[Bug 1842408] Re: rabbitmq-server writes to /etc/rabbitmq
Hadmut Danisch
hadmut at danisch.de
Thu Sep 5 10:25:42 UTC 2019
Well, it might help if I point out the background of trouble and
confusion.
I tried to configure rabbitmq automatically with puppet, using the
officially recommended plugin, see
https://forge.puppet.com/puppetlabs/rabbitmq
https://github.com/voxpupuli/puppet-rabbitmq
Two problems came together then:
Problem 1:
The plugin is not really compatible with Ubuntu/Debian, and was obviously written for some other distribution (Red Hat, I guess), and enforces the ownership the plugin authors believed to be correct, i.e. changes /etc/rabbitmq and its contents to be owned by root.
Problem 2:
The system I was testing this on has, for security reasons, a umask of 027 (instead of the usual 022) for root, and both puppet and this plugin forgot to set a proper umask.
The result was that rabbitmq did not work anymore, since /etc/rabbitmq
was owned by root and lost public read access.
My problem then was: How to repair? I didn't find a hint about what it was supposed to be.
Making it all readable did not help:
Running rabbitmq-plugins as root renders rabbitmq dead, probably because
of the umask 027: the file becomes unreadable.
Running rabbitmq-plugins as
    su -c "rabbitmq-plugins ..." -s /bin/sh rabbitmq
doesn't work either if /etc/rabbitmq is owned by root, because
rabbitmq-plugins wants to write a temporary /etc/rabbitmq/enabled_plugins.tmp
So the central problem is that it is not obvious how things are supposed
to be used and to work. Just having a umask different from 022 seems to
break everything.
Under what uid is rabbitmq-plugins supposed to be used?
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1842408
Title:
rabbitmq-server writes to /etc/rabbitmq
Status in rabbitmq-server package in Ubuntu:
Incomplete
Bug description:
Hi,
I just ran into a design problem of the Ubuntu/Debian installation of rabbitmq-server.
I tried to configure rabbitmq with puppet, it didn't work, and I
debugged it.
Problem: the puppet plugin changes ownership of /etc/rabbitmq to root,
while the Ubuntu/Debian package requires it to be rabbitmq.rabbitmq,
because the tool rabbitmq-plugins needs to write to
/etc/rabbitmq/enabled_plugins and create
/etc/rabbitmq/enabled_plugins.tmp
So if /etc/rabbitmq belongs to root, rabbitmq-plugins can write only if run as root, but then it issues an error message because of ownership trouble with the rabbitmq daemon, which expects things to be rabbitmq.
It is definitely a poor and insecure idea to give an /etc directory
ownership to a daemon and use it to store state information.
/etc/rabbitmq/enabled_plugins definitely belongs to /var/lib/rabbitmq,
and as far as I know, this is what Linux design guides say.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: rabbitmq-server 3.6.10-1
ProcVersionSignature: Ubuntu 4.15.0-58.64-generic 4.15.18
Uname: Linux 4.15.0-58-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: LXDE
Date: Tue Sep 3 12:17:42 2019
InstallationDate: Installed on 2018-04-30 (491 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
PackageArchitecture: all
SourcePackage: rabbitmq-server
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.rabbitmq-server: [modified]
mtime.conffile..etc.default.rabbitmq-server: 2019-09-02T17:17:09.167373
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/1842408/+subscriptions
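
The permission effect described in the message above, reproduced in a scratch directory as an added example (not part of the original message or of the rabbitmq-server package). It assumes GNU coreutils stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: shows the modes new files and directories get under
# umask 022 versus 027. Works only in a mktemp scratch directory and
# never touches /etc/rabbitmq. Function names are hypothetical.

# mode_under_umask UMASK file|dir -> prints the octal mode of a new entry
mode_under_umask() {
    (
        umask "$1"
        scratch=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then
            mkdir "$scratch/entry"
        else
            : > "$scratch/entry"
        fi
        stat -c '%a' "$scratch/entry"   # assumes GNU coreutils stat
        rm -rf "$scratch"
    )
}

# other_can_read MODE -> succeeds if the "other" read bit is set
other_can_read() {
    case "$1" in
        *[4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# report UMASK -> one line stating whether users outside owner and group can read
report() {
    mode=$(mode_under_umask "$1" file)
    if other_can_read "$mode"; then
        echo "umask $1: new file mode $mode, readable by other users"
    else
        echo "umask $1: new file mode $mode, NOT readable by other users"
    fi
}

report 022
report 027
```

A file written by root with group root under umask 027 ends up as 640, so a service account that is neither the owner nor in that group falls into the "other" class and cannot read it.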