NRPE check check_rabbitmq.py does not work when enforcing SSL

Bug #1687916 reported by Sandor Zeestraten
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack RabbitMQ Server Charm | Fix Released | Low | Felipe Reyes |

Bug Description

# Versions
Juju 2.1.3
MAAS 2.1.5
rabbitmq-server rev. 61
nrpe rev. 13

# Issue
The default rabbitmq check that is supplied by the rabbitmq-server charm does not work when ssl=only.

# Error message when running the check in /usr/local/lib/nagios/plugins/check_rabbitmq.py
ERROR: Could not connect to RabbitMQ server localhost:5672

I guess this is because when setting ssl=only, the rabbitmq.config gets the following entries where it only listens to ssl on 5671:
[
    {rabbit, [
        {collect_statistics_interval, 30000},
        {tcp_listeners, []},
        {ssl_listeners, [5671]},
        {ssl_options, [
                {verify, verify_peer},
                {fail_if_no_peer_cert, false},
                {cacertfile, "/etc/rabbitmq/rabbit-server-ca.pem"},
                {certfile, "/etc/rabbitmq/rabbit-server-cert.pem"},
                {keyfile, "/etc/rabbitmq/rabbit-server-privkey.pem"}
        ]},
        {cluster_partition_handling, pause_minority}
    ]}
]

A suggestion for an initial fix: Add a regular systemd service check to make sure rabbitmq is running like many of the other openstack charms have. Then take a look at a better way to make sure rabbitmq is running and behaving as the current check is 4 years old and there are probably better ways to check it.

James Page (james-page) wrote :

+1 on adding a generic service check - I suspect that this check script is one of many in this charm that don't work when SSL is enforced.

summary: - NRPE check check_rabbitmq.py does not work when using SSL
+ NRPE check check_rabbitmq.py does not work when enforcing SSL
Changed in charm-rabbitmq-server:
status: New → Triaged
importance: Undecided → Low
tags: added: monitoring
James Page (james-page) wrote :

Quick grok of the code confirms the supposition in #1

Felipe Reyes (freyes)
Changed in charm-rabbitmq-server:
assignee: nobody → Felipe Reyes (freyes)
tags: added: sts
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-rabbitmq-server (master)

Fix proposed to branch: master
Review: https://review.openstack.org/551012

Changed in charm-rabbitmq-server:
status: Triaged → In Progress
Felipe Reyes (freyes)
tags: added: backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-rabbitmq-server (master)

Reviewed: https://review.openstack.org/551012
Committed: https://git.openstack.org/cgit/openstack/charm-rabbitmq-server/commit/?id=6ede4d38b392eaff59a5f3b1999e77884c2bde90
Submitter: Zuul
Branch: master

commit 6ede4d38b392eaff59a5f3b1999e77884c2bde90
Author: Felipe Reyes <email address hidden>
Date: Tue Mar 6 18:20:50 2018 -0300

    Extend check_rabbitmq.py to honor ssl=only

    This patch enables checks of rabbitmq when SSL is enabled, when ssl
    config option is set to 'on' both ports (5672 and 5671) will be
    checked.

    Change-Id: Ia0bab1dca65112cd06ae382f6ebc1cc280d7b130
    Closes-Bug: 1687916

Changed in charm-rabbitmq-server:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-rabbitmq-server:
milestone: none → 18.05
David Ames (thedac)
Changed in charm-rabbitmq-server:
status: Fix Committed → Fix Released
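
The behaviour the commit message describes (probe only 5671 when ssl=only, both 5672 and 5671 when ssl=on) can be sketched as follows. This is an added example, not the code merged in the charm: the function names, the 'off' mode value and the Nagios-style return codes are assumptions, and the TLS probe verifies the broker certificate and hostname against a CA file such as the cacertfile shown in the rabbitmq.config above.

```python
import socket
import ssl

AMQP_HEADER = b"AMQP\x00\x00\x09\x01"  # AMQP 0-9-1 protocol header

def endpoints_for(ssl_mode, plain_port=5672, tls_port=5671):
    """Map the charm's ssl option to the (port, use_tls) pairs to probe."""
    modes = {
        "off": [(plain_port, False)],                   # assumed value
        "on": [(plain_port, False), (tls_port, True)],  # both listeners
        "only": [(tls_port, True)],                     # tcp_listeners is []
    }
    if ssl_mode not in modes:
        raise ValueError("unknown ssl mode: %r" % (ssl_mode,))
    return modes[ssl_mode]

def probe(host, port, use_tls, cafile=None, timeout=5.0):
    """Connect, optionally do a verified TLS handshake, then send the AMQP
    header; a broker that accepts it answers with a method frame (type 1)."""
    conn = None
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            # Verify the broker certificate against the CA; never disable this
            ctx = ssl.create_default_context(cafile=cafile)
            conn = ctx.wrap_socket(conn, server_hostname=host)
        conn.sendall(AMQP_HEADER)
        first = conn.recv(1)
    except OSError as exc:  # refused, timeout, ssl.SSLError, bad certificate
        return False, "%s:%d %s" % (host, port, exc)
    finally:
        if conn is not None:
            conn.close()
    if first == b"\x01":
        return True, "%s:%d AMQP%s ok" % (host, port, " over TLS" if use_tls else "")
    return False, "%s:%d unexpected reply %r" % (host, port, first)

def run_check(ssl_mode, host="localhost", cafile=None, **ports):
    """Return a Nagios-style (exit_code, message): 0 OK, 2 CRITICAL."""
    results = [probe(host, port, tls, cafile)
               for port, tls in endpoints_for(ssl_mode, **ports)]
    failed = [msg for ok, msg in results if not ok]
    if failed:
        return 2, "CRITICAL: " + "; ".join(failed)
    return 0, "OK: " + "; ".join(msg for _, msg in results)
```

Because the TLS probe keeps hostname verification on, the host passed to run_check must match a name in the server certificate.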