-
Notifications
You must be signed in to change notification settings - Fork 426
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RABBITMQ_DEFAULT_USER/PASS environment variables not taken into account #150
Comments
I can't seem to reproduce: $ docker pull rabbitmq:3.6
3.6: Pulling from library/rabbitmq
Digest: sha256:9f5536f8bf6243b6dfd74dd9fb13d460f55b8e633d20f9a970c228c61b07f987
Status: Image is up to date for rabbitmq:3.6
$ docker run -it --rm -e RABBITMQ_DEFAULT_USER=user -e RABBITMQ_DEFAULT_PASS=pass -e RABBITMQ_DEFAULT_VHOST=vhost rabbitmq:3.6 rabbitmq-server --hostname mq
RabbitMQ 3.6.9. Copyright (C) 2007-2016 Pivotal Software, Inc.
## ## Licensed under the MPL. See http://www.rabbitmq.com/
## ##
########## Logs: tty
###### ## tty
##########
Starting broker...
...
=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Adding vhost 'vhost'
=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Creating user 'user'
=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Setting user tags for user 'user' to [administrator]
=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Setting permissions for 'user' in 'vhost' to '.*', '.*', '.*'
...
=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Server startup complete; 0 plugins started.
|
I think the reporter's
|
Made a quick test and seems that when you set the ex:
result:
removing the
it works
|
Oh yeah, totally missed that. That makes sense. @thijscobben probably meant to override |
Hey! I have a similar problem in my setup. This is my compose file:
The config looks like:
I can open up the management-GUI, but I can only login with guest:guest Docker info:
Running on macOS Sierra, 10.12.5 (16F73) Anyone have any ideas? |
If I bash into the container and manually restart the rabbitmq-node, the config works? Is it possible the the rabbitmq-node starts before the new config is set? |
Bump, experiencing this as well, any movement? |
@Jarlotee Unfortunately, I don't think I can help. It was a long time ago, and if I remember correctly, it suddenly just started working out of nowhere and I did not dig into it any further. |
Since the original issue appears solved, I'm going to close. For further help debugging, I'd recommend trying the Docker Community Forums, the Docker Community Slack, or Stack Overflow. Thanks! |
I ran into what appears to be this exact same problem. If you boot a RabbitMQ container with one value of This suggests an explanation like #150 (comment), where the container isn't reliable about the ordering between doing configuration and starting rabbitmq. Can this issue be reopened? I don't think it's been fixed. |
OK, I figured out what's going on here. The RabbitMQ image is storing the RabbitMQ database across restarts, and that's why the password from the first boot is preserved even after one changes the environment. We don't declare any volumes in our config, but I did notice this line in the Dockerfile for the RabbitMQ image: As a result, one has to do e.g. a Here's the docker-compose config I'm using, for reference: At the very least, this land mine with changing the credentials for this image should be documented. |
I think, this is still an issue. I am facing similar problems, when I am overriding the My docker-compose.yml is as follows: ---
version: '2.3'
#################################################################################
# For more information on the syntax and features of docker-compose files, #
# see: https://docs.docker.com/compose/compose-file/ #
#################################################################################
# Declaration of the network nodes.
services:
rabbit-1:
build:
context: . # directory to build from.
dockerfile: Dockerfile-rabbit # Dockerfile name for rabbit container.
command: bash -c 'ip route add 172.2.0.0/16 via 172.1.0.2 && ip route add 172.3.0.0/16 via 172.1.0.2 && rabbitmq-server'
privileged: true # required so that routing tables can be manipulated.
hostname: rabbit-1 # hostname will be used by RabbitMQ to name the server instance.
ports:
- "7777:15672" # map local port 7777 to the web management console's internal port 15672
volumes: # mount files into rabbit containers.
- type: bind
source: ./enabled_plugins # mount enabled_plugins file into rabbit
target: /etc/rabbitmq/enabled_plugins # for inspection at startup.
environment:
RABBITMQ_DEFAULT_VHOST: rabbit-vhost-1 # Change default Vhost name of RabbitMQ server.
RABBITMQ_DEFAULT_USER: test # Default user name (for management console).
RABBITMQ_DEFAULT_PASS: test1234 # Default password (for management console).
#RABBITMQ_ERLANG_COOKIE: 'secret cookie here' # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
#RABBITMQ_HIPE_COMPILE: 1 # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
networks:
network-1:
ipv4_address: 172.1.0.3
rabbit-2:
build:
context: . # directory to build from.
dockerfile: Dockerfile-rabbit # Dockerfile name for rabbit container.
command: bash -c 'ip route add 172.1.0.0/16 via 172.2.0.2 && ip route add 172.3.0.0/16 via 172.2.0.2 && rabbitmq-server'
privileged: true # required so that routing tables can be manipulated.
hostname: rabbit-2 # hostname will be used by RabbitMQ to name the server instance.
ports:
- "7778:15672" # map local port 7778 to the web management console's internal port 15672
volumes: # mount files into rabbit containers.
- type: bind
source: ./enabled_plugins # mount enabled_plugins file into rabbit
target: /etc/rabbitmq/enabled_plugins # for inspection at startup.
environment:
RABBITMQ_DEFAULT_VHOST: rabbit-vhost-2 # Change default Vhost name of RabbitMQ server.
RABBITMQ_DEFAULT_USER: test # Default user name (for management console).
RABBITMQ_DEFAULT_PASS: test1234 # Default password (for management console).
#RABBITMQ_ERLANG_COOKIE: 'secret cookie here' # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
#RABBITMQ_HIPE_COMPILE: 1 # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
networks:
network-2:
ipv4_address: 172.2.0.3
rabbit-3:
build:
context: . # directory to build from.
dockerfile: Dockerfile-rabbit # Dockerfile name for rabbit container.
command: bash -c 'ip route add 172.1.0.0/16 via 172.3.0.2 && ip route add 172.2.0.0/16 via 172.3.0.2 && rabbitmq-server'
privileged: true # required so that routing tables can be manipulated.
hostname: rabbit-3 # hostname will be used by RabbitMQ to name the server instance.
ports:
- "7779:15672" # map local port 7777 to the web management console's internal port 15672
volumes: # mount files into rabbit containers.
- type: bind
source: ./enabled_plugins # mount enabled_plugins file into rabbit
target: /etc/rabbitmq/enabled_plugins # for inspection at startup.
environment:
RABBITMQ_DEFAULT_VHOST: rabbit-vhost-3 # Change default Vhost name of RabbitMQ server.
RABBITMQ_DEFAULT_USER: test # Default user name (for management console).
RABBITMQ_DEFAULT_PASS: test1234 # Default password (for management console).
#RABBITMQ_ERLANG_COOKIE: 'secret cookie here' # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
#RABBITMQ_HIPE_COMPILE: 1 # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
networks:
network-3:
ipv4_address: 172.3.0.3
router:
build:
context: . # directory to build from.
dockerfile: Dockerfile-router # Dockerfile of the router container.
tty: true # required to keep the container from exiting immediately.
privileged: true # required so that routing tables can be manipulated.
networks:
network-1:
ipv4_address: 172.1.0.2
network-2:
ipv4_address: 172.2.0.2
network-3:
ipv4_address: 172.3.0.2
# Declaration of the networks.
# These are referenced by the nodes above.
networks:
network-1:
driver: "bridge"
ipam:
config:
- subnet: 172.1.0.0/16
gateway: 172.1.0.1
network-2:
driver: "bridge"
ipam:
config:
- subnet: 172.2.0.0/16
gateway: 172.2.0.1
network-3:
driver: "bridge"
ipam:
config:
- subnet: 172.3.0.0/16
gateway: 172.3.0.1 Funny enough, rabbitmq-server still starts the server, but running it from a shell command (like given above) will not create the rabbit config file. Could this be an issue with the entrypoint script?
... evth. works fine. But then I cannot execute the other commands (ip route add etc. as shown above). In any case, I think this behaviour is rather unexpected and seems more like a bug. EDIT:
Note, that I am executing commands before the startup of Still, this is not really ideal. |
What you've discovered is exactly the expected behavior. The So your fix is exactly correct (re-executing |
Well, good to know, thanks. Maybe this should be documented somewhere. |
I fixed this problem by deleting the RabbitMQ docker volume on the host machine and rebuilding/restarting the image/container. It appears the user info is stored in the persistent settings files somehow. |
I still get this error. My version: '3.7'
services:
rabbitmq:
image: rabbitmq:3.11-alpine
ports:
- '4369:4369'
- '5551:5551'
- '5552:5552'
- '5672:5672'
- '25672:25672'
- '15672:15672'
environment:
- RABBITMQ_DEFAULT_USER=user
- RABBITMQ_DEFAULT_PASS=password
Run command: docker compose up -d Logs:
|
@liv1n9 please note that when you comment on a closed GitHub issue it's unlikely that people will see your comment. You are NOT experiencing the issue reported here. Please carefully examine the output you pasted. It is clear that your application is connecting as the I double-checked that Docker command and output
Test application
RabbitMQ logs when test app connects
|
For anyone seeing this in 2023, and new to RabbitMQ, this may still be broken. Apparently the environment variables are deprecated, the After spending a couple of hours on this, the instructions in this blog finally worked -- https://elnatantorres.medium.com/configuring-rabbitmq-on-its-startup-with-docker-d219af4b751a HTHs |
How password hashes are computed in RabbitMQ has not changed for many years (five or six?) |
Env vars They indeed create a user / password when I test it without RABBITMQ_CONFIG_FILE however, everything is changed when RABBITMQ_CONFIG_FILE is set and Had to put some hours on this issue. This task shouldn't be closed. |
@Firfi thanks for reporting. This issue is not specific to the docker image, so I opened rabbitmq/rabbitmq-server#7678 Note that the following was logged in your environment: https://github.com/rabbitmq/rabbitmq-server/blob/main/deps/rabbit/src/rabbit.erl#L1066
However, this may not be clear enough and we could probably improve the documentation. |
For people who come across this issue, please note that as soon as you instruct RabbitMQ to import definitions, there is NO OTHER WAY to import users other than via the definitions file. This behavior is by design because we consider a definitions import to be definitive when creating entities. You will see the following logged when this scenario happens:
|
Well we could |
@Firfi there is no need to |
How passwords are computed is documented and in modern versions, there is a CLI command that does all that work rabbitmqctl hash_password foobarbaz Alternatively you can set up a node however you like and export definitions then use the resulting file (as one of the files imported or the only one). |
Thank you for the suggestion and for the estimation of my proposed solution, but perhaps I struggle with understanding here; how exactly the ability to provide several definitions file resolves my specific case of needing to provide different usernames/passwords depending on the environment the server is run in. |
The thread got forked into two at this point. The detailed use case that I presented here as short "I want env vars to go into password" is here rabbitmq/rabbitmq-server#7678 (comment) The current solution is sed-like shenanigans in entrypoint.sh of Dockerfile
This solution is far from perfect, of course! The ideal solution would be to have the ability to declare users and queues separately. The more I think about it more it makes sense. It's like having the pattern in SQL where they handle DDL and DML differently. Here queue/exchange definitions behave like schema, whereas users are rows in a 'users' table, and tying them together would be, although "definitive", impractical. |
Between environment variable values expansion in In fact, RabbitMQ is open source software that 99% of users get for a grand price of USD 0, |
My docker-setup is:
From the docker-compose logs I see:
when I
docker-compose exec mq /bin/bash
I see
when I do
rabbitmqctl list_users
I only see the guest userand when my service (python app) tries to do something with mq it gets (consistent with startup log and rabbitmqctl output) a permission denied.
I would have expected that the default user would not be guest/guest but user/pass. Also, I think that guest user is prevented from accessing other than localhost. This blocks my system. What am I doing wrong? Or can this be fixed?
The text was updated successfully, but these errors were encountered: