I would like to know which is the recommended way to set up your rabbitmq users.
I know there is an env to replace the 'guest' user, but we need a more fine grained user setup. To do it I overrode the Dockerfile's ENTRYPOINT by pointing to the following script
#!/usr/bin/env bash
set -e
(
count=0;
# Execute list_users until service is up and running
until timeout 5 rabbitmqctl list_users >/dev/null 2>/dev/null || (( count++ >= 60 )); do sleep 1; done;
if rabbitmqctl list_users | grep guest > /dev/null
then
# Delete default user and create new users
rabbitmqctl delete_user guest
rabbitmqctl add_user admin ${RABBITMQ_ADMIN_PASSWORD}
rabbitmqctl set_user_tags admin administrator
rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
rabbitmqctl add_user app ${RABBITMQ_APP_PASSWORD}
rabbitmqctl set_permissions -p / app ".*" ".*" ".*"
echo "setup completed"
else
echo "already setup"
fi
) &
# Call original entrypoint
exec docker-entrypoint.sh rabbitmq-server $@
Overall it works, even if It has a few hacks:
list_users succeeds)This allows me to setup my users at runtime and everything works as expected, but I would like to know if this is the recommended way or not.
I think it's more convenient to do it at runtime (so not a build time), because we don't want to put the "secret" on the build itself for production, and for production we can just start the same container but with different envs
If this is the recommended way, I would suggest to offer an hook where we can hook up to register more users (or just to do other config changes) instead of overriding the entrypoint, this will get rid of "hacks" 1 and 3 at least.
Hey Danny,
Did you manage to fix this? I'm having exactly the same problem but now when I try to use your script I get this error:
error: SSL requested, but missing required configuration
- RABBITMQ_SSL_CACERTFILE
- RABBITMQ_SSL_CERTFILE
- RABBITMQ_SSL_KEYFILE
It seems that neither entrypoint works now as your entrypoint override doesn't have the variables in the docker-entrypoint.sh that comes with the official RabbitMQ build
Did you do the exact copy? How your Dockerfile looks like? It should be something like
FROM rabbitmq:3.6.6-management
COPY wrapper-entrypoint.sh /
ENTRYPOINT ["/wrapper-entrypoint.sh"]
while wrapper-entrypoint.sh should be just like the script in the first post, (that just wraps the real default-entry-point.sh)
It seems like what you recommended works now. I was using CMD instead of ENTRYPOINT.
I've used the Bash script to create the user/password + vhost + user_tags and permissions but now it seems that the Management Interface login is failing
Do you think this is because RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS are not defined in my docker-compose?
Trying to define the environmental variables at the same time as using your wrapper-entrypoint.sh results in a fatal error.
Are you able to login to the Management URL (http://localhost:15672) with your User that you created in the Bash script?
#!/usr/bin/env bash
set -e
(
count=0;
# Execute list_users until service is up and running
until timeout 5 rabbitmqctl list_users >/dev/null 2>/dev/null || (( count++ >= 60 )); do sleep 1; done;
if rabbitmqctl list_users | grep guest > /dev/null
then
# Delete default user and create new users
rabbitmqctl delete_user guest
# Specific commands for Application
rabbitmqctl add_user mime_engine 908790172834598012374
rabbitmqctl add_vhost mime_engine_vhost
rabbitmqctl set_user_tags mime_engine mime_engine_consumer_poster
rabbitmqctl set_permissions -p mime_engine_vhost mime_engine ".*" ".*" ".*"
echo "setup completed"
else
echo "already setup"
fi
) &
# Call original entrypoint
exec docker-entrypoint.sh rabbitmq-server $@
you are missing the tag that allows you to use the management console
rabbitmqctl set_user_tags YOUR_USER administrator
Hey Dany,
I just discovered this literally 5minutes ago before I read your comment. Was about to comment and say thanks!
Thanks so much for the help, your bash script really helped with the workaround.
I wonder why RabbitMQ didn't build this in as environmental variables or at least something that you can execute through the management interface for settings user_tags and permissions
For anyone interested I've developed a slightly more flexible image based on the suggestions in this issue. You can find it at https://hub.docker.com/r/authentise/container-rabbitmq/
The idea is to detect that startup has completed - I couldn't think of a better mechanism than the originally suggested polling in the background of the shell - and then source a script in the bash context. This works great for running arbitrary rabbitmqctl commands like setting up vhosts, authentication, etc.
I used source instead of exec because I want to control this via configs in docker swarm so I need to use files that don't have the executable bit set.
I'm guessing the actual RabbitMQ team could come up with a better way of detecting startup. If so, I'd be happy to adapt my image.
EliRibble, that link 404s me. Did you mean: https://hub.docker.com/r/authentise/rabbitmq/ ?
Thanks, yes, that's the one, though I think I need to update the
description a bit
sent from the nexus
On Sep 7, 2017 4:45 AM, "Roel de Cock" notifications@github.com wrote:
EliRibble, that link 404s me. Did you mean: https://hub.docker.com/r/
authentise/rabbitmq/ ?—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/docker-library/rabbitmq/issues/135#issuecomment-327763654,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACNjZ5j2KkgSwKeyyMW3EOZ0RUQ4SQv5ks5sf8kSgaJpZM4Lj4oI
.
@EliRibble great code! It would be very nice to have support for hooks in the standard image.
Definitions import is a good way to pre-configure vhosts, users, permissions and even topologies. Projects such as this image should at least support it as an option. rabbitmqctl and friends can work OK but after a certain point it becomes more painful than definitions import.
If using the management variants, dropping your definitions file at /etc/rabbitmq/definitions.json should "just work":
:+1: :heart:
definitions.json let's me define the users and other resources, that is great, but, there is a problem regarding the user password. To generate a definitions.json I started a rabbitmq container, added rabbitmqadmin, added some users to it and exported the result. The thing is: in the exported file, the password is not there (which is good). There is only the hash. So, I copied the export output to my secrets to use it from there. But there is a little problem with that: the password hash is never the same, even If I use the same password and the same username, so, how can I make this approach work?
The hash isn't the same because it is salted, so the same password generates different hashes. The algorithm for this is documented here.
The resultant hashes will work with your password. If you really wanted to, you could just generate the hash yourself from your plaintext secret using the above linked algorithm.
Thanks @arch273 Just made a "rabbitmq password hash generator" for myself. Here is the source, if anyone is interested.
It would be a good idea to describe the definitions.json option on the Docker store documentation page, https://store.docker.com/images/rabbitmq .
https://github.com/docker-library/rabbitmq/issues/135#issuecomment-335237954 seems to have resolved the question so I'm going to prune.
Most helpful comment
It would be a good idea to describe the definitions.json option on the Docker store documentation page, https://store.docker.com/images/rabbitmq .