Rc
Application Infrastructure Azure

Rocket.Chat Community on Ubuntu 24.04 on Azure User Guide

| Product: Rocket.Chat Community on Ubuntu 24.04 LTS on Azure

Overview

Rocket.Chat Community is an MIT-licensed, self-hosted team communication and chat platform - the open-source alternative to Slack. It gives your organisation channels, threads, direct messages, file sharing and a realtime web UI while keeping every conversation on infrastructure you control. The cloudimg image installs Rocket.Chat Community 8.6.0 (the free open-source build - no Enterprise license) to /opt/rocketchat and runs it as the dedicated non-root rocketchat system user on Node.js 22, backs it with a local MongoDB 8.0 single-node replica set, fronts it with nginx as a reverse proxy on port 80 (with the WebSocket upgrade headers Rocket.Chat's realtime channel needs), keeps all state on a dedicated Azure data disk, and generates a unique admin password on first boot. Backed by 24/7 cloudimg support.

What is included:

  • Rocket.Chat Community 8.6.0 (MIT-licensed open-source build) served by rocketchat.service as the non-root rocketchat user on the bundled-pinned Node.js 22 runtime
  • A local MongoDB 8.0 database running as a single-node replica set (rs0, wiredTiger) on loopback 127.0.0.1:27017 - Rocket.Chat requires a replica set for its realtime oplog, even single-node
  • nginx reverse proxy on port 80, proxying to Rocket.Chat on 127.0.0.1:3000 with WebSocket upgrade headers for /websocket and /sockjs
  • All state on a dedicated 40 GiB Azure data disk at /var/lib/rocketchat: the MongoDB data directory, which holds every message, user, setting and file upload
  • A unique per-VM admin account (admin, email admin@cloudimg.local) created non-interactively on first boot, with the password written to a root-only credentials file
  • Open registration disabled by default so only the seeded admin exists until you invite users
  • An unauthenticated GET /health endpoint on nginx for load-balancer and uptime checks
  • 24/7 cloudimg support

Rocket.Chat binds loopback 127.0.0.1:3000 only; customers reach it through the nginx reverse proxy on port 80. MongoDB is never exposed - it listens on 127.0.0.1:27017 only.

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a good starting point - Rocket.Chat and MongoDB both want RAM. NSG inbound: allow 22/tcp from your management network and 80/tcp from the clients that will use Rocket.Chat. For production, front the VM with TLS (see the final step) and allow 443/tcp instead of plain 80.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Rocket.Chat Community by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size (Standard_B4ms); under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name rocketchat \
  --image <marketplace-image-urn> \
  --size Standard_B4ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name rocketchat --port 80 --priority 900

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm Rocket.Chat, MongoDB and nginx are running

systemctl is-active mongod rocketchat nginx

You should see three active lines:

active
active
active

Rocket.Chat binds loopback only and nginx fronts it on port 80 - confirm the listeners:

ss -tln | grep -E ':3000|:27017|:80'
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511        127.0.0.1:3000      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:27017     0.0.0.0:*

The Rocket.Chat API answers an unauthenticated info request with a 200, and nginx exposes a static /health endpoint for load balancers:

curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:3000/api/info
200
curl -s -o /dev/null -w '%{http_code}\n' http://localhost/health
200

Step 5 - Retrieve your per-VM admin password

Each VM generates its own unique admin password on first boot and writes it to a root-only credentials file:

sudo cat /root/rocketchat-credentials.txt

The file contains ROCKETCHAT_ADMIN_PASSWORD, the username (admin), the email (admin@cloudimg.local) and the web URL. Store the password in your secrets manager. In the commands below, <ROCKETCHAT_ADMIN_PASSWORD> stands for the value of ROCKETCHAT_ADMIN_PASSWORD.

Step 6 - Sign in to the Rocket.Chat web UI

Open http://<vm-public-ip>/ in a browser. Sign in with the username admin (or the email admin@cloudimg.local) and the per-VM password from Step 5.

The Rocket.Chat Community login page served by the VM on port 80

Once signed in you land in your workspace home, ready to add users and create channels.

The Rocket.Chat workspace home after signing in as the admin

Rocket.Chat keeps every conversation self-hosted on your own Azure VM - create channels, threads and direct messages just like any modern team messenger. The default #general channel is ready to use.

The Rocket.Chat #general channel view

Step 7 - Administer the workspace from the admin area

As the admin you can manage users, rooms, permissions, authentication and server settings from the administration area at http://<vm-public-ip>/admin. The Workspace page confirms you are running Rocket.Chat 8.6.0 Community.

The Rocket.Chat administration Workspace page showing the Community edition

Step 8 - Verify authentication from the API

The credentials file drives a real login round-trip. This reads the per-VM password from the file and posts it to the login API, which returns a JSON payload containing "status":"success" and an authToken for the correct password (and rejects a wrong one with 401):

PW=$(sudo grep '^ROCKETCHAT_ADMIN_PASSWORD=' /root/rocketchat-credentials.txt | cut -d= -f2-)
curl -s -o /dev/null -w 'login=%{http_code}\n' -X POST -H 'Content-Type: application/json' \
  -d "{\"user\":\"admin\",\"password\":\"$PW\"}" \
  http://127.0.0.1:3000/api/v1/login
login=200

Step 9 - Where your data lives

All Rocket.Chat state is in MongoDB, whose data directory is on the dedicated Azure data disk mounted at /var/lib/rocketchat, so it survives image updates and can be snapshotted independently:

df -h /var/lib/rocketchat | tail -1
/dev/sdc         40G  420M   37G   2% /var/lib/rocketchat

Every message, user, setting and uploaded file lives in MongoDB under /var/lib/rocketchat/mongo.

Step 10 - Put TLS in front for production

The image serves plain HTTP on port 80 so you can validate it immediately. Before exposing Rocket.Chat to real users, terminate TLS with your own domain and a certificate. A common approach is to point a DNS record at the VM, add a 443 inbound rule to the NSG, and use Certbot with the nginx plugin to obtain and install a certificate. Then set the admin area's Site URL (Administration -> Settings -> General) to your https:// URL so links and the realtime WebSocket use the correct host. You can also set the ROOT_URL in /etc/rocketchat/rocketchat.env and restart rocketchat.service.

Support

This image is maintained and supported by cloudimg with 24/7 support. Rocket.Chat Community is distributed under the MIT license. For product help, contact cloudimg support listed on the Azure Marketplace listing.