Manual RabbitMQ Setup for Red Hat Enterprise Linux OpenStack Platform



1. Overview

If you are deploying a full OpenStack cloud service, you will need to set up a working message broker for the following OpenStack components:
  • Block Storage
  • Compute
  • OpenStack Networking
  • Orchestration
  • Image Service
  • Telemetry
For Red Hat Enterprise Linux OpenStack Platform 5, the default message broker is RabbitMQ.


1.1. Migration Prerequisites

If you are migrating to RabbitMQ from QPid, you will first have to shut down the OpenStack service along with QPid:
# openstack-service stop
# service qpidd stop
Prevent QPid from starting at boot:
# chkconfig qpidd off


2. Configure the Firewall for Message Broker Traffic

Before installing and configuring the message broker, you must allow incoming connections on the port it will use. The default port for message broker (AMQP) traffic is 5672.
To allow this, the firewall must be altered to permit network traffic on the required port. All steps must be run while logged in to the server as the root user.


Procedure 1. Configuring the firewall for message broker traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing incoming connections on port 5672 to the file. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -p tcp -m tcp --dport 5672  -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service for the firewall changes to take effect.
    # service iptables restart
The firewall is now configured to allow incoming connections to the message broker service on port 5672.


3. Install and Configure the RabbitMQ Message Broker

As of Red Hat Enterprise Linux OpenStack Platform 5, RabbitMQ replaces QPid as the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
To install RabbitMQ, run:
# yum install rabbitmq-server

Important

When installing the rabbitmq-server package, a guest user with a default guest password will automatically be created for the RabbitMQ service. Red Hat strongly advises that you change this default password, especially if you have IPv6 available. With IPv6, RabbitMQ may be accessible from outside the network.
You should be able to change the guest password after launching the rabbitmq-server server. See Section 4, “Launch the RabbitMQ Message Broker” for details.


3.1. Manually Create RabbitMQ Configuration Files

When manually installing the RabbitMQ packages, the required RabbitMQ configuration files will not be created. This is a known issue, and will be addressed in an upcoming update.
To work around this, manually create the two required RabbitMQ configuration files. These files, along with their required default contents, are as follows:
/etc/rabbitmq/rabbitmq.config
% This file managed by Puppet
% Template Path: rabbitmq/templates/rabbitmq.config
[
  {rabbit, [
    {default_user, <<"guest">>},
    {default_pass, <<"guest">>}
  ]},
  {kernel, [
    
  ]}
].
% EOF
/etc/rabbitmq/rabbitmq-env.conf
RABBITMQ_NODE_PORT=5672


4. Launch the RabbitMQ Message Broker

After installing the RabbitMQ message broker and configuring the firewall to accept message broker traffic, launch the rabbitmq-server service and configure it to launch on boot:
For Red Hat Enterprise Linux 6 systems, use the service and chkconfig commands to start and enable the rabbitmq-server service:
# service rabbitmq-server start
# chkconfig rabbitmq-server on

Important

When installing the rabbitmq-server package, a guest user with a default guest password will automatically be created for the RabbitMQ service. Red Hat strongly advises that you change this default password, especially if you have IPv6 available. With IPv6, RabbitMQ may be accessible from outside the network.
To change the default guest password of RabbitMQ:
# rabbitmqctl change_password guest NEW_RABBITMQ_PASS
Replace NEW_RABBITMQ_PASS with a more secure password.
After launching RabbitMQ and changing the default password of the guest user, perform the following procedure:


Procedure 2. Configuring the RabbitMQ message broker for OpenStack use

  1. Create a RabbitMQ user account for the Block Storage, Compute, OpenStack Networking, Orchestration, Image, and Telemetry services:
    # rabbitmqctl add_user cinder CINDER_PASS
    # rabbitmqctl add_user nova NOVA_PASS
    # rabbitmqctl add_user neutron NEUTRON_PASS
    # rabbitmqctl add_user heat HEAT_PASS
    # rabbitmqctl add_user glance GLANCE_PASS
    # rabbitmqctl add_user ceilometer CEILOMETER_PASS
    Replace CINDER_PASS, NOVA_PASS, NEUTRON_PASS, HEAT_PASS, GLANCE_PASS, and CEILOMETER_PASS with secure passwords for each service.
  2. Next, grant each of these RabbitMQ users read/write permissions to all resources:
    # rabbitmqctl set_permissions cinder ".*" ".*" ".*"
    # rabbitmqctl set_permissions nova ".*" ".*" ".*"
    # rabbitmqctl set_permissions neutron ".*" ".*" ".*"
    # rabbitmqctl set_permissions heat ".*" ".*" ".*"
    # rabbitmqctl set_permissions glance ".*" ".*" ".*"
    # rabbitmqctl set_permissions ceilometer ".*" ".*" ".*"
  3. The OpenStack services require a restart to apply the new permissions. This step is performed later in Section 12, “Finalize Migration to RabbitMQ”. Once the OpenStack services have been restarted, you can verify that the permissions were correctly applied using the list_permissions subcommand on the Messaging server:
    # rabbitmqctl list_permissions
       Listing permissions in vhost "/" ...
       ceilometer   .*  .*  .*
       cinder   .*  .*  .*
       glance   .*  .*  .*
       guest    .*  .*  .*
       heat     .*  .*  .*   
       neutron  .*  .*  .*
       nova     .*  .*  .*
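As an added example that is not part of the Red Hat guide, the following Python script parses a listing in the format shown above and checks it against the users Procedure 2 creates; the sample listing is constructed, and the optional --live flag simply runs rabbitmqctl on the local broker.

```python
"""Audit `rabbitmqctl list_permissions` output (Procedure 2, step 3).
Added example, not from the Red Hat guide: it parses the listing format
shown above and reports service users that are missing or under-privileged,
accounts the guide did not create, and the built-in guest account."""
import subprocess
import sys

SERVICE_USERS = ("cinder", "nova", "neutron", "heat", "glance", "ceilometer")
FULL_RIGHTS = (".*", ".*", ".*")  # configure / write / read patterns from step 2


def parse_permissions(listing):
    """Map user -> (configure, write, read) from one vhost's listing."""
    perms = {}
    for line in listing.splitlines():
        fields = line.split()
        # The "Listing permissions in vhost ..." banner and "...done." trailer
        # never have exactly four fields, so they are skipped here.
        if len(fields) != 4:
            continue
        user, configure, write, read = fields
        perms[user] = (configure, write, read)
    return perms


def audit_permissions(listing, expected=SERVICE_USERS):
    """Return findings as strings; an empty list means the vhost matches the guide."""
    perms = parse_permissions(listing)
    findings = []
    for user in expected:
        if user not in perms:
            findings.append(f"{user}: no permissions on this vhost (see steps 1 and 2)")
        elif perms[user] != FULL_RIGHTS:
            findings.append(f"{user}: permissions {perms[user]} differ from {FULL_RIGHTS}")
    if "guest" in perms:
        findings.append("guest: default account still present; confirm its password "
                        "was changed as described in Section 4")
    for user in sorted(set(perms) - set(expected) - {"guest"}):
        findings.append(f"{user}: account not created by this guide, review it")
    return findings


# Constructed sample, shaped like the guide's step 3 output.
SAMPLE_LISTING = """\
Listing permissions in vhost "/" ...
ceilometer   .*  .*  .*
cinder   .*  .*  .*
glance   .*  .*  .*
guest    .*  .*  .*
heat     .*  .*  .*
neutron  .*  .*  .*
nova     .*  .*  .*
...done.
"""

if __name__ == "__main__":
    # With --live, read the listing from the local broker instead of the sample.
    if "--live" in sys.argv:
        listing = subprocess.run(["rabbitmqctl", "list_permissions"],
                                 capture_output=True, text=True, check=True).stdout
    else:
        listing = SAMPLE_LISTING
    for line in audit_permissions(listing) or ["OK: permissions match the guide"]:
        print(line)
```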


5. Configure RabbitMQ Message Broker Settings for the Block Storage Service

  1. Log in as root to the system hosting the Block Storage services.
  2. In /etc/cinder/cinder.conf, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rpc_backend cinder.openstack.common.rpc.impl_kombu
  3. Set the Block Storage service to connect to the RabbitMQ host:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  4. Set the message broker port to 5672:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_port 5672
  5. Set the RabbitMQ username and password created for the Block Storage service:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_userid cinder
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_password CINDER_PASS
    Where cinder and CINDER_PASS are the RabbitMQ username and password created for Block Storage (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  6. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the cinder user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Block Storage service to connect to this virtual host:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_virtual_host /


6. Configure RabbitMQ Message Broker Settings for the OpenStack Networking Service

Perform these steps on all Red Hat Enterprise Linux OpenStack Platform nodes.
  1. In /etc/neutron/neutron.conf, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rpc_backend neutron.openstack.common.rpc.impl_kombu
  2. Set the neutron-server service to connect to the RabbitMQ host:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_port 5672
  4. Set the RabbitMQ username and password created for the OpenStack Networking service:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_userid neutron
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_password NEUTRON_PASS
    Where neutron and NEUTRON_PASS are the RabbitMQ username and password created for OpenStack Networking (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  5. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the neutron user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Networking service to connect to this virtual host:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_virtual_host /


7. Configure RabbitMQ Message Broker Settings for the Compute Service

Perform the following steps as root on the Compute controller, and all Compute nodes.
  1. In /etc/nova/nova.conf of that system, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rpc_backend rabbit
  2. Set the Compute service to connect to the RabbitMQ host:
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672:
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rabbit_port 5672
  4. Set the RabbitMQ username and password created for the Compute service:
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rabbit_userid nova
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rabbit_password NOVA_PASS
    Where nova and NOVA_PASS are the RabbitMQ username and password created for Compute (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  5. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the nova user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Compute service to connect to this virtual host:
    # openstack-config --set /etc/nova/nova.conf \
       DEFAULT rabbit_virtual_host /


8. Configure RabbitMQ Message Broker Settings for the Orchestration Service

  1. Log in as root to the Orchestration controller node.
  2. In /etc/heat/heat.conf of that system, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rpc_backend heat.openstack.common.rpc.impl_kombu
  3. Set the Orchestration service to connect to the RabbitMQ host:
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  4. Set the message broker port to 5672:
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rabbit_port 5672
  5. Set the RabbitMQ username and password created for the Orchestration service:
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rabbit_userid heat
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rabbit_password HEAT_PASS
    Where heat and HEAT_PASS are the RabbitMQ username and password created for Orchestration (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  6. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the heat user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Orchestration service to connect to this virtual host:
    # openstack-config --set /etc/heat/heat.conf \
       DEFAULT rabbit_virtual_host /


9. Configure RabbitMQ Message Broker Settings for the Image Service

  1. Log in as root to the Image Service node.
  2. In glance-api.conf of that system, set RabbitMQ as the notifier:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT notification_driver messaging
  3. Set the Image Service to connect to the RabbitMQ host:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  4. Set the message broker port to 5672:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_port 5672
  5. Set the RabbitMQ username and password created for the Image Service:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_userid glance
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_password GLANCE_PASS
    Where glance and GLANCE_PASS are the RabbitMQ username and password created for the Image Service (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  6. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the glance user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Image Service to connect to this virtual host:
    # openstack-config --set /etc/glance/glance-api.conf \
       DEFAULT rabbit_virtual_host /


10. Configure RabbitMQ Message Broker Settings for the Telemetry Service

  1. Log in as root to the Telemetry service node.
  2. In /etc/ceilometer/ceilometer.conf of that system, set RabbitMQ as the RPC back end.
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rpc_backend ceilometer.openstack.common.rpc.impl_kombu
  3. Set the Telemetry service to connect to the RabbitMQ host:
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  4. Set the message broker port to 5672:
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rabbit_port 5672
  5. Set the RabbitMQ username and password created for the Telemetry service:
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rabbit_userid ceilometer
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rabbit_password CEILOMETER_PASS
    Where ceilometer and CEILOMETER_PASS are the RabbitMQ username and password created for Telemetry (in Section 4, “Launch the RabbitMQ Message Broker”, Procedure 2).
  6. In Section 4, “Launch the RabbitMQ Message Broker”, we gave the ceilometer user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Telemetry service to connect to this virtual host:
    # openstack-config --set /etc/ceilometer/ceilometer.conf \
       DEFAULT rabbit_virtual_host /


11. Enable SSL on the RabbitMQ Message Broker

The RabbitMQ message broker features built-in support for SSL, which you can use to secure traffic. You can configure SSL on RabbitMQ through the /etc/rabbitmq/rabbitmq.config configuration file. Before doing so, you will first need to create the certificates required for SSL communication.

Note

Enabling SSL communication with the message broker is not required for an OpenStack service to function properly. However, we recommend that you enable SSL for security purposes, particularly in a production environment.
The following procedure demonstrates how to create the necessary certificates using certutil.


Procedure 3. Creating and adding the certificates required for SSL communication

  1. Create a directory in which to store the required certificates:
    # mkdir /etc/pki/rabbitmq
  2. Choose a secure certificate password and store it in a file within /etc/pki/rabbitmq:
    # echo SSL_RABBITMQ_PW > /etc/pki/rabbitmq/certpw
    Replace SSL_RABBITMQ_PW with the certificate password you wish to use. This password will be used later for further securing the necessary certificates.
  3. Set the necessary file mode bits of the certificate directory and password file:
    # chmod 700 /etc/pki/rabbitmq
    # chmod 600 /etc/pki/rabbitmq/certpw
  4. Create the certificate database files (*.db) in /etc/pki/rabbitmq, using the password in /etc/pki/rabbitmq/certpw:
    # certutil -N -d /etc/pki/rabbitmq -f /etc/pki/rabbitmq/certpw
  5. For a production environment, it is recommended that you use a reputable third-party Certificate Authority (CA) to sign your certificates. A third-party CA will require a Certificate Signing Request (CSR), which you can create by running:
    # certutil -R -d /etc/pki/rabbitmq -s "CN=RABBITMQ_HOST" \
     -a -f /etc/pki/rabbitmq/certpw > RABBITMQ_HOST.csr
    Replace RABBITMQ_HOST with the IP or hostname of the system hosting the RabbitMQ message broker. This command will produce a CSR named RABBITMQ_HOST.csr and a key file (keyfile.key). The key file will be used later when configuring the RabbitMQ message broker to use SSL.

    Note

    Some CAs may require additional values other than "CN=RABBITMQ_HOST".
  6. Provide RABBITMQ_HOST.csr to your third-party CA for signing. Your CA should provide you with a signed certificate (server.crt) and a CA file (ca.crt). Add these files to your certificate database:
    # certutil -A -d /etc/pki/rabbitmq -n RABBITMQ_HOST -f /etc/pki/rabbitmq/certpw \
     -t u,u,u -a -i /path/to/server.crt
    # certutil -A -d /etc/pki/rabbitmq -n "Your CA certificate" \
     -f /etc/pki/rabbitmq/certpw -t CT,C,C -a -i /path/to/ca.crt
Alternatively, you can also create a self-signed certificate and key file if you do not have a Certificate Authority. To do so, run:
# certutil -S -d /etc/pki/rabbitmq -n RABBITMQ_HOST -s "CN=RABBITMQ_HOST" \
 -t "CT,," -x -f /etc/pki/rabbitmq/certpw -z /usr/bin/certutil
After creating the required certificates and key file, you can now configure the RabbitMQ message broker to use those certificates for secure communications. To do so, add the following section to the /etc/rabbitmq/rabbitmq.config configuration file:
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/ca.crt"},
                    {certfile,"/path/to/server.crt"},
                    {keyfile,"/path/to/keyfile.key"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

Note

If you are using a self-signed certificate, omit the following string:
{cacertfile,"/path/to/ca.crt"},


11.1. Export an SSL Certificate for Clients

When SSL is enabled on a server, the clients require a copy of the SSL certificate to establish a secure connection.
The following example commands can be used to export a client certificate and the private key from the message broker's certificate database:
# pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
# openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
For more information on SSL commands and options, refer to the OpenSSL documentation; on Red Hat Enterprise Linux, type man openssl.


11.2. Enable SSL Communication Between Message Broker and Each Service

Once you have the necessary certificates and key, run the following commands on each service's host (Block Storage, Networking, Compute, Orchestration, Image, and Telemetry) to enable SSL communication with the message broker:
# openstack-config --set CONFIGFILE DEFAULT rabbit_use_ssl True
# openstack-config --set CONFIGFILE DEFAULT kombu_ssl_certfile /path/to/client.crt
# openstack-config --set CONFIGFILE DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
Where:
  • CONFIGFILE is the corresponding configuration file of each service, namely:
    • Block Storage: /etc/cinder/cinder.conf
    • Networking: /etc/neutron/neutron.conf
    • Compute: /etc/nova/nova.conf
    • Orchestration: /etc/heat/heat.conf
    • Image: /etc/glance/glance-api.conf
    • Telemetry: /etc/ceilometer/ceilometer.conf
  • /path/to/client.crt is the absolute path to the exported client certificate.
  • /path/to/clientkeyfile.key is the absolute path to the exported client key file.
If your certificates were signed by a third-party Certificate Authority (CA), then you will also need to run the following command on each service's host:
# openstack-config --set CONFIGFILE DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 11, “Enable SSL on the RabbitMQ Message Broker” for more information).
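The per-service settings from Sections 5 to 10 and the SSL settings from Section 11.2 can be checked against a service's configuration file. The following is an added example, not the guide's own tooling: the sample configuration files and the host name broker.example.invalid are constructed, and the check that rabbit_port must match the 5671 SSL listener from Section 11 whenever rabbit_use_ssl is True goes beyond what the guide states explicitly.

```python
"""Check the RabbitMQ settings Sections 5-10 and 11.2 write into a service's
[DEFAULT] section. Added example, not from the Red Hat guide; expected values
mirror its openstack-config commands, plus one check the guide leaves implicit:
Section 11 puts the SSL listener on 5671, so rabbit_use_ssl with port 5672 is flagged."""
import configparser

AMQP_PORT, SSL_PORT, VHOST = "5672", "5671", "/"  # Section 2, Section 11, Procedure 2
# rpc_backend value per service (nova uses the short name; glance sets a notifier instead).
RPC_BACKEND = {"nova": "rabbit", **{s: f"{s}.openstack.common.rpc.impl_kombu"
                                    for s in ("cinder", "neutron", "heat", "ceilometer")}}

def load_defaults(conf_text):
    """Parse an OpenStack-style INI file and return its [DEFAULT] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser["DEFAULT"]

def check_rabbit_settings(conf_text, service):
    """Return findings for one service config; an empty list matches the guide."""
    d = load_defaults(conf_text)
    findings = []
    if service == "glance":
        if d.get("notification_driver") != "messaging":
            findings.append("notification_driver should be 'messaging' (Section 9)")
    elif d.get("rpc_backend") != RPC_BACKEND[service]:
        findings.append(f"rpc_backend should be {RPC_BACKEND[service]!r}")
    for key in ("rabbit_host", "rabbit_password"):
        if not d.get(key):
            findings.append(f"{key} is not set")
    if d.get("rabbit_userid") != service:
        findings.append(f"rabbit_userid should be {service!r} (Procedure 2)")
    if d.get("rabbit_virtual_host") != VHOST:
        findings.append(f"rabbit_virtual_host should be {VHOST!r}")
    use_ssl = d.get("rabbit_use_ssl", "False").lower() == "true"
    port = d.get("rabbit_port")
    if use_ssl:
        for key in ("kombu_ssl_certfile", "kombu_ssl_keyfile"):
            if not d.get(key):
                findings.append(f"{key} is required when rabbit_use_ssl is True (11.2)")
        if port != SSL_PORT:
            findings.append(f"rabbit_use_ssl is True but rabbit_port is {port}, not {SSL_PORT}")
    elif port != AMQP_PORT:
        findings.append(f"rabbit_port should be {AMQP_PORT}")
    return findings

# Constructed samples: cinder.conf after Section 5, and nova.conf after Section 11.2
# with rabbit_port still at the plain-AMQP value (the host name is a placeholder).
CINDER_CONF = """\
[DEFAULT]
rpc_backend = cinder.openstack.common.rpc.impl_kombu
rabbit_host = broker.example.invalid
rabbit_port = 5672
rabbit_userid = cinder
rabbit_password = CINDER_PASS
rabbit_virtual_host = /
"""
NOVA_SSL_CONF = CINDER_CONF.replace("cinder", "nova").replace(
    "nova.openstack.common.rpc.impl_kombu", "rabbit") + """\
rabbit_use_ssl = True
kombu_ssl_certfile = /etc/pki/rabbitmq/client.crt
kombu_ssl_keyfile = /etc/pki/rabbitmq/client.key
"""
```

Feed check_rabbit_settings the text of a real /etc/cinder/cinder.conf or /etc/nova/nova.conf after running the openstack-config commands above; an empty result means the file matches the guide.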


12. Finalize Migration to RabbitMQ

As part of migrating to RabbitMQ, you would have shut down OpenStack (as instructed in Section 1.1, “Migration Prerequisites”). After migrating to the RabbitMQ Message Broker, you can now restart OpenStack:
# openstack-service start

Comments

The creation of per-service users in rabbit seems to be a problem when working with the standard HA solution using pacemaker, as the rabbitmq-cluster resource wipes the entire cluster on every cluster bootstrap. In this process, users created with rabbitmqctl add_user seem to be lost.