Red Hat Training
A Red Hat training course is available for Red Hat OpenStack Platform
2.3. Install the Message Broker
If you are deploying a full Red Hat OpenStack Platform environment, you must set up a working message broker for the following OpenStack components:
- Block Storage service
- Compute service
- OpenStack Networking
- Orchestration service
- Image service
- Telemetry service
2.3.1. Install the RabbitMQ Message Broker Package
RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
Install RabbitMQ:
#yum install rabbitmq-server
2.3.2. Configure the Firewall for Message Broker Traffic
Before installing and configuring the message broker, allow incoming connections on the port it will use. The default port for message broker (AMQP) traffic is
5672. All steps in this procedure must be performed on the server hosting the messaging service, while logged in as the root user.
Procedure 2.8. Configuring the Firewall for Message Broker Traffic
- Open the
/etc/sysconfig/iptablesfile in a text editor. - Add an INPUT rule allowing incoming connections on port
5672. The new rule must appear before any INPUT rules that REJECT traffic.-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
- Save the changes to the
/etc/sysconfig/iptablesfile. - Restart the
iptablesservice for the firewall changes to take effect:#systemctl restart iptables.service
2.3.3. Launch and Configure the RabbitMQ Message Broker
Procedure 2.9. Launching and Configuring the RabbitMQ Message Broker for Use with OpenStack
- Launch the
rabbitmq-serverservice and configure it to start at boot time:#systemctl start rabbitmq-server.service#systemctl enable rabbitmq-server.service - When the rabbitmq-server package is installed, a
guestuser with a defaultguestpassword is automatically created for the RabbitMQ service. Red Hat strongly advises that you change this default password, especially if you have IPv6 available. With IPv6, RabbitMQ may be accessible from outside the network. Change the default guest password:#rabbitmqctl change_password guest NEW_RABBITMQ_PASSReplace NEW_RABBITMQ_PASS with a more secure password. - Create a RabbitMQ user account for the Block Storage service, the Compute service, OpenStack Networking, the Orchestration service, the Image service, and the Telemetry service:
#rabbitmqctl add_user cinder CINDER_PASS#rabbitmqctl add_user nova NOVA_PASS#rabbitmqctl add_user neutron NEUTRON_PASS#rabbitmqctl add_user heat HEAT_PASS#rabbitmqctl add_user glance GLANCE_PASS#rabbitmqctl add_user ceilometer CEILOMETER_PASSReplace CINDER_PASS, NOVA_PASS, NEUTRON_PASS, HEAT_PASS, GLANCE_PASS, and CEILOMETER_PASS with secure passwords for each service. - Grant each of these RabbitMQ users read and write permissions to all resources:
#rabbitmqctl set_permissions cinder ".*" ".*" ".*"#rabbitmqctl set_permissions nova ".*" ".*" ".*"#rabbitmqctl set_permissions neutron ".*" ".*" ".*"#rabbitmqctl set_permissions heat ".*" ".*" ".*"#rabbitmqctl set_permissions glance ".*" ".*" ".*"#rabbitmqctl set_permissions ceilometer ".*" ".*" ".*"
2.3.4. Enable SSL on the RabbitMQ Message Broker
The RabbitMQ message broker features built-in support for SSL, which you can use to secure traffic. Create the certificates required for SSL communication, and configure SSL on RabbitMQ through the
/etc/rabbitmq/rabbitmq.config configuration file.
Procedure 2.10. Enabling SSL on the RabbitMQ Message Broker
- Create a directory in which to store the required certificates:
#mkdir /etc/pki/rabbitmq - Choose a secure certificate password and store it in a file within the
/etc/pki/rabbitmqdirectory:#echo SSL_RABBITMQ_PW > /etc/pki/rabbitmq/certpwReplace SSL_RABBITMQ_PW with a certificate password. This password will be used later for further securing the necessary certificates. - Set the permissions for the certificate directory and password file:
#chmod 700 /etc/pki/rabbitmq#chmod 600 /etc/pki/rabbitmq/certpw - Create the certificate database files (
*.db) in the/etc/pki/rabbitmqdirectory, using the password in the/etc/pki/rabbitmq/certpwfile:#certutil -N -d /etc/pki/rabbitmq -f /etc/pki/rabbitmq/certpw - For a production environment, it is recommended that you use a reputable third-party Certificate Authority (CA) to sign your certificates. Create a Certificate Signing Request (CSR) for a third-party CA:
#certutil -R -d /etc/pki/rabbitmq -s "CN=RABBITMQ_HOST" \-a -f /etc/pki/rabbitmq/certpw > RABBITMQ_HOST.csrReplace RABBITMQ_HOST with the IP or host name of the server hosting the RabbitMQ message broker. This command produces a CSR namedRABBITMQ_HOST.csrand a key file (keyfile.key). The key file will be used later when configuring the RabbitMQ message broker to use SSL.Note
Some CAs may require additional values other than"CN=RABBITMQ_HOST". - Provide
RABBITMQ_HOST.csrto your third-party CA for signing. Your CA should provide you with a signed certificate (server.crt) and a CA file (ca.crt). Add these files to your certificate database:#certutil -A -d /etc/pki/rabbitmq -n RABBITMQ_HOST -f /etc/pki/rabbitmq/certpw \-t u,u,u -a -i /path/to/server.crt#certutil -A -d /etc/pki/rabbitmq -n "Your CA certificate" \-f /etc/pki/rabbitmq/certpw -t CT,C,C -a -i /path/to/ca.crt - Configure the RabbitMQ message broker to use the certificate files for secure communications. Open the
/etc/rabbitmq/rabbitmq.configconfiguration file in a text editor, and edit therabbitsection as follows:- Find the line that reads:
%% {ssl_listeners, [5671]},Uncomment the setting by removing the percent signs:{ssl_listeners, [5671]}, - Scroll down to the line that reads:
%% {ssl_options, [{cacertfile, "/path/to/testca/cacert.pem"},Replace this line and the next few lines which comprise thessl_optionssection with the following content:{ssl_options, [{cacertfile, "/path/to/ca.crt"}, {certfile, "/path/to/server.crt"}, {keyfile, "/path/to/keyfile.key"}, {verify, verify_peer}, {versions, ['tlsv1.2','tlsv1.1',tlsv1]}, {fail_if_no_peer_cert, false}]}- Replace /path/to/ca.crt with the absolute path to the CA certificate.
- Replace /path/to/server.crt with the absolute path to the signed certificate.
- Replace /path/to/keyfile.key with the absolute path to the key file.
- Disable SSLv3 by editing the
rabbitmq.configto include support for only specific TLS encryption versions:{rabbit, [ {ssl_options, [{versions, ['tlsv1.2','tlsv1.1',tlsv1]}]}, ]} - Restart the RabbitMQ service for the change to take effect:
# systemctl restart rabbitmq-server.service
2.3.5. Export an SSL Certificate for Clients
When SSL is enabled on a server, the clients require a copy of the SSL certificate to establish a secure connection.
The following example commands can be used to export a client certificate and the private key from the message broker's certificate database:
#pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>#openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
For more information on SSL commands and options, see the OpenSSL Documentation. On Red Hat Enterprise Linux, see the
openssl manual page.