[rabbitmq-discuss] Running RabbitMQ as a different user

Matt Pietrek mpietrek at skytap.com
Tue Dec 20 20:06:14 GMT 2011


As a follow up to this thread, and in case somebody else can learn from my
learning experience, here are the steps that seem to work for me to run
RabbitMQ as a non-root/non-rabbitmq user.

In addition, I needed to set up clustering, management plugins, and make
rabbitmq not autostart at boot. This is using RabbitMQ 2.7 on Ubuntu 10.04.
YMMV. 

If anybody sees any pitfalls with the approach below, please feel free to
holler.

---- SETUP ----
# Do a fresh install
sudo apt-get install -y rabbitmq-server

# Enable management plugin
sudo rabbitmq-plugins enable rabbitmq_management

# Shut down the rabbitmq server
sudo rabbitmqctl stop

# Remove the mnesia directory, which was created as user rabbitmq, not what
# we want.
sudo rm -rf /var/lib/rabbitmq/mnesia

# Prevent rabbitmq from auto starting on boot
sudo update-rc.d -f rabbitmq-server remove

# Rename the rabbitmq supplied commands that enforce user==rabbitmq or root
# This prevents innocent people from inadvertently using them. Entirely
# optional.
sudo mv /usr/sbin/rabbitmqctl /usr/sbin/rabbitmqctl_dont_use
sudo mv /usr/sbin/rabbitmq-plugins /usr/sbin/rabbitmq-plugins_dont_use
sudo mv /usr/sbin/rabbitmq-server /usr/sbin/rabbitmq-server_dont_use

# Change ownership of all files previously created by RabbitMQ to
# desired_user
sudo chown -R desired_user:desired_user /var/lib/rabbitmq
sudo chown -R desired_user:desired_user /var/log/rabbitmq
----


---- Launching as desired_user ----
export RABBITMQ_CONFIG_FILE=/home/desired_user/config/rabbitmq
export RABBITMQ_SERVER_ERL_ARGS="-setcookie rabbit"
export RABBITMQ_CTL_ERL_ARGS="-setcookie rabbit"

# Note that this is not the "normal" rabbitmq-server script in /usr/sbin/
/usr/lib/rabbitmq/bin/rabbitmq-server start
----

Finally, in /home/desired_user/config/rabbitmq.config:

[
  {rabbit,
    [{cluster_nodes, ['rabbit@play', 'rabbit@play2']}
    ]
  }
].

Matt

On 12/19/11 3:53 PM, "Jason J. W. Williams" <jasonjwwilliams at gmail.com>
wrote:

> I believe what you're looking for then is this section from the
> RabbitMQ clustering guide:
> 
> "As an alternative, you can insert the option "-setcookie cookie" in
> the erl call in the rabbitmq-server and rabbitmqctl scripts."
> 
> http://www.rabbitmq.com/clustering.html
> 
> For what it's worth, we create a rabbitmq user on every system (for us
> it's in LDAP, but you could write it out to the passwd file) and set
> its home directory to /var/lib/rabbitmq. We then write out the
> .erlang.cookie file into /var/lib/rabbitmq on every Rabbit node using
> Chef (with permissions 0600). We're running Ubuntu 10.04.x LTS.
> 
> 
> -J
> 
> On Mon, Dec 19, 2011 at 3:47 PM, Matt Pietrek <mpietrek at skytap.com> wrote:
>>  Thanks Jason.
>> 
>>  That's helpful, but in my admittedly limited knowledge, I don't believe that
>>  it's as simple as that. In particular I don't understand how to handle files
>>  being installed with rabbitmq as the owner.
>> 
>>  A little more context that I forgot to mention earlier:
>> 
>>  I need to cluster multiple nodes so explicitly specifying the cookie is
>>  necessary so they're synced. Also, specifying the cookie via an environment
>>  variable is preferred to having an additional cookie file that I need to
>>  copy to multiple machines.
>>  I need to be able to launch everything from scratch via my own script file
>>  (which will be on all nodes.)
>> 
>>  My current thinking is that my startup script will set some RABBITMQ
>>  environment variables (RABBITMQ_CONFIG_FILE, RABBITMQ_SERVER_START_ARGS,
>>  RABBITMQ_CTL_ERL_ARGS). The script will then directly run rabbit-server in
>>  /usr/lib/rabbitmq/bin. Also, RABBITMQ_CONFIG_FILE will point to the
>>  rabbitmq.config file that I've dropped on all nodes to set up auto
>>  clustering.
>> 
>>  Thanks again,
>> 
>>  Matt
>> 
>>  On 12/19/11 2:31 PM, "Jason J. W. Williams" <jasonjwwilliams at gmail.com>
>>  wrote:
>> 
>>  Hi Matt,
>> 
>>  This should do it on Ubuntu:
>> 
>>  sudo -H -u <user> /opt/rabbitmq-server/sbin/rabbitmq-server
>> 
>>  The Erlang process needs to find the Erlang cookie and will check the
>>  home directory of the executing user. You can also specify the
>>  explicit location of the Erlang cookie in the RabbitMQ arguments, but
>>  we find using the HOME environment simpler.
>> 
>>  -J
>> 
>>  On Mon, Dec 19, 2011 at 2:58 PM, Matt Pietrek <mpietrek at skytap.com> wrote:
>> 
>>  We have a production environment where all of our services run in a special,
>>  non-root account on an Ubuntu 10.04 environment. I'm experimenting with how
>>  to make RabbitMQ 2.7 run in this special account, rather than as the
>>  "rabbitmq" user, and not having much luck.
>> 
>>  Extensive searching of the mailing list makes me think I'm close, but I
>>  suspect I'm missing something fundamental.
>> 
>>  I believe part of the answer involves explicitly setting the "-cookie"
>>  option in RABBITMQ_SERVER_START_ARGS and RABBITMQ_CTL_ERL_ARGS environment
>>  variables.
>>  I also suspect that the answer also involves running the "low level" scripts
>>  in /usr/lib/rabbitmq/bin/, rather than the scripts in /usr/sbin/.
>>  Further, I suspect that some directories may need to have their ownership
>>  and/or attributes changed to something other than "rabbitmq".
>> 
>>  So what I'm looking for is a list of what exactly I need to do, both at
>>  launch time, as well as possibly at install time.
>> 
>>  FWIW, we need to launch rabbitmq-server ourselves, rather than having it
>>  auto start on boot. I know how to accomplish this, but it might be useful
>>  context when deciding how to approach the above.
>> 
>>  Thanks much,
>> 
>>  Matt
>> 
>> 
>> 
>>  _______________________________________________
>>  rabbitmq-discuss mailing list
>>  rabbitmq-discuss at lists.rabbitmq.com
>>  https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>> 
>> 
> 
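Added example (not part of the original thread): the cookie-file approach Jason describes, applied to a custom service account, so the cluster secret stays out of the process command line where `-setcookie` in `RABBITMQ_SERVER_ERL_ARGS` places it. The function names and the 20-byte minimum length are assumptions of this example; the same cookie value must be installed on every cluster node.

```shell
#!/bin/sh
# Added example: manage $HOME/.erlang.cookie for the service account instead of
# passing "-setcookie <value>", which is visible to local users via `ps`.

# new_cookie: print 48 random hex characters (hypothetical helper).
new_cookie() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# install_cookie <home_dir> <cookie_value>
# Writes <home_dir>/.erlang.cookie readable by the owner only.
install_cookie() {
    home=$1; value=$2
    file="$home/.erlang.cookie"
    (
        umask 077                      # never create the file group/world readable
        rm -f "$file"                  # an old copy may be read-only (0400)
        printf '%s' "$value" > "$file"
        chmod 400 "$file"
    )
}

# check_cookie <file>: return 0 only if the file exists, is owner-only,
# and is at least 20 bytes long (threshold chosen for this example).
check_cookie() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        400|600) ;;
        *) echo "bad mode $mode on $file" >&2; return 1 ;;
    esac
    len=$(wc -c < "$file" | tr -d ' ')
    [ "$len" -ge 20 ] || { echo "cookie too short ($len bytes)" >&2; return 1; }
}
```

Run `check_cookie "$HOME/.erlang.cookie"` as desired_user in the launch script before starting `/usr/lib/rabbitmq/bin/rabbitmq-server`, and drop the two `-setcookie` exports once the file is in place on all nodes.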

