RabbitMQ Over SSL - security

I'm trying to set RabbitMQ to work over SSL.
I have changed the configuration file (/etc/rabbitmq/rabbitmq.config) as described at the following link,
https://www.rabbitmq.com/ssl.html, to:
# Defaults to rabbit. This can be useful if you want to run more than one node
# per machine - RABBITMQ_NODENAME should be unique per erlang-node-and-machine
# combination. See the clustering on a single machine guide for details:
# http://www.rabbitmq.com/clustering.html#single-machine
#NODENAME=rabbit
# By default RabbitMQ will bind to all interfaces, on IPv4 and IPv6 if
# available. Set this if you only want to bind to one network interface or#
# address family.
#NODE_IP_ADDRESS=127.0.0.1
# Defaults to 5672.
#NODE_PORT=5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /home/myuser/rootca.crt
ssl_options.certfile = /home/myuser/mydomain.com.crt
ssl_options.keyfile = /home/myuser/mydomain.com.key
ssl_options.verify = verify_peer
ssl_options.password = 1234
ssl_options.fail_if_no_peer_cert = false
I keep getting the following errors:
sudo rabbitmq-server
/usr/lib/rabbitmq/bin/rabbitmq-server: 15: /etc/rabbitmq/rabbitmq-env.conf: listeners.ssl.default: not found
If I remove the above line I get the following error:
sudo rabbitmq-server
/usr/lib/rabbitmq/bin/rabbitmq-server: 17: /etc/rabbitmq/rabbitmq-env.conf: ssl_options.cacertfile: not found
It is worth mentioning that without the above SSL configuration everything works just fine.
Could you please assist?
Thanks :)

It's very important when you request assistance with software that you always state what version of the software you're using. In the case of RabbitMQ, providing the Erlang version and operating system used is also necessary.
In your case, you have (commented-out) environment configuration in /etc/rabbitmq/rabbitmq-env.conf, as well as RabbitMQ configuration, which is not correct. The following lines must be removed from rabbitmq-env.conf and put into the /etc/rabbitmq/rabbitmq.conf file:
listeners.ssl.default = 5671
ssl_options.cacertfile = /home/myuser/rootca.crt
ssl_options.certfile = /home/myuser/mydomain.com.crt
ssl_options.keyfile = /home/myuser/mydomain.com.key
ssl_options.verify = verify_peer
ssl_options.password = 1234
ssl_options.fail_if_no_peer_cert = false
Please also see the documentation
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
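The placement point in the answer above can be checked mechanically. rabbitmq-env.conf is sourced by the shell, so a line such as `listeners.ssl.default = 5671` is executed as a command, which is exactly the "listeners.ssl.default: not found" the question reports; rabbitmq.conf uses dotted `key = value` settings instead. The script below is an added example, not code from this thread or from the RabbitMQ project: it separates shell assignments from rabbitmq.conf keys, lists the keys that are in the wrong file, and flags TLS settings worth a second look (a missing certificate path, `verify_peer` combined with `fail_if_no_peer_cert = false`, and a clear-text key passphrase). The sample file, its uncommented `NODE_PORT` line and the injectable `path_exists` stub are constructed for the example.

```python
import os
import re

# Constructed sample modelled on the question: shell-style rabbitmq-env.conf
# lines mixed with rabbitmq.conf (sysctl-style) keys in the same file.
SAMPLE_ENV_CONF = """\
#NODENAME=rabbit
NODE_PORT=5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /home/myuser/rootca.crt
ssl_options.certfile = /home/myuser/mydomain.com.crt
ssl_options.keyfile = /home/myuser/mydomain.com.key
ssl_options.verify = verify_peer
ssl_options.password = 1234
ssl_options.fail_if_no_peer_cert = false
"""

# A shell assignment: NAME=value with no spaces around '='.
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=\S*$")
# A rabbitmq.conf setting: dotted lower-case key, '=', value.
CONF_SETTING = re.compile(r"^([a-z0-9_]+(?:\.[a-z0-9_]+)+)\s*=\s*(.*)$")


def classify_lines(text):
    """Split a config file into shell assignments, rabbitmq.conf settings
    (as a dict) and lines that fit neither."""
    env, conf, unknown = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        conf_match = CONF_SETTING.match(line)
        if ENV_ASSIGN.match(line):
            env.append(line)
        elif conf_match:
            conf[conf_match.group(1)] = conf_match.group(2).strip()
        else:
            unknown.append(line)
    return env, conf, unknown


def misplaced_keys(env_conf_text):
    """Keys the shell would try to run as commands when rabbitmq-env.conf is
    sourced; they belong in rabbitmq.conf instead."""
    _, conf, _ = classify_lines(env_conf_text)
    return sorted(conf)


def audit_tls(conf, path_exists=os.path.exists):
    """Findings about the TLS listener settings in a rabbitmq.conf dict.
    path_exists is injectable so the audit can run offline on constructed input."""
    findings = []
    if "listeners.ssl.default" not in conf:
        findings.append("no TLS listener: listeners.ssl.default is not set")
    for key in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        value = conf.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif not path_exists(value):
            findings.append(f"{key} refers to a missing file: {value}")
    if (conf.get("ssl_options.verify") == "verify_peer"
            and conf.get("ssl_options.fail_if_no_peer_cert") != "true"):
        findings.append("verify_peer without fail_if_no_peer_cert=true: "
                        "clients that present no certificate are still accepted")
    if "ssl_options.password" in conf:
        findings.append("ssl_options.password stores the key passphrase in clear text; "
                        "keep the file readable only by the rabbitmq user")
    return findings


if __name__ == "__main__":
    print("misplaced in rabbitmq-env.conf:", misplaced_keys(SAMPLE_ENV_CONF))
    _, settings, _ = classify_lines(SAMPLE_ENV_CONF)
    for finding in audit_tls(settings):
        print("finding:", finding)
```

Run it against a real file with `classify_lines(open("/etc/rabbitmq/rabbitmq-env.conf").read())`; anything returned in the settings dict is a line the shell will choke on, and the TLS findings are a starting point for review rather than a verdict on the deployment.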

In rabbitmq.config, change the following to listen on 5673:
listeners.ssl.default = 5673

Tomcat is generating logs in multiple places, one in the default path "/logs" and another in the custom directory that is specified externally

We are planning to rotate the log that is generated by Tomcat using Logrotate for volume maintenance. When I checked for the logs I found two places in which these logs were being generated: "../apache-tomcat-7.0.57/logs" and the path that is specified in "logging.properties". I did check the Tomcat documentation, from which I understood that Tomcat uses the default path "/logs" if no path is mentioned externally in "logging.properties". I was not able to find out whether I have missed any configuration.
logging.properties file:
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = <custome path>
1catalina.org.apache.juli.FileHandler.prefix = catalina.
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = <custome path>
2localhost.org.apache.juli.FileHandler.prefix = localhost.
3manager.org.apache.juli.FileHandler.level = FINE
3manager.org.apache.juli.FileHandler.directory = <custome path>
3manager.org.apache.juli.FileHandler.prefix = manager.
4host-manager.org.apache.juli.FileHandler.level = FINE
4host-manager.org.apache.juli.FileHandler.directory = <custome path>
4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
#org.apache.catalina.util.LifecycleBase.level = FINE
# To see debug messages in TldLocationsCache, uncomment the following line:
#org.apache.jasper.compiler.TldLocationsCache.level = FINE
My question is: why are the logs being generated in multiple places, and how can I make Tomcat log to just one directory for maintenance?
Reference link
https://tomcat.apache.org/tomcat-7.0-doc/logging.html
By default it'll log to ${catalina.base}/logs, which is what you should see in ${catalina.base}/conf/logging.properties.
Additionally, standard output (aka exception.printStackTrace()) goes by default into ${catalina.base}/logs/catalina.out.
${catalina.base}/logs/catalina.out can be set to a different file by setting the environment variable CATALINA_OUT or CATALINA_OUT_CMD. To see what CATALINA_OUT_CMD does, it'll be easier to read the comments in ${catalina.home}/bin/catalina.sh.
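To see where a given logging.properties actually sends output, the following added example (not code from the thread or from Tomcat) reads the file the way JULI does and resolves each logger's handlers to a destination, applying org.apache.juli.FileHandler's documented defaults (directory "logs", prefix "juli.", suffix ".log") and treating the ConsoleHandler as the stdout stream that catalina.sh redirects into catalina.out. The sample properties are constructed from the question's file: the "<custome path>" placeholder is replaced by an assumed /var/log/tomcat-custom, and the 2localhost handler is deliberately left without a .directory so the default shows up.

```python
# Constructed logging.properties excerpt modelled on the question's file, with the
# "<custome path>" placeholder replaced by /var/log/tomcat-custom and one FileHandler
# (2localhost) deliberately left without a .directory so the JULI default shows up.
SAMPLE_PROPS = """\
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = /var/log/tomcat-custom
1catalina.org.apache.juli.FileHandler.prefix = catalina.

2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.prefix = localhost.

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
"""

CATALINA_BASE = "${catalina.base}"  # left symbolic, as in the answer


def parse_properties(text):
    """Minimal java.util.Properties reader: key = value, '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def handler_destination(props, handler):
    """Where one handler writes. org.apache.juli.FileHandler defaults: directory 'logs'
    (a relative path; the stock config sets ${catalina.base}/logs explicitly), prefix
    'juli.', suffix '.log'. ConsoleHandler writes to stdout, which catalina.sh
    redirects to catalina.out."""
    if handler.endswith("org.apache.juli.FileHandler"):
        directory = props.get(f"{handler}.directory", "logs")
        prefix = props.get(f"{handler}.prefix", "juli.")
        suffix = props.get(f"{handler}.suffix", ".log")
        return f"{directory}/{prefix}<date>{suffix}"
    if handler == "java.util.logging.ConsoleHandler":
        return f"stdout -> {CATALINA_BASE}/logs/catalina.out (set by CATALINA_OUT)"
    return f"{handler} (unknown handler type)"


def logger_destinations(text):
    """Map each logger (the root logger is '') to the places its handlers write."""
    props = parse_properties(text)
    result = {}
    for key, value in props.items():
        if key == ".handlers":
            logger = ""
        elif key.endswith(".handlers") and key != "handlers":
            logger = key[: -len(".handlers")]
        else:
            continue
        handlers = [h.strip() for h in value.split(",") if h.strip()]
        result[logger] = [handler_destination(props, h) for h in handlers]
    return result


def log_directories(text):
    """Distinct directories that end up holding log files, for log-rotation planning."""
    dirs = set()
    for dests in logger_destinations(text).values():
        for dest in dests:
            if dest.startswith("stdout"):
                dirs.add(f"{CATALINA_BASE}/logs")
            else:
                dirs.add(dest.rsplit("/", 1)[0])
    return sorted(dirs)


if __name__ == "__main__":
    for logger, dests in logger_destinations(SAMPLE_PROPS).items():
        print(repr(logger or "<root>"), "->", dests)
    print("directories to rotate:", log_directories(SAMPLE_PROPS))
```

The two-directory situation in the question falls out of this: every FileHandler can carry its own .directory, and the ConsoleHandler is a third destination that logging.properties never names, so a logrotate policy has to cover catalina.out separately from the FileHandler directories.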

dnsmasq - forwarding local dns queries

I have two OpenWrt APs with dnsmasq on each AP. Let's call them DNS1 (main AP on 192.168.10.1) and DNS2 (dumb AP on 192.168.10.2). DNS1 is also the only DHCP server on my local network. I have stubby running on each instance to resolve external DNS requests on port 5453. I have a couple of static DHCP hosts on DNS1 which I sync to DNS2, and they resolve fine. My problem is that I cannot get DNS2 to query DNS1 when it cannot resolve a local (lan) query. To clarify further: since DNS1 also handles DHCP, a new client (client1) will only get resolved by DNS1. Any client using DNS2 as its DNS server/resolver will not be able to resolve client1 or client1.lan. I thought adding 'server=/lan/192.168.10.1' would do the trick, but no luck. Here is my /etc/config/dhcp and the autogenerated dnsmasq.conf from DNS2:
config dnsmasq
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option quietdhcp '1'
option cachesize '4096'
option readethers '1'
option localise_queries '1'
option expandhosts '1'
option noresolv '1'
option rebind_protection '1'
option rebind_localhost '1'
option filterwin2k '1'
option domain 'lan'
option domainneeded '1'
list addnhosts '/adblock/custom'
list addnhosts '/adblock/dlhosts'
list addnhosts '/adblock/dlhosts-ipv6'
option local_ttl '300'
list server '/lan/192.168.10.1'
list server '127.0.0.1#5453'
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
domain-needed
filterwin2k
no-resolv
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
quiet-dhcp
cache-size=4096
domain=lan
server=/lan/192.168.10.1
server=127.0.0.1#5453
addn-hosts=/tmp/hosts
addn-hosts=/adblock/custom
addn-hosts=/adblock/dlhosts
addn-hosts=/adblock/dlhosts-ipv6
dhcp-leasefile=/tmp/dhcp.leases
local-ttl=300
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-ignore-names=tag:dhcp_bogus_hostname
bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
This is likely dnsmasq's rebind protection kicking in from stop-dns-rebind. Check your logs; if you see lines like this, then that is your issue.
dnsmasq[3835]: possible DNS-rebind attack detected: hostname.lan
You want to add rebind-domain-ok=lan to your dnsmasq.conf. Your OpenWRT config should look like this:
config dnsmasq
list rebind_domain 'lan'
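The mechanism behind the answer above, as an added example that is not code from the thread or from dnsmasq: DNS2 forwards client1.lan to DNS1 because of the server=/lan/ entry, DNS1 answers with a 192.168.x address, and stop-dns-rebind then refuses that answer because it is a private address from an upstream server, producing the "possible DNS-rebind attack detected" log line. rebind-domain-ok=lan exempts that domain. The script models the forwarding choice and the rebind filter; the private ranges are an approximation of dnsmasq's check, and the upstream answer table and the 192.168.10.57 / 203.0.113.10 addresses are constructed.

```python
import ipaddress

# Constructed: the server= lines from DNS2's generated dnsmasq.conf as (domain, server)
# pairs; None marks the default upstream used when no domain entry matches.
SERVERS = [("lan", "192.168.10.1"), (None, "127.0.0.1#5453")]

# Constructed upstream answers: what each server would return for a name.
UPSTREAM_ANSWERS = {
    "192.168.10.1": {"client1.lan": "192.168.10.57"},   # DNS1 knows its own DHCP lease
    "127.0.0.1#5453": {"example.com": "203.0.113.10"},  # stubby resolves public names
}

# Approximation of the ranges stop-dns-rebind refuses in answers from upstream.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this" network, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def in_domain(name, domain):
    """True if name is domain itself or lies under it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)


def select_upstream(name, servers=SERVERS):
    """Server dnsmasq forwards a query to: the most specific matching
    server=/domain/ entry wins, otherwise the default entry."""
    best_depth, best = -1, None
    for domain, server in servers:
        if domain is None:
            depth = 0
        elif in_domain(name, domain):
            depth = domain.count(".") + 1
        else:
            continue
        if depth > best_depth:
            best_depth, best = depth, server
    return best


def accept_upstream_answer(name, ip, rebind_domain_ok=(), rebind_localhost_ok=False):
    """Model of the stop-dns-rebind decision for one A/AAAA answer from upstream.
    Returns (accepted, reason); the rejection reason mirrors the log line in the thread."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in PRIVATE_NETS):
        return True, "public address, accepted"
    if rebind_localhost_ok and addr.is_loopback:
        return True, "loopback exempted by rebind-localhost-ok"
    for domain in rebind_domain_ok:
        if in_domain(name, domain):
            return True, f"private address allowed by rebind-domain-ok={domain}"
    return False, f"possible DNS-rebind attack detected: {name}"


def resolve(name, rebind_domain_ok=(), servers=SERVERS, answers=UPSTREAM_ANSWERS):
    """Forward name to the selected upstream and apply the rebind filter.
    Returns the address, or None when there is no answer or it was refused."""
    server = select_upstream(name, servers)
    ip = answers.get(server, {}).get(name.rstrip(".").lower())
    if ip is None:
        return None
    accepted, _ = accept_upstream_answer(name, ip, rebind_domain_ok)
    return ip if accepted else None


if __name__ == "__main__":
    for ok in ((), ("lan",)):
        print("rebind-domain-ok =", ok, "-> client1.lan:", resolve("client1.lan", ok))
    print("example.com:", resolve("example.com"))
```

Keeping rebind protection on and exempting only the local domain is the right shape: an answer such as 10.0.0.1 for a name outside lan is still refused, which is the attack the option exists to stop.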

Registry tab does not work

I have installed gitlab on AWS server and it is working as expected.
http://ec2-54-167-34-63.compute-1.amazonaws.com/
But when I click on "Registry" tab, I am shown page not found error (500)
The relevant part from /etc/gitlab/gitlab.rb
gitlab_rails['gitlab_default_projects_features_container_registry'] = true
# registry_external_url 'https://registry.gitlab.example.com'
registry_external_url 'http://ec2-54-167-34-63.compute-1.amazonaws.com:4567'
# Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "http://ec2-54-167-34-63.compute-1.amazonaws.com"
gitlab_rails['registry_port'] = "5005"
gitlab_rails['registry_api_url'] = "http://localhost:5000"
gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
# Settings used by Registry application
registry['enable'] = true
registry['username'] = "registry"
registry['group'] = "registry"
registry['uid'] = nil
registry['gid'] = nil
registry['dir'] = "/var/opt/gitlab/registry"
registry['log_directory'] = "/var/log/gitlab/registry"
registry['log_level'] = "info"
registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
registry['storage_delete_enabled'] = true
Update
As per the logs below, I need gitlab-registry.key file in the correct location. What is this file and how do I generate one?
tail /var/log/gitlab/gitlab-rails/production.log
Started GET "/root/test/container_registry" for 125.99.49.46 at 2016-10-24 08:29:27 +0000
Processing by Projects::ContainerRegistryController#index as HTML
Parameters: {"namespace_id"=>"root", "project_id"=>"test"}
Completed 500 Internal Server Error in 23ms (ActiveRecord: 3.5ms)
Errno::ENOENT (No such file or directory # rb_sysopen - /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key):
lib/json_web_token/rsa_token.rb:20:in `read'
lib/json_web_token/rsa_token.rb:20:in `key_data'
lib/json_web_token/rsa_token.rb:24:in `key'
lib/json_web_token/rsa_token.rb:28:in `public_key'
lib/json_web_token/rsa_token.rb:33:in `kid'
lib/json_web_token/rsa_token.rb:12:in `encoded'
app/services/auth/container_registry_authentication_service.rb:30:in `full_access_token'
app/models/project.rb:421:in `container_registry_repository'
app/controllers/projects/container_registry_controller.rb:28:in `container_registry_repository'
app/controllers/projects/container_registry_controller.rb:8:in `index'
lib/gitlab/request_profiler/middleware.rb:15:in `call'
lib/gitlab/middleware/go.rb:16:in `call'
Update 2
I guess I need to generate a certificate as explained here...
http://www.bonusbits.com/wiki/HowTo:Setup_HTTPS_for_Gitlab
Check the GitLab server log (since it is an error 500. Example of such logs: issue 23019)
There is an issue pending with GitLab 8.13: 23575: No way to enable container registry, with a merge request 7037: Fix typo in project settings that prevents users from enabling container registry.
They might be related with your issue.
Issue 23339 mentions also "sorting out self signed certs problem (my registry is under different domain than gitlab itself)": that should not be the case here.
Issue 23181 (Pushing to Registry Still Frequently Encounters unauthorized: authentication required) suggests that the error is gone for docker 1.11+ (so it depends on which version of docker you are using on AWS).
Regarding gitlab-registry.key mentioned by the OP's edit, it should be created by a simple reconfigure, if declared properly.
So double-check:
1316
It turns out it was a typo on my part.
The config key is registry_nginx["ssl_certificate"] not registry_nginx[ssl_certificate].
1218 and merge request 3787 which show how this feature was added.
Try to set only a few of the registry settings, like:
registry_external_url 'http://ec2-54-167-34-63.compute1.amazonaws.com:4567'
Don't set the gitlab_rails['registry_xxxxx'] and registry['xxxxx'] values if you want to keep the defaults, and don't set values if you don't know what you are modifying.
About the certificates, check at the very bottom of the gitlab.rb file, and here you can set your certificates for the registry:
registry_nginx['ssl_certificate'] = "/path/to/my/cert.crt"
registry_nginx['ssl_certificate_key'] = "/path/to/my/key.key"
Also check the output of this command to check your GitLab instance:
sudo gitlab-rake gitlab:check
Just like deporclick did, set your certificates for the registry as:
registry_nginx['ssl_certificate'] = "/path/to/my/cert.crt"
registry_nginx['ssl_certificate_key'] = "/path/to/my/key.key"

In Puppet, how do I determine if a computer is using systemd or sysvinit?

I have a custom Puppet module which installs a daemon/service: a small Ruby WEBrick. I have a systemd script to start/stop the daemon, and now I also have a SysVinit script. I would like to install the appropriate script for either one.
My ideal puppet-flow would be:
puppet detects if systemd or sysvinit is being used
puppet module then installs the appropriate script
puppet module enables & ensures it is running.
Is this possible?
We are running puppet 4.4.2.
The usual way to handle it is using facts and conditionals, e.g. (from the Elasticsearch Approved module):
params.pp:
case $::operatingsystem {
  'RedHat', 'CentOS', 'Fedora', 'Scientific', 'OracleLinux', 'SLC': {
    $service_name       = 'elasticsearch'
    $service_hasrestart = true
    $service_hasstatus  = true
    $service_pattern    = $service_name
    $defaults_location  = '/etc/sysconfig'
    $pid_dir            = '/var/run/elasticsearch'
    # EL7 and later boot with systemd; older releases use the SysV init template
    if versioncmp($::operatingsystemmajrelease, '7') >= 0 {
      $init_template        = 'elasticsearch.systemd.erb'
      $service_providers    = 'systemd'
      $systemd_service_path = '/lib/systemd/system'
    } else {
      $init_template        = 'elasticsearch.RedHat.erb'
      $service_providers    = 'init'
      $systemd_service_path = undef
    }
  }
  # branches for other operating systems omitted from this excerpt
}
Note that this is Puppet 3 compatible code; look into current best practices with respect to Facter facts and the $facts hash if you want Puppet 4 best practices and you don't need to support Puppet 3.
If you don't like assuming the availability of systemd based on the OS version, you could also write a custom fact that reports whether systemd is available.
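The custom-fact route suggested above comes down to probing the running host instead of inferring from the OS version. The following is an added example, not code from the thread or from the Elasticsearch module, and it is written in Python (the page's other code language) rather than the Ruby a Facter fact would use; it shows the two probes such a fact would combine: the /run/systemd/system directory that sd_booted(3) documents as the "booted with systemd" marker, and the name of PID 1 from /proc/1/comm. Both probes are injectable so the logic can be exercised without a Linux host, and the service name webrick-daemon and the template names are hypothetical.

```python
import os


def read_text(path):
    """Read a small file, returning None when it is absent (e.g. on a non-Linux host)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def detect_init(is_dir=os.path.isdir, read=read_text):
    """Decide which init system booted the host.
    sd_booted(3) defines /run/systemd/system as the marker for a systemd boot;
    otherwise fall back to the name of PID 1. Both probes are injectable for tests."""
    if is_dir("/run/systemd/system"):
        return "systemd"
    comm = read("/proc/1/comm")
    if comm is None:
        return "unknown"
    comm = comm.strip()
    if comm == "systemd":
        return "systemd"
    if comm == "init":
        # SysV init names itself "init"; so does Upstart, which a fact could tell
        # apart by running "init --version" if Upstart hosts are in scope.
        return "sysvinit"
    return "unknown"


# Hypothetical service name for the WEBrick daemon in the question.
SERVICE = "webrick-daemon"


def unit_to_install(init, name=SERVICE):
    """(template, destination path) for the init system in use; mirrors the
    init_template / systemd_service_path selection in the Puppet excerpt."""
    targets = {
        "systemd": (f"{name}.service.erb", f"/etc/systemd/system/{name}.service"),
        "sysvinit": (f"{name}.init.erb", f"/etc/init.d/{name}"),
    }
    if init not in targets:
        raise ValueError(f"unsupported init system: {init}")
    return targets[init]


if __name__ == "__main__":
    init = detect_init()
    print("init system:", init)
    if init != "unknown":
        template, path = unit_to_install(init)
        print(f"install {template} to {path}")
```

In a module the fact would expose the same value (say `init_system`), and the manifest would branch on `$facts['init_system']` to pick the template and the `provider` for the service resource.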

How to get VNC port number using libvirt?

I set autoport=yes in a domain's ("virtual machine" in libvirt) config file, so the VNC port is assigned automatically at run time.
I need to get this port so I can connect to the VM from outside, but I can't find the proper API to do so. Preferably in Python, because I'm using the libvirt-python bindings.
I have not found any API for the VNC port; not sure if a newer version of libvirt has this interface?
However, you can use the command virsh vncdisplay $domainName to show the port. NOTE: you must modify /etc/libvirt/qemu.conf to enable vnc_listen='0.0.0.0'.
There's no API to get the VNC port. You have to fetch and parse the domain XML to find that port. Of course, if the guest is destroyed (powered off/offline) that port will have the value -1.
char * virDomainGetXMLDesc (virDomainPtr domain, unsigned int flags)
<domain>
<devices>
<graphics type='vnc' port='5900' autoport='yes'/>
</devices>
</domain>
References
http://libvirt.org/html/libvirt-libvirt.html#virDomainGetXMLDesc
Here's how you do it in Python, in case anyone needs this.
Save as vncport.py
from xml.etree import ElementTree as ET
import sys
import libvirt

conn = libvirt.open()                      # default hypervisor URI, read-write
domain = conn.lookupByName(sys.argv[1])
# get the XML description of the VM
vmXml = domain.XMLDesc(0)
root = ET.fromstring(vmXml)
# get the VNC port; it reads -1 while the domain is shut off, because autoport
# only assigns a port when the domain starts
graphics = root.find("./devices/graphics[@type='vnc']")
if graphics is None:
    sys.exit("no VNC graphics device in the domain XML")
port = graphics.get('port')
print(port)
Run Command
python vncport.py <domain name>
Here is the PHP version, in case anyone needs it:
$res = libvirt_domain_lookup_by_name($conn, $domname);
$xmlString = libvirt_domain_get_xml_desc($res, '');
$xml = simplexml_load_string($xmlString);
$json = json_encode($xml);
$data = json_decode($json,TRUE);
$port = intval($data["devices"]["graphics"]["#attributes"]["port"]);