TECH-3227: Modernizing cloud-init.yml #22
Conversation
cloud-init.yaml
Outdated
| - path: /root/conf/advanced.config | ||
| content: | | ||
| [ | ||
| {rabbit, [ | ||
| {forced_feature_flags_on_init, [ | ||
| drop_unroutable_metric, empty_basic_get_metric, implicit_default_bindings, quorum_queue, virtual_host_metadata | ||
| ]} | ||
| ]} | ||
| ]. |
There was a problem hiding this comment.
Because newer versions of RabbitMQ have feature flags that are automatically enabled and not backwards compatible nor can you disable them once they are on. We need to disable them on boot and then enable them once the cluster is upgraded to the new version.
NOTE: Unfortunately this can only be done using the old config file format.
AND: Yes is auto loaded and yes its advanced.config not *.conf like the new format ><
There was a problem hiding this comment.
It might be nice to have this be a var but I haven't gotten there yet.
| - path: /root/conf/rabbitmq.conf | ||
| content: | | ||
| [ { rabbit, [ | ||
| { loopback_users, [ ] } ] } | ||
| ]. | ||
| loopback_users = none |
There was a problem hiding this comment.
The new config format is much simpler, easier for humans to read and machines to generate. It is also relatively limited compared to the classic config format used prior to RabbitMQ 3.7.0.
NOTE: file name did change from rabbitmq.config -> rabbitmq.conf
REF: https://www.rabbitmq.com/configure.html#config-file-formats
cloud-init.yaml
Outdated
| - yum update -y | ||
| - yum install -y docker jq | ||
| - pip3 install boto3 | ||
| - DD_AGENT_MAJOR_VERSION=7 DD_INSTALL_ONLY=true DD_API_KEY=$(aws ssm get-parameter --name ${dd_api_key} --with-decryption --region ${region} | jq -r '.Parameter.Value') DD_SITE="${dd_site}" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh)" | ||
| - DD_AGENT_MAJOR_VERSION=7 DD_INSTALL_ONLY=true DD_API_KEY=$(aws ssm get-parameter --name ${dd_api_key} --with-decryption --region ${region} | jq -r '.Parameter.Value') DD_SITE="${dd_site}" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" |
There was a problem hiding this comment.
install_script.sh- Install script that usesDD_AGENT_MAJOR_VERSION=6by default and also emits a deprecation warning when run
REF: https://github.com/DataDog/agent-linux-install-script#working-with-this-repository
| @@ -196,12 +213,14 @@ runcmd: | |||
| - cp /root/datadog-agent/conf.d/rabbitmq.d/conf.yaml /etc/datadog-agent/conf.d/rabbitmq.d/conf.yaml && chown dd-agent /etc/datadog-agent/conf.d/rabbitmq.d/conf.yaml | |||
| - cp /root/datadog-agent/secrets.py /etc/datadog-agent/secrets.py && chown dd-agent /etc/datadog-agent/secrets.py && chmod 0700 /etc/datadog-agent/secrets.py | |||
| - systemctl start datadog-agent | |||
| - $(aws ecr get-login --no-include-email --region ${region} --registry-ids ${ecr_registry_id}) | |||
| - docker run -d --name rabbitmq --hostname $HOSTNAME --log-driver=local --log-opt max-size=10m -p 4369:4369 -p 5672:5672 -p 15672:15672 -p 25672:25672 -e RABBITMQ_ERLANG_COOKIE=$(aws ssm get-parameter --name ${secret_cookie} --with-decryption --region ${region} | jq -r '.Parameter.Value') -v /root/data:/var/lib/rabbitmq -v /root/conf/:/etc/rabbitmq -v /root/bin:/tmp/bin ${rabbitmq_image} | |||
| - $(aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${ecr_registry_id}.dkr.ecr.${region}.amazonaws.com) | |||
There was a problem hiding this comment.
Security risk:
This command displays docker login commands to stdout with authentication credentials. Your credentials could be visible by other users on your system in a process list display or a command history. If you are not on a secure system, you should consider this risk and login interactively. For more information, see get-authorization-token.
REF: https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html
| - docker run -d --name rabbitmq --hostname $HOSTNAME --log-driver=local --log-opt max-size=10m -p 4369:4369 -p 5672:5672 -p 15672:15672 -p 25672:25672 -e RABBITMQ_ERLANG_COOKIE=$(aws ssm get-parameter --name ${secret_cookie} --with-decryption --region ${region} | jq -r '.Parameter.Value') -v /root/data:/var/lib/rabbitmq -v /root/conf/:/etc/rabbitmq -v /root/bin:/tmp/bin ${rabbitmq_image} | ||
| - $(aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${ecr_registry_id}.dkr.ecr.${region}.amazonaws.com) | ||
| - bash /root/erlang_cookie.sh | ||
| - docker run -d --name rabbitmq --hostname $HOSTNAME --log-driver=local --log-opt max-size=10m -p 4369:4369 -p 5672:5672 -p 15672:15672 -p 25672:25672 -v /root/data:/var/lib/rabbitmq -v /root/conf/:/etc/rabbitmq -v /root/bin:/tmp/bin ${rabbitmq_image} |
There was a problem hiding this comment.
RABBITMQ_ERLANG_COOKIE env variable support is deprecated and will be REMOVED in a future version. Use the $HOME/.erlang.cookie file or the --erlang-cookie switch instead.
There is not much mentioned about this other than its usage and the deprecated warning found in 3.8.10.
REF: https://www.rabbitmq.com/clustering.html#cookie-file-locations
cloud-init.yaml
Outdated
| - path: /root/erlang_cookie.sh | ||
| content: | | ||
| #!/usr/bin/env bash | ||
| mkdir /root/data/ | ||
| aws ssm get-parameter --name ${secret_cookie} --with-decryption --region ${region} | jq -r '.Parameter.Value' > /root/data/.erlang.cookie | ||
| chmod 400 /root/data/.erlang.cookie | ||
|
|
There was a problem hiding this comment.
Other parts of preexisting docker run will handle the rest of this through volume mounting. But first we need the correct file in the correct location with the correct perms:
- mkdir /root/data/
- /root/data:/var/lib/rabbitmq
- chmod 400 /root/data/.erlang.cookie
There was a problem hiding this comment.
this info would be great to include in a comments!
fjoeaz
added
bug
| - path: /root/conf/enabled_plugins | ||
| content: | | ||
| [prometheus_rabbitmq_exporter,rabbitmq_management]. | ||
| - path: /root/conf/rabbitmq.config | ||
| [ | ||
| rabbitmq_management | ||
| ]. |
There was a problem hiding this comment.
RabbitMQ versions prior to 3.8 used a separate plugin,
prometheus_rabbitmq_exporter, to expose metrics to Prometheus.
NOTE: We are and have been on 3.8.* for a long time no need for this removed plugin.
REF: https://www.rabbitmq.com/prometheus.html#3rd-party-plugin
|
Don't hate the programmer hate the language :) terraform-aws-rabbitmq/main.tf Lines 1 to 29 in c7e6518 All parts tested from 3.8.* to 3.12.* all work as intended even if it looks a little sketchy. Unfortunately TF does NOT give us much options other that gnarly strings with nested if's. |
| - | | ||
| TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` | ||
| sed -i "s/replace_ip_address_here/$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/local-ipv4)/g" /root/datadog-agent/conf.d/rabbitmq.d/conf.yaml |
There was a problem hiding this comment.
v1 wasn't returning anything so needed v2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- All better RabbitMQ QA Cluster Degraded: https://app.datadoghq.com/monitors/48134887
- Dashboard: https://app.datadoghq.com/dashboard/kpa-i8c-nqn/rabbitmq-cmw-qa
cloud-init.yaml
Outdated
| - path: /root/erlang_cookie.sh | ||
| content: | | ||
| #!/usr/bin/env bash | ||
| mkdir /root/data/ | ||
| aws ssm get-parameter --name ${secret_cookie} --with-decryption --region ${region} | jq -r '.Parameter.Value' > /root/data/.erlang.cookie | ||
| chmod 400 /root/data/.erlang.cookie | ||
|
|
There was a problem hiding this comment.
this info would be great to include in a comments!
| # https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-linux-2-ami-kernel-5-10/ | ||
| name = "name" | ||
| values = ["amzn2-ami-kernel-5.*"] | ||
| feature_flag_template = ( |
Description
This makes it so we can go from
3.8.0->3.12.*with hot rolling upgrades.Steps to Test
Links