Bug 1087270

Summary: multiple problems with default rabbitmq-server config
Product: [openSUSE] openSUSE Distribution
Reporter: Forgotten User EvvLe4roFD <forgotten_EvvLe4roFD>
Component: Other
Assignee: Dirk Mueller <dmueller>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: forgotten_EvvLe4roFD, gsantomaggio, ralf
Version: Leap 42.3
Target Milestone: ---
Hardware: All
OS: openSUSE 42.3
Whiteboard:
Found By: Community User
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1029031

Description Forgotten User EvvLe4roFD 2018-03-28 09:38:12 UTC
This bug report is effectively a summary of 3 separate bugs that have not really been addressed properly in my opinion:
(1) https://bugzilla.suse.com/show_bug.cgi?id=927301
(2) https://bugzilla.suse.com/show_bug.cgi?id=1029031
(3) https://bugzilla.suse.com/show_bug.cgi?id=1003085

I will be referring to them in the following paragraphs.

First, a short introduction to rabbitmq and its dependencies. Rabbitmq is Erlang-based software and it runs on BEAM (essentially the Erlang VM). It is networked software, so it also uses (and requires) EPMD (Erlang Port Mapper Daemon), which is what the Erlang platform provides to make it relatively easy to build networked clusters of Erlang software. EPMD maps names to ports. Rabbitmq is the still-recommended MQ server for e.g. OpenStack.

Now a little bit about some example machine configuration (quite popular scenario in fact).
FQDN: opensuse.local (could be any really)
one interface, eth0: 192.168.56.2 (could be any really)
added in /etc/hosts: (could be in DNS, it does not matter)
  192.168.56.2 opensuse.local opensuse
OS: OpenSUSE 42.3, fully patched, minimal install to reduce the cruft

Now let us install rabbitmq-server
# zypper in rabbitmq-server
So far so good.
Let's enable and start it up:
# systemctl enable rabbitmq-server.service && systemctl start rabbitmq-server.service
And it worked. But we essentially triggered the first bug, the bug that will lead to (2).

Let us dig deeper before showing (2).
Installing rabbitmq-server installed us erlang-epmd as well.
Let's find out how the situation looks now:
# systemctl status epmd.service
and it turns out epmd is down. We might wonder why rabbitmq works...
# systemctl status epmd.socket
and it is down as well. It is enabled and all but its RPM scripts did not start it.
Now:
# systemctl status rabbitmq-server.service
and we can see it started epmd by itself (also violating security concerns mentioned in (3)).
Trying to stop it:
# systemctl stop rabbitmq-server.service
will result in a timeout because of epmd - the stop action does not turn off epmd, which systemd waits for. Hence we get (2).

Ok, so we covered one thing that does go wrong and causes a timeout plus possible security invalidation.

Now since epmd.socket is enabled by default, let us reboot and see what happens...
# reboot
...
# systemctl status epmd.socket
# systemctl status epmd.service
# systemctl status rabbitmq-server.service
And now epmd.socket and epmd.service are up but rabbitmq-server.service is down.
Rabbitmq could not start because it detected epmd running, and by default it tries to contact epmd at `hostname -s`, which in our example is 'opensuse' and points to 192.168.56.2, while epmd is started on 127.0.0.1 (localhost) only (by the default SUSE policy mentioned in (3)). (1) and (3) have been triggered.


I believe there are two fixes necessary to not compromise security and to ensure a smooth(er) experience. First, ensure that rabbitmq-server.service starts after epmd.service and requires it (to enforce epmd.socket settings); the RPM script for erlang-epmd could also start epmd.socket since it is enabled by default anyway. Second, ensure that rabbitmq-server.service uses localhost epmd (to comply with SUSE policy here as well).

First fix consists at least of adding:
  After=epmd.service
  BindsTo=epmd.service
to [Unit] section in rabbitmq-server.service
Plus optionally starting epmd.socket by erlang-epmd package.

Second fix is to add a default config file /etc/rabbitmq/rabbitmq-env.conf with content e.g.:
  # This is to comply to SUSE policy of starting epmd to listen on localhost only.
  NODENAME=rabbit@localhost

I currently apply both fixes to have my local test rabbitmq deployment start and stop reliably.
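
Added example, not part of the original report or of the openSUSE package: shell checks an administrator could run to confirm the state the two fixes above aim for (epmd on loopback only, the unit ordered after and bound to epmd.service, NODENAME on localhost). The function names are hypothetical, port 4369 is epmd's default and is not stated in the report, and the `ss` lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the report): audits for its two proposed fixes.
EPMD_PORT=4369   # epmd's default port; an assumption, not stated in the report

# stdin: `ss -ltnH` lines. Prints hosts where epmd listens outside
# loopback; returns 0 only when every epmd listener is on loopback.
epmd_nonloopback_listeners() {
    awk -v port="$EPMD_PORT" '{
        n = split($4, p, ":")              # $4 = Local Address:Port
        if (p[n] != port) next
        host = substr($4, 1, length($4) - length(p[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print host; bad = 1
    } END { exit bad + 0 }'
}

# stdin: unit file text (e.g. from `systemctl cat`). Returns 0 when the
# [Unit] section lists epmd.service under both After= and BindsTo=.
unit_bound_to_epmd() {
    awk '/^\[/ { in_unit = ($0 == "[Unit]"); next }
         in_unit && /^(After|BindsTo)=/ {
             eq = index($0, "=")
             m = split(substr($0, eq + 1), u, " ")
             for (i = 1; i <= m; i++) if (u[i] == "epmd.service") seen[substr($0, 1, eq - 1)] = 1
         }
         END { exit !(("After" in seen) && ("BindsTo" in seen)) }'
}

# stdin: rabbitmq-env.conf text. Returns 0 when the last uncommented
# NODENAME= assignment names a node on localhost.
nodename_is_localhost() {
    awk -F= '/^[ \t]*NODENAME=/ { v = $2 }
             END { exit !(v ~ /@localhost[ \t]*$/) }'
}

# Constructed sample input: epmd on loopback only (the policy the report
# refers to) next to an epmd bound to all interfaces.
SS_LOOPBACK_ONLY='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*'
SS_ALL_INTERFACES='LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 [::]:4369 [::]:*'

printf '%s\n' "$SS_LOOPBACK_ONLY" | epmd_nonloopback_listeners \
    && echo "sample 1: epmd is loopback only"
printf '%s\n' "$SS_ALL_INTERFACES" | epmd_nonloopback_listeners \
    || echo "sample 2: epmd is reachable beyond loopback"
```

On a live system the same functions take `ss -ltnH`, `systemctl cat rabbitmq-server.service` and `/etc/rabbitmq/rabbitmq-env.conf` on stdin.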
Comment 1 Dirk Mueller 2018-12-15 20:56:28 UTC
Thanks a lot for coming up with these fixes! I've submitted them so that we can now by default no longer compromise security and start reliably.
Comment 2 Swamp Workflow Management 2018-12-15 21:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1087270) was mentioned in
https://build.opensuse.org/request/show/658683 Factory / rabbitmq-server
Comment 3 Swamp Workflow Management 2018-12-17 08:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1087270) was mentioned in
https://build.opensuse.org/request/show/658860 Factory / rabbitmq-server
Comment 4 Swamp Workflow Management 2019-02-13 08:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1087270) was mentioned in
https://build.opensuse.org/request/show/674403 15.1 / rabbitmq-server