rabbitmq-server
rabbitmq-server copied to clipboard
rabbitmq
Unix Domain Socket
Discussed in https://github.com/rabbitmq/rabbitmq-server/discussions/7298
Originally posted by jvary February 14, 2023 {repost from rabbitmq-users mailing list}
Hello all!
I am looking to add support for Unix Domain Socket in RabbitMQ, to add extra safety & segregation when used locally (versus listening on 127.0.0.1). In a 2018 message on the mailing list, it was suggested to do an “exchange plugin“, but since then, ranch_tcp added support for inet:local_address().
My plan would be to change the listeners configuration ‘pipe’ to support inet:local_address() up to ranch, and modify the Erlang & C# client libs to support it as well.
Before I jump into the code, any chance that such PRs could reach the main branch ?
Julien
to add extra safety & segregation when used locally
@jvary what does that mean? Can you explain these two terms extra safety and segregation in more detail?
Specifically:
- Why is it more secure to use Unix domain sockets compared to listening on the loopback address?
- What means
segregationhere? What benefits do Unix domain sockets have in this context?
- You can't accidentally expose a Unix domain socket port over the network and can restrict it further via file permissions.
Like Loïc Hoguin said above.
@ansd
Can you explain these two terms extra safety and segregation in more detail?
Mostly any process running on the host can write to 127.0.0.1, and it is easier for mass produced devices to restrict service access by local UserFileSystemPermissions than using ClientSecrets. Likely the same reasons the ‘Docker daemon socket’ is by default an UnixDomainSocket as well.
Also, we encountered a few funky use cases were we would benefit from a UnixDomainSocket, among them :
- Isolation of a highly exposed process into its own network namespace (Linux; with no 'IP way out' at all from that namespace), but have this process able to output messages to RabbitMQ running in the default namespace.
- Sharing RabbitMQ between the host and ‘network bridged’ Docker containers, without having the RabbitMQ (running on the host) listening on ‘any’ (we would mount the socket in a docker volume)
- The segregation can be achieved by group rights under a Unix operating system or SELinux hardening.
- The workload on the TCP stack can be reduced by using a Unix socket, which improves resource efficiency, especially in embedded systems with limited resources.
Hello all,
FYI, I did start the work, but while changing the core server-code itself to support UnixDomainSocket wasn't so horrible in itself, I got stuck in updating all the monitoring paths/tools that assumed an IP endpoint.
Given the scale of doing a clean PR that doesn't break the whole ecosystem, it became no longer rational for us to spend so much time on this.
If anyone would like a pet project, here is your chance to take over :-)
Our team has chosen to use RabbitMQ for our embedded system. At some point in our development, I will allow us to work on this issue. If you can share your early work, maybe we can collaborate and share the effort. Thanks, @jvary, for your update.
There are many monitoring-related parts that do assume a (hostname, port) pair. Management UI, Prometheus scraping endpoint and CLI commands such as rabbitmq-diagnostics listeners and derivatives such as rabbitmq-diagnostics report will need to be adjusted.
I don't recall seeing a request for this from paying customers or regular contributors, so until 4.1.x or so, this has a close to zero probability of being worked on by the core team.