RABBITMQ_DEFAULT_USER/PASS environment variables not taken into account

[thijscobben]

My docker-setup is:

    mq:
        image: rabbitmq:3.6
        restart: "always"
        ports:
            - "15672"
            - "5672"
        environment:
            - "RABBITMQ_DEFAULT_PASS=pass"
            - "RABBITMQ_DEFAULT_USER=user"
            - "RABBITMQ_DEFAULT_VHOST='vhost'"
        read_only: false
        volumes:
            - "${B2SHARE_DATADIR}/rabbitmq-data:/var/lib/rabbitmq"
        entrypoint:
            - "rabbitmq-server"
            - "--hostname"
            - "mq"

From the docker-compose logs I see:

mq_1             | =INFO REPORT==== 12-Apr-2017::08:27:11 ===
mq_1             | Creating user 'guest'
mq_1             | 
mq_1             | =INFO REPORT==== 12-Apr-2017::08:27:11 ===
mq_1             | Setting user tags for user 'guest' to [administrator]
mq_1             | 
mq_1             | =INFO REPORT==== 12-Apr-2017::08:27:11 ===
mq_1             | Setting permissions for 'guest' in '/' to '.*', '.*', '.*'

when I docker-compose exec mq /bin/bash
I see

root@481b33f49db1:/# env
RABBITMQ_DEFAULT_PASS=pass
RABBITMQ_VERSION=3.6.9
HOSTNAME=481b33f49db1
TERM=xterm
RABBITMQ_DEBIAN_VERSION=3.6.9-1
RABBITMQ_SASL_LOGS=-
PATH=/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RABBITMQ_DEFAULT_USER=user
PWD=/
RABBITMQ_LOGS=-
SHLVL=1
HOME=/var/lib/rabbitmq
GOSU_VERSION=1.7
RABBITMQ_DEFAULT_VHOST='vhost'
_=/usr/bin/env

when I do rabbitmqctl list_users I only see the guest user

and when my service (python app) tries to do something with mq it gets (consistent with startup log and rabbitmqctl output) a permission denied.

I would have expected that the default user would not be guest/guest but user/pass. Also, I think that guest user is prevented from accessing other than localhost. This blocks my system. What am I doing wrong? Or can this be fixed?

[tianon]

I can't seem to reproduce:

$ docker pull rabbitmq:3.6
3.6: Pulling from library/rabbitmq
Digest: sha256:9f5536f8bf6243b6dfd74dd9fb13d460f55b8e633d20f9a970c228c61b07f987
Status: Image is up to date for rabbitmq:3.6
$ docker run -it --rm -e RABBITMQ_DEFAULT_USER=user -e RABBITMQ_DEFAULT_PASS=pass -e RABBITMQ_DEFAULT_VHOST=vhost rabbitmq:3.6 rabbitmq-server --hostname mq

              RabbitMQ 3.6.9. Copyright (C) 2007-2016 Pivotal Software, Inc.
  ##  ##      Licensed under the MPL.  See http://www.rabbitmq.com/
  ##  ##
  ##########  Logs: tty
  ######  ##        tty
  ##########
              Starting broker...

...

=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Adding vhost 'vhost'

=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Creating user 'user'

=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Setting user tags for user 'user' to [administrator]

=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Setting permissions for 'user' in 'vhost' to '.*', '.*', '.*'

...

=INFO REPORT==== 25-Apr-2017::22:04:19 ===
Server startup complete; 0 plugins started.

[zoidyzoidzoid]

I think the reporter's environment should be a map, not an array:

        environment:
            RABBITMQ_DEFAULT_PASS: pass
            RABBITMQ_DEFAULT_USER: user
            RABBITMQ_DEFAULT_VHOST: 'vhost'

[Gsantomaggio]

Made a quick test and seems that when you set the entrypoint it does not create the config file:

ex:

   environment:
     - "RABBITMQ_DEFAULT_PASS=pass"
     - "RABBITMQ_DEFAULT_USER=user"
     - "RABBITMQ_DEFAULT_VHOST='vhost'"
    entrypoint:
     - "rabbitmq-server"

result:

root@655f2e427736:/# cat /etc/rabbitmq/rabbitmq.config
cat: /etc/rabbitmq/rabbitmq.config: No such file or directory

removing the endpoint

version: "2"
services:
  mq1:
    image: rabbitmq:3.6
    restart: "always"
    ports:
      - "15672"
      - "5672"
    environment:
     - "RABBITMQ_DEFAULT_PASS=pass"
     - "RABBITMQ_DEFAULT_USER=user"
     - "RABBITMQ_DEFAULT_VHOST='vhost'"

it works

root@9b7a6254462c:/# cat /etc/rabbitmq/rabbitmq.config
[ { rabbit, [
	{ loopback_users, [ ] },
	{ tcp_listeners, [ 5672 ] },
	{ ssl_listeners, [ ] },
	{ default_pass, <<"pass">> },
	{ default_user, <<"user">> },
	{ default_vhost, <<"'vhost'">> },
	{ hipe_compile, false }
] } ].
root@9b7a6254462c:/#

[zoidyzoidzoid]

Oh yeah, totally missed that. That makes sense.

@thijscobben probably meant to override command and not entrypoint.

[stavling]

Hey!

I have a similar problem in my setup. This is my compose file:

services:
  rabbitmq:
    image: "rabbitmq:3-management"
    ports:
      - "5672:5672"
      - "15672:15672"
    environment:
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
    hostname: "rabbit_mnesia"
    volumes:
    - ~/docker_compose/d/rabbitdb:/var/lib/rabbitmq/mnesia

The config looks like:

[
    { rabbit, [
        { loopback_users, [ ] },
        { tcp_listeners, [ 5672 ] },
        { ssl_listeners, [ ] },
        { default_pass, <<"correct_password">> },
        { default_user, <<"correct_user">> },
        { hipe_compile, false }
    ] },
    { rabbitmq_management, [ { listener, [
        { port, 15672 },
        { ssl, false }
    ] } ] }
].

I can open up the management-GUI, but I can only login with guest:guest

Docker info:

docker-compose version 1.14.0, build c7bdf9e
docker-py version: 2.3.0
CPython version: 2.7.12
OpenSSL version: OpenSSL 1.0.2j  26 Sep 2016

Running on macOS Sierra, 10.12.5 (16F73)

Anyone have any ideas?

[stavling]

If I bash into the container and manually restart the rabbitmq-node, the config works? Is it possible the the rabbitmq-node starts before the new config is set?

[Jarlotee]

Bump, experiencing this as well, any movement?

[stavling]

@Jarlotee Unfortunately, I don't think I can help. It was a long time ago, and if I remember correctly, it suddenly just started working out of nowhere and I did not dig into it any further.

[tesarm]

@stavling @Jarlotee I fixed this by removing the old container and started everything again.

docker stop rabbitmq && docker rm rabbitmq && docker-compose up

[tianon]

Since the original issue appears solved, I'm going to close.

For further help debugging, I'd recommend trying the Docker Community Forums, the Docker Community Slack, or Stack Overflow. Thanks!

[timabbott]

I ran into what appears to be this exact same problem. If you boot a RabbitMQ container with one value of RABBITMQ_DEFAULT_PASS, stop the container, change that RABBITMQ_DEFAULT_PASS to a new password, and start a new container, then connecting with the old password works, and the new password doesn't. The /etc/rabbitmq/rabbitmq.conf has the new password in it, so that part is working.

This suggests an explanation like #150 (comment), where the container isn't reliable about the ordering between doing configuration and starting rabbitmq.

Can this issue be reopened? I don't think it's been fixed.

[timabbott]

OK, I figured out what's going on here. The RabbitMQ image is storing the RabbitMQ database across restarts, and that's why the password from the first boot is preserved even after one changes the environment. We don't declare any volumes in our config, but I did notice this line in the Dockerfile for the RabbitMQ image:

• https://github.com/docker-library/rabbitmq/blob/master/3.7/debian/Dockerfile#L132

As a result, one has to do e.g. a docker-compose rm rabbitmq after editing the environment variables in order to change the password on the volume.

Here's the docker-compose config I'm using, for reference:
https://github.com/zulip/docker-zulip/blob/master/docker-compose.yml

At the very least, this land mine with changing the credentials for this image should be documented.

[TheFonz2017]

I think, this is still an issue. I am facing similar problems, when I am overriding the CMD.
The /etc/rabbitmq/rabbit.conf is not created and hence the default user and password are not available for login via the Web UI.

My docker-compose.yml is as follows:

---
version: '2.3'

#################################################################################
#    For more information on the syntax and features of docker-compose files,   #
#    see: https://docs.docker.com/compose/compose-file/                         #
#################################################################################

# Declaration of the network nodes.
services:
    rabbit-1:
        build: 
          context: .                                       # directory to build from.
          dockerfile: Dockerfile-rabbit                    # Dockerfile name for rabbit container.
        command:  bash -c 'ip route add 172.2.0.0/16 via 172.1.0.2 && ip route add 172.3.0.0/16 via 172.1.0.2 && rabbitmq-server'
        privileged: true                                   # required so that routing tables can be manipulated.
        hostname: rabbit-1                                 # hostname will be used by RabbitMQ to name the server instance.
        ports:
            - "7777:15672"                                 # map local port 7777 to the web management console's internal port 15672
        volumes:                                           # mount files into rabbit containers.
            - type: bind
              source: ./enabled_plugins                    # mount enabled_plugins file into rabbit 
              target: /etc/rabbitmq/enabled_plugins        # for inspection at startup.
        environment:
            RABBITMQ_DEFAULT_VHOST: rabbit-vhost-1         # Change default Vhost name of RabbitMQ server.
            RABBITMQ_DEFAULT_USER: test                    # Default user name (for management console).
            RABBITMQ_DEFAULT_PASS: test1234                # Default password (for management console).
            #RABBITMQ_ERLANG_COOKIE: 'secret cookie here'  # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
            #RABBITMQ_HIPE_COMPILE: 1                      # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
        networks:
            network-1:
                ipv4_address: 172.1.0.3

    rabbit-2:
        build:                                              
          context: .                                       # directory to build from.
          dockerfile: Dockerfile-rabbit                    # Dockerfile name for rabbit container.
        command: bash -c 'ip route add 172.1.0.0/16 via 172.2.0.2 && ip route add 172.3.0.0/16 via 172.2.0.2 && rabbitmq-server'
        privileged: true                                   # required so that routing tables can be manipulated.
        hostname: rabbit-2                                 # hostname will be used by RabbitMQ to name the server instance.
        ports:
            - "7778:15672"                                 # map local port 7778 to the web management console's internal port 15672
        volumes:                                           # mount files into rabbit containers.
            - type: bind
              source: ./enabled_plugins                    # mount enabled_plugins file into rabbit 
              target: /etc/rabbitmq/enabled_plugins        # for inspection at startup.
        environment:
            RABBITMQ_DEFAULT_VHOST: rabbit-vhost-2         # Change default Vhost name of RabbitMQ server.
            RABBITMQ_DEFAULT_USER: test                    # Default user name (for management console).
            RABBITMQ_DEFAULT_PASS: test1234                # Default password (for management console).
            #RABBITMQ_ERLANG_COOKIE: 'secret cookie here'  # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
            #RABBITMQ_HIPE_COMPILE: 1                      # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
        networks:
            network-2:
                ipv4_address: 172.2.0.3

    rabbit-3:
        build: 
          context: .                                       # directory to build from.
          dockerfile: Dockerfile-rabbit                    # Dockerfile name for rabbit container.
        command: bash -c 'ip route add 172.1.0.0/16 via 172.3.0.2 && ip route add 172.2.0.0/16 via 172.3.0.2 && rabbitmq-server'
        privileged: true                                   # required so that routing tables can be manipulated.
        hostname: rabbit-3                                 # hostname will be used by RabbitMQ to name the server instance.
        ports:
            - "7779:15672"                                 # map local port 7777 to the web management console's internal port 15672
        volumes:                                           # mount files into rabbit containers.
            - type: bind
              source: ./enabled_plugins                    # mount enabled_plugins file into rabbit 
              target: /etc/rabbitmq/enabled_plugins        # for inspection at startup.
        environment:
            RABBITMQ_DEFAULT_VHOST: rabbit-vhost-3         # Change default Vhost name of RabbitMQ server.
            RABBITMQ_DEFAULT_USER: test                    # Default user name (for management console).
            RABBITMQ_DEFAULT_PASS: test1234                # Default password (for management console).
            #RABBITMQ_ERLANG_COOKIE: 'secret cookie here'  # Erlang Cookie for Clustering. See: https://www.rabbitmq.com/clustering.html#erlang-cookie.
            #RABBITMQ_HIPE_COMPILE: 1                      # Enable HiPE compiler - pre-compiling parts of RabbitMQ in a JIT fashion to speed up throughput
        networks:
            network-3:
                ipv4_address: 172.3.0.3

    router:
        build:
            context: .                                     # directory to build from.
            dockerfile: Dockerfile-router                  # Dockerfile of the router container.
        tty: true                                          # required to keep the container from exiting immediately.
        privileged: true                                   # required so that routing tables can be manipulated.
        networks:
            network-1:
                ipv4_address: 172.1.0.2
            network-2:
                ipv4_address: 172.2.0.2
            network-3:
                ipv4_address: 172.3.0.2

# Declaration of the networks. 
# These are referenced by the nodes above.
networks:
    network-1:
        driver: "bridge"
        ipam:
            config:
                - subnet: 172.1.0.0/16
                  gateway: 172.1.0.1
    network-2:
        driver: "bridge"
        ipam:
            config:
                - subnet: 172.2.0.0/16
                  gateway: 172.2.0.1
    network-3:
        driver: "bridge"
        ipam:
            config:
                - subnet:  172.3.0.0/16
                  gateway: 172.3.0.1

Funny enough, rabbitmq-server still starts the server, but running it from a shell command (like given above) will not create the rabbit config file. Could this be an issue with the entrypoint script?
If I specify the command in my compose file like this:

command: ["rabbitmq-server"]

... evth. works fine. But then I cannot execute the other commands (ip route add etc. as shown above).

In any case, I think this behaviour is rather unexpected and seems more like a bug.
I think this should be reopened.

EDIT:
I can definitely confirm that this has to do with the docker-entrypoint.sh script.
Using the following in my docker-compose.yml (without any command:) works:

entrypoint: ["bash", "-c", "ip route add 172.2.0.0/16 via 172.1.0.2 && ip route add 172.3.0.0/16 via 172.1.0.2 && docker-entrypoint.sh rabbitmq-server"]  

Note, that I am executing commands before the startup of rabbitmq-server and then execute the docker-entrypoint.sh together with rabbitmq-server.

Still, this is not really ideal.

[tianon]

What you've discovered is exactly the expected behavior. The docker-entrypoint.sh script is responsible for all the additional behavior provided by this image, and it only does anything if the command is rabbitmq-server (so that folks trying to run bash or the like don't get a container that fails to start due to some random environment variable issue).

So your fix is exactly correct (re-executing docker-entrypoint.sh) for how you're trying to run the application (if the behavior provided by this image is something you want applied).

[TheFonz2017]

Well, good to know, thanks. Maybe this should be documented somewhere.
Although, it is now documented here... ;)
Cheers!

[Joe-Heffer-Shef]

I fixed this problem by deleting the RabbitMQ docker volume on the host machine and rebuilding/restarting the image/container. It appears the user info is stored in the persistent settings files somehow.

[liv1n9]

I still get this error. My docker-compose.yml file:

version: '3.7'

services:
  rabbitmq:
    image: rabbitmq:3.11-alpine
    ports:
      - '4369:4369'
      - '5551:5551'
      - '5552:5552'
      - '5672:5672'
      - '25672:25672'
      - '15672:15672'
    environment:
      - RABBITMQ_DEFAULT_USER=user
      - RABBITMQ_DEFAULT_PASS=password

Run command:

docker compose up -d

Logs:

...
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:00.996865+00:00 [info] <0.728.0> Server startup complete; 3 plugins started.
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:00.996865+00:00 [info] <0.728.0>  * rabbitmq_prometheus
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:00.996865+00:00 [info] <0.728.0>  * rabbitmq_web_dispatch
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:00.996865+00:00 [info] <0.728.0>  * rabbitmq_management_agent
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:03.233935+00:00 [info] <0.802.0> accepting AMQP connection <0.802.0> (192.168.48.1:56122 -> 192.168.48.2:5672)
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:03.235943+00:00 [error] <0.802.0> Error on AMQP connection <0.802.0> (192.168.48.1:56122 -> 192.168.48.2:5672, state: starting):
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:03.235943+00:00 [error] <0.802.0> PLAIN login refused: user 'guest' - invalid credentials
rabbitmq-docker-rabbitmq-1  | 2022-11-01 08:54:03.236336+00:00 [info] <0.802.0> closing AMQP connection <0.802.0> (192.168.48.1:56122 -> 192.168.48.2:5672)

[lukebakken]

@liv1n9 please note that when you comment on a closed GitHub issue it's unlikely that people will see your comment.

You are NOT experiencing the issue reported here. Please carefully examine the output you pasted. It is clear that your application is connecting as the guest user, which is disallowed by default.

I double-checked that RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS work as expected:

Docker command and output

$ docker run --env=RABBITMQ_DEFAULT_USER=foobar --env=RABBITMQ_DEFAULT_PASS=bazbat --publish=5672:5672 --rm rabbitmq:3-alpine

  ##  ##      RabbitMQ 3.11.2
  ##  ##
  ##########  Copyright (c) 2007-2022 VMware, Inc. or its affiliates.
  ######  ##
  ##########  Licensed under the MPL 2.0. Website: https://rabbitmq.com

  Erlang:      25.1.2 [jit]
  TLS Library: OpenSSL - OpenSSL 1.1.1q  5 Jul 2022
...
...
...
2022-11-01 14:21:37.351359+00:00 [info] <0.229.0> Created user 'foobar'
...
...
...
2022-11-01 14:21:37.354002+00:00 [info] <0.229.0> Successfully set user tags for user 'foobar' to [administrator]
2022-11-01 14:21:37.356465+00:00 [info] <0.229.0> Successfully set permissions for 'foobar' in virtual host '/' to '.*', '.*', '.*'
2022-11-01 14:21:37.402895+00:00 [info] <0.799.0> started TCP listener on [::]:5672
 completed with 3 plugins.
2022-11-01 14:21:37.460613+00:00 [info] <0.728.0> Server startup complete; 3 plugins started.
2022-11-01 14:21:37.460613+00:00 [info] <0.728.0>  * rabbitmq_prometheus
2022-11-01 14:21:37.460613+00:00 [info] <0.728.0>  * rabbitmq_web_dispatch
2022-11-01 14:21:37.460613+00:00 [info] <0.728.0>  * rabbitmq_management_agent

Test application

lbakken@shostakovich ~/development/pika/pika/examples (main *=)
$ cat publish.py
# -*- coding: utf-8 -*-
# pylint: disable=C0111,C0103,R0205

import logging
import pika
from pika import DeliveryMode
from pika.exchange_type import ExchangeType

logging.basicConfig(level=logging.DEBUG)

credentials = pika.PlainCredentials('foobar', 'bazbat')
parameters = pika.ConnectionParameters('shostakovich', credentials=credentials)
connection = pika.BlockingConnection(parameters)

RabbitMQ logs when test app connects

2022-11-01 14:19:03.902601+00:00 [info] <0.802.0> accepting AMQP connection <0.802.0> (172.17.0.1:39918 -> 172.17.0.2:5672)
2022-11-01 14:19:03.904926+00:00 [info] <0.802.0> connection <0.802.0> (172.17.0.1:39918 -> 172.17.0.2:5672): user 'foobar' authenticated and granted access to vhost '/'

[srelbo]

For anyone seeing this in 2023, and new to RabbitMQ, this may still be broken. Apparently the environment variables are deprecated, the /etc/rabbitmq/rabbitmq.conf does not get generated (in some cases). The password also needs to SHA256 encrypted and base64'd. Too many changes in RabbitMQ and the docs and old solutions threads don't work.

After spending a couple of hours on this, the instructions in this blog finally worked -- https://elnatantorres.medium.com/configuring-rabbitmq-on-its-startup-with-docker-d219af4b751a

HTHs

[michaelklishin]

RABBITMQ_DEFAULT_USER and friends are now supported by RabbitMQ itself since August 2021 rabbitmq/rabbitmq-server#3299.

How password hashes are computed in RabbitMQ has not changed for many years (five or six?)

[dearlordylord]

Env vars RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS do work accordingly to the documentation of docker container (deprecation warning isn't related to those vars and is about the vars listed a bit above on the Docker page).

They indeed create a user / password when I test it without RABBITMQ_CONFIG_FILE

however, everything is changed when RABBITMQ_CONFIG_FILE is set and management.load_definitions in the file points to a definition file, whether such file contains users: key or not. In such a case, RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS are ignored.

Had to put some hours on this issue. This task shouldn't be closed.

[lukebakken]

@Firfi thanks for reporting. This issue is not specific to the docker image, so I opened rabbitmq/rabbitmq-server#7678

Note that the following was logged in your environment: https://github.com/rabbitmq/rabbitmq-server/blob/main/deps/rabbit/src/rabbit.erl#L1066

Will not seed default virtual host and user: have definitions to load...

However, this may not be clear enough and we could probably improve the documentation.

[lukebakken]

For people who come across this issue, please note that as soon as you instruct RabbitMQ to import definitions, there is NO OTHER WAY to import users other than via the definitions file. This behavior is by design because we consider a definitions import to be definitive when creating entities.

You will see the following logged when this scenario happens:

2023-03-22 19:50:20.339779+00:00 [info] <0.230.0> Will not seed default virtual host and user: have definitions to load...

[dearlordylord]

Well we could sed the definitions file 😅

[michaelklishin]

@Firfi there is no need to sed anything. You can import a conf.d-style directory of definition files in alphabetic order. Just generate a new definition file however you please.

[michaelklishin]

How passwords are computed is documented and in modern versions, there is a CLI command that does all that work
for you:

rabbitmqctl hash_password foobarbaz

Alternatively you can set up a node however you like and export definitions then use the resulting file (as one of the files imported or the only one).

[dearlordylord]

@Firfi there is no need to sed anything. You can import a conf.d-style directory of definition files in alphabetic order. Just generate a new definition file however you please.

Thank you for the suggestion and for the estimation of my proposed solution, but perhaps I struggle with understanding here; how exactly the ability to provide several definitions file resolves my specific case of needing to provide different usernames/passwords depending on the environment the server is run in.

[dearlordylord]

The thread got forked into two at this point. The detailed use case that I presented here as short "I want env vars to go into password" is here rabbitmq/rabbitmq-server#7678 (comment)

The current solution is sed-like shenanigans in entrypoint.sh of Dockerfile

#!/bin/sh

set -e

RABBITMQ_DEFS_FILE="/data/rabbitmq/definitions.json"
RABBITMQ_DEFS_FILE_TMP="/data/rabbitmq/definitions.json.tmp"

# Replace SED_ME_BABY with RABBITMQ_PASSWORD_HASH in the configuration file
awk -v rp="${RABBITMQ_PASSWORD_HASH}" 'BEGIN{ORS=""; first=1}{if(first) {first=0} else {print "\n"}} {gsub(/SED_ME_BABY/, rp); print}' ${RABBITMQ_DEFS_FILE} > ${RABBITMQ_DEFS_FILE_TMP}

# Move the modified configuration file to the original location
mv ${RABBITMQ_DEFS_FILE_TMP} ${RABBITMQ_DEFS_FILE}

# Start RabbitMQ server with the modified configuration
exec docker-entrypoint.sh rabbitmq-server

This solution is far from perfect, of course! The ideal solution would be to have the ability to declare users and queues separately. The more I think about it more it makes sense. It's like having the pattern in SQL where they handle DDL and DML differently. Here queue/exchange definitions behave like schema, whereas users are rows in a 'users' table, and tying them together would be, although "definitive", impractical.

[michaelklishin]

Between environment variable values expansion in rabbitmq.conf and support for directories of definition files, the only small bit I can think of is a CLI tool that would generate
definitions with N virtual hosts and/or users for test environments.

In fact, RabbitMQ is open source software that 99% of users get for a grand price of USD 0,
so the community could probably build such a tool themselves, and support all the environment
variables they please.