# builds transport url string
|
|
function get_transport_url {
|
|
local virtual_host=$1
|
|
if is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then
|
|
echo "rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672/$virtual_host"
|
|
fi
|
|
}
|
|
|
|
# Repeat the definition, in case get_transport_url is overriden for RPC purpose.
|
|
# get_notification_url can then be used to talk to rabbit for notifications.
|
|
function get_notification_url {
|
|
local virtual_host=$1
|
|
if is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then
|
|
echo "rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672/$virtual_host"
|
|
fi
|
|
}
|
|
|
|
# iniset configuration
|
|
function iniset_rpc_backend {
|
|
local package=$1
|
|
local file=$2
|
|
local section=${3:-DEFAULT}
|
|
local virtual_host=$4
|
|
if is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then
|
|
iniset $file $section transport_url $(get_transport_url "$virtual_host")
|
|
if [ -n "$RABBIT_HEARTBEAT_TIMEOUT_THRESHOLD" ]; then
|
|
iniset $file oslo_messaging_rabbit heartbeat_timeout_threshold $RABBIT_HEARTBEAT_TIMEOUT_THRESHOLD
|
|
fi
|
|
if [ -n "$RABBIT_HEARTBEAT_RATE" ]; then
|
|
iniset $file oslo_messaging_rabbit heartbeat_rate $RABBIT_HEARTBEAT_RATE
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function rabbit_setuser {
|
|
local user="$1" pass="$2" found="" out=""
|
|
out=$(sudo rabbitmqctl list_users) ||
|
|
{ echo "failed to list users" 1>&2; return 1; }
|
|
found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user")
|
|
if [ "$found" = "$user" ]; then
|
|
sudo rabbitmqctl change_password "$user" "$pass" ||
|
|
{ echo "failed changing pass for '$user'" 1>&2; return 1; }
|
|
else
|
|
sudo rabbitmqctl add_user "$user" "$pass" ||
|
|
{ echo "failed changing pass for $user"; return 1; }
|
|
fi
|
|
sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*"
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_RPC_BACKEND
|
|
|
|
# Tell emacs to use shell-script-mode
|
|
## Local variables:
|
|
## mode: shell-script
|
|
## End:
|