#9269 Fedora Messaging Certs for CentOS Stream alt-src
Closed: Fixed 3 years ago by kevin. Opened 3 years ago by bstinson.

Describe what you would like us to do:


We'd like to send messages to fedora-messaging from alt-src: https://github.com/release-engineering/alt-src

Can we generate certificates for staging and production? I can find a way to get these securely for use on the alt-src machines.

When do you need this to be done by?


This week would be nice, but certainly not required

/cc: @siteshwar


Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain, ops

3 years ago

Done.

The key and certs are in your home dir on batcave01 in alt-src-certs/

Let us know if you need anything further.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

@kevin We tried the certificate that you shared with us. We are able to verify it through the openssl client with this command:

[centos@svashisht-test7 fedora_messaging]$ openssl s_client -connect rabbitmq.stg.fedoraproject.org:5671 -cert /etc/fedora-messaging/alt-src.stg.crt -key /etc/fedora-messaging/alt-src.stg.key -CAfile /etc/fedora-messaging/stg-cacert.pem -debug

However, it does not work with fedora_messaging. Below are our config.toml and the output of fedora-messaging --conf config.toml consume:

[centos@svashisht-test7 fedora-messaging]$ cat config.toml
# A basic configuration for Fedora's staging message broker, using the example
# callback which simply prints messages to standard output.
#
# This file is in the TOML format.
amqp_url = "amqps://alt-src.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
callback = "fedora_messaging.example:printer"

[tls]
# ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
# keyfile = "/etc/fedora-messaging/fedora.stg-key.pem"
# certfile = "/etc/fedora-messaging/fedora.stg-cert.pem"

ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
keyfile = "/etc/fedora-messaging/alt-src.stg.key"
certfile = "/etc/fedora-messaging/alt-src.stg.crt"

[client_properties]
app = "Example Application"
# Some suggested extra fields:
# URL of the project that provides this consumer
app_url = "https://github.com/fedora-infra/fedora-messaging"
# Contact emails for the maintainer(s) of the consumer - in case the
# broker admin needs to contact them, for e.g.
app_contacts_email = ["jcline@fedoraproject.org"]

[exchanges."amq.topic"]
type = "topic"
durable = true
auto_delete = false
arguments = {}

# Queue names *must* be in the normal UUID format: run "uuidgen" and use the
# output as your queue name. If your queue is not exclusive, anyone can connect
# and consume from it, causing you to miss messages, so do not share your queue
# name. Any queues that are not auto-deleted on disconnect are garbage-collected
# after approximately one hour.
#
# If you require a stronger guarantee about delivery, please talk to Fedora's
# Infrastructure team.
[queues.00000000-0000-0000-0000-000000000000]
durable = false
auto_delete = true
exclusive = true
arguments = {}

[[bindings]]
queue = "00000000-0000-0000-0000-000000000000"
exchange = "amq.topic"
routing_keys = ["#"]  # Set this to the specific topics you are interested in.

[consumer_config]
example_key = "for my consumer"

[qos]
prefetch_size = 0
prefetch_count = 25

[log_config]
version = 1
disable_existing_loggers = true

[log_config.formatters.simple]
format = "[%(levelname)s %(name)s] %(message)s"

[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"

[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.twisted]
level = "INFO"
propagate = false
handlers = ["console"]

[log_config.loggers.pika]
level = "INFO"
propagate = false
handlers = ["console"]

# If your consumer sets up a logger, you must add a configuration for it
# here in order for the messages to show up. e.g. if it set up a logger
# called 'example_printer', you could do:
#[log_config.loggers.example_printer]
#level = "INFO"
#propagate = false
#handlers = ["console"]

[log_config.root]
level = "ERROR"
handlers = ["console"]

[centos@svashisht-test7 fedora-messaging]$ fedora-messaging --conf config.toml consume
[INFO fedora_messaging.cli] Starting consumer with fedora_messaging.example:printer callback
[INFO fedora_messaging.twisted.service] Authenticating with server using x509 (certfile: /etc/fedora-messaging/alt-src.stg.crt, keyfile: /etc/fedora-messaging/alt-src.stg.key)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.stg.fedoraproject.org port=5671 virtual_host=/public_pubsub ssl=True>, confirms=True)
[ERROR pika.adapters.twisted_connection] connection_lost: VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname='rabbitmq.stg.fedoraproject.org'))])
[INFO pika.connection] AMQP stack terminated, failed to connect, or aborted: opened=False, error-arg=VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname='rabbitmq.stg.fedoraproject.org'))]); pending-error=None
[INFO pika.connection] Connection setup terminated due to VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname='rabbitmq.stg.fedoraproject.org'))])
[ERROR fedora_messaging.cli] The TCP connection appears to have started, but the TLS or AMQP handshake with the broker failed; check your connection and authentication parameters and ensure your user has permission to access the vhost
[INFO twisted] <twisted.internet.tcp.Connector instance at 0x7fb5d2c8d0e0 disconnected IPv4Address(type='TCP', host=u'rabbitmq.stg.fedoraproject.org', port=5671)> will retry in 2 seconds
[INFO twisted] Stopping factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.stg.fedoraproject.org port=5671 virtual_host=/public_pubsub ssl=True>, confirms=True)
[INFO twisted] Main loop terminated.

Do you see any issues with config.toml? Is the username alt-src.stg correct in our configuration?
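The openssl s_client command above only proves that a TLS session can be opened with the client key pair; on its own it does not check that the broker certificate names rabbitmq.stg.fedoraproject.org, and it keeps going after verification errors unless -verify_return_error is given. pika's Twisted adapter does check the name (through service_identity), which is what a VerificationError containing DNSMismatch reports. The broker, for its part, identifies an x509-authenticating client by its certificate, so the CN in the client cert is what ends up compared with the account the admins create. The following is an added example, not code from the ticket or from fedora-messaging: it reproduces both checks offline with a throwaway PKI generated by the openssl CLI in a temp directory. Every name in it is constructed test data, and it assumes the openssl binary and Python 3.7+ are available.

```python
"""Added example (not from the ticket or fedora-messaging): reproduce offline the
hostname check pika/service_identity perform (missing from plain s_client) and the
client-certificate identity the broker sees. Throwaway PKI via the openssl CLI;
all names are constructed test data."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

BROKER_HOST = "rabbitmq.stg.fedoraproject.org"  # name the client verifies against
CLIENT_CN = "alt-src.stg"                        # CN the broker reads from the client cert

# Minimal openssl config so the example does not depend on the system openssl.cnf.
REQ_CONFIG = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""
LEAF_EXT = """basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"""


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_pki(workdir, broker_san):
    """Constructed CA, broker cert whose SAN is `broker_san`, client cert with CN=CLIENT_CN."""
    p = lambda n: os.path.join(workdir, n)
    with open(p("req.cnf"), "w") as fh:
        fh.write(REQ_CONFIG)
    _openssl("req", "-x509", "-config", p("req.cnf"), "-newkey", "rsa:2048", "-nodes",
             "-days", "1", "-subj", "/CN=Test CA", "-keyout", p("ca.key"), "-out", p("ca.pem"))
    leaves = {"broker": ("/CN=broker", f"subjectAltName = DNS:{broker_san}"),
              "client": (f"/CN={CLIENT_CN}", "extendedKeyUsage = clientAuth")}
    for name, (subj, extra) in leaves.items():
        _openssl("req", "-new", "-config", p("req.cnf"), "-newkey", "rsa:2048", "-nodes",
                 "-subj", subj, "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        with open(p(name + ".ext"), "w") as fh:
            fh.write(LEAF_EXT + extra + "\n")
        _openssl("x509", "-req", "-days", "1", "-in", p(name + ".csr"), "-CA", p("ca.pem"),
                 "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p(name + ".ext"),
                 "-out", p(name + ".pem"))
    return {n: p(n) for n in ("ca.pem", "broker.pem", "broker.key", "client.pem", "client.key")}


def handshake(pki, check_hostname):
    """One mutual-TLS handshake over loopback. Returns (client_accepted, peer_cn):
    whether the client accepted the broker cert for BROKER_HOST, and the CN the
    'broker' side read from the client cert (what x509 auth maps to a username)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(pki["broker.pem"], pki["broker.key"])
    srv.load_verify_locations(pki["ca.pem"])
    srv.verify_mode = ssl.CERT_REQUIRED            # broker insists on a client cert
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED here
    cli.load_verify_locations(pki["ca.pem"])
    cli.load_cert_chain(pki["client.pem"], pki["client.key"])
    cli.check_hostname = check_hostname            # False mimics s_client without -verify_hostname

    lsock = socket.socket()
    lsock.settimeout(5)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    seen = {}

    def broker():
        try:
            conn, _ = lsock.accept()
            conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen["cn"] = subject.get("commonName")
                tls.sendall(b"ok")                 # tell the client the broker side is done
        except OSError:                            # handshake aborted by the client
            pass

    thread = threading.Thread(target=broker)
    thread.start()
    accepted = False
    port = lsock.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                cli.wrap_socket(raw, server_hostname=BROKER_HOST) as tls:
            accepted = tls.recv(2) == b"ok"
    except ssl.SSLCertVerificationError:           # Python's analogue of DNSMismatch
        accepted = False
    thread.join()
    lsock.close()
    return accepted, seen.get("cn")


def run_checks(broker_san):
    """Build a PKI whose broker cert names `broker_san`, then handshake with and
    without hostname verification. Only a correct SAN passes both."""
    with tempfile.TemporaryDirectory() as work:
        pki = make_test_pki(work, broker_san)
        strict, _ = handshake(pki, check_hostname=True)
        lax, peer_cn = handshake(pki, check_hostname=False)
    return {"with_hostname_check": strict, "without_hostname_check": lax, "peer_cn": peer_cn}


if __name__ == "__main__":
    print("broker cert names the host:", run_checks(BROKER_HOST))
    print("broker cert names another :", run_checks("rabbitmq.example.org"))
```

The second run shows the trap: with the hostname check switched off the handshake still succeeds against a certificate for the wrong name, which is exactly what a bare s_client session demonstrates. To make s_client perform the same check the consumer will, add -verify_hostname rabbitmq.stg.fedoraproject.org -verify_return_error to the command; and compare the CN that comes back as peer_cn with the username in amqp_url, since that is the identity the broker admins have to create.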

First of all, are you listening for messages or only sending messages?
If the latter, then you can simplify your configuration file quite a bit! See https://pagure.io/fedora-infra/ansible/blob/master/f/roles/batcave/templates/batcave-messaging.toml as an example of a configuration file that is used only for sending notifications.

If you want to listen for messages on the bus there are a few things to adjust in your configuration file:

The name of the queue must start with the username, so in your case you should have something like:

[queues.alt-src.stg]

or

[queues.alt-src.stg.something]

You probably also do not want to register your queue to listen to every single message on the bus, i.e. you want to adjust routing_keys = ["#"] to something more plausible.

Also, have the user and queue been created on the server? This is done in our ansible repo; see for example: https://pagure.io/fedora-infra/ansible/blob/master/f/roles/rabbitmq_cluster/tasks/apps.yml which creates users and queues for applications that aren't deployed in our infrastructure/ansible repo but use our rabbitmq cluster.
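The rules in the reply above (username taken from amqp_url, queue names prefixed with it, no catch-all "#" binding, bindings pointing at declared queues) are easy to check by machine before opening a ticket for the server side. One detail worth checking the same way: in TOML a dotted table header such as [queues.alt-src.stg] defines nested tables (queues, then alt-src, then stg), not a queue called alt-src.stg, which is why the posted config already writes the exchange as [exchanges."amq.topic"]; the queue header needs the same quoting. The lint below is an added example, not fedora-messaging's own tooling. Its sample configs are constructed, shortened copies of the one posted in the ticket; the topic in the corrected samples is hypothetical, and the queue flags are an assumption that has to match whatever is declared on the broker. It assumes Python 3.11+ for tomllib (or the tomli backport).

```python
"""Added example (not fedora-messaging's own tooling): a preflight lint that
encodes the rules from the reply above plus the TOML dotted-header pitfall.
Sample configs are constructed, shortened copies of the one posted in the ticket."""
from urllib.parse import urlsplit

try:
    import tomllib
except ImportError:  # Python < 3.11
    import tomli as tomllib

# Constructed: the shape of the config posted in the ticket, trimmed to the relevant parts.
SAMPLE_AS_POSTED = """
amqp_url = "amqps://alt-src.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
callback = "fedora_messaging.example:printer"

[tls]
ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
keyfile = "/etc/fedora-messaging/alt-src.stg.key"
certfile = "/etc/fedora-messaging/alt-src.stg.crt"

[queues.00000000-0000-0000-0000-000000000000]
durable = false
auto_delete = true
exclusive = true
arguments = {}

[[bindings]]
queue = "00000000-0000-0000-0000-000000000000"
exchange = "amq.topic"
routing_keys = ["#"]
"""

# Constructed: the advice taken literally. In TOML a dotted header makes nested
# tables, so this defines queues."alt-src"."stg", not a queue named "alt-src.stg".
# The routing key is a hypothetical topic.
SAMPLE_UNQUOTED = (
    SAMPLE_AS_POSTED
    .replace("[queues.00000000-0000-0000-0000-000000000000]", "[queues.alt-src.stg]")
    .replace('queue = "00000000-0000-0000-0000-000000000000"', 'queue = "alt-src.stg"')
    .replace('["#"]', '["org.centos.prod.example.topic"]')
)

# Constructed: quoted queue name, as the posted config already does for "amq.topic".
# Queue flags are an assumption; they must match what was declared on the broker.
SAMPLE_FIXED = SAMPLE_UNQUOTED.replace("[queues.alt-src.stg]", '[queues."alt-src.stg"]')


def lint_consumer_config(toml_text):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    cfg = tomllib.loads(toml_text)
    findings = []
    user = urlsplit(cfg.get("amqp_url", "")).username or ""
    if not user:
        findings.append("amqp_url: no username; the broker identifies the client by it")
    tls = cfg.get("tls", {})
    for key in ("ca_cert", "keyfile", "certfile"):
        if not tls.get(key):
            findings.append(f"tls.{key}: missing; x509 auth needs the CA, key and cert")
    queues = cfg.get("queues", {})
    for name, body in queues.items():
        # A queue table holding sub-tables (other than `arguments`) is the signature
        # of an unquoted dotted header, e.g. [queues.alt-src.stg].
        nested = [k for k, v in body.items() if isinstance(v, dict) and k != "arguments"]
        if nested:
            findings.append(f'queues: [queues.{name}.{nested[0]}] was parsed as nested '
                            f'tables; quote the name: [queues."{name}.{nested[0]}"]')
            continue
        if user and name != user and not name.startswith(user + "."):
            findings.append(f"queues.{name}: must start with the username {user!r}")
    for binding in cfg.get("bindings", []):
        queue = binding.get("queue")
        if queue not in queues:
            findings.append(f"bindings: queue {queue!r} is not declared under [queues]")
        if "#" in binding.get("routing_keys", []):
            findings.append(f"bindings: queue {queue!r} binds '#' (every message on the bus); narrow it")
    return findings


if __name__ == "__main__":
    samples = (("as posted", SAMPLE_AS_POSTED), ("unquoted", SAMPLE_UNQUOTED), ("fixed", SAMPLE_FIXED))
    for label, text in samples:
        print(label + ":", lint_consumer_config(text) or "OK")
```

Run it against a real config.toml with lint_consumer_config(open(path).read()); what it cannot tell you is whether the user and queue exist on the broker, which is the server-side part handled in the ansible repo linked above.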

> Also, have the user and queue been created on the server? This is done in our ansible repo; see for example: https://pagure.io/fedora-infra/ansible/blob/master/f/roles/rabbitmq_cluster/tasks/apps.yml which creates users and queues for applications that aren't deployed in our infrastructure/ansible repo but use our rabbitmq cluster.

I am not aware of this. @kevin, can you answer this?

Yes, you will at least need a user and likely a queue.

We can add them as @pingou says...

@kevin Thanks! The name of the user and queue should be alt-src.stg. I opened another ticket for this: https://pagure.io/fedora-infrastructure/issue/9307
