MQ admin notes

The design is resilient

• There are two hosts, rapoport and rainier.
• The service will stay up if either is up.
• Individual connections will break, but the clients know how to reconnect
• All queues and exchanges configured to be created as durable by default

The design is reasonably secure

• All connections are over SSL, using the autoca host certs
• The default guest account has been removed
• All d.o machines have autogenerated passwords

Admin tools

• Web consoles (not directly accessible from the internet)
  • https://rainier.debian.org:15671
  • https://rapoport.debian.org:15671
• CLI tool
  • go to either (same, not accessible from the internet)
  • https://rainier.debian.org:15671/cli/
  • https://rapoport.debian.org:15671/cli/
  • Download the rabbitmqadmin tool and put in ~/bin
  • set up ~/.rabbitmqadmin.conf. Passwords on handel
• Directly on rainier/rapoport
  • rabbitmqadmin is present at /usr/bin/rabbitmqadmin
  • A quite old version is also present in /usr/local/bin and sadly this one has precedence and doesn't work. Before having it removed, you can just symlink /usr/bin/rabbitmqadmin in ~/bin and be done with it.

Sample .rabbitmqadmin.conf:

[rainier]
hostname = rainier.debian.org
port = 15671
username = admin
password = XXX
ssl = True
ssl_ca_cert_file = /etc/ssl/debian/certs/ca.crt

[rapoport]
hostname = rapoport.debian.org
port = 15671
username = admin
password = XX
ssl = True
ssl_ca_cert_file = /etc/ssl/debian/certs/ca.crt

A word about terminology:

pubsub messaging involves a sender and a receiver.

The sender connects to an exchange, and publishes a message. The sender may or may not create the exchange during the course of that action. During message sending, the sender declares a topic for the message.

Topics are just '.' separated strings, eg dsa.git.mail, ftpteam.package.upload.clamav, etc. They allow for two types of wildcards. dsa.git.* matches any single git repo but not dsa.git.mail.commit. #.clamav match anything ending in clamav, no matter how many separators.

The receiver connects to a queue, binds it to an exchange with a topic binding for a specific topic, and waits for a message. If a message submitted to the exchange matches the topic, it is routed to the receiver queue, and the receiver gets it.

The tcp connection from a client to the MQ server is called a channel. The protocol layer on top of the TCP connection is called a connection (I know, good, right?). The connection between a queue and an exchange is called a binding.

Sun, 26 Jan 2014 17:24:28 +0000