fix(container): update image public.ecr.aws/emqx/emqx ( 5.8.2 → 5.8.8 ) #5430
This PR contains the following updates:
5.8.2 -> 5.8.8
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
emqx/emqx (public.ecr.aws/emqx/emqx)
v5.8.8: EMQX v5.8.8
Compare Source
Enhancements
Deployment
Core MQTT Functionalities
137 (Server Busy) in the CONNACK with Reason-String "THROTTLED", and should retry after the cleanup completes.
137 instead of 133.
Observability
Performance
node.global_gc_interval configuration by default to improve overall performance stability, as it caused CPU fluctuations and higher message latency while providing little benefit over Erlang’s built-in garbage collector.
+zdbbl 32768) to prevent busy_dist_port alarms during intensive Mnesia operations.
+sbwt none +sbwtdcpu none +sbwtdio none) to lower CPU usage reported by the operating system.
+stbt db) to reduce message latency.
Bug Fixes
Deployment
#15580 Added a new emqxLicenseSecretRef variable to the EMQX Enterprise Helm chart. This allows users to specify a Kubernetes Secret containing the EMQX license key, so the license is applied automatically.
This replaces the non-functional emqxLicenseSecretName variable, which created and mounted a secret file but did not pass the license to EMQX.
Clustering
data/certs or data/authz directories.
Security
bad_certificate/invalid_signature error.
Observability
packets.subscribe.auth_error metric was not incremented when subscription authentication failed.
Gateway
unknown:global, causing conflicts between gateways.
ExHook
v5.8.7: EMQX v5.8.7
Compare Source
Bug Fixes
v5.8.6: EMQX v5.8.6
Compare Source
Enhancement
#14869 Added the connected_at timestamp field to the $events/client_disconnected event payload. This enhancement enables tracking the original connection session time for disconnected clients, preventing outdated disconnect events from overriding newer connection states.
Previously, when clients frequently reconnected due to unstable networks, delayed disconnect events could lead to incorrect session tracking. With this update, the connected_at field is now included in the event payload, aligning its behavior with system topics and ensuring accurate session state management.
Bug Fixes
Core MQTT Functionalities
Installation and Deployment
#14797 Fixed macOS release package startup issue due to OpenSSL dynamic linking (backport #14624).
Previously, the EMQX ZIP package on macOS could fail to start because the quicer application dynamically linked to the system-installed OpenSSL, which was not signed during the EMQX build process. Now we have disabled dynamic linking for OpenSSL, aligning with the OTP shipped on macOS. This ensures EMQX starts reliably on macOS 13 and later.
Authentication
REST API
Content-Type header when downloading data backup files. Previously, the response header for downloaded backup files incorrectly used application/json instead of application/octet-stream.
Rule Engine
details key in alarm events. Previously, when testing alarm_activated or alarm_deactivated events in the SQL Rule Tester, certain values in the details key could cause an HTTP 500 error due to improper handling of nested map keys.
Observability
#14800 Throttled warning level log dropped_qos0_msg.
#14793 Added trace log for protocol_error in MQTT connections.
Previously, when a client sent invalid or unexpected MQTT packets causing a protocol_error, EMQX logs provided limited details, making it difficult to diagnose the issue.
For example, if a client sent a second CONNECT packet while already connected, EMQX would log socket_force_closed with protocol_error, but without indicating the exact cause.
With this update, EMQX now logs unexpected_connect_packet with conn_state=connected before socket_force_closed, providing clearer context for debugging protocol violations.
Plugin
#14802 Introduced a new CLI command for plugins:
Breaking Changes
#14802 Starting from this version, plugin installation via the REST API or Dashboard requires explicit permission. Users must obtain this permission using the following CLI command before installing.
This change enhances security by preventing unauthorized plugin installations. Users managing plugins via the API or Dashboard must adjust their workflows accordingly.
v5.8.5: EMQX v5.8.5
Compare Source
Enhancements
Core MQTT Functionalities
#14454 Introduced max_publish_rate option for the retainer. The option controls the maximum allowed rate of publishing retained messages in each node. Any messages published beyond this limit will still be delivered but will not be stored as retained.
This option is useful to limit the load on the configured retained message storage.
#14456 Introduced a simple firewall script, bin/emqx_fw, to protect EMQX listeners from SYN flooding attacks. This feature is available for Linux only.
#14496 Added extra validation for the root_keys parameters in POST /data/export API. Now, invalid root keys will result in an error instead of being silently ignored.
Access Control
#14494 Enhanced MongoDB authorization with support for complex queries.
$orderby operator in selector filter configuration, enabling sorting of query results in authorization checks.
skip and limit options for better pagination and control over query results in MongoDB-based authorization.
#14570 Added support for using placeholders in HTTP Headers for HTTP Authentication and Authorization configurations.
#14665 Added support for client attributes as ACL rule pre-conditions. You can now create ACL rules based on client attributes, allowing more fine-grained control over access.
For example, the following rule allows clients with a "type" attribute set to "internal" to publish or subscribe to all topics:
{allow, {client_attr, "type", "internal"}, all, ["#"]}.
And the rule below denies clients with a "type" attribute prefixed with "external-" from publishing any messages:
{deny, {client_attr, "type", {re, "external-.*"}}, publish, ["#"]}.
Rule Engine
$events/sys/alarm_activated and $events/sys/alarm_deactivated. These are triggered when system alarms are activated and deactivated.
Data Integration
no-local flag to MQTT Source. The no-local flag can now be configured in MQTT Source settings to prevent messages published by a client from being received by that same client.
GET /actions_summary and GET /sources_summary. These new APIs provide a more concise overview of actions and sources, similar to the existing GET /actions and GET /sources APIs, but without returning the full configurations of the entities, making them faster and less resource-intensive.
Observability
emqx_vm_mnesia_tm_mailbox_size and emqx_vm_broker_pool_max_mailbox_size. These gauges track the mailbox sizes of internal EMQX processes that can indicate system overload. Additionally, alarms will be raised when mailbox sizes surpass certain high watermarks.
debug and warning levels, respectively.
MQTT over QUIC
#14583 The QUIC listener now supports dumping TLS secrets to the SSLKEYLOGFILE environment variable, enabling tools like Wireshark to decrypt live or captured QUIC traffic. This allows for decoding MQTT packets within the QUIC traffic.
Example configuration:
EMQX_LISTENERS__QUIC__DEFAULT__SSLKEYLOGFILE=/tmp/EMQX_SSLKEYLOGFILE
Note: This is a hidden configuration intended for troubleshooting purposes only.
#14597 Asynchronous abort stream read during connection termination.
In scenarios where a session is "taken over", "discarded", or "kicked", the previous connection termination process involved a graceful stream shutdown. This could result in blocking delays of up to 3 seconds if the old client was unresponsive.
This issue occurred because graceful shutdown relies on cooperative signaling between both endpoints, ensuring the MQTT.DISCONNECT packet is delivered to the peer before the transport is closed. If the peer was unresponsive, this approach caused unnecessary delays.
With this improvement, the stream is now half-closed during termination. The read (recv) operation is aborted, while the write (send) operation remains open. This adjustment ensures that the MQTT.DISCONNECT packet is still delivered to the peer, properly signaling the shutdown, without unnecessary delays.
Benefits:
Bug Fixes
Core MQTT Functionalities
#14405 Converted 256MB to 268435455 bytes for mqtt.max_packet_size.
EMQX previously allowed setting 256MB for mqtt.max_packet_size config, which is in fact one byte more than what the protocol specification allows. For backward compatibility, mqtt.max_packet_size=256MB is still allowed from configurations but will be silently converted to 268435455.
#14508 Improved the EMQX performance when large numbers of clients reconnect.
#14608 Enforced First-In-First-Out (FIFO) semantics in MQTT session message queue. The MQTT session message queue now strictly follows FIFO semantics when it reaches its capacity. When the queue is full, the oldest message will be dropped first.
#14609 Corrected high memory threshold for overload protection to use sysmon.os.sysmem_high_watermark. The high memory threshold is now properly updated during the boot process or whenever sysmon.os.sysmem_high_watermark is changed. This ensures the memory overload protection threshold is dynamic and reflects changes to the system memory settings.
#14654 Clients can now reconnect successfully even if the maximum session limit has been reached, as long as their previous sessions remain active (i.e., not expired or cleaned up).
#14588 Improved memory usage reporting when EMQX runs in a containerized environment. In containerized environments like Amazon Elastic Kubernetes Service (AWS EKS), the accuracy of memory usage readings can be influenced by factors such as the host kernel version, cgroup version, and how the container management service mounts cgroupfs. This update improves the accuracy of memory usage reporting when EMQX runs in AWS EKS, specifically addressing discrepancies caused by the container environment.
Authentication
Gateway
#14484 Fixed an issue where the Exproto gateway did not support using hostname in the server endpoint.
#14489 Fixed issue where accessing the api/v5/gateways endpoint resulted in a 500 error if the gateway was not enabled on the node in the cluster. Now, such requests return a more appropriate response, preventing crashes and improving the stability of the API in these scenarios.
#14501 Fixed issue where the gateway client query HTTP API always returned a keepalive value of 0. The correct keepalive value is now returned by the HTTP API, and the gateway adheres to the configured idle timeout, properly reflecting the client's heartbeat settings.
#14503 Returns an empty list instead of a 404 error if no listener exists at the gateway. Previously, when accessing the listeners page of a gateway (such as LwM2M) through the API, a 404 error would be returned if no listeners were configured. This fix changes the behavior to return an empty list when no listeners exist.
#14511 Eliminated unnecessary log printing by the Stomp gateway when client authentication fails.
#14653 Fixed stomp gateway keepalive behavior. Previously, the STOMP connection's heartbeat mechanism would fail to keep the connection alive if the heartbeat packet was received slightly after the check timer. This update introduces tolerance for minor delays, ensuring that the connection will stay alive. On average, the connection closure now occurs at approximately 1.5 times the heartbeat interval, providing more reliable keepalive functionality.
Data Integration
#14518 This update ensures that Connectors are now started asynchronously when loading from configuration, whether via CLI or HTTP API. Previously, if a connector hung during startup, it could cause the entire configuration import process to time out.
Additionally, connectors are now started asynchronously when (re)starting a node, resulting in faster boot-up times. This release also fixes a potential issue where a Source could be added to the configuration before its corresponding Connector, ensuring correct initialization order during configuration import.
#14550 Fixed an issue where MQTT clients in the connection pool of an MQTT Connector would fail to reconnect automatically if only a few clients were disconnected. The fix ensures clients are automatically reconnected when disconnected, improving connection reliability.
#14555 Fixed an issue with MQTT Source where shared topics were not properly unsubscribed from when a source was removed or updated.
#14671 Fixed an issue in MQTT Action. Before the fix, messages could fail to be sent or retried due to a rare race condition when the MQTT Connector's connection was closed. This update ensures that TCP connection closures (tcp_closed) and client disconnections are handled as recoverable errors.
#14695 Improved HTTP API error messages when attempting to update a Connector and a validation error occurs.
#14697 Fixed a problem in which, when a Source and an Action shared the same name and used the same connector, one could not delete the Action or Source if there were rule dependencies on the dual Source/Action.
Clustering
#14536 Fixed rare race condition in cluster management operations. Before the fix, the race condition caused certain cluster management operations to hang, making cluster changes impossible until a node restarts. This issue was addressed by tightening the global lock guarding mria:join/1 operations. The stricter locking prevents concurrent joins from interfering with each other.
#14548 Fixed an issue where a node would crash during reboot if a new node joined the cluster while it was down, resulting in a ** FATAL ** Failed to merge schema: {aborted,function_clause} error. This fix ensures that nodes can now restart smoothly without requiring a rejoin to the cluster.
#14662 Fixed an issue where a running replicant node, after rejoining a cluster in which all core nodes had their internal databases wiped, would fail to participate in certain Remote Procedure Call (RPC) call operations.
Administration
Breaking changes
force_shutdown.max_heap_size, which is now set to 128GB. If the max_heap_size was previously set to a value exceeding 128GB, this could lead to issues after upgrading, such as during configuration reloading or updates.
v5.8.4: EMQX v5.8.4
Compare Source
5.8.4
Make sure to check the breaking changes and known issues before upgrading to EMQX 5.8.4.
Enhancements
Core MQTT Functionalities
#13739 Added support for clearing monitor (statistics) data for the whole cluster. You can now send a DELETE request to the api/v5/monitor endpoint to clear all collected monitoring metrics.
#14247 Log the client attribute tns if it exists in the client metadata.
If the client_attrs.tns attribute is present, it will now be included in the log metadata. However, if the client ID is already prefixed with the tns value, it will not be logged again to avoid duplication.
#14353 Improved robustness of session rebalance and evacuation process. Previously, the session evacuation process could enter a dead loop under certain clustering errors.
Rule Engine
is_empty: Return true if the map or array is empty.
map_size: Return the size of a map.
Configuration Files
#14269 Added etc/base.hocon config file. In this release, we introduced a new configuration file, etc/base.hocon, to enhance configuration management and clarity.
Previously, emqx.conf was the only place for manually configured settings. However, because it was the top-most layer of the configuration override hierarchy, it caused some confusion. While mutable (not read-only) configurations set in emqx.conf could be changed through the UI, API, or CLI and take effect immediately, those changes would not persist after a node restart, leading to inconsistent behavior.
To address this, we added etc/base.hocon as a foundational configuration layer. The updated configuration precedence order, from top to bottom, is now as follows:
etc/emqx.conf
data/configs/cluster.hocon
etc/base.hocon
The etc/base.hocon file serves as the base layer for configurations. While configurations in this file can still be modified after the node starts, it ensures consistent behavior and proper configuration overriding.
Observability
#14360 Added listener shutdown counts labeled by shutdown reason to Prometheus metrics, under the emqx_client_disconnected_reason counters. Example output:
Currently, this feature is limited to TCP and TLS listeners only.
Bug Fixes
Core MQTT Functionalities
auto_subscribe configuration loaded via the CLI showed a success message but failed to take effect.
unexpected_info warnings.
REST API
Data Integration
#14318 Fixed an issue with the initialization of the HTTP connector state. This fix resolves crashes related to the function_clause error that could occur when an HTTP action processed incoming traffic while its underlying connector was being restarted. Before this fix, the logs would show cryptic error messages like:
#14319 Refactored the internal state machine for resource management, eliminating several race condition bugs. One example is the HTTP action, which, when handling incoming traffic and experiencing health check flapping, could previously result in errors like the following:
#14362 Refactored the resource manager state machine to prevent race conditions that could lead to inconsistent states.
#14429 Fixed the handling of rule action metrics when the underlying connector is disabled. Previously, the failed counter would increment twice for each message—once under the unknown category and once under out_of_service. With this fix, only the out_of_service counter is incremented, providing more accurate metrics.
Command Line Interface
bin/emqx help command. This fix ensures that the help command now displays the correct usage information. Now, the help command displays the proper details, making it easier for users to understand how to use the command.
Configuration File
undefined or null as the literal strings "undefined" or "null". Now, these values are correctly displayed as empty strings, providing cleaner and more intuitive outputs when variables are not set or have no value.
"${EMQX_LOG_DIR}", ensuring smoother operation without errors.
Observability
#14267 Modified the logging behavior to avoid redacting secrets in logs and HTTP responses when the secret string is a file path (e.g., file:///path/to/the/secret).
Resolve the function_clause error that occurs when retrieving the emqx_license_expiry_at Prometheus value for a perpetual license.
Breaking Changes
client top-level key will now always be an array of JSON objects, rather than a single JSON object. This change may affect how your monitoring tools process the data.
v5.8.3: EMQX v5.8.3
Compare Source
v5.8.3
Make sure to check the breaking changes and known issues before upgrading to EMQX 5.8.3.
Enhancements
Core MQTT Functionalities
#14219 Enhanced Connection Rate Limiter for Improved System Resilience.
Improved system stability and responsiveness under high connection rates: Previously, when the connection rate limit was exceeded, listener acceptors would ignore new connection attempts, potentially resulting in an unrecoverable state if a large number of clients connected or reconnected frequently within a short period. Listeners now accept pending connections but immediately close them if the rate limit is reached. This reduces resource strain and improves system resilience during peak loads.
New listener option nolinger introduced: When set to true, a TCP-RST is sent immediately upon socket closure, helping to mitigate SYN flood attacks and further enhancing connection-handling efficiency.
max_connection configuration for MQTT listeners now capped by system limits: The max_connection value for MQTT listeners is now constrained by the system's limits (e.g., ulimit from the OS and node.process_limit). If configured to infinity or a value greater than the system limit, it will automatically be adjusted to match the system's maximum limit.
SSL listeners' ssl_options now validated before changes: Previously, invalid SSL options (such as unsupported TLS versions) could be accepted, causing client connection failures after a listener reconfiguration. With this update:
400 status code.
Configuration
#14195 Added support for client ID override.
EMQX now provides greater flexibility by allowing custom client ID overrides using the mqtt.clientid_override={Expression} configuration. This introduces a more dynamic approach to client ID management. As part of this update, the use_userid_as_clientid and peer_cert_as_clientid options are deprecated, though they will remain available for compatibility until version 6.0.
MQTT over QUIC
quicer to 0.1.9.
Bug Fixes
Core MQTT Functionalities
check_gc warning from appearing when a WebSocket connection encounters a rate limit.
error: {{case_clause,#{invalid_property_code => 51}},[{cowboy_websocket...}}.
emqtt from version 1.13.0 to 1.13.5. For more details, please refer to the emqtt changelog.
Durable Sessions
$ symbol, in accordance with the MQTT specification.
REST API
Users endpoint was incorrectly listed as supporting Basic Authentication.
Data Integration
#14172 Resolved a potential race condition where testing a connector using the HTTP API could leave lingering resources if the HTTP request timed out.
#14178 Fixed an issue where configuration synchronization could become stuck on a particular node due to simultaneous deletion of rules across different nodes in the cluster.
#14226 Mitigated a scenario where, under high load, a node could lose track of resource metrics (e.g., action/source) and fail to recover without a restart. Now, when restarting a resource or resetting its metrics, the system attempts to recreate the lost metrics.
Additionally, warning logs related to metric failures, such as those for "hot-path" metrics like matched, are now throttled to prevent excessive log flooding. Example of throttled log:
#14265 Fixed an issue where a badkey error would occur when stopping a connector if the MQTT Source action failed to subscribe successfully.
#14296 Prevented ecpool_sup from being blocked by a slow-starting ecpool_worker.
Configuration
#14180 Fixed an issue with variform expressions returning 'undefined' when a variable is bound to the value undefined or null. Now, an empty string is returned instead.
#14289 Resolved a log file path issue when importing configurations from a different environment. The EMQX_LOG_DIR environment variable is set to /opt/emqx/log in Docker but /var/log/emqx/ when installed via RPM/DEB packages. Prior to this fix, log file paths (default file handler and audit handler) are environment-variable interpolated when being exported. This could cause crashes when importing configs into a different environment where the directory didn’t exist.
With this fix, log file paths are no longer environment-variable interpolated during export. Additionally, absolute log directory paths from older versions are now converted back to environment variables if the path doesn’t exist in the new environment.
Extension
client.connect hook was not being triggered for some gateways.
MQTT over QUIC
#14258 Reduced the QUIC connection shutdown timeout. Previously, QUIC connections had a 5-second timeout for graceful shutdown. If the client was unresponsive, EMQX would log warnings like:
or potentially cause a timeout on the Dashboard when attempting to disconnect the client. The timeout has now been reduced to 1 second for "kick" actions and 3 seconds for other scenarios.
Breaking Changes
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
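The v5.8.5 note for #14405 says 256MB is one byte more than the protocol allows for mqtt.max_packet_size. The sketch below is an added example, not part of this PR or of EMQX's code: it implements the MQTT Variable Byte Integer used for the Remaining Length field to show where 268435455 comes from. normalize_max_packet_size is a hypothetical helper that mirrors the conversion the note describes; rejecting larger values is an assumption.

```python
from typing import Tuple

MAX_VBI = 268_435_455          # largest value four Variable Byte Integer bytes can carry
MIB_256 = 256 * 1024 * 1024    # "256MB" as a byte count: 268435456


def encode_vbi(value: int) -> bytes:
    """Encode an integer as an MQTT Variable Byte Integer (7 data bits per byte)."""
    if not 0 <= value <= MAX_VBI:
        raise ValueError(f"{value} does not fit in a 4-byte Variable Byte Integer")
    out = bytearray()
    while True:
        value, digit = divmod(value, 128)
        if value:
            digit |= 0x80          # continuation bit: more bytes follow
        out.append(digit)
        if not value:
            return bytes(out)


def decode_vbi(data: bytes) -> Tuple[int, int]:
    """Decode a VBI from the start of data; return (value, bytes_consumed)."""
    value = 0
    for i, byte in enumerate(data[:4]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, i + 1
    # Either the input ended early or a fifth byte would be required.
    raise ValueError("malformed Variable Byte Integer")


def normalize_max_packet_size(configured: int) -> int:
    """Hypothetical helper: accept 256MB for compatibility, store the legal maximum."""
    if configured == MIB_256:
        return MAX_VBI
    if configured > MIB_256:
        raise ValueError("larger than any MQTT packet can be")  # assumption
    return configured
```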
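The v5.8.6 note for #14869 describes delayed disconnect events overriding newer connection states. The sketch below is an added example, not part of this PR or of EMQX's code: a consumer that uses connected_at to discard stale $events/client_disconnected messages. The clientid field, the $events/client_connected topic and the sample messages are assumptions constructed for the example.

```python
import json
from typing import Dict, Iterable, Tuple

# Constructed sample: c1 reconnects at t=5000, then the disconnect event for
# its first connection (connected_at=1000) arrives late.
SAMPLE_MESSAGES = [
    ("$events/client_connected", '{"clientid": "c1", "connected_at": 1000}'),
    ("$events/client_connected", '{"clientid": "c1", "connected_at": 5000}'),
    ("$events/client_disconnected",
     '{"clientid": "c1", "connected_at": 1000, "reason": "tcp_closed"}'),
]


class SessionTracker:
    """Tracks online state per client, keyed by the newest connected_at seen."""

    def __init__(self) -> None:
        # clientid -> (connected_at of newest known connection, online?)
        self._state: Dict[str, Tuple[int, bool]] = {}

    def on_connected(self, payload: dict) -> bool:
        cid, ts = payload["clientid"], payload["connected_at"]
        known = self._state.get(cid)
        if known is not None and ts <= known[0]:
            return False   # late or duplicate event for an older connection
        self._state[cid] = (ts, True)
        return True

    def on_disconnected(self, payload: dict) -> bool:
        """Apply a disconnect; return False when it is stale and ignored."""
        cid = payload["clientid"]
        known = self._state.get(cid)
        ts = payload.get("connected_at")
        if ts is None:
            # Payload without connected_at (broker older than 5.8.6):
            # staleness cannot be judged, so the event is applied.
            ts = known[0] if known else 0
        if known is not None and ts < known[0]:
            return False   # refers to a connection that was already replaced
        self._state[cid] = (ts, False)
        return True

    def is_online(self, clientid: str) -> bool:
        return self._state.get(clientid, (0, False))[1]


def replay(messages: Iterable[Tuple[str, str]]) -> Tuple[SessionTracker, int]:
    """Feed (topic, json_payload) pairs to a tracker; return it and the ignored count."""
    tracker, ignored = SessionTracker(), 0
    for topic, raw in messages:
        payload = json.loads(raw)
        if topic == "$events/client_connected":
            applied = tracker.on_connected(payload)
        elif topic == "$events/client_disconnected":
            applied = tracker.on_disconnected(payload)
        else:
            continue
        if not applied:
            ignored += 1
    return tracker, ignored
```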