Installs and configures the RabbitMQ message broker.



  • Debian


The version of RabbitMQ in Debian's main repository is quite old, so it is recommended that you also install the patchwerks-chef-debian cookbook and add RabbitMQ's APT repository to your sources.list like so:

"debian": {
  "sources": [
      "archive": "testing",
      "key":     "",
      "url":     ""


Node attributes are placed under the rabbitmq namespace, following the same structure as RabbitMQ's rabbitmq.config file. Default values are as follows:

  "rabbitmq": {
    "plugins": [],
    "vhosts":  {},
    "rabbit":  {
      "auth_mechanisms":     ["AMQPLAIN", "PLAIN"],
      "ssl_cert_login_from": "distinguished_name",
      "ssl_listeners":       [],
      "tcp_listeners":       [""],
      "ssl_options": {
        "fail_if_no_peer_cert": false,
        "verify":               "verify_none"

The plugins array is a list of the names of enabled plugins. You can get a list of available plugins from the rabbitmq-plugins command or from the RabbitMQ website.

vhosts is a hash that maps the vhost name to a hash of configuration options for that vhost. No configuration options are supported at this time, so the configuration hashes should be empty.

"vhosts": {
  "ci":         {},
  "production": {},
  "staging":    {}

ssl_cert_login_from is used by the rabbitmq_auth_mechanism_ssl plugin and can be either “common_name” or “distinguished_name”. These options are documented more thoroughly in the plugin’s README.

Data Bag Items


Every item in the people data bag with an attribute named rabbitmq will be added as a RabbitMQ user.

  "id": "[username]",
  "rabbitmq": {
    "password": null,
    "vhosts":   {}

The user will be assigned permissions for each vhost listed in the vhost hash based on the values in the hash. Permissions that are omitted from the hash default to “.*”, enabling full access. Access control configuration is discussed more thoroughly on the RabbitMQ website.

"vhosts": {
  "development": {
    "configure": ".*",
    "read":      ".*",
    "write":     ".*"

If the user does not have a password set in the data bag, their password will be cleared in RabbitMQ. This disables all password-based authentication for the user but still allows connections for the user through other mechanisms (eg, SSL client certificates).


If the services data bag has an item named rabbitmq, it will be consulted for SSL keys and certificates. You cannot use SSL without providing values for at least cert and key; you must also specify cacert if you intend to use client certificates.

  "id":     "rabbitmq",
  "cacert": "-----BEGIN CERTIFICATE-----\nMII...",
  "cert":   "-----BEGIN CERTIFICATE-----\nMII...",
  "key":    "-----BEGIN RSA PRIVATE KEY-----\nMII..."


The following example from a role definition file enables TCP for local connections only on port 5672 and SSL for all interfaces on port 5671. It creates vhosts named production and staging.

run_list 'recipe[rabbitmq]'
override_attributes rabbitmq: {
  ssl_listeners: [''],
  tcp_listeners: [''],
  vhosts:        {
    production: {},
    staging:    {}