how to remove eldap OTP app dependency


Naoya Sugioka

Mar 7, 2018, 10:14:55 PM
to rabbitmq-users
Hello,

I am the one who recently posted the following issue:
 https://github.com/rabbitmq/erlang-rpm/issues/58

I am one who wants to harden the Erlang environment and remove unnecessary applications there (e.g. CORBA),
but I cannot remove the eldap OTP app dependency; without eldap, RabbitMQ does not boot up.

Mar 07 19:42:04 host.com rabbitmq-server[21919]: rabbit_plugins:ensure_dependencies/1 line 263
Mar 07 19:42:04 host.com rabbitmq-server[21919]: throw:{error,{missing_dependencies,[eldap],[rabbitmq_auth_backend_ldap]}}
Mar 07 19:42:04 host.com rabbitmq-server[21919]: Log file(s) (may contain more information):
Mar 07 19:42:04 host.com rabbitmq-server[21919]: /var/log/rabbitmq/rab...@localhost.log
Mar 07 19:42:04 host.com rabbitmq-server[21919]: /var/log/rabbitmq/rabbit@localhost_upgrade.log
Mar 07 19:42:06 host.com rabbitmq-server[21919]: {"init terminating in do_boot",{error,{missing_dependencies,[eldap],[rabbitmq_auth_backend_ldap]}}}
Mar 07 19:42:06 host.com rabbitmq-server[21919]: init terminating in do_boot ({error,{missing_dependencies,[eldap],[rabbitmq_auth_backend_ldap]}})


Is there anything I need to configure to remove the LDAP dependency? I don't see anything about LDAP in the status output.

CentOS7, Erlang/OTP 20.2.4, RabbitMQ 3.7.3

Thank you for paying attention to my issue.
-Naoya

# rabbitmqctl status
Status of node rabbit@localhost ...
[{pid,19811},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.7.3"},
      {amqp_client,"RabbitMQ AMQP Client","3.7.3"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.3"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.3"},
      {rabbit,"RabbitMQ","3.7.3"},
      {rabbit_common,
          "Modules shared by rabbitmq-server and rabbitmq-erlang-client",
          "3.7.3"},
      {ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.4.4"},
      {cowboy,"Small, fast, modern HTTP server.","2.0.0"},
      {ranch,"Socket acceptor pool for TCP protocols.","1.4.0"},
      {ssl,"Erlang/OTP SSL application","8.2.3"},
      {public_key,"Public key infrastructure","1.5.2"},
      {asn1,"The Erlang ASN1 compiler version 5.0.4","5.0.4"},
      {xmerl,"XML parser","1.3.16"},
      {recon,"Diagnostic tools for production use","2.3.2"},
      {jsx,"a streaming, evented json parsing toolkit","2.8.2"},
      {os_mon,"CPO  CXC 138 46","2.4.4"},
      {inets,"INETS  CXC 138 49","6.4.5"},
      {cowlib,"Support library for manipulating Web protocols.","2.0.0"},
      {crypto,"CRYPTO","4.2"},
      {mnesia,"MNESIA  CXC 138 12","4.15.3"},
      {lager,"Erlang logging framework","3.5.1"},
      {goldrush,"Erlang event stream processor","0.1.9"},
      {compiler,"ERTS  CXC 138 10","7.1.4"},
      {syntax_tools,"Syntax tools","2.1.4"},
      {sasl,"SASL  CXC 138 11","3.1.1"},
      {stdlib,"ERTS  CXC 138 10","3.4.3"},
      {kernel,"ERTS  CXC 138 10","5.4.2"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang/OTP 20 [erts-9.2.1] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:192] [hipe] [kernel-poll:true]\n"},
 {memory,
     [{connection_readers,2794688},
      {connection_writers,578824},
      {connection_channels,2258464},
      {connection_other,15361008},
      {queue_procs,3618456},
      {queue_slave_procs,0},
      {plugins,15209760},
      {other_proc,20206096},
      {metrics,1819768},
      {mgmt_db,9796320},
      {mnesia,645176},
      {other_ets,2722712},
      {binary,195427960},
      {msg_index,131064},
      {code,28336077},
      {atom,1123529},
      {other_system,16062986},
      {allocated_unused,93142568},
      {reserved_unallocated,0},
      {strategy,rss},
      {total,[{erlang,316092888},{rss,188612608},{allocated,409235456}]}]},
 {alarms,[]},
 {listeners,
     [{clustering,25672,"::"},
      {amqp,5672,"127.0.0.1"},
      {amqp,5672,"172.19.248.93"},
      {'amqp/ssl',5671,"127.0.0.1"},
      {'amqp/ssl',5671,"172.19.248.93"},
      {http,15672,"::"}]},
 {vm_memory_calculation_strategy,rss},
 {vm_memory_high_watermark,{absolute,12884901888}},
 {vm_memory_limit,12884901888},
 {disk_free_limit,50000000},
 {disk_free,212686827520},
 {file_descriptors,
     [{total_limit,924},
      {total_used,87},
      {sockets_limit,829},
      {sockets_used,77}]},
 {processes,[{limit,1048576},{used,2854}]},
 {run_queue,0},
 {uptime,9697},
 {kernel,{net_ticktime,60}}]






Luke Bakken

Mar 8, 2018, 11:10:33 AM
to rabbitmq-users
Hello Naoya,

I read through rabbitmq/erlang-rpm#58 and this message.

How are you removing the eldap dependency? Are you building RabbitMQ from source? If you are using a configuration file, please post it here. Also, what is the output of rabbitmq-plugins list?

Thanks,
Luke


Michael Klishin

Mar 8, 2018, 2:07:25 PM
to rabbitm...@googlegroups.com
If rabbitmq_auth_backend_ldap is not enabled, eldap won't be used. It can be that the plugin dependency graph
is eagerly checked; we don't generally hear from folks who try to remove parts of OTP.

Instead of removing apps/modules that are potentially relevant, consider removing those that aren't (RabbitMQ zero dependency
RPM already drops some) and adding some firewall rules to filter out LDAP traffic instead.

Support for OTP installations with a cherry-picked subset of apps is not going to be a priority for our team, so even if you
find a short term solution, this is not a wise strategy if you ask me.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Naoya Sugioka

Mar 13, 2018, 2:28:28 PM
to rabbitmq-users
Hi Michael,

Thank you for your response, and sorry for my slow recap.

In my understanding, the rabbitmq_auth_backend_ldap plugin is not enabled (from the rabbitmq-plugins output).
From my perspective, it seems some background task happens at startup. That prevents disabling the eldap Erlang/OTP app.
That's why we should not disable the eldap application if we deploy RabbitMQ 3.7.3 with Erlang/OTP 20.2.4.

Anyway, I am fine with leaving eldap inside Erlang/OTP, and then I harden my system with port filtering for LDAP. It surprised me, though.
I see the updated document on GitHub rabbitmq/erlang as well. I hope that helps other people avoid seeing unexpected behavior.

Again, thank you. 
-Naoya

# rabbitmq-plugins list
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status: * = running on rabbit@localhost
 |/
[  ] rabbitmq_amqp1_0                  3.7.3
[  ] rabbitmq_auth_backend_cache       3.7.3
[  ] rabbitmq_auth_backend_http        3.7.3
[  ] rabbitmq_auth_backend_ldap        3.7.3
...

Luke Bakken

Mar 13, 2018, 2:50:28 PM
to rabbitmq-users
Hello,

It's not a "background task", it's a side-effect of this code which Michael mentioned as an "eager check" during startup -


We may be able to make improvements in how we check plugin dependencies. But, this is the first time (that I know of) that someone has tried to disable something like eldap.

You can rest assured that there will be no LDAP activity without the plugin enabled.

Thanks,
Luke
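
An added example (not part of the thread and not RabbitMQ's own code) of checking the two points the replies rely on: it reads `rabbitmq-plugins list` output to confirm that rabbitmq_auth_backend_ldap is not enabled, and prints egress rules for the LDAP port filtering mentioned above. The service account name `rabbitmq`, the LDAP ports 389/636 and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: the broker runs as user "rabbitmq" and LDAP
# would use TCP 389 (ldap) or 636 (ldaps). The sample listing is constructed.

# plugin_state NAME: read `rabbitmq-plugins list` output on stdin and print
# "explicit", "implicit" or "disabled" for NAME, or "unknown" if not listed.
plugin_state() {
    awk -v want="$1" '
        # Plugin rows start with a two-character flag box, e.g. "[E*] name version"
        /^\[..\] / {
            split(substr($0, 5), f, " ")      # f[1] = plugin name
            if (f[1] != want) next
            flag = substr($0, 2, 1)           # E, e or blank
            if (flag == "E")      state = "explicit"
            else if (flag == "e") state = "implicit"
            else                  state = "disabled"
            found = 1
        }
        END { print (found ? state : "unknown") }'
}

# audit_ldap: succeed only if the LDAP auth backend is listed and disabled.
audit_ldap() {
    state=$(plugin_state rabbitmq_auth_backend_ldap)
    if [ "$state" = "disabled" ]; then
        echo "OK: rabbitmq_auth_backend_ldap is disabled"
        return 0
    fi
    echo "FAIL: rabbitmq_auth_backend_ldap state is $state"
    return 1
}

# ldap_egress_rules USER: print (not apply) iptables rules that reject
# outbound LDAP connections made by the broker's service account.
ldap_egress_rules() {
    user="${1:-rabbitmq}"
    for port in 389 636; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j REJECT\n' "$port" "$user"
    done
}

# Constructed sample in the format shown in the thread.
SAMPLE_LIST=' Configured: E = explicitly enabled; e = implicitly enabled
 | Status: * = running on rabbit@localhost
 |/
[  ] rabbitmq_auth_backend_ldap        3.7.3
[E*] rabbitmq_management               3.7.3
[e*] rabbitmq_management_agent         3.7.3'

printf '%s\n' "$SAMPLE_LIST" | audit_ldap
ldap_egress_rules rabbitmq
```

On a live node, pipe the real listing in instead of the sample: `rabbitmq-plugins list | audit_ldap`.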