Getting started
Erlang 19.x from 'jessie-backports' on Debian Jessie
On Debian Jessie hosts, the role will configure an APT preference for backported Erlang 19.x packages from Debian Stretch. They provide better Elliptic Curve Cryptography (ECC) support and allow deactivation of TLS client-initiated protocol renegotiation, which mitigates potential DoS attacks.
Encrypted client connections
The role will check if the debops.pki and debops.dhparam Ansible roles configured their environment on a host, and will automatically enable or disable support for encrypted AMQP connections. Plaintext connections will be available if encryption is disabled.
RabbitMQ clustering
By default the debops.rabbitmq_server role configures the RabbitMQ service in a standalone mode, without external access through the firewall. To allow for clustering, you need to define the IP addresses and/or CIDR subnets which will be allowed to connect to the epmd (Erlang Port Mapper Daemon) and einc (Erlang Inter-Process Communication) TCP ports. To do that, set the variable below in the Ansible inventory:
---
# Allow for cluster communication
rabbitmq_server__cluster_allow: [ '192.0.2.0/24' ]
After that, re-run the role to apply changes to the firewall configuration.
At the moment the role does not create clusters automatically. To create a cluster manually using three hosts (host1, host2, host3) with host1 being the main cluster node, log in to the other hosts and, using the root account, run the commands:
rabbitmqctl stop_app
rabbitmqctl join_cluster rabbit@host1
rabbitmqctl start_app
You can check the RabbitMQ cluster status by running the command:
rabbitmqctl cluster_status
See the RabbitMQ Clustering Guide for more details.
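A post-join check for the procedure above, added here as an example that is not part of the DebOps role: it parses the Erlang-term output of rabbitmqctl cluster_status as printed by RabbitMQ 3.6/3.7 (an assumed layout; newer releases print a different one) and reports any expected node that has not joined, has joined but is not running, or appears in a network partition. The sample output is constructed.

```python
import re

# Constructed sample of "rabbitmqctl cluster_status" output, in the Erlang-term
# layout printed by RabbitMQ 3.6/3.7 (assumed; later releases use another format).
SAMPLE_STATUS = """Cluster status of node rabbit@host2 ...
[{nodes,[{disc,[rabbit@host1,rabbit@host2,rabbit@host3]}]},
 {running_nodes,[rabbit@host3,rabbit@host1]},
 {cluster_name,<<"rabbit@host1">>},
 {partitions,[]}]
"""

NODE_RE = re.compile(r"[\w\-]+@[\w\-.]+")  # Erlang node name, e.g. rabbit@host1

def _term_body(text, key):
    """Return the raw value of the Erlang tuple {key,...}, honouring nested brackets."""
    start = text.find("{%s," % key)
    if start < 0:
        return ""
    i = start + len(key) + 2  # index of the first character of the value
    depth = 0
    for j in range(i, len(text)):
        if text[j] in "[{":
            depth += 1
        elif text[j] in "]}":
            if depth == 0:  # closing brace of the {key,...} tuple itself
                return text[i:j]
            depth -= 1
    return text[i:]

def parse_cluster_status(output):
    """Extract configured nodes, running nodes and partition members."""
    return {
        "nodes": NODE_RE.findall(_term_body(output, "nodes")),
        "running": NODE_RE.findall(_term_body(output, "running_nodes")),
        "partitions": NODE_RE.findall(_term_body(output, "partitions")),
    }

def check_cluster(output, expected_hosts):
    """Return a list of problems; an empty list means every expected node joined and runs."""
    status = parse_cluster_status(output)
    expected = {"rabbit@%s" % h for h in expected_hosts}
    joined, running = set(status["nodes"]), set(status["running"])
    problems = ["%s has not joined the cluster" % n for n in sorted(expected - joined)]
    problems += ["%s joined but is not running" % n
                 for n in sorted((expected & joined) - running)]
    if status["partitions"]:
        problems.append("partition reported involving: " + ", ".join(status["partitions"]))
    return problems
```

Run check_cluster on the captured output of rabbitmqctl cluster_status from any node, passing the host names you joined; a non-empty result means the join did not complete as expected.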
Inter-node communication is not encrypted
Erlang supports encrypting communication between nodes (processes on the same or other hosts) using TLS, which RabbitMQ can use to secure traffic between hosts. However, one downside is that when inter-node traffic is encrypted, Erlang uses dynamic random ports for communication, which might interfere with the host's firewall. Therefore, by default the debops.rabbitmq_server role does not configure encrypted inter-node communication. You should consider alternative means of securing the traffic between hosts, for example a separate VLAN or the use of a VPN connection.
Example inventory
To configure RabbitMQ on a host, it should be added to the [debops_service_rabbitmq_server] Ansible inventory group:
[debops_service_rabbitmq_server]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.rabbitmq_server role:
---
- name: Manage RabbitMQ service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_rabbitmq_server' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  pre_tasks:

    - name: Prepare rabbitmq_server environment
      import_role:
        name: 'rabbitmq_server'
        tasks_from: 'main_env'
      tags: [ 'role::rabbitmq_server', 'role::secret', 'role::rabbitmq_server:config' ]

  roles:

    - role: secret
      tags: [ 'role::secret', 'role::rabbitmq_server', 'role::rabbitmq_server:config' ]
      secret__directories:
        - '{{ rabbitmq_server__secret__directories }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ rabbitmq_server__apt_preferences__dependent_list }}'

    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ rabbitmq_server__etc_services__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ rabbitmq_server__ferm__dependent_rules }}'

    - role: rabbitmq_server
      tags: [ 'role::rabbitmq_server', 'skip::rabbitmq_server' ]