feat(container): update image public.ecr.aws/emqx/emqx to v5.7.1 #368
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.6.1
->5.7.1
Release Notes
emqx/emqx (public.ecr.aws/emqx/emqx)
v5.7.1
: EMQX v5.7.1Compare Source
Enhancements
#12983 Add new rule engine event
$events/client_check_authn_complete
for authentication completion event.#13180 Improved client message handling performance when EMQX is running on Erlang/OTP 26 and increased message throughput by 10% in fan-in mode.
#13191 Upgraded EMQX Docker images to run on Erlang/OTP 26.
EMQX had been running on Erlang/OTP 26 since v5.5 except for docker images which were on Erlang/OTP 25. Now all releases are on Erlang/OTP 26.
#13242 Significantly increased the startup speed of EMQX dashboard listener.
Bug Fixes
#13156 Resolved an issue where the Dashboard Monitoring pages would crash following the update to EMQX v5.7.0.
#13164 Fixed HTTP authorization request body encoding.
Before this fix, the HTTP authorization request body encoding format was taken from the
accept
header. The fix is to respect thecontent-type
header instead. Also addedaccess
templating variable for v4 compatibility. The access code of SUBSCRIBE action is1
and PUBLISH action is2
.#13238 Improved the logged error messages when an HTTP authorization request with an unsupported content-type header is returned.
#13258 Fix an issue where the MQTT-SN gateway would not restart correctly due to incorrect startup order of gateway dependencies.
#13273 Fixed and improved handling of URIs in several configurations. The fix includes the following improvement details:
https://example.com?q=x
were mistakenly rejected. These URIs are now properly recognized as valid.#13276 Fixed an issue in the durable message storage mechanism where parts of the internal storage state were not correctly persisted during the setup of new storage generations. The concept of "generation" is used internally and is crucial for managing message expiration and cleanup. This could have manifested as messages being lost after a restart of EMQX.
#13291 Fixed an issue where durable storage sites that were down being reported as up.
#13290 Fixed an issue where the command
$ bin/emqx ctl rules show rule_0hyd
would produce no output when used to display rules with a data integration action attached.#13293 Improved the restoration process from data backups by automating the re-indexing of imported retained messages. Previously, re-indexing required manual intervention using the
emqx ctl retainer reindex start
CLI command after importing a data backup file.This fix also extended the functionality to allow exporting retained messages to a backup file when the
retainer.backend.storage_type
is configured asram
. Previously, only setups withdisc
as the storage type supported exporting retained messages.#13140 Fixed an issue that caused text traces for the republish action to crash and not display correctly.
#13148 Fixed an issue where a 500 HTTP status code could be returned by
/connectors/:connector-id/start
when there is a timeout waiting for the resource to be connected.#13181 EMQX now forcefully shut down the connector process when attempting to stop a connector, if such operation times out. This fix also improved the clarity of error messages when disabling an action or source fails due to an unresponsive underlying connector.
#13216 Respect
clientid_prefix
config for MQTT bridges. Since EMQX v5.4.1, the MQTT client IDs are restricted to a maximum of 23 bytes. Previously, the system factored theclientid_prefix
into the hash of the original, longer client ID, affecting the final shortened ID. The fix includes the following change details:v5.7.0
: EMQX v5.7.0Compare Source
Enhancements
Security
disconnect_after_expire
option. When enabled, the client will be disconnected after the JWT token expires.Note: This is a breaking change. This option is enabled by default, so the default behavior is changed. Previously, the clients with actual JWTs could connect to the broker and stay connected even after the JWT token expired. Now, the client will be disconnected after the JWT token expires. To preserve the previous behavior, set
disconnect_after_expire
tofalse
.Data Processing and Integration
unescape
function has been added to the rule engine SQL language to handle the expansion of escape sequences in strings. This addition has been done because string literals in the SQL language don't support any escape codes (e.g.,\n
and\t
). This enhancement allows for more flexible string manipulation within SQL expressions.Extensibility
#12872 Implemented Client Attributes feature. It allows setting additional properties for each client using key-value pairs. Property values can be generated from MQTT client connection information (such as username, client ID, TLS certificate) or set from data accompanying successful authentication returns. Properties can be used in EMQX for authentication, authorization, data integration, and MQTT extension functions. Compared to using static properties like client ID directly, client properties offer greater flexibility in various business scenarios, simplifying the development process and enhancing adaptability and efficiency in development work.
Initialization of
client_attrs
The
client_attrs
fields can be initially populated from one of the followingclientinfo
fields:cn
: The common name from the TLS client's certificate.dn
: The distinguished name from the TLS client's certificate, that is, the certificate "Subject".clientid
: The MQTT client ID provided by the client.username
: The username provided by the client.user_property
: Extract a property value from 'User-Property' of the MQTT CONNECT packet.Extension through Authentication Responses
Additional attributes may be merged into
client_attrs
from authentication responses. Supportedauthentication backends include:
client_attrs
field.client_attrs
claim within the JWT.Usage in Authentication and Authorization
If
client_attrs
is initialized before authentication, it can be used in external authenticationrequests. For instance,
${client_attrs.property1}
can be used within request templatesdirected at an HTTP server for authenticity validation.
client_attrs
can be utilized in authorization configurations or request templates, enhancingflexibility and control. Examples include: In
acl.conf
, use{allow, all, all, ["${client_attrs.namespace}/#"]}
to apply permissions based on thenamespace
attribute.${client_attrs.namespace}
can be used within request templates to dynamically include client attributes.#12910 Added plugin configuration management and schema validation. For EMQX enterprise edition, one can also annotate the schema with metadata to facilitate UI rendering in the Dashboard. See more details in the plugin template and plugin documentation.
Operations and Management
#12923 Provided more specific error when importing wrong format into builtin authenticate database.
#12940 Added
ignore_readonly
argument toPUT /configs
API.Before this change, EMQX would return 400 (BAD_REQUEST) if the raw config included read-only root keys (
cluster
,rpc
, andnode
).After this enhancement it can be called as
PUT /configs?ignore_readonly=true
, EMQX will in this case ignore readonly root config keys, and apply the rest. For observability purposes, an info level message is logged if any readonly keys are dropped.Also fixed an exception when config has bad HOCON syntax (returns 500). Now bad syntax will cause the API to return 400 (BAD_REQUEST).
#12957 Started building packages for macOS 14 (Apple Silicon) and Ubuntu 24.04 Noble Numbat (LTS).
Bug Fixes
Security
#12887 Fixed MQTT enhanced auth with sasl scram.
#12962 TLS clients can now verify server hostname against wildcard certificate. For example, if a certificate is issued for host
*.example.com
, TLS clients is able to verify server hostnames likesrv1.example.com
.MQTT
emqx_retainer
application. Previously, client disconnection while receiving retained messages could cause a process leak.Data Processing and Integration
#12653 The rule engine function
bin2hexstr
now supports bitstring inputs with a bit size that is not divisible by 8. Such bitstrings can be returned by the rule engine functionsubbits
.#12657 The rule engine SQL-based language previously did not allow putting any expressions as array elements in array literals (only constants and variable references were allowed). This has now been fixed so that one can use any expressions as array elements.
The following is now permitted, for example:
#12932 Previously, if a HTTP action request received a 503 (Service Unavailable) status, it was marked as a failure and the request was not retried. This has now been fixed so that the request is retried a configurable number of times.
#12948 Fixed an issue where sensitive HTTP header values like
Authorization
would be substituted by******
after updating a connector.#13118 Fix a performance issue in the rule engine template rendering.
Observability
subscribers.count
subscribers.max
contains shared-subscribers. It only contains non-shared subscribers previously.Operations and Management
#12812 Made resource health checks non-blocking operations. This means that operations such as updating or removing a resource won't be blocked by a lengthy running health check.
#12830 Made channel (action/source) health checks non-blocking operations. This means that operations such as updating or removing an action/source data integration won't be blocked by a lengthy running health check.
#12993 Fixed listener config update API when handling an unknown zone.
Before this fix, when a listener config is updated with an unknown zone, for example
{"zone": "unknown"}
, the change would be accepted, causing all clients to crash whens connected.After this fix, updating the listener with an unknown zone name will get a "Bad request" response.
#13012 The MQTT listerners config option
access_rules
has been improved in the following ways:#13041 Improved HTTP authentication error log message. If HTTP content-type header is missing for POST method, it now emits a meaningful error message instead of a less readable exception with stack trace.
#13077 This fix makes EMQX only read action configurations from the global configuration when the connector starts or restarts, and instead stores the latest configurations for the actions in the connector. Previously, updates to action configurations would sometimes not take effect without disabling and enabling the action. This means that an action could sometimes run with the old (previous) configuration even though it would look like the action configuration has been updated successfully.
#13090 Attempting to start an action or source whose connector is disabled will no longer attempt to start the connector itself.
Gateways
#12909 Fixed UDP listener process handling on errors or closure, The fix ensures the UDP listener is cleanly stopped and restarted as needed if these error conditions occur.
#13001 Fixed an issue where the syskeeper forwarder would never reconnect when the connection was lost.
#13010 Fixed the issue where the JT/T 808 gateway could not correctly reply to the REGISTER_ACK message when requesting authentication from the registration service failed.
Breaking Changes
#12947 For JWT authentication, a new boolean option
disconnect_after_expire
has been added with default value set totrue
. When enabled, the client will be disconnected after the JWT token expires.Previously, the clients with actual JWTs could connect to the broker and stay connected even after the JWT token expired. Now, the client will be disconnected after the JWT token expires. To preserve the previous behavior, set
disconnect_after_expire
tofalse
.#12957 Stopped building packages for macOS 12.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.