2.3. Install the Message Broker
If you are deploying a full Red Hat OpenStack Platform environment, you must set up a working message broker for the following OpenStack components:
- Block Storage service
- Compute service
- OpenStack Networking
- Orchestration service
- Image service
- Telemetry service
2.3.1. Install the RabbitMQ Message Broker Package
RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
Install RabbitMQ:
#
yum install rabbitmq-server
2.3.2. Configure the Firewall for Message Broker Traffic
Before installing and configuring the message broker, allow incoming connections on the port it will use. The default port for message broker (AMQP) traffic is
5672
. All steps in this procedure must be performed on the server hosting the messaging service, while logged in as the root
user.
Procedure 2.8. Configuring the Firewall for Message Broker Traffic
- Open the
/etc/sysconfig/iptables
file in a text editor. - Add an INPUT rule allowing incoming connections on port
5672
. The new rule must appear before any INPUT rules that REJECT traffic.-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
- Save the changes to the
/etc/sysconfig/iptables
file. - Restart the
iptables
service for the firewall changes to take effect:#
systemctl restart iptables.service
2.3.3. Launch and Configure the RabbitMQ Message Broker
Procedure 2.9. Launching and Configuring the RabbitMQ Message Broker for Use with OpenStack
- Launch the
rabbitmq-server
service and configure it to start at boot time:#
systemctl start rabbitmq-server.service
#
systemctl enable rabbitmq-server.service
- When the rabbitmq-server package is installed, a
guest
user with a defaultguest
password is automatically created for the RabbitMQ service. Red Hat strongly advises that you change this default password, especially if you have IPv6 available. With IPv6, RabbitMQ may be accessible from outside the network. Change the default guest password:#
rabbitmqctl change_password guest NEW_RABBITMQ_PASS
Replace NEW_RABBITMQ_PASS with a more secure password. - Create a RabbitMQ user account for the Block Storage service, the Compute service, OpenStack Networking, the Orchestration service, the Image service, and the Telemetry service:
#
rabbitmqctl add_user cinder CINDER_PASS
#
rabbitmqctl add_user nova NOVA_PASS
#
rabbitmqctl add_user neutron NEUTRON_PASS
#
rabbitmqctl add_user heat HEAT_PASS
#
rabbitmqctl add_user glance GLANCE_PASS
#
rabbitmqctl add_user ceilometer CEILOMETER_PASS
Replace CINDER_PASS, NOVA_PASS, NEUTRON_PASS, HEAT_PASS, GLANCE_PASS, and CEILOMETER_PASS with secure passwords for each service. - Grant each of these RabbitMQ users read and write permissions to all resources:
#
rabbitmqctl set_permissions cinder ".*" ".*" ".*"
#
rabbitmqctl set_permissions nova ".*" ".*" ".*"
#
rabbitmqctl set_permissions neutron ".*" ".*" ".*"
#
rabbitmqctl set_permissions heat ".*" ".*" ".*"
#
rabbitmqctl set_permissions glance ".*" ".*" ".*"
#
rabbitmqctl set_permissions ceilometer ".*" ".*" ".*"
2.3.4. Enable SSL on the RabbitMQ Message Broker
The RabbitMQ message broker features built-in support for SSL, which you can use to secure traffic. Create the certificates required for SSL communication, and configure SSL on RabbitMQ through the
/etc/rabbitmq/rabbitmq.config
configuration file.
Procedure 2.10. Enabling SSL on the RabbitMQ Message Broker
- Create a directory in which to store the required certificates:
#
mkdir /etc/pki/rabbitmq
- Choose a secure certificate password and store it in a file within the
/etc/pki/rabbitmq
directory:#
echo SSL_RABBITMQ_PW > /etc/pki/rabbitmq/certpw
Replace SSL_RABBITMQ_PW with a certificate password. This password will be used later for further securing the necessary certificates. - Set the permissions for the certificate directory and password file:
#
chmod 700 /etc/pki/rabbitmq
#
chmod 600 /etc/pki/rabbitmq/certpw
- Create the certificate database files (
*.db
) in the/etc/pki/rabbitmq
directory, using the password in the/etc/pki/rabbitmq/certpw
file:#
certutil -N -d /etc/pki/rabbitmq -f /etc/pki/rabbitmq/certpw
- For a production environment, it is recommended that you use a reputable third-party Certificate Authority (CA) to sign your certificates. Create a Certificate Signing Request (CSR) for a third-party CA:
#
certutil -R -d /etc/pki/rabbitmq -s "CN=RABBITMQ_HOST" \
-a -f /etc/pki/rabbitmq/certpw > RABBITMQ_HOST.csr
Replace RABBITMQ_HOST with the IP or host name of the server hosting the RabbitMQ message broker. This command produces a CSR namedRABBITMQ_HOST.csr
and a key file (keyfile.key). The key file will be used later when configuring the RabbitMQ message broker to use SSL.Note
Some CAs may require additional values other than"CN=RABBITMQ_HOST"
. - Provide
RABBITMQ_HOST.csr
to your third-party CA for signing. Your CA should provide you with a signed certificate (server.crt) and a CA file (ca.crt). Add these files to your certificate database:#
certutil -A -d /etc/pki/rabbitmq -n RABBITMQ_HOST -f /etc/pki/rabbitmq/certpw \
-t u,u,u -a -i /path/to/server.crt
#
certutil -A -d /etc/pki/rabbitmq -n "Your CA certificate" \
-f /etc/pki/rabbitmq/certpw -t CT,C,C -a -i /path/to/ca.crt
- Configure the RabbitMQ message broker to use the certificate files for secure communications. Open the
/etc/rabbitmq/rabbitmq.config
configuration file in a text editor, and edit therabbit
section as follows:- Find the line that reads:
%% {ssl_listeners, [5671]},
Uncomment the setting by removing the percent signs:{ssl_listeners, [5671]},
- Scroll down to the line that reads:
%% {ssl_options, [{cacertfile, "/path/to/testca/cacert.pem"},
Replace this line and the next few lines which comprise thessl_options
section with the following content:{ssl_options, [{cacertfile, "/path/to/ca.crt"}, {certfile, "/path/to/server.crt"}, {keyfile, "/path/to/keyfile.key"}, {verify, verify_peer}, {versions, ['tlsv1.2','tlsv1.1',tlsv1]}, {fail_if_no_peer_cert, false}]}
- Replace /path/to/ca.crt with the absolute path to the CA certificate.
- Replace /path/to/server.crt with the absolute path to the signed certificate.
- Replace /path/to/keyfile.key with the absolute path to the key file.
- Disable SSLv3 by editing the
rabbitmq.config
to include support for only specific TLS encryption versions:{rabbit, [ {ssl_options, [{versions, ['tlsv1.2','tlsv1.1',tlsv1]}]}, ]}
- Restart the RabbitMQ service for the change to take effect:
# systemctl restart rabbitmq-server.service
2.3.5. Export an SSL Certificate for Clients
When SSL is enabled on a server, the clients require a copy of the SSL certificate to establish a secure connection.
The following example commands can be used to export a client certificate and the private key from the message broker's certificate database:
#
pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
#
openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
For more information on SSL commands and options, see the OpenSSL Documentation. On Red Hat Enterprise Linux, see the
openssl
manual page.