Merge pull request #97 from infosiftr/fix-management-ssl

Fix management SSL issues (needs separate "verify" and "fail_if_no_peer_cert" defaults)
yosifkit 2016-07-07 17:38:45 -07:00 committed by GitHub
commit 9b10a78c06
1 changed files with 105 additions and 70 deletions


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
set -e set -eu
# allow the container to be started with `--user` # allow the container to be started with `--user`
if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
@ -14,32 +14,62 @@ fi
: "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}" : "${RABBITMQ_SSL_KEYFILE:=${RABBITMQ_SSL_KEY_FILE:-}}"
: "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}" : "${RABBITMQ_SSL_CACERTFILE:=${RABBITMQ_SSL_CA_FILE:-}}"
# "management" SSL config should default to using the same certs
: "${RABBITMQ_MANAGEMENT_SSL_CACERTFILE:=$RABBITMQ_SSL_CACERTFILE}"
: "${RABBITMQ_MANAGEMENT_SSL_CERTFILE:=$RABBITMQ_SSL_CERTFILE}"
: "${RABBITMQ_MANAGEMENT_SSL_KEYFILE:=$RABBITMQ_SSL_KEYFILE}"
# https://www.rabbitmq.com/configure.html # https://www.rabbitmq.com/configure.html
fileConfigs=( sslConfigKeys=(
ssl_cacertfile cacertfile
ssl_certfile certfile
ssl_keyfile fail_if_no_peer_cert
keyfile
verify
) )
configs=( managementConfigKeys=(
"${sslConfigKeys[@]/#/ssl_}"
)
rabbitConfigKeys=(
default_pass default_pass
default_user default_user
default_vhost default_vhost
hipe_compile hipe_compile
ssl_fail_if_no_peer_cert )
ssl_verify fileConfigKeys=(
"${fileConfigs[@]}" management_ssl_cacertfile
management_ssl_certfile
management_ssl_keyfile
ssl_cacertfile
ssl_certfile
ssl_keyfile
)
allConfigKeys=(
"${managementConfigKeys[@]/#/management_}"
"${rabbitConfigKeys[@]}"
"${sslConfigKeys[@]/#/ssl_}"
)
declare -A configDefaults=(
[management_ssl_fail_if_no_peer_cert]='false'
[management_ssl_verify]='verify_none'
[ssl_fail_if_no_peer_cert]='true'
[ssl_verify]='verify_peer'
) )
haveConfig= haveConfig=
haveSslConfig= haveSslConfig=
for conf in "${configs[@]}"; do haveManagementSslConfig=
for conf in "${allConfigKeys[@]}"; do
var="RABBITMQ_${conf^^}" var="RABBITMQ_${conf^^}"
val="${!var}" val="${!var:-}"
if [ "$val" ]; then if [ "$val" ]; then
haveConfig=1 haveConfig=1
if [[ "$conf" == ssl_* ]]; then case "$conf" in
haveSslConfig=1 ssl_*) haveSslConfig=1 ;;
fi management_ssl_*) haveManagementSslConfig=1 ;;
esac
fi fi
done done
if [ "$haveSslConfig" ]; then if [ "$haveSslConfig" ]; then
@ -64,7 +94,7 @@ if [ "$haveSslConfig" ]; then
fi fi
fi fi
missingFiles=() missingFiles=()
for conf in "${fileConfigs[@]}"; do for conf in "${fileConfigKeys[@]}"; do
var="RABBITMQ_${conf^^}" var="RABBITMQ_${conf^^}"
val="${!var}" val="${!var}"
if [ "$val" ] && [ ! -f "$val" ]; then if [ "$val" ] && [ ! -f "$val" ]; then
@ -83,12 +113,20 @@ if [ "${#missingFiles[@]}" -gt 0 ]; then
exit 1 exit 1
fi fi
# set defaults for missing values (but only after we're done with all our checking so we don't throw any of that off)
for conf in "${!configDefaults[@]}"; do
default="${configDefaults[$conf]}"
var="RABBITMQ_${conf^^}"
[ -z "${!var:-}" ] || continue
eval "export $var=\"\$default\""
done
# If long & short hostnames are not the same, use long hostnames # If long & short hostnames are not the same, use long hostnames
if [ "$(hostname)" != "$(hostname -s)" ]; then if [ "$(hostname)" != "$(hostname -s)" ]; then
: "${RABBITMQ_USE_LONGNAME:=true}" : "${RABBITMQ_USE_LONGNAME:=true}"
fi fi
if [ "$RABBITMQ_ERLANG_COOKIE" ]; then if [ "${RABBITMQ_ERLANG_COOKIE:-}" ]; then
cookieFile='/var/lib/rabbitmq/.erlang.cookie' cookieFile='/var/lib/rabbitmq/.erlang.cookie'
if [ -e "$cookieFile" ]; then if [ -e "$cookieFile" ]; then
if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then if [ "$(cat "$cookieFile" 2>/dev/null)" != "$RABBITMQ_ERLANG_COOKIE" ]; then
@ -127,6 +165,45 @@ rabbit_array() {
esac esac
echo -n ']' echo -n ']'
} }
rabbit_env_config() {
local prefix="$1"; shift
local ret=()
local conf
for conf; do
local var="rabbitmq${prefix:+_$prefix}_$conf"
var="${var^^}"
local val="${!var:-}"
local rawVal=
case "$conf" in
verify|fail_if_no_peer_cert)
[ "$val" ] || continue
rawVal="$val"
;;
hipe_compile)
[ "$val" ] && rawVal='true' || rawVal='false'
;;
cacertfile|certfile|keyfile)
[ "$val" ] || continue
rawVal='"'"$val"'"'
;;
*)
[ "$val" ] || continue
rawVal='<<"'"$val"'">>'
;;
esac
[ "$rawVal" ] || continue
ret+=( "{ $conf, $rawVal }" )
done
join $'\n' "${ret[@]}"
}
if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
fullConfig=() fullConfig=()
@ -135,34 +212,10 @@ if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
"{ loopback_users, $(rabbit_array) }" "{ loopback_users, $(rabbit_array) }"
) )
rabbitSslOptions=()
if [ "$haveSslConfig" ]; then if [ "$haveSslConfig" ]; then
for conf in "${configs[@]}"; do IFS=$'\n'
sslConf="${conf#ssl_}" rabbitSslOptions=( $(rabbit_env_config 'ssl' "${sslConfigKeys[@]}") )
[ "$sslConf" != "$conf" ] || continue unset IFS
var="RABBITMQ_${conf^^}"
val="${!var}"
# default values
case "$sslConf" in
verify) : "${val:=verify_peer}" ;;
fail_if_no_peer_cert) : "${val:=true}" ;;
esac
rawVal=
case "$sslConf" in
verify|fail_if_no_peer_cert) rawVal="$val" ;;
*)
[ "$val" ] || continue
rawVal='"'"$val"'"'
;;
esac
[ "$rawVal" ] || continue
rabbitSslOptions+=( "{ $sslConf, $rawVal }" )
done
rabbitConfig+=( rabbitConfig+=(
"{ tcp_listeners, $(rabbit_array) }" "{ tcp_listeners, $(rabbit_array) }"
@ -176,41 +229,23 @@ if [ "$1" = 'rabbitmq-server' ] && [ "$haveConfig" ]; then
) )
fi fi
for conf in "${configs[@]}"; do IFS=$'\n'
var="RABBITMQ_${conf^^}" rabbitConfig+=( $(rabbit_env_config '' "${rabbitConfigKeys[@]}") )
val="${!var}" unset IFS
rawVal=
case "$conf" in
# SSL-related options are configured above, so should be ignored here
ssl_*) continue ;;
# convert shell booleans into Erlang booleans
hipe_compile)
[ "$val" ] && rawVal='true' || rawVal='false'
;;
# otherwise, assume string-based (and skip or add appropriate decorations)
*)
[ "$val" ] || continue
rawVal='<<"'"$val"'">>'
;;
esac
[ "$rawVal" ] || continue
rabbitConfig+=( "{ $conf, $rawVal }" )
done
fullConfig+=( "{ rabbit, $(rabbit_array "${rabbitConfig[@]}") }" ) fullConfig+=( "{ rabbit, $(rabbit_array "${rabbitConfig[@]}") }" )
# If management plugin is installed, then generate config consider this # If management plugin is installed, then generate config consider this
if [ "$(rabbitmq-plugins list -m -e rabbitmq_management)" ]; then if [ "$(rabbitmq-plugins list -m -e rabbitmq_management)" ]; then
rabbitManagementListenerConfig=() if [ "$haveManagementSslConfig" ]; then
if [ "$haveSslConfig" ]; then IFS=$'\n'
rabbitManagementSslOptions=( $(rabbit_env_config 'management_ssl' "${sslConfigKeys[@]}") )
unset IFS
rabbitManagementListenerConfig+=( rabbitManagementListenerConfig+=(
'{ port, 15671 }' '{ port, 15671 }'
'{ ssl, true }' '{ ssl, true }'
"{ ssl_opts, $(rabbit_array "${rabbitSslOptions[@]}") }" "{ ssl_opts, $(rabbit_array "${rabbitManagementSslOptions[@]}") }"
) )
else else
rabbitManagementListenerConfig+=( rabbitManagementListenerConfig+=(