Juju Charms Collection
rabbitmq-server package

Merge lp:~tal-it-innovation/charms/precise/rabbitmq-server/ssl-support into lp:charms/rabbitmq-server

  1. Precise Pangolin (12.04)
  2. ssl-support
  3. Merge into trunk
Proposed by Thomas Leonard
Status: Merged
Approved by: Clint Byrum
Approved revision: 34
Merged at revision: 33
Proposed branch: lp:~tal-it-innovation/charms/precise/rabbitmq-server/ssl-support
Merge into: lp:charms/rabbitmq-server
Diff against target: 112 lines (+92/-1)
4 files modified
README (+17/-0)
config.yaml (+15/-0)
hooks/config-changed (+59/-0)
revision (+1/-1)
To merge this branch: bzr merge lp:~tal-it-innovation/charms/precise/rabbitmq-server/ssl-support
Reviewer Review Type Date Requested Status
Clint Byrum (community) Approve
Review via email: mp+122698@code.launchpad.net

Description of the change

This branch adds support for enabling Rabbit's SSL support. Instructions are in the README.

To post a comment you must log in.
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Hi Thomas. This is a great change. Needs a few fixups:

+exec 3> rabbitmq.config.new

This is a predictable temp file. While the dir is not normally world-writable, its best not to tempt fate with this type of code. If an admin or a later release of Ubuntu were to add group-write perms to the dir, then an attacker could use this predictability to overwrite files as root.

new_config=`mktemp /etc/rabbitmq/.rabbitmq.config.XXXXXX`
exec 3> $new_config

and then later of course you need to do your rename using $new_config.

Also I think there's something missing here (though its not a blocker to merge the change) which is to add an amqp-ssl relation or some kind of indicator that SSL is available to the existing "rabbitmq" interface relation.

review: Needs Fixing
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Oh I forgot to mention, after fixing these things, please change the status of the merge proposal back to 'Needs Review'.

Revision history for this message
Thomas Leonard (tal-it-innovation) wrote :

I don't think that will allow untrusted rabbit admins. If you grant some group (e.g. rabbitadm) write access to the config directory:

cd /etc/rabbitmq
sudo chgrp rabbitadm .
sudo chmod g+sw
[ and change juju umask to make new files group writable ]

then members of the group can cause a file called .rabbitmq.config.XXXXXX to be written to the root-owned directory of their choice with:

ln -s /some/path.d /etc/rabbitmq/rabbitmq.config

They can then edit that file as they please.

("run-parts" ignores files whose names contain dots, which limits the problem a bit though)

Auditing all Juju charms to make sure they are safe when modifying configuration directories that are under the control of attackers seems infeasibly-hard. I don't know what the right fix is, though. If there were a rabbitadm group already then we could run the juju hooks as that user, which would solve the problem. The FreeBSD *at system calls (openat, renameat, etc) don't follow symlinks to locations above the given FD directory (after calling cap_enter(2)) which would be handy for limiting changes to be within the /etc/rabbitmq directory, but Ubuntu doesn't support that yet.

(hopefully https://bugs.launchpad.net/juju/+bug/728905 will clear things up a bit though)

Anyway, I'll make your suggested change. Thanks,

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Indeed having the .new file in /etc/rabbitmq helps a lot. Perhaps I am being a bit over-zealous with requiring using mktemp in a root-owned dir. However, I'd like to think if somebody copies your charm bits, they will be less likely to expose themselves. The official charms are as much examples for others to follow as they are whole solutions to be used.

Also we don't necessarily need to audit every charm, we just need to catch problems like these on review.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Alright, w/ mktemp looks good.

Now.. about putting the SSL key in config settings. I was thinking about this and it may not be the best practice given Juju's current design. This data will be in ZooKeeper, readable by many hosts and transmitted in clear text inside the environment's network (we use SSH between the client and ZK, but agents just speak to ZK directly). It would probably be better to allow and document manual copying of the SSL key using juju scp if the user wants higher security. Given juju's current security bug list[1] though, I don't think this is a blocker. +1

[1] https://bugs.launchpad.net/juju/+bugs?field.tag=security

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'README'
2--- README 1970-01-01 00:00:00 +0000
3+++ README 2012-09-06 13:22:19 +0000
4@@ -0,0 +1,17 @@
5+Configuring SSL
6+---------------
7+Generate an unencrypted RSA private key for the servers and a certificate:
8+
9+ openssl genrsa -out rabbit-server-privkey.pem 2048
10+
11+Get an X.509 certificate. This can be self-signed, for example:
12+
13+ openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
14+
15+Deploy the service:
16+
17+ juju deploy rabbitmq-server rabbit
18+
19+Enable SSL, passing in the key and certificate as configuration settings:
20+
21+ juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"
22
23=== added file 'config.yaml'
24--- config.yaml 1970-01-01 00:00:00 +0000
25+++ config.yaml 2012-09-06 13:22:19 +0000
26@@ -0,0 +1,15 @@
27+options:
28+ ssl_enabled:
29+ type: boolean
30+ default: False
31+ description: enable SSL
32+ ssl_port:
33+ type: int
34+ default: 5673
35+ description: SSL port
36+ ssl_key:
37+ type: string
38+ description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
39+ ssl_cert:
40+ type: string
41+ description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
42
43=== added file 'hooks/config-changed'
44--- hooks/config-changed 1970-01-01 00:00:00 +0000
45+++ hooks/config-changed 2012-09-06 13:22:19 +0000
46@@ -0,0 +1,59 @@
47+#!/bin/bash
48+set -eu
49+
50+juju-log "rabbitmq-server: Firing config hook"
51+
52+ssl_enabled=`config-get ssl_enabled`
53+
54+cd /etc/rabbitmq
55+
56+new_config=`mktemp /etc/rabbitmq/.rabbitmq.config.XXXXXX`
57+chgrp rabbitmq "$new_config"
58+chmod g+r "$new_config"
59+exec 3> "$new_config"
60+
61+cat >&3 <<EOF
62+[
63+ {rabbit, [
64+EOF
65+
66+ssl_key_file=/etc/rabbitmq/rabbit-server-privkey.pem
67+ssl_cert_file=/etc/rabbitmq/rabbit-server-cert.pem
68+
69+if [ "$ssl_enabled" == "True" ]; then
70+ umask 027
71+ config-get ssl_key > "$ssl_key_file"
72+ config-get ssl_cert > "$ssl_cert_file"
73+ chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
74+ if [ ! -s "$ssl_key_file" ]; then
75+ juju-log "ssl_key not set - can't configure SSL"
76+ exit 0
77+ fi
78+ if [ ! -s "$ssl_cert_file" ]; then
79+ juju-log "ssl_cert not set - can't configure SSL"
80+ exit 0
81+ fi
82+ cat >&3 <<EOF
83+ {ssl_listeners, [`config-get ssl_port`]},
84+ {ssl_options, [
85+ {certfile,"$ssl_cert_file"},
86+ {keyfile,"$ssl_key_file"}
87+ ]},
88+EOF
89+fi
90+
91+cat >&3 <<EOF
92+ {tcp_listeners, [5672]}
93+ ]}
94+].
95+EOF
96+
97+exec 3>&-
98+
99+if [ -f rabbitmq.config ]; then
100+ mv rabbitmq.config{,.bak}
101+fi
102+
103+mv "$new_config" rabbitmq.config
104+
105+/etc/init.d/rabbitmq-server restart
106
107=== modified file 'revision'
108--- revision 2012-04-14 05:42:17 +0000
109+++ revision 2012-09-06 13:22:19 +0000
110@@ -1,1 +1,1 @@
111-31
112+34

Subscribers

People subscribed via source and target branches