This guide covers installing RabbitMQ on Fedora 38 or later, enabling the management UI, and securing the broker with a dedicated user and virtual host. The steps also apply to RHEL 9 and CentOS Stream 9 with the same repository configuration.
Prerequisites
- Fedora 38 or later (x86-64)
sudoaccess- Internet access to reach the Cloudsmith package repositories
Step 1: Install Erlang
RabbitMQ requires Erlang. The version packaged in Fedora’s default repos often lags behind RabbitMQ’s requirements, so install from the Erlang Solutions repository to get a supported version.
1
2
3
sudo dnf install -y https://packages.erlang-solutions.com/erlang-solutions-2.0-1.noarch.rpm
sudo dnf install -y erlang
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().' -noshell
The last command prints the OTP version (e.g. "26"). RabbitMQ 3.13.x requires OTP 26 or later.
Step 2: Add the RabbitMQ repository
The official RabbitMQ team publishes signed RPMs on Cloudsmith. Add both the RabbitMQ repo and the matching Erlang repo (as a fallback):
1
2
3
4
5
6
7
8
9
sudo tee /etc/yum.repos.d/rabbitmq.repo << 'EOF'
[rabbitmq-el9]
name=RabbitMQ RPM Repository
baseurl=https://dl.cloudsmith.io/free/rabbitmq/rabbitmq-server/rpmrepositories/el/9/$basearch/
gpgcheck=1
gpgkey=https://dl.cloudsmith.io/free/rabbitmq/rabbitmq-server/gpg.844C0B4B0EE2E45F.key
repo_gpgcheck=1
enabled=1
EOF
Import the signing key:
1
sudo rpm --import https://dl.cloudsmith.io/free/rabbitmq/rabbitmq-server/gpg.844C0B4B0EE2E45F.key
Step 3: Install RabbitMQ Server
1
2
sudo dnf install -y rabbitmq-server
rabbitmqctl version
A successful install prints the RabbitMQ version:
3.13.x
Step 4: Configure firewalld
If firewalld is active, open the AMQP port (5672) and the management UI port (15672):
1
2
3
4
sudo firewall-cmd --add-port=5672/tcp --permanent # AMQP
sudo firewall-cmd --add-port=15672/tcp --permanent # Management UI
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
For AMQP over TLS (recommended in production), also open port 5671:
1
2
sudo firewall-cmd --add-port=5671/tcp --permanent
sudo firewall-cmd --reload
Step 5: Enable and start the service
1
2
sudo systemctl enable --now rabbitmq-server
sudo systemctl status rabbitmq-server
RabbitMQ runs as the rabbitmq system user created automatically during installation. The data directory is /var/lib/rabbitmq/ and logs are written to /var/log/rabbitmq/.
Check the node is healthy:
1
sudo rabbitmqctl status
Look for {pid,<N>} and {running_applications,...} in the output confirming the broker is up.
Step 6: Enable the management plugin
The management plugin provides a web UI and HTTP API for inspecting queues, exchanges, bindings, and connections.
1
2
sudo rabbitmq-plugins enable rabbitmq_management
sudo systemctl restart rabbitmq-server
The UI is now available at http://localhost:15672. The default credentials are guest / guest, but the guest account can only connect from localhost by design you will replace it in the next step.
Step 7: Create a user and virtual host
Never use the default guest account beyond initial verification. Create a dedicated admin user, a virtual host for your application, and grant permissions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# Create an admin user
sudo rabbitmqctl add_user myadmin 'S3cur3P@ssw0rd!'
sudo rabbitmqctl set_user_tags myadmin administrator
# Create a virtual host for your application
sudo rabbitmqctl add_vhost myapp
# Grant full permissions on the vhost
sudo rabbitmqctl set_permissions -p myapp myadmin '.*' '.*' '.*'
# Delete the default guest account
sudo rabbitmqctl delete_user guest
# Verify
sudo rabbitmqctl list_users
sudo rabbitmqctl list_vhosts
The three '.*' patterns in set_permissions control configure, write, and read access respectively. '.*' grants full access to all resources in the vhost.
Log in to http://localhost:15672 with your new admin credentials to confirm access.
Step 8: Verify with a test message
Install pika and run a quick publish/consume cycle to confirm end-to-end connectivity:
1
pip install pika
1
2
3
4
5
6
7
8
9
10
11
12
13
import pika
creds = pika.PlainCredentials('myadmin', 'S3cur3P@ssw0rd!')
params = pika.ConnectionParameters(host='localhost', virtual_host='myapp', credentials=creds)
with pika.BlockingConnection(params) as conn:
ch = conn.channel()
ch.queue_declare(queue='test', durable=True)
ch.basic_publish(exchange='', routing_key='test', body=b'hello')
print('Published')
method, props, body = ch.basic_get(queue='test', auto_ack=True)
print(f'Received: {body.decode()}')
Running this script should print:
Published
Received: hello
Upgrading RabbitMQ
1
2
3
sudo dnf update rabbitmq-server
sudo systemctl restart rabbitmq-server
sudo rabbitmqctl status
For major version upgrades (e.g. 3.12 to 3.13), read the RabbitMQ upgrade guide before proceeding some upgrades require a rolling restart or schema migration.
What to avoid
Do not keep the default guest account in production. Even though guest is restricted to localhost connections, it is a known credential that reduces your security posture. Delete it as shown in Step 7.
Do not skip TLS for non-localhost traffic. Port 5672 transmits credentials and message payloads in plaintext. For any traffic that crosses a network boundary, configure TLS on port 5671 and add the certificate to /etc/rabbitmq/rabbitmq.conf.
Do not run rabbitmq-server as root. The package installer creates a dedicated rabbitmq system user. Do not override this with sudo rabbitmq-server running the broker as root removes the OS-level isolation that limits the blast radius of a vulnerability.
Do not ignore memory and disk alarms. RabbitMQ raises a memory alarm when used memory exceeds 40% of total RAM and blocks all publishers. It raises a disk alarm when free disk space falls below 50 MB. Monitor these via the management UI or the /api/healthchecks/node endpoint and size your server accordingly.