RabbitMQ¶
RabbitMQ is a message broker written in Erlang. It is currently the default provider of message queues in Kolla Ansible deployments.
TLS encryption¶
There are a number of channels to consider when securing RabbitMQ communication. Kolla Ansible currently supports TLS encryption of the following:
client-server traffic, typically between OpenStack services using the oslo.messaging library and RabbitMQ
RabbitMQ Management API and UI (frontend connection to HAProxy only)
Encryption of the following channels is not currently supported:
RabbitMQ cluster traffic between RabbitMQ server nodes
RabbitMQ CLI communication with RabbitMQ server nodes
RabbitMQ Management API and UI (backend connection from HAProxy to RabbitMQ)
Client-server¶
Encryption of client-server traffic is enabled by setting
rabbitmq_enable_tls to true. Additionally, certificates and keys must
be available in the following paths (in priority order):
Certificates:
"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/rabbitmq-cert.pem""{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem""{{ kolla_certificates_dir }}/rabbitmq-cert.pem"
Keys:
"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/rabbitmq-key.pem""{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem""{{ kolla_certificates_dir }}/rabbitmq-key.pem"
The default for kolla_certificates_dir is /etc/kolla/certificates.
The certificates must be valid for the IP address of the host running RabbitMQ on the API network.
Additional TLS configuration options may be passed to RabbitMQ via
rabbitmq_tls_options. This should be a dict, and the keys will be prefixed
with ssl_options.. For example:
rabbitmq_tls_options:
ciphers.1: ECDHE-ECDSA-AES256-GCM-SHA384
ciphers.2: ECDHE-RSA-AES256-GCM-SHA384
ciphers.3: ECDHE-ECDSA-AES256-SHA384
honor_cipher_order: true
honor_ecc_order: true
Details on configuration of RabbitMQ for TLS can be found in the RabbitMQ documentation.
When om_rabbitmq_enable_tls is true (it defaults to the value of
rabbitmq_enable_tls), applicable OpenStack services will be configured to
use oslo.messaging with TLS enabled. The CA certificate is configured via
om_rabbitmq_cacert (it defaults to rabbitmq_cacert, which points to the
system’s trusted CA certificate bundle for TLS). Note that there is currently
no support for using client certificates.
For testing purposes, Kolla Ansible provides the kolla-ansible certificates
command, which will generate self-signed certificates for RabbitMQ if
rabbitmq_enable_tls is true.
Management API and UI¶
The management API and UI are accessed via HAProxy, exposed only on the
internal VIP. As such, traffic to this endpoint is encrypted when
kolla_enable_tls_internal is true. See TLS Configuration.
Passing arguments to RabbitMQ server’s Erlang VM¶
Erlang programs run in an Erlang VM (virtual machine) and use the Erlang runtime. The Erlang VM can be configured.
Kolla Ansible makes it possible to pass arguments to the Erlang VM via the
usage of the rabbitmq_server_additional_erl_args variable. The contents of
it are appended to the RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment
variable which is passed to the RabbitMQ server startup script. Kolla Ansible
already configures RabbitMQ server for IPv6 (if necessary). Any argument can be
passed there as documented in https://www.rabbitmq.com/runtime.html
The default value for rabbitmq_server_additional_erl_args is +S 2:2 +sbwt
none +sbwtdcpu none +sbwtdio none.
By default RabbitMQ starts N schedulers where N is the number of CPU cores,
including hyper-threaded cores. This is fine when you assume all CPUs are
dedicated to RabbitMQ. Its not a good idea in a typical Kolla Ansible setup.
Here we go for two scheduler threads (+S 2:2). More details can be found
here: https://www.rabbitmq.com/runtime.html#scheduling and here:
https://erlang.org/doc/man/erl.html#emulator-flags
The +sbwt none +sbwtdcpu none +sbwtdio none arguments prevent busy waiting
of the scheduler, for more details see:
https://www.rabbitmq.com/runtime.html#busy-waiting.
High Availability¶
With the release of RabbitMQ 4.0, all queues are highly available as they are
configured to be quorum queues by default. RabbitMQ also offer queues called
streams, which can be used to replace “fanout” queues with a more performant
alternative. This is enabled by default, but can be disabled by setting
om_enable_rabbitmq_stream_fanout: false. When changing queues to a
different type, the follow procedure will be needed.
Warning
Since the default changed to have all queues be of durable type in the Epoxy release, following procedure is required to be carried out before any upgrade to Epoxy.
Stop all OpenStack services which use RabbitMQ, so that they will not attempt to recreate any queues yet.
kolla-ansible stop --tags <service-tags>Generate the new config for all services.
kolla-ansible genconfigReconfigure RabbitMQ if you were previously using
om_enable_rabbitmq_high_availability.kolla-ansible reconfigure --tags rabbitmqReset the state on each RabbitMQ, to remove the old transient queues and exchanges.
kolla-ansible rabbitmq-reset-stateStart the OpenStack services again, at which point they will recreate the appropriate queues as durable.
kolla-ansible deploy --tags <service-tags>
SLURP¶
Note
The version of RabbitMQ did not increase in Dalmatian, so this will not be needed for a skip-level upgrade to Epoxy.
RabbitMQ has two major version releases per year but does not support jumping two versions in one upgrade. So if you want to perform a skip-level upgrade, you must first upgrade RabbitMQ to an intermediary version. To do this, Kolla provides multiple RabbitMQ versions in the odd OpenStack releases. To use the upgrade from Antelope to Caracal as an example, we start on RabbitMQ version 3.11. In Antelope, you should upgrade to RabbitMQ version 3.12 with the command below. You can then proceed with the usual SLURP upgrade to Caracal (and therefore RabbitMQ version 3.13).
Warning
This command should be run from the Antelope release.
Note that this command is NOT idempotent. See “RabbitMQ versions” below for an alternative approach.
kolla-ansible rabbitmq-upgrade 3.12
RabbitMQ versions¶
Alternatively, you can set rabbitmq_image in your configuration
globals.yml for idempotence in deployments. As an example, Kolla ships
versions 3.11, 3.12 and 3.13 of RabbitMQ in Antelope. By default, Antelope
Kolla-Ansible will deploy version 3.11. If you wish to deploy a later version,
you must override the image. if you want to use version 3.12 change
rabbitmq_image in globals.yml as follows:
rabbitmq_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/rabbitmq-3-12"
You can then upgrade RabbitMQ with the usual command:
kolla-ansible upgrade --tags rabbitmq
Note again that RabbitMQ does not support upgrades between more than one major version, so if you wish to upgrade to version 3.13 you must first upgrade to 3.12.
