How to add initial users when starting a RabbitMQ Docker container?
Solution 1
You can create a simple Dockerfile that extends the functionality of the basic image and creates a default user. The Docker file you need is the following:
FROM rabbitmq
# Define environment variables.
ENV RABBITMQ_USER user
ENV RABBITMQ_PASSWORD user
ENV RABBITMQ_PID_FILE /var/lib/rabbitmq/mnesia/rabbitmq
ADD init.sh /init.sh
RUN chmod +x /init.sh
EXPOSE 15672
# Define default command
CMD ["/init.sh"]
And the init.sh:
#!/bin/sh
# Create Rabbitmq user
( rabbitmqctl wait --timeout 60 $RABBITMQ_PID_FILE ; \
rabbitmqctl add_user $RABBITMQ_USER $RABBITMQ_PASSWORD 2>/dev/null ; \
rabbitmqctl set_user_tags $RABBITMQ_USER administrator ; \
rabbitmqctl set_permissions -p / $RABBITMQ_USER ".*" ".*" ".*" ; \
echo "*** User '$RABBITMQ_USER' with password '$RABBITMQ_PASSWORD' completed. ***" ; \
echo "*** Log in the WebUI at port 15672 (example: http:/localhost:15672) ***") &
# $@ is used to pass arguments to the rabbitmq-server command.
# For example if you use it like this: docker run -d rabbitmq arg1 arg2,
# it will be as you run in the container rabbitmq-server arg1 arg2
rabbitmq-server $@
This script also initialize and expose the RabbitMQ webadmin at port 15672.
Solution 2
Came up with a solution that suits my needs, leaving it here in case anybody else needs it.
Summary
The idea is to take a standard rabbitmq container with management plugin enabled and use it to create the required configuration, then export and use it to start new containers. The below solution creates a derived docker image but it also works to just mount the two files at runtime (e.g. using docker compose).
References
Components
-
official rabbitmq image, management plugin version (rabbitmq:management)
-
custom image based on the original one, with this Dockerfile (using version 3.6.6):
FROM rabbitmq:3.6.6-management ADD rabbitmq.config /etc/rabbitmq/ ADD definitions.json /etc/rabbitmq/ RUN chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config /etc/rabbitmq/definitions.json CMD ["rabbitmq-server"]
-
rabbitmq.config just tells rabbitmq to load definitions from the json file
-
definitions.json contains the users, vhosts, etc. and can be generated by the export function of the management web interface
rabbitmq.config example:
[
{rabbit, [
{loopback_users, []}
]},
{rabbitmq_management, [
{load_definitions, "/etc/rabbitmq/definitions.json"}
]}
].
definitions.json example:
{
"rabbit_version": "3.6.6",
"users": [
{
"name": "user1",
"password_hash": "pass1",
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
},
{
"name": "adminuser",
"password_hash": "adminpass",
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": "administrator"
}
],
"vhosts": [
{
"name": "\/vhost1"
},
{
"name": "\/vhost2"
}
],
"permissions": [
{
"user": "user1",
"vhost": "\/vhost1",
"configure": ".*",
"write": ".*",
"read": ".*"
}
],
"parameters": [],
"policies": [],
"queues": [],
"exchanges": [],
"bindings": []
}
Alternave version
Deriving a new docker image is just one solution and works best when portability is key, since it avoids including host-based file management in the picture.
In some situations using the official image and providing configuration files from storage local to the host might be preferred.
The rabbitmq.config and definitions.json files are produced the same way, then mounted at runtime.
Notes:
- I'm assuming they have been placed in /etc/so/ for the sake of these examples
- files need to either be world readable or owned by the rabbitmq user or group (numerical id inside the docker container is 999), this needs to be handled by the host's sysadmin
docker run example:
docker run --rm -it \
-v /etc/so/rabbitmq.config:/etc/rabbitmq/rabbitmq.config:ro \
-v /etc/so/definitions.json:/etc/rabbitmq/definitions.json:ro \
rabbitmq:3.6-management
docker compose example:
version: '2.1'
services:
rabbitmq:
image: "rabbitmq:3.6-management"
ports:
- 5672:5672
- 15672:15672
volumes:
- /etc/so/rabbitmq.config:/etc/rabbitmq/rabbitmq.config:ro
- /etc/so/definitions.json:/etc/rabbitmq/definitions.json:ro
Solution 3
The newest version of the RabbitMQ image on Dockerhub has in-built functionality for changing the default username / password from "guest" / "guest" to something else.
Simply set the environment variables "RABBITMQ_DEFAULT_USER" and "RABBITMQ_DEFAULT_PASS" when starting the image.
As a docker command, you would run the image like this:
docker run \
-e RABBITMQ_DEFAULT_USER=test-user \
-e RABBITMQ_DEFAULT_PASS=test-user \
-p 5672:5672 \
rabbitmq
Solution 4
I would like to add that sudo's response helped me a lot. But that it still missed a command to be added to the Dockerfile.
The rabbitmq.config and definitions.json file should be owned by the rabbitmq user & group. So after adding the files run chown.
The full Dockerfile in my case was the following:
FROM rabbitmq:3-management-alpine
ADD definitions.json /etc/rabbitmq/
ADD rabbitmq.config /etc/rabbitmq/
RUN chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config /etc/rabbitmq/definitions.json
EXPOSE 4369 5671 5672 15671 15672 25672
CMD ["rabbitmq-server"]
The rabbitmq.config
file has the following content being a merge from the default image's config and the added definitions loading:
[
{ rabbit, [
{loopback_users, []},
{ tcp_listeners, [ 5672 ]},
{ ssl_listeners, [ ]},
{ hipe_compile, false }
]},
{ rabbitmq_management, [
{ load_definitions, "/etc/rabbitmq/definitions.json"},
{ listeners, [
{ port, 15672 },
{ ssl, false }
]}
]}
].
The definitions file can be exported from the management interface in the overview tab.
So you would first create a normal 'empty' rabbitmq container. Define whatever users, exchanges and queues you like. Then enter the management interface, export the definitions and create your own image using the file as described above.
Downloading the definitions is the easiest way to get the right password hashes in the definitions file for your own passwords. If you do not wish to do that you should follow the instructions as noted here (https://www.rabbitmq.com/passwords.html) to generate the correct hashes.
Solution 5
With RabbitMQ 3.7, and the newer rabbitmq.conf (sysctl) configuration format, the following sets up RabbitMQ with a default user and queue in Docker, you can optionally add the following RUN commands in the dockerfile to create users...
RUN rabbitmqctl add_user {username} {password}
RUN rabbitmqctl set_user_tags {username} administrator
RUN rabbitmqctl set_permissions ...
rabbitmq.conf
# Default user
default_user = testuser
default_pass = testpassword
## The default "guest" user is only permitted to access the server
## via a loopback interface (e.g. localhost).
loopback_users.guest = true
# IPv4
listeners.tcp.default = 5672
## HTTP listener and embedded Web server settings.
management.tcp.port = 15672
# Load queue definitions
management.load_definitions = /etc/rabbitmq/definitions.json
#Ignore SSL
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
definitions.json
{
"rabbit_version": "3.7.11",
"users": [
{
"name": "testuser",
"password_hash": "txn+nsYVkAaIMvDsH8Fsyb3RWMCMWihRUVCk/wICL1NBKKvz",
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": "administrator"
}
],
"vhosts": [ { "name": "test-vhost" } ],
"permissions": [
{
"user": "testuser",
"vhost": "test-vhost",
"configure": ".*",
"write": ".*",
"read": ".*"
}
],
"topic_permissions": [],
"parameters": [],
"global_parameters": [
{
"name": "cluster_name",
"value": "rabbit@test-rabbit"
}
],
"policies": [],
"queues": [
{
"name": "testqueue",
"vhost": "test-vhost",
"durable": true,
"auto_delete": false,
"arguments": {}
}
],
"exchanges": [],
"bindings": []
}
Dockerfile
FROM rabbitmq:3.7-management
COPY rabbitmq.conf /etc/rabbitmq
COPY definitions.json /etc/rabbitmq
RUN ls /etc/rabbitmq
RUN cat /etc/rabbitmq/rabbitmq.conf
Dockers commands to build and run the container...
docker build -t rabbitmq-with-queue .
docker run --rm -it --hostname my-rabbit -p 5672:5672 -p 15672:15672 rabbitmq-with-queue
Marco
Happy coder, system architect, software geek, cloud believer, tech guy, open-source enthusiasts, wannabe cooking chef, likes to travel, meet new people, share knowledge, and watch movies/series.
Updated on January 12, 2022Comments
-
Marco over 2 years
Currently i am starting RabbitMQ Docker container using the default RabbitMQ image from DockerHub. Using the following commands.
docker run --restart=always \ -d \ -e RABBITMQ_NODENAME=rabbitmq \ -v /opt/docker/rabbitmq/data:/var/lib/rabbitmq/mnesia/rabbitmq \ -p 5672:5672 \ -p 15672:15672 \ --name rabbitmq rabbitmq:3-management
I have a need where i want to provide defaults users / and virtual-hosts when the image is first started. For example to create a default 'test-user'.
Currently i have to do that manually by using the management plugin and adding the users / virtual-hosts via the web ui. Is there a way i can provide default settings when starting the RabbitMQ image?
-
Marco about 9 yearsThanks for your suggestion, but somehow the users do not get persisted.
-
Marco about 9 yearsGot it working, but i have maybe a stupid question.. what does the $@ at the rabbitmq-server do?
-
george.yord about 9 years$@ is used to pass arguments to the
rabbitmq-server
command. For example if you use it like this:docker run -d rabbitmq [arg1] [arg2]
, it will be as you run in the containerrabbitmq-server [arg1] [arg2]
. -
Joris Mans over 8 years
cd /tmp ; \ wget http://localhost:15672/cli/rabbitmqadmin ; \ mv ./rabbitmqadmin /rabbitmqadmin ; \ chmod +x /rabbitmqadmin ; \
I think these lines can be removed, as the admin command is already available inside the container. -
blueFast about 8 years@JorisMans: and wget is not available in the base rabbitmq image
-
Marco over 7 years@JanuszSkonieczny Maybe something wrong with your line endings? I just tried the instructions again and it worked.
-
Janusz Skonieczny over 7 years@Marco, thx line ending where wrong. But I'm not sure why passing env
RABBITMQ_DEFAULT_USER
andRABBITMQ_DEFAULT_PASS
settings don'g have any effect. You end up withguest
admin user withguest
password, which is not desirable ;) -
Marco over 7 years@JanuszSkonieczny The post was just an example on how stuff could be done. You can pull the RABBITMQ_DEFAULT_USER etc into the init.sh and create the correct user
-
george.yord over 7 years@JorisMans: Thanks, great suggestion, I edited the answer and removed the rabbitmqadmin installation.
-
cdimitroulas over 7 yearsI get this error: /usr/local/bin/docker-entrypoint.sh: line 296: /init.sh: Permission denied. Did I miss something?
-
Derek about 7 yearsDoes this actually work? On 3.6.6 I can't add any users without first having the node/application running. It looks like you are adding them before running
rabbitmq-server
. -
Mihail Petkov about 7 yearsAdd
RUN ["chmod", "+x", "/init.sh"]
, otherwise it doesn't work. -
GhostCat almost 7 yearsI think you have enough content to make this an answer. So rather delete all the sentences that prevent this from being an answer (like saying: should be a comment). And that comment-needs-50 rule exists for good reasons.
-
Tom P. almost 7 yearsSorry those reputation roles are a sore point. There's been many times I felt like wanting to contribute something in a comment, an upvote and for everything I would get the 'this requires x reputation' message. Makes it a really high boundary to start contributing. In any case, thanks for the comment, I've made those changes. :)
-
GhostCat almost 7 yearsThe problem is that a very high number of people get accounts here. Too many of them give zip nada niente about quality. It only takes 1,2 well received questions to get to "upvote", and 1,2 well received answers and you are up to "comment".
-
mbeacom almost 7 years@MihailPetkov You should be setting the
init.sh
file to executable beforeCOPY
ing the shell script and building the image. That'll eliminate the need for this step, as file attributes are preserved by default. -
Kent Bull almost 7 years@TomP. That was great recommending the export from Rabbit. That really saved me time! And it is completely accurate. This should be combined with sudo's answer as the accepted answer.
-
Kent Bull almost 7 yearsThis is a great solution. @Tom.P adds a little to this with the definitions export from Rabbit. Combine the two and that should be the accepted answer. This worked for me!
-
sudo almost 7 years@KentJohnson the fact that "definitions.json [...] can be generated by the export function of the management web interface" is already one of my points, that's how I did it too (the provided examples are just to get an idea right away)
-
sudo over 6 yearsAdded chown command to make sure permissions are ok (thanks @Tom P.) and added an alternate solution that uses the official image + configuration files mounted at runtime
-
Darwayne over 6 yearsfor anyone trying to use this approach with docker-compose. I had to replace
;
with&&
inside of theinit.sh
file and this will work like a charm. -
Oleg Shleif about 6 yearsI tried and the user is not created. I set
sleep 10
in init.sh file and user was created... -
jmhostalet almost 6 yearsI've found this password hashing script which was pretty useful for me also gist.github.com/lukebakken/7b4da46ed9abb7ed14f7a60b49f9e52e
-
jmhostalet almost 6 yearsI've found this password hashing script which was pretty useful for me also gist.github.com/lukebakken/7b4da46ed9abb7ed14f7a60b49f9e52e
-
Kleyson Rios over 5 yearsGreat solution. The main problem is to find documentation for the definitions.json. But you can do manually all the configuration and then export the definiton medium.com/@thomasdecaux/…
-
Nathan Julsrud over 5 yearsYou will need to account for rabbitmq startup time. It's running all user commands in the background. The reason this works is because of the
sleep 5
statement. It's basically saying do these commands in the background, while starting rabbitmq. @Derek If you have a cluster with a lot of established queues/exchanges you will need to makesleep 5
a lot longer, OR write some type of loop that waits for rabbit to come back to life first. @MihailPetkov your suggestion can't work because of how Docker treats CMD -
user3793803 over 5 yearsAbout the
sleep 5
, If you want a more reliable way to wait for rabbitmq to be initalized, I would suggest to use this instead :rabbitmqctl wait /var/lib/rabbitmq/mnesia/rabbitmq.pid
. I'm using a docker-compose running a lot of containers and it worked for me. -
Cocowalla over 4 yearsUnfortunately it doesn't seem possible to combine this with a definitions file :(
-
jeffaudio over 4 yearsUsing
rabbitmqctl wait /var/lib/rabbitmq/mnesia/rabbitmq.pid
worked for me as well, but I had to manually set the environment variableRABBITMQ_PID_FILE
to that location as well or the pid file would be generated with a random name. -
george.yord over 4 yearsThank you all for the valid comments. @user3793803 I incorporated your suggestion, very nice one! I also added a
--timeout 60
param to override the default 10 seconds waiting time to stay on the safe side and wait even if ReabbitMQ takes a little bit longer to load. -
xbmono almost 4 yearsThanks. This worked for me, the env variable was the key
-
Vinicius Dantas almost 4 yearsPerfect advice, thanks. I used this idea together with the kubernetes docs on configmap (didn't know about this feature) for increasing the heartbeat of my rabbitmq server by saving a file under /etc/rabbitmq/conf.d/. But I didn't need to use subPath. Thank you so much for your contribution
-
NicoE over 3 yearsSince RabbitMQ 3.8.2, it's possible to load definitions at node boot time
load_definitions = /path/to/definitions/file.json
in rabbitmq.conf . docs -
lollerskates about 3 yearsi have a clarifying question: do we add
rabbitmq-server $@
at the end of the bash script because we override the default start command in theDockerfiles
withCMD ["/init.sh"]
? -
Iman almost 3 yearsconvert
'/etc/rabbitmq/rabbitmq.config'
to the newer sysctl format ('/etc/rabbitmq/rabbitmq.conf'
); see https://www.rabbitmq.com/configure.html#config-file -
jimnkey over 2 yearsAt first I thought this wasn't supported because of the comment of 'WARNING' -- but the actual variables the warning is for are NOT these. I added the other ports :
-p 15672:15672 -p 15692:15692
-- but this answer is good for what I was looking for - something very simple, easy to pass on to team - thanks! It would have saved me a bit of time if I didn't read that warning comment! -
michasaucer over 2 yearsHow to deal with output: `/init.sh: line 1: syntax error near unexpected token rabbitmqctl' 'init.sh: line 1: ( rabbitmqctl wait --timeout 60 $RABBITMQ_PID_FILE ; ` ?