diff --git a/.travis.yml b/.travis.yml index b10937e..a68fb44 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,6 +2,8 @@ language: bash services: docker env: + - VERSION=3.8-beta VARIANT=ubuntu + - VERSION=3.8-beta VARIANT=alpine - VERSION=3.7-rc VARIANT=ubuntu - VERSION=3.7-rc VARIANT=alpine - VERSION=3.7 VARIANT=ubuntu diff --git a/3.8-beta/alpine/Dockerfile b/3.8-beta/alpine/Dockerfile new file mode 100644 index 0000000..1b451b6 --- /dev/null +++ b/3.8-beta/alpine/Dockerfile @@ -0,0 +1,233 @@ +# Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk! +FROM alpine:3.8 + +# grab su-exec for easy step-down from root +# bash for docker-entrypoint.sh +RUN apk add --no-cache 'su-exec>=0.2' bash + +# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally +ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net +# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, +# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu +# For context, see https://github.com/docker-library/official-images/issues/4252 + +# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/ +ENV OPENSSL_VERSION 1.1.1a +ENV OPENSSL_SOURCE_SHA256="fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41" +# https://www.openssl.org/community/omc.html +ENV OPENSSL_PGP_KEY_ID="0x8657ABB260F056B1E5190839D9C4D26D0E604491" + +# Use the latest stable Erlang/OTP release (https://github.com/erlang/otp/tags) +ENV OTP_VERSION 21.2.3 +# TODO add PGP checking when the feature will be added to Erlang/OTP's build system +# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html +ENV OTP_SOURCE_SHA256="109a5722e398bdcd3aeb4f4833cde90bf441a9c014006439643aab550a770923" + +# Install dependencies required to build Erlang/OTP from source +# http://erlang.org/doc/installation_guide/INSTALL.html +# autoconf: Required to configure Erlang/OTP before compiling +# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP +# gnupg: Required to verify OpenSSL artefacts +# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli +# m4: Required for Erlang/OTP HiPE support +RUN set -eux; \ + \ + apk add --no-cache --virtual .build-deps \ + autoconf \ + ca-certificates \ + dpkg-dev dpkg \ + gcc \ + gnupg \ + libc-dev \ + linux-headers \ + m4 \ + make \ + ncurses-dev \ + wget \ + ; \ + \ + OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ + OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ + OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + \ +# /usr/local/src doesn't exist in Alpine by default + mkdir /usr/local/src; \ + \ +# Required by the crypto & ssl Erlang/OTP applications + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$OPENSSL_PGP_KEY_ID"; \ + gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum -c -; \ + mkdir -p "$OPENSSL_PATH"; \ + tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ + \ +# Configure OpenSSL for compilation + cd "$OPENSSL_PATH"; \ + ./config --openssldir="$OPENSSL_CONFIG_DIR"; \ +# Compile, install OpenSSL, verify that the command-line works & development headers are present + make -j "$(getconf _NPROCESSORS_ONLN)"; \ + make install_sw install_ssldirs; \ + cd ..; \ + rm -rf "$OPENSSL_PATH"*; \ +# use Alpine's CA certificates + rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ + ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"; \ +# smoke test + openssl version; \ + \ + OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz"; \ + OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ + \ +# Download, verify & extract OTP_SOURCE + mkdir -p "$OTP_PATH"; \ + wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ + echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum -c -; \ + tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ + \ +# Configure Erlang/OTP for compilation, disable unused features & applications +# http://erlang.org/doc/applications.html +# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation + cd "$OTP_PATH"; \ + export ERL_TOP="$OTP_PATH"; \ + ./otp_build autoconf; \ + CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ + hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ + buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --host="$hostArch" \ + --build="$buildArch" \ + --disable-dynamic-ssl-lib \ + --disable-sctp \ + --disable-silent-rules \ + --enable-clock-gettime \ + --enable-hipe \ + --enable-hybrid-heap \ + --enable-kernel-poll \ + --enable-shared-zlib \ + --enable-smp-support \ + --enable-threads \ + --with-microstate-accounting=extra \ + --without-common_test \ + --without-debugger \ + --without-dialyzer \ + --without-diameter \ + --without-edoc \ + --without-erl_docgen \ + --without-erl_interface \ + --without-et \ + --without-eunit \ + --without-ftp \ + --without-jinterface \ + --without-megaco \ + --without-observer \ + --without-odbc \ + --without-reltool \ + --without-ssh \ + --without-tftp \ + --without-wx \ + ; \ +# Compile & install Erlang/OTP + make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ + make install; \ + cd ..; \ + rm -rf "$OTP_PATH"* /usr/local/lib/erlang/lib/*/src; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-cache --virtual .otp-run-deps $runDeps; \ + apk del --no-network .build-deps; \ + \ +# Check that OpenSSL still works after purging build dependencies + openssl version; \ +# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly + erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' + +ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM +RUN set -eux; \ + addgroup -g 101 -S rabbitmq; \ + adduser -u 100 -S -h "$RABBITMQ_DATA_DIR" -G rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie + +# Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) +ENV RABBITMQ_VERSION 3.8.0-beta.1 +# https://www.rabbitmq.com/signatures.html#importing-gpg +ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" +ENV RABBITMQ_HOME=/opt/rabbitmq + +# Add RabbitMQ to PATH, send all logs to TTY +ENV PATH=$RABBITMQ_HOME/sbin:$PATH \ + RABBITMQ_LOGS=- RABBITMQ_SASL_LOGS=- + +# Install RabbitMQ +RUN set -eux; \ + \ + apk add --no-cache --virtual .build-deps \ + ca-certificates \ + gnupg \ + wget \ + xz \ + ; \ + \ + RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-$RABBITMQ_VERSION.tar.xz"; \ + RABBITMQ_PATH="/usr/local/src/rabbitmq-$RABBITMQ_VERSION"; \ + \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz" "$RABBITMQ_SOURCE_URL"; \ + \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$RABBITMQ_PGP_KEY_ID"; \ + gpg --batch --verify "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_PATH.tar.xz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + \ + mkdir -p "$RABBITMQ_HOME"; \ + tar --extract --file "$RABBITMQ_PATH.tar.xz" --directory "$RABBITMQ_HOME" --strip-components 1; \ + rm -rf "$RABBITMQ_PATH"*; \ +# Do not default SYS_PREFIX to RABBITMQ_HOME, leave it empty + grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \ + \ + apk del .build-deps; \ + \ +# verify assumption of no stale cookies + [ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \ +# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user +# If they all succeed, it's safe to assume that things have been set up correctly + su-exec rabbitmq rabbitmqctl help; \ + su-exec rabbitmq rabbitmqctl list_ciphers; \ + su-exec rabbitmq rabbitmq-plugins list; \ +# no stale cookies + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" + +# Added for backwards compatibility - users can simply COPY custom plugins to /plugins +RUN ln -sf /opt/rabbitmq/plugins /plugins + +# set home so that any `--user` knows where to put the erlang cookie +ENV HOME $RABBITMQ_DATA_DIR +# Hint that the data (a.k.a. home dir) dir should be separate volume +VOLUME $RABBITMQ_DATA_DIR + +# warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell) +# Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable +# https://docs.docker.com/samples/library/ubuntu/#locales +ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8 + +COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 4369 5671 5672 25672 +CMD ["rabbitmq-server"] diff --git a/3.8-beta/alpine/docker-entrypoint.sh b/3.8-beta/alpine/docker-entrypoint.sh new file mode 100755 index 0000000..aea0160 --- /dev/null +++ b/3.8-beta/alpine/docker-entrypoint.sh @@ -0,0 +1,404 @@ +#!/bin/bash +set -eu + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# backwards compatibility for old environment variables +: "${RABBITMQ_SSL_CERTFILE:=${RABBITMQ_SSL_CERT_FILE:-}}" +: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}" +: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}" + +# "management" SSL config should default to using the same certs +: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}" + +# Allowed env vars that will be read from mounted files (i.e. Docker Secrets): +fileEnvKeys=( + default_user + default_pass +) + +# https://www.rabbitmq.com/configure.html +sslConfigKeys=( + cacertfile + certfile + depth + fail_if_no_peer_cert + keyfile + verify +) +managementConfigKeys=( + "${sslConfigKeys[@]/#/ssl_}" +) +rabbitConfigKeys=( + default_pass + default_user + default_vhost + hipe_compile + vm_memory_high_watermark +) +fileConfigKeys=( + management_ssl_cacertfile + management_ssl_certfile + management_ssl_keyfile + ssl_cacertfile + ssl_certfile + ssl_keyfile +) +allConfigKeys=( + "${managementConfigKeys[@]/#/management_}" + "${rabbitConfigKeys[@]}" + "${sslConfigKeys[@]/#/ssl_}" +) + +declare -A configDefaults=( + [management_ssl_fail_if_no_peer_cert]='false' + [management_ssl_verify]='verify_none' + + [ssl_fail_if_no_peer_cert]='true' + [ssl_verify]='verify_peer' +) + +# allow the container to be started with `--user` +if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then + # this needs to happen late enough that we have the SSL config + # https://github.com/docker-library/rabbitmq/issues/283 + for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + [ -n "$val" ] || continue + case "$conf" in + *_ssl_*file | ssl_*file ) + if [ -f "$val" ] && ! su-exec rabbitmq test -r "$val"; then + newFile="/tmp/rabbitmq-ssl/$conf.pem" + echo >&2 + echo >&2 "WARNING: '$val' ($var) is not readable by rabbitmq ($(id rabbitmq)); copying to '$newFile'" + echo >&2 + cat "$val" > "$newFile" + chown rabbitmq "$newFile" + chmod 0400 "$newFile" + eval 'export '$var'="$newFile"' + fi + ;; + esac + done + + if [ "$1" = 'rabbitmq-server' ]; then + find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' + + fi + + exec su-exec rabbitmq "$BASH_SOURCE" "$@" +fi + +haveConfig= +haveSslConfig= +haveManagementSslConfig= +for fileEnvKey in "${fileEnvKeys[@]}"; do file_env "RABBITMQ_${fileEnvKey^^}"; done +for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + if [ "$val" ]; then + if [ "${configDefaults[$conf]:-}" ] && [ "${configDefaults[$conf]}" = "$val" ]; then + # if the value set is the same as the default, treat it as if it isn't set + continue + fi + haveConfig=1 + case "$conf" in + ssl_*) haveSslConfig=1 ;; + management_ssl_*) haveManagementSslConfig=1 ;; + esac + fi +done +if [ "$haveSslConfig" ]; then + missing=() + for sslConf in cacertfile certfile keyfile; do + var="RABBITMQ_SSL_${sslConf^^}" + val="${!var}" + if [ -z "$val" ]; then + missing+=( "$var" ) + fi + done + if [ "${#missing[@]}" -gt 0 ]; then + { + echo + echo 'error: SSL requested, but missing required configuration' + for miss in "${missing[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 + fi +fi +missingFiles=() +for conf in "${fileConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var}" + if [ "$val" ] && [ ! -f "$val" ]; then + missingFiles+=( "$val ($var)" ) + fi +done +if [ "${#missingFiles[@]}" -gt 0 ]; then + { + echo + echo 'error: files specified, but missing' + for miss in "${missingFiles[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 +fi + +# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off) +for conf in "${!configDefaults[@]}"; do + default="${configDefaults[$conf]}" + var="RABBITMQ_${conf^^}" + [ -z "${!var:-}" ] || continue + eval "export $var=\"\$default\"" +done + +# if long and short hostnames are not the same, use long hostnames +if [ "$(hostname)" != "$(hostname -s)" ]; then + : "${RABBITMQ_USE_LONGNAME:=true}" +fi + +if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then + cookieFile='/var/lib/rabbitmq/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match RABBITMQ_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$RABBITMQ_ERLANG_COOKIE" > "$cookieFile" + fi + chmod 600 "$cookieFile" +fi + +configBase="${RABBITMQ_CONFIG_FILE:-/etc/rabbitmq/rabbitmq}" +oldConfigFile="$configBase.config" +newConfigFile="$configBase.conf" + +shouldWriteConfig="$haveConfig" +if [ -n "$shouldWriteConfig" ] && [ -f "$oldConfigFile" ]; then + { + echo "error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '$oldConfigFile' exists" + echo " Suggested fixes: (choose one)" + echo " - remove '$oldConfigFile'" + echo " - remove any Docker-specific 'RABBITMQ_...' environment variables" + echo " - convert '$oldConfigFile' to the newer sysctl format ('$newConfigFile'); see https://www.rabbitmq.com/configure.html#config-file" + } >&2 + exit 1 +fi +if [ -z "$shouldWriteConfig" ] && [ ! -f "$oldConfigFile" ] && [ ! -f "$newConfigFile" ]; then + # no config files, we should write one + shouldWriteConfig=1 +fi + +# http://stackoverflow.com/a/2705678/433558 +sed_escape_lhs() { + echo "$@" | sed -e 's/[]\/$*.^|[]/\\&/g' +} +sed_escape_rhs() { + echo "$@" | sed -e 's/[\/&]/\\&/g' +} +rabbit_set_config() { + local key="$1"; shift + local val="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + local sedVal="$(sed_escape_rhs "$val")" + sed -ri \ + "s/^[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*)\S.*\$/\1${sedVal}/" \ + "$newConfigFile" + if ! grep -qE "^${sedKey}[[:space:]]*=" "$newConfigFile"; then + echo "$key = $val" >> "$newConfigFile" + fi +} +rabbit_comment_config() { + local key="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + sed -ri \ + "s/^[[:space:]]*#?[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*\S.*)\$/# \1/" \ + "$newConfigFile" +} +rabbit_env_config() { + local prefix="$1"; shift + + local conf + for conf; do + local var="rabbitmq${prefix:+_$prefix}_$conf" + var="${var^^}" + + local key="$conf" + case "$prefix" in + ssl) key="ssl_options.$key" ;; + management_ssl) key="management.listener.ssl_opts.$key" ;; + esac + + local val="${!var:-}" + local rawVal="$val" + case "$conf" in + fail_if_no_peer_cert|hipe_compile) + case "${val,,}" in + false|no|0|'') rawVal='false' ;; + true|yes|1|*) rawVal='true' ;; + esac + ;; + + vm_memory_high_watermark) continue ;; # handled separately + esac + + if [ -n "$rawVal" ]; then + rabbit_set_config "$key" "$rawVal" + else + rabbit_comment_config "$key" + fi + done +} + +if [ "$1" = 'rabbitmq-server' ] && [ "$shouldWriteConfig" ]; then + rabbit_set_config 'loopback_users.guest' 'false' + + # determine whether to set "vm_memory_high_watermark" (based on cgroups) + memTotalKb= + if [ -r /proc/meminfo ]; then + memTotalKb="$(awk -F ':? +' '$1 == "MemTotal" { print $2; exit }' /proc/meminfo)" + fi + memLimitB= + if [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then + # "18446744073709551615" is a valid value for "memory.limit_in_bytes", which is too big for Bash math to handle + # "$(( 18446744073709551615 / 1024 ))" = 0; "$(( 18446744073709551615 * 40 / 100 ))" = 0 + memLimitB="$(awk -v totKb="$memTotalKb" '{ + limB = $0; + limKb = limB / 1024; + if (!totKb || limKb < totKb) { + printf "%.0f\n", limB; + } + }' /sys/fs/cgroup/memory/memory.limit_in_bytes)" + fi + if [ -n "$memLimitB" ]; then + # if we have a cgroup memory limit, let's inform RabbitMQ of what it is (so it can calculate vm_memory_high_watermark properly) + # https://github.com/rabbitmq/rabbitmq-server/pull/1234 + rabbit_set_config 'total_memory_available_override_value' "$memLimitB" + fi + # https://www.rabbitmq.com/memory.html#memsup-usage + if [ "${RABBITMQ_VM_MEMORY_HIGH_WATERMARK:-}" ]; then + # https://github.com/docker-library/rabbitmq/pull/105#issuecomment-242165822 + vmMemoryHighWatermark="$( + echo "$RABBITMQ_VM_MEMORY_HIGH_WATERMARK" | awk ' + /^[0-9]*[.][0-9]+$|^[0-9]+([.][0-9]+)?%$/ { + perc = $0; + if (perc ~ /%$/) { + gsub(/%$/, "", perc); + perc = perc / 100; + } + if (perc > 1.0 || perc <= 0.0) { + printf "error: invalid percentage for vm_memory_high_watermark: %s (must be > 0%%, <= 100%%)\n", $0 > "/dev/stderr"; + exit 1; + } + printf "vm_memory_high_watermark.relative %0.03f\n", perc; + next; + } + /^[0-9]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + /^[0-9]+([.][0-9]+)?[a-zA-Z]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + { + printf "error: unexpected input for vm_memory_high_watermark: %s\n", $0; + exit 1; + } + ' + )" + if [ "$vmMemoryHighWatermark" ]; then + vmMemoryHighWatermarkKey="${vmMemoryHighWatermark%% *}" + vmMemoryHighWatermarkVal="${vmMemoryHighWatermark#$vmMemoryHighWatermarkKey }" + rabbit_set_config "$vmMemoryHighWatermarkKey" "$vmMemoryHighWatermarkVal" + case "$vmMemoryHighWatermarkKey" in + # make sure we only set one or the other + 'vm_memory_high_watermark.absolute') rabbit_comment_config 'vm_memory_high_watermark.relative' ;; + 'vm_memory_high_watermark.relative') rabbit_comment_config 'vm_memory_high_watermark.absolute' ;; + esac + fi + fi + + if [ "$haveSslConfig" ]; then + rabbit_set_config 'listeners.ssl.default' 5671 + rabbit_env_config 'ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'listeners.tcp.default' 5672 + fi + + rabbit_env_config '' "${rabbitConfigKeys[@]}" + + # if management plugin is installed, generate config for it + # https://www.rabbitmq.com/management.html#configuration + if [ "$(rabbitmq-plugins list -q -m -e rabbitmq_management)" ]; then + if [ "$haveManagementSslConfig" ]; then + rabbit_set_config 'management.listener.port' 15671 + rabbit_set_config 'management.listener.ssl' 'true' + rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'management.listener.port' 15672 + rabbit_set_config 'management.listener.ssl' 'false' + fi + + # if definitions file exists, then load it + # https://www.rabbitmq.com/management.html#load-definitions + managementDefinitionsFile='/etc/rabbitmq/definitions.json' + if [ -f "$managementDefinitionsFile" ]; then + # see also https://github.com/docker-library/rabbitmq/pull/112#issuecomment-271485550 + rabbit_set_config 'management.load_definitions' "$managementDefinitionsFile" + fi + fi +fi + +combinedSsl='/tmp/rabbitmq-ssl/combined.pem' +if [ "$haveSslConfig" ] && [[ "$1" == rabbitmq* ]] && [ ! -f "$combinedSsl" ]; then + # Create combined cert + cat "$RABBITMQ_SSL_CERTFILE" "$RABBITMQ_SSL_KEYFILE" > "$combinedSsl" + chmod 0400 "$combinedSsl" +fi +if [ "$haveSslConfig" ] && [ -f "$combinedSsl" ]; then + # More ENV vars for make clustering happiness + # we don't handle clustering in this script, but these args should ensure + # clustered SSL-enabled members will talk nicely + export ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)" + sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile $combinedSsl -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true" + export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="${RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS:-} $sslErlArgs" + export RABBITMQ_CTL_ERL_ARGS="${RABBITMQ_CTL_ERL_ARGS:-} $sslErlArgs" +fi + +exec "$@" diff --git a/3.8-beta/alpine/management/Dockerfile b/3.8-beta/alpine/management/Dockerfile new file mode 100644 index 0000000..7336d06 --- /dev/null +++ b/3.8-beta/alpine/management/Dockerfile @@ -0,0 +1,27 @@ +FROM rabbitmq:3.8-beta-alpine + +RUN rabbitmq-plugins enable --offline rabbitmq_management + +# extract "rabbitmqadmin" from inside the "rabbitmq_management-X.Y.Z.ez" plugin zipfile +# see https://github.com/docker-library/rabbitmq/issues/207 +RUN set -eux; \ + erl -noinput -eval ' \ + { ok, AdminBin } = zip:foldl(fun(FileInArchive, GetInfo, GetBin, Acc) -> \ + case Acc of \ + "" -> \ + case lists:suffix("/rabbitmqadmin", FileInArchive) of \ + true -> GetBin(); \ + false -> Acc \ + end; \ + _ -> Acc \ + end \ + end, "", init:get_plain_arguments()), \ + io:format("~s", [ AdminBin ]), \ + init:stop(). \ + ' -- /plugins/rabbitmq_management-*.ez > /usr/local/bin/rabbitmqadmin; \ + [ -s /usr/local/bin/rabbitmqadmin ]; \ + chmod +x /usr/local/bin/rabbitmqadmin; \ + apk add --no-cache python; \ + rabbitmqadmin --version + +EXPOSE 15671 15672 diff --git a/3.8-beta/ubuntu/Dockerfile b/3.8-beta/ubuntu/Dockerfile new file mode 100644 index 0000000..8fe8c9b --- /dev/null +++ b/3.8-beta/ubuntu/Dockerfile @@ -0,0 +1,246 @@ +# The official Canonical Ubuntu Bionic image is ideal from a security perspective, +# especially for the enterprises that we, the RabbitMQ team, have to deal with +FROM ubuntu:18.04 + +# grab gosu for easy step-down from root +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends gosu; \ + rm -rf /var/lib/apt/lists/*; \ +# verify that the binary works + gosu nobody true + +# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally +ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net +# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, +# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu +# For context, see https://github.com/docker-library/official-images/issues/4252 + +# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/ +ENV OPENSSL_VERSION 1.1.1a +ENV OPENSSL_SOURCE_SHA256="fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41" +# https://www.openssl.org/community/omc.html +ENV OPENSSL_PGP_KEY_ID="0x8657ABB260F056B1E5190839D9C4D26D0E604491" + +# Use the latest stable Erlang/OTP release (https://github.com/erlang/otp/tags) +ENV OTP_VERSION 21.2.3 +# TODO add PGP checking when the feature will be added to Erlang/OTP's build system +# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html +ENV OTP_SOURCE_SHA256="109a5722e398bdcd3aeb4f4833cde90bf441a9c014006439643aab550a770923" + +# Install dependencies required to build Erlang/OTP from source +# http://erlang.org/doc/installation_guide/INSTALL.html +# autoconf: Required to configure Erlang/OTP before compiling +# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP +# gnupg: Required to verify OpenSSL artefacts +# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli +# m4: Required for Erlang/OTP HiPE support +RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install --yes --no-install-recommends \ + autoconf \ + ca-certificates \ + dpkg-dev \ + gcc \ + gnupg \ + libncurses5-dev \ + m4 \ + make \ + wget \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ + OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ + OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + \ +# Required by the crypto & ssl Erlang/OTP applications + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$OPENSSL_PGP_KEY_ID"; \ + gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \ + mkdir -p "$OPENSSL_PATH"; \ + tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ + \ +# Configure OpenSSL for compilation + cd "$OPENSSL_PATH"; \ + ./config --openssldir="$OPENSSL_CONFIG_DIR"; \ +# Compile, install OpenSSL, verify that the command-line works & development headers are present + make -j "$(getconf _NPROCESSORS_ONLN)"; \ + make install_sw install_ssldirs; \ + cd ..; \ + rm -rf "$OPENSSL_PATH"*; \ + ldconfig; \ +# use Debian's CA certificates + rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ + ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"; \ +# smoke test + openssl version; \ + \ + OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz"; \ + OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ + \ +# Download, verify & extract OTP_SOURCE + mkdir -p "$OTP_PATH"; \ + wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ + echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ + tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ + \ +# Configure Erlang/OTP for compilation, disable unused features & applications +# http://erlang.org/doc/applications.html +# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation + cd "$OTP_PATH"; \ + export ERL_TOP="$OTP_PATH"; \ + ./otp_build autoconf; \ + CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ + hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ + buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --host="$hostArch" \ + --build="$buildArch" \ + --disable-dynamic-ssl-lib \ + --disable-sctp \ + --disable-silent-rules \ + --enable-clock-gettime \ + --enable-hipe \ + --enable-hybrid-heap \ + --enable-kernel-poll \ + --enable-shared-zlib \ + --enable-smp-support \ + --enable-threads \ + --with-microstate-accounting=extra \ + --without-common_test \ + --without-debugger \ + --without-dialyzer \ + --without-diameter \ + --without-edoc \ + --without-erl_docgen \ + --without-erl_interface \ + --without-et \ + --without-eunit \ + --without-ftp \ + --without-jinterface \ + --without-megaco \ + --without-observer \ + --without-odbc \ + --without-reltool \ + --without-ssh \ + --without-tftp \ + --without-wx \ + ; \ +# Compile & install Erlang/OTP + make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ + make install; \ + cd ..; \ + rm -rf "$OTP_PATH"* /usr/local/lib/erlang/lib/*/src; \ + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ + find /usr/local -type f -executable -exec ldd '{}' ';' \ + | awk '/=>/ { print $(NF-1) }' \ + | sort -u \ + | xargs -r dpkg-query --search \ + | cut -d: -f1 \ + | sort -u \ + | xargs -r apt-mark manual \ + ; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +# Check that OpenSSL still works after purging build dependencies + openssl version; \ +# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly + erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' + +ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM +RUN set -eux; \ + groupadd --gid 999 --system rabbitmq; \ + useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie + +# Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) +ENV RABBITMQ_VERSION 3.8.0-beta.1 +# https://www.rabbitmq.com/signatures.html#importing-gpg +ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" +ENV RABBITMQ_HOME=/opt/rabbitmq + +# Add RabbitMQ to PATH, send all logs to TTY +ENV PATH=$RABBITMQ_HOME/sbin:$PATH \ + RABBITMQ_LOGS=- RABBITMQ_SASL_LOGS=- + +# Install RabbitMQ +RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install --yes --no-install-recommends \ + ca-certificates \ + gnupg \ + wget \ + xz-utils \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-$RABBITMQ_VERSION.tar.xz"; \ + RABBITMQ_PATH="/usr/local/src/rabbitmq-$RABBITMQ_VERSION"; \ + \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$RABBITMQ_PATH.tar.xz" "$RABBITMQ_SOURCE_URL"; \ + \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$RABBITMQ_PGP_KEY_ID"; \ + gpg --batch --verify "$RABBITMQ_PATH.tar.xz.asc" "$RABBITMQ_PATH.tar.xz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + \ + mkdir -p "$RABBITMQ_HOME"; \ + tar --extract --file "$RABBITMQ_PATH.tar.xz" --directory "$RABBITMQ_HOME" --strip-components 1; \ + rm -rf "$RABBITMQ_PATH"*; \ +# Do not default SYS_PREFIX to RABBITMQ_HOME, leave it empty + grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \ + chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \ + \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ +# verify assumption of no stale cookies + [ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \ +# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user +# If they all succeed, it's safe to assume that things have been set up correctly + gosu rabbitmq rabbitmqctl help; \ + gosu rabbitmq rabbitmqctl list_ciphers; \ + gosu rabbitmq rabbitmq-plugins list; \ +# no stale cookies + rm "$RABBITMQ_DATA_DIR/.erlang.cookie" + +# Added for backwards compatibility - users can simply COPY custom plugins to /plugins +RUN ln -sf /opt/rabbitmq/plugins /plugins + +# set home so that any `--user` knows where to put the erlang cookie +ENV HOME $RABBITMQ_DATA_DIR +# Hint that the data (a.k.a. home dir) dir should be separate volume +VOLUME $RABBITMQ_DATA_DIR + +# warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell) +# Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable +# https://docs.docker.com/samples/library/ubuntu/#locales +ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8 + +COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 4369 5671 5672 25672 +CMD ["rabbitmq-server"] diff --git a/3.8-beta/ubuntu/docker-entrypoint.sh b/3.8-beta/ubuntu/docker-entrypoint.sh new file mode 100755 index 0000000..a1bdb3d --- /dev/null +++ b/3.8-beta/ubuntu/docker-entrypoint.sh @@ -0,0 +1,404 @@ +#!/bin/bash +set -eu + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# backwards compatibility for old environment variables +: "${RABBITMQ_SSL_CERTFILE:=${RABBITMQ_SSL_CERT_FILE:-}}" +: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}" +: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}" + +# "management" SSL config should default to using the same certs +: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}" +: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}" + +# Allowed env vars that will be read from mounted files (i.e. Docker Secrets): +fileEnvKeys=( + default_user + default_pass +) + +# https://www.rabbitmq.com/configure.html +sslConfigKeys=( + cacertfile + certfile + depth + fail_if_no_peer_cert + keyfile + verify +) +managementConfigKeys=( + "${sslConfigKeys[@]/#/ssl_}" +) +rabbitConfigKeys=( + default_pass + default_user + default_vhost + hipe_compile + vm_memory_high_watermark +) +fileConfigKeys=( + management_ssl_cacertfile + management_ssl_certfile + management_ssl_keyfile + ssl_cacertfile + ssl_certfile + ssl_keyfile +) +allConfigKeys=( + "${managementConfigKeys[@]/#/management_}" + "${rabbitConfigKeys[@]}" + "${sslConfigKeys[@]/#/ssl_}" +) + +declare -A configDefaults=( + [management_ssl_fail_if_no_peer_cert]='false' + [management_ssl_verify]='verify_none' + + [ssl_fail_if_no_peer_cert]='true' + [ssl_verify]='verify_peer' +) + +# allow the container to be started with `--user` +if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then + # this needs to happen late enough that we have the SSL config + # https://github.com/docker-library/rabbitmq/issues/283 + for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + [ -n "$val" ] || continue + case "$conf" in + *_ssl_*file | ssl_*file ) + if [ -f "$val" ] && ! gosu rabbitmq test -r "$val"; then + newFile="/tmp/rabbitmq-ssl/$conf.pem" + echo >&2 + echo >&2 "WARNING: '$val' ($var) is not readable by rabbitmq ($(id rabbitmq)); copying to '$newFile'" + echo >&2 + cat "$val" > "$newFile" + chown rabbitmq "$newFile" + chmod 0400 "$newFile" + eval 'export '$var'="$newFile"' + fi + ;; + esac + done + + if [ "$1" = 'rabbitmq-server' ]; then + find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' + + fi + + exec gosu rabbitmq "$BASH_SOURCE" "$@" +fi + +haveConfig= +haveSslConfig= +haveManagementSslConfig= +for fileEnvKey in "${fileEnvKeys[@]}"; do file_env "RABBITMQ_${fileEnvKey^^}"; done +for conf in "${allConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var:-}" + if [ "$val" ]; then + if [ "${configDefaults[$conf]:-}" ] && [ "${configDefaults[$conf]}" = "$val" ]; then + # if the value set is the same as the default, treat it as if it isn't set + continue + fi + haveConfig=1 + case "$conf" in + ssl_*) haveSslConfig=1 ;; + management_ssl_*) haveManagementSslConfig=1 ;; + esac + fi +done +if [ "$haveSslConfig" ]; then + missing=() + for sslConf in cacertfile certfile keyfile; do + var="RABBITMQ_SSL_${sslConf^^}" + val="${!var}" + if [ -z "$val" ]; then + missing+=( "$var" ) + fi + done + if [ "${#missing[@]}" -gt 0 ]; then + { + echo + echo 'error: SSL requested, but missing required configuration' + for miss in "${missing[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 + fi +fi +missingFiles=() +for conf in "${fileConfigKeys[@]}"; do + var="RABBITMQ_${conf^^}" + val="${!var}" + if [ "$val" ] && [ ! -f "$val" ]; then + missingFiles+=( "$val ($var)" ) + fi +done +if [ "${#missingFiles[@]}" -gt 0 ]; then + { + echo + echo 'error: files specified, but missing' + for miss in "${missingFiles[@]}"; do + echo " - $miss" + done + echo + } >&2 + exit 1 +fi + +# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off) +for conf in "${!configDefaults[@]}"; do + default="${configDefaults[$conf]}" + var="RABBITMQ_${conf^^}" + [ -z "${!var:-}" ] || continue + eval "export $var=\"\$default\"" +done + +# if long and short hostnames are not the same, use long hostnames +if [ "$(hostname)" != "$(hostname -s)" ]; then + : "${RABBITMQ_USE_LONGNAME:=true}" +fi + +if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then + cookieFile='/var/lib/rabbitmq/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match RABBITMQ_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$RABBITMQ_ERLANG_COOKIE" > "$cookieFile" + fi + chmod 600 "$cookieFile" +fi + +configBase="${RABBITMQ_CONFIG_FILE:-/etc/rabbitmq/rabbitmq}" +oldConfigFile="$configBase.config" +newConfigFile="$configBase.conf" + +shouldWriteConfig="$haveConfig" +if [ -n "$shouldWriteConfig" ] && [ -f "$oldConfigFile" ]; then + { + echo "error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '$oldConfigFile' exists" + echo " Suggested fixes: (choose one)" + echo " - remove '$oldConfigFile'" + echo " - remove any Docker-specific 'RABBITMQ_...' environment variables" + echo " - convert '$oldConfigFile' to the newer sysctl format ('$newConfigFile'); see https://www.rabbitmq.com/configure.html#config-file" + } >&2 + exit 1 +fi +if [ -z "$shouldWriteConfig" ] && [ ! -f "$oldConfigFile" ] && [ ! -f "$newConfigFile" ]; then + # no config files, we should write one + shouldWriteConfig=1 +fi + +# http://stackoverflow.com/a/2705678/433558 +sed_escape_lhs() { + echo "$@" | sed -e 's/[]\/$*.^|[]/\\&/g' +} +sed_escape_rhs() { + echo "$@" | sed -e 's/[\/&]/\\&/g' +} +rabbit_set_config() { + local key="$1"; shift + local val="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + local sedVal="$(sed_escape_rhs "$val")" + sed -ri \ + "s/^[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*)\S.*\$/\1${sedVal}/" \ + "$newConfigFile" + if ! grep -qE "^${sedKey}[[:space:]]*=" "$newConfigFile"; then + echo "$key = $val" >> "$newConfigFile" + fi +} +rabbit_comment_config() { + local key="$1"; shift + + [ -e "$newConfigFile" ] || touch "$newConfigFile" + + local sedKey="$(sed_escape_lhs "$key")" + sed -ri \ + "s/^[[:space:]]*#?[[:space:]]*(${sedKey}[[:space:]]*=[[:space:]]*\S.*)\$/# \1/" \ + "$newConfigFile" +} +rabbit_env_config() { + local prefix="$1"; shift + + local conf + for conf; do + local var="rabbitmq${prefix:+_$prefix}_$conf" + var="${var^^}" + + local key="$conf" + case "$prefix" in + ssl) key="ssl_options.$key" ;; + management_ssl) key="management.listener.ssl_opts.$key" ;; + esac + + local val="${!var:-}" + local rawVal="$val" + case "$conf" in + fail_if_no_peer_cert|hipe_compile) + case "${val,,}" in + false|no|0|'') rawVal='false' ;; + true|yes|1|*) rawVal='true' ;; + esac + ;; + + vm_memory_high_watermark) continue ;; # handled separately + esac + + if [ -n "$rawVal" ]; then + rabbit_set_config "$key" "$rawVal" + else + rabbit_comment_config "$key" + fi + done +} + +if [ "$1" = 'rabbitmq-server' ] && [ "$shouldWriteConfig" ]; then + rabbit_set_config 'loopback_users.guest' 'false' + + # determine whether to set "vm_memory_high_watermark" (based on cgroups) + memTotalKb= + if [ -r /proc/meminfo ]; then + memTotalKb="$(awk -F ':? +' '$1 == "MemTotal" { print $2; exit }' /proc/meminfo)" + fi + memLimitB= + if [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then + # "18446744073709551615" is a valid value for "memory.limit_in_bytes", which is too big for Bash math to handle + # "$(( 18446744073709551615 / 1024 ))" = 0; "$(( 18446744073709551615 * 40 / 100 ))" = 0 + memLimitB="$(awk -v totKb="$memTotalKb" '{ + limB = $0; + limKb = limB / 1024; + if (!totKb || limKb < totKb) { + printf "%.0f\n", limB; + } + }' /sys/fs/cgroup/memory/memory.limit_in_bytes)" + fi + if [ -n "$memLimitB" ]; then + # if we have a cgroup memory limit, let's inform RabbitMQ of what it is (so it can calculate vm_memory_high_watermark properly) + # https://github.com/rabbitmq/rabbitmq-server/pull/1234 + rabbit_set_config 'total_memory_available_override_value' "$memLimitB" + fi + # https://www.rabbitmq.com/memory.html#memsup-usage + if [ "${RABBITMQ_VM_MEMORY_HIGH_WATERMARK:-}" ]; then + # https://github.com/docker-library/rabbitmq/pull/105#issuecomment-242165822 + vmMemoryHighWatermark="$( + echo "$RABBITMQ_VM_MEMORY_HIGH_WATERMARK" | awk ' + /^[0-9]*[.][0-9]+$|^[0-9]+([.][0-9]+)?%$/ { + perc = $0; + if (perc ~ /%$/) { + gsub(/%$/, "", perc); + perc = perc / 100; + } + if (perc > 1.0 || perc <= 0.0) { + printf "error: invalid percentage for vm_memory_high_watermark: %s (must be > 0%%, <= 100%%)\n", $0 > "/dev/stderr"; + exit 1; + } + printf "vm_memory_high_watermark.relative %0.03f\n", perc; + next; + } + /^[0-9]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + /^[0-9]+([.][0-9]+)?[a-zA-Z]+$/ { + printf "vm_memory_high_watermark.absolute %s\n", $0; + next; + } + { + printf "error: unexpected input for vm_memory_high_watermark: %s\n", $0; + exit 1; + } + ' + )" + if [ "$vmMemoryHighWatermark" ]; then + vmMemoryHighWatermarkKey="${vmMemoryHighWatermark%% *}" + vmMemoryHighWatermarkVal="${vmMemoryHighWatermark#$vmMemoryHighWatermarkKey }" + rabbit_set_config "$vmMemoryHighWatermarkKey" "$vmMemoryHighWatermarkVal" + case "$vmMemoryHighWatermarkKey" in + # make sure we only set one or the other + 'vm_memory_high_watermark.absolute') rabbit_comment_config 'vm_memory_high_watermark.relative' ;; + 'vm_memory_high_watermark.relative') rabbit_comment_config 'vm_memory_high_watermark.absolute' ;; + esac + fi + fi + + if [ "$haveSslConfig" ]; then + rabbit_set_config 'listeners.ssl.default' 5671 + rabbit_env_config 'ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'listeners.tcp.default' 5672 + fi + + rabbit_env_config '' "${rabbitConfigKeys[@]}" + + # if management plugin is installed, generate config for it + # https://www.rabbitmq.com/management.html#configuration + if [ "$(rabbitmq-plugins list -q -m -e rabbitmq_management)" ]; then + if [ "$haveManagementSslConfig" ]; then + rabbit_set_config 'management.listener.port' 15671 + rabbit_set_config 'management.listener.ssl' 'true' + rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}" + else + rabbit_set_config 'management.listener.port' 15672 + rabbit_set_config 'management.listener.ssl' 'false' + fi + + # if definitions file exists, then load it + # https://www.rabbitmq.com/management.html#load-definitions + managementDefinitionsFile='/etc/rabbitmq/definitions.json' + if [ -f "$managementDefinitionsFile" ]; then + # see also https://github.com/docker-library/rabbitmq/pull/112#issuecomment-271485550 + rabbit_set_config 'management.load_definitions' "$managementDefinitionsFile" + fi + fi +fi + +combinedSsl='/tmp/rabbitmq-ssl/combined.pem' +if [ "$haveSslConfig" ] && [[ "$1" == rabbitmq* ]] && [ ! -f "$combinedSsl" ]; then + # Create combined cert + cat "$RABBITMQ_SSL_CERTFILE" "$RABBITMQ_SSL_KEYFILE" > "$combinedSsl" + chmod 0400 "$combinedSsl" +fi +if [ "$haveSslConfig" ] && [ -f "$combinedSsl" ]; then + # More ENV vars for make clustering happiness + # we don't handle clustering in this script, but these args should ensure + # clustered SSL-enabled members will talk nicely + export ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)" + sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile $combinedSsl -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true" + export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="${RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS:-} $sslErlArgs" + export RABBITMQ_CTL_ERL_ARGS="${RABBITMQ_CTL_ERL_ARGS:-} $sslErlArgs" +fi + +exec "$@" diff --git a/3.8-beta/ubuntu/management/Dockerfile b/3.8-beta/ubuntu/management/Dockerfile new file mode 100644 index 0000000..07a770c --- /dev/null +++ b/3.8-beta/ubuntu/management/Dockerfile @@ -0,0 +1,27 @@ +FROM rabbitmq:3.8-beta + +RUN rabbitmq-plugins enable --offline rabbitmq_management + +# extract "rabbitmqadmin" from inside the "rabbitmq_management-X.Y.Z.ez" plugin zipfile +# see https://github.com/docker-library/rabbitmq/issues/207 +RUN set -eux; \ + erl -noinput -eval ' \ + { ok, AdminBin } = zip:foldl(fun(FileInArchive, GetInfo, GetBin, Acc) -> \ + case Acc of \ + "" -> \ + case lists:suffix("/rabbitmqadmin", FileInArchive) of \ + true -> GetBin(); \ + false -> Acc \ + end; \ + _ -> Acc \ + end \ + end, "", init:get_plain_arguments()), \ + io:format("~s", [ AdminBin ]), \ + init:stop(). \ + ' -- /plugins/rabbitmq_management-*.ez > /usr/local/bin/rabbitmqadmin; \ + [ -s /usr/local/bin/rabbitmqadmin ]; \ + chmod +x /usr/local/bin/rabbitmqadmin; \ + apt-get update; apt-get install -y --no-install-recommends python; rm -rf /var/lib/apt/lists/*; \ + rabbitmqadmin --version + +EXPOSE 15671 15672