Change location of the erlang-cookie


thoma...@gmail.com

Jan 11, 2023, 8:21:34 AM
to rabbitmq-users
Hello fellow rabbitmq users,

I am checking the possibility to change the location of the erlang-cookie for our RabbitMQ servers.
The reason for this is that in our Linux environment, all home directories are NFS shares.
This means that a majority of our deployed RabbitMQ servers will use the same erlang cookie: $HOME/.erlang-cookie as they are running as a particular user. (Same user means same $HOME/.erlang-cookie).

When I read up on the subject, it seems the only option to override the default location is to use the RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-setcookie cookie" environment variable.
However, this means that the cookie will be visible for anyone with access to the system.
For instance a "ps -ef | grep beam" will show the cookie in cleartext.

The RABBITMQ_ERLANG_COOKIE environment variable seems to be working the way I want; I can provide a path to a file that contains a node-specific cookie.
However, using this variable throws warnings; it is deprecated and I assume it will be removed completely in the future?

So, this seems to boil down to either using an insecure solution or staying with the default?

Best Regards,

Thomas

Luke Bakken

Jan 11, 2023, 10:10:08 AM
to rabbitmq-users
Hi Thomas,

Setting RABBITMQ_ERLANG_COOKIE to a path doesn't work the way you think it does. The path itself (as a string) is used as the cookie value. You can verify this by running the following command:

rabbitmqctl eval 'erlang:get_cookie().'

By default RabbitMQ runs as the rabbitmq user, and the cookie is expected to be at /var/lib/rabbitmq, because our packaging has set HOME for that user.

One option that comes to mind is to set HOME in the /etc/rabbitmq/rabbitmq-env.conf file like this (it must be exported):

export HOME=/path/to/home

This will override HOME during the startup and lifetime of RabbitMQ. Since you've customized your RabbitMQ installation I can't be 100% sure this will work.

I did a quick test using the 3.11.6 generic unix package and the above suggestion worked as expected to set HOME to /tmp/home-CPFtnQ5yEK4. The cookie file was created there when I started up RabbitMQ.

Thanks,
Luke

thoma...@gmail.com

Jan 11, 2023, 11:58:21 AM
to rabbitmq-users
Hi Luke,

Oh.. Silly me.. Thanks for pointing that out!
I was fooled by the fact that I do not see the cookie when doing a "ps -ef | grep beam" when using RABBITMQ_ERLANG_COOKIE.
We can investigate if we can change the HOME env parameter like you suggest. It is not clear if we have other dependencies on HOME in our deployment, but we will find out.

Thank you for your quick reply!

All the best,

Thomas

Luke Bakken

Jan 11, 2023, 12:01:47 PM
to rabbitmq-users
Note that setting HOME in rabbitmq-env.conf will ONLY affect RabbitMQ and will not affect the user as whom RabbitMQ is running. If you review the rabbitmq-server startup script, you can trace back to where rabbitmq-env.conf is sourced:


...which then sources:

thoma...@gmail.com

Jan 12, 2023, 2:23:10 AM
to rabbitmq-users
Hi Luke,

Ok, that is an important factor for us. This user account is used for deploying and running several other services as well.
We will test!

Thanks for your help! Always fast responses.. :-)

Kind Regards,

Thomas
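
An added illustration of the checks this thread discusses (not posted by any participant and not RabbitMQ's own tooling): a shell audit that flags a cookie passed with -setcookie, reads the HOME exported in rabbitmq-env.conf, and verifies that the cookie file under it is owner-only. The function names are hypothetical, and it assumes Erlang's default cookie file name, .erlang.cookie.

```shell
#!/bin/sh
# Added example: audit where a RabbitMQ node takes its Erlang cookie from.
# Function names are hypothetical; inputs are supplied by the caller.
# Assumes Erlang's default cookie file name, .erlang.cookie, under HOME.

# Succeeds if the command line carries the cookie via -setcookie, which any
# local user can read with ps.
cmdline_exposes_cookie() {
    case " $1 " in
        *" -setcookie "*) return 0 ;;
    esac
    return 1
}

# Prints the HOME that rabbitmq-env.conf exports (last assignment wins).
# Non-exported assignments are ignored: the thread notes it must be exported.
home_from_env_conf() {
    sed -n 's/^[[:space:]]*export[[:space:]][[:space:]]*HOME=//p' "$1" |
        tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Succeeds if the cookie is a regular file that only its owner can access.
cookie_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -r--------|-rw-------) return 0 ;;
    esac
    return 1
}

# Prints one finding per line and returns the number of problems found.
audit_cookie() {  # $1 = rabbitmq-env.conf path, $2 = beam command line
    problems=0
    if cmdline_exposes_cookie "$2"; then
        echo "FAIL: cookie passed with -setcookie, visible in ps"
        problems=$((problems + 1))
    fi
    home=$(home_from_env_conf "$1")
    if [ -z "$home" ]; then
        echo "WARN: no exported HOME in $1, cookie stays in the user's HOME"
        problems=$((problems + 1))
    elif ! cookie_file_is_private "$home/.erlang.cookie"; then
        echo "FAIL: $home/.erlang.cookie missing or not owner-only"
        problems=$((problems + 1))
    else
        echo "OK: cookie at $home/.erlang.cookie"
    fi
    return "$problems"
}
```

On a live host the second argument can be the beam line taken from the same "ps -ef" output mentioned above.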