Ability to enable both ssl (5671) and non ssl 5672

[dantran]

Hi,

when passing SSL env, rabbitmq container switches to SSL port 5671, however, it also disables none SSL port 5672

The work around is to update the entry file and restart the container

Is there a setting/env I can pass in to enable this feature? I am very much new to docker and rabbitmq

Thanks

[Gillingham]

Was just about to open an issue for this, with the new configuration file generation refactor in ab3b8b8 this would be a nice new feature to that.

[tianon]

Sounds like it'd be an interesting thing to support. Any ideas for a clean UX?

[Gillingham]

Perhaps instead of having the RABBITMQ_SSL_* variables define only the ssl_listeners/ssl_options have it be additive, this however would change existing behavior.
If existing ssl OR normal-tcp behavior was desired than perhaps a new RABBITMQ_SSL_AND_TCP variable (a better name should probably be decided on) which would allow the new additive behavior.

[jonapich]

I think implementing specific environment variables is great for the SSL stuff, because it requires some additional actions that you really don't want to handle outside the dockerfile (discovering erlang's ssl version and merged cert are good example and great value). For these, env variables are a great way to bake in some magic into the UX.

The real bug here is that the .sh script bakes its own rabbitmq.config file based on the presence of the SSL variables without any consideration for anything else. Picture this: you first configure a docker rabbitmq, spend a lot of time writing and then linking a home-made rabbit.config inside the container. Everything works as expected... until you try the the SSL environment variables. At that point, your config file is completely overwritten and workarounds become too involved.

The fact that the SSL environment variables act as an SSL/non-SSL switch is already a problem in itself (it shouldn't assume anything; let the user disable 5672 and 15672 at their leisure if they want to), but the biggest pain is that you can't configure the rabbitmq.config file unless the dockerfile explicitly supports them.

Surely there's a way to fix #116, #107, #76, #44, #38 using one generic way?

[tianon]

If you're writing your own custom configuration already, what value is added by setting the environment variables we support (thus signalling to our entrypoint intent to have us write/manage your configuration)? (Trying to understand the use-case properly.)

[jonapich]

I have a working ssl rabbitmq using the environment variables. Now I am adding LDAP support, so I tried injecting a rabbit config file to its usual location, to no avail. I will also have to configure authorization, and I was planning on adding some clustering info as well.

I can certainly inject the whole configuration (including SSL) and bake the special Erlang SSL clustering args in a way or another. Environment variables tend to be very practical because they live closer to the docker deployment, eliminating the need for intermediate storage and hooks (e.g.: aws s3 for ECS) or custom dockerfiles. Its simple kvp format makes it easy for overrides; you declare the global picture and redeclare some of them in some specific services.

To sum it up, plugin configuration support is not provided OOTB. Configuring plugins invalidate some of the features of the docker-entrypoint.sh script. #116 has some thoughts on how to improve this aspect.

[nicktogo]

As of today, is there any way to enable both TCP and SSL listener? I tried to mount my own config file, but when the container start up, my config file is replaced...(perhaps by the entrypoint.sh)

[Castaglia]

As far as I can tell, to enable both TCP and SSL listeners, you have to specify the custom RabbitMQ config yourself, e.g.:

$ docker run --rm \
  --hostname my-rabbit \
  --name me \
  -p 5671:5671 -p 5672:5672 \
  -e RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS='-rabbit ssl_listeners [{"::",5671}] -rabbit ssl_options [{certfile,"/etc/tls/server-cert.pem"},{keyfile,"/etc/tls/server-cert.pem"},{cacertfile,"/etc/tls/ca-cert.pem"},{verify,verify_peer},{depth,3},{fail_if_no_peer_cert,false}] -rabbit tcp_listeners [{"::",5672}]' \
  rabbitmq:3

[tianon]

As of 3.7, a new sysctl-style config file should be added to instead of replaced, but I'm not sure whether that helps in this specific case.

[nicktogo]

Thanks for the help. I ended up with modifying the entrypoint file to create a config file with both ssl and tcp enabled.

[yosifkit]

Given docker-library/docs#1011, and that 3.7 introduced the new (trivial to write/append to) ini/sysctl-style configuration format (https://www.rabbitmq.com/configure.html#config-file-formats), I'm going to close this.

In Kubernetes, it should be pretty trivial to create a config object which gets inserted at /etc/rabbitmq/rabbitmq.conf with the desired settings included. 👍

(Or to create a derivative image FROM this one which adds a simple ENTRYPOINT that appends the contents of an environment variable to the above-noted file.)

- #186 (comment)

[Navlesh]

any useful link to configure SSL for RabbitMQ running on Kuberenetes cluster? please suggest

[michaelklishin]

This is not a support forum. The only Kubernetes-specific aspect is certificate generation and distribution, the rest is not different from vanilla RabbitMQ configuration. That's a Kubernetes mailing list/forum type of question.