From c6fe7a330829d5214eca17c33572bcbba1ffd70e Mon Sep 17 00:00:00 2001 From: Volodymyr Vorobiov Date: Wed, 17 Mar 2021 14:58:45 +0200 Subject: [MTX-3843] mPower R. Apr 2021: GP-1039 Security - MQTT - Config for TLS Update mosquitto to v 1.6.14 --- .../mosquitto/mosquitto-mlinux/mosquitto.conf | 988 +++++++++++++++++++++ .../mosquitto/mosquitto-mlinux/mosquitto.default | 2 + .../mosquitto/mosquitto-mlinux/mosquitto.init | 96 ++ .../mosquitto-mlinux/mosquitto.logrotate.conf | 7 + .../mosquitto/mosquitto/1571.patch | 22 + .../mosquitto/mosquitto/install-protocol.patch | 14 + .../mosquitto/mosquitto/mosquitto.conf | 988 --------------------- .../mosquitto/mosquitto/mosquitto.default | 2 - .../mosquitto/mosquitto/mosquitto.init | 7 - .../mosquitto/mosquitto/mosquitto.logrotate.conf | 7 - .../mosquitto/mosquitto_1.6.10.bbappend | 36 - recipes-connectivity/mosquitto/mosquitto_1.6.14.bb | 87 ++ .../mosquitto/mosquitto_1.6.14.bbappend | 36 + 13 files changed, 1252 insertions(+), 1040 deletions(-) create mode 100644 recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.conf create mode 100644 recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.default create mode 100755 recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.init create mode 100644 recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.logrotate.conf create mode 100644 recipes-connectivity/mosquitto/mosquitto/1571.patch create mode 100644 recipes-connectivity/mosquitto/mosquitto/install-protocol.patch delete mode 100644 recipes-connectivity/mosquitto/mosquitto/mosquitto.conf delete mode 100644 recipes-connectivity/mosquitto/mosquitto/mosquitto.default mode change 100755 => 100644 recipes-connectivity/mosquitto/mosquitto/mosquitto.init delete mode 100644 recipes-connectivity/mosquitto/mosquitto/mosquitto.logrotate.conf delete mode 100644 recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend create mode 100644 recipes-connectivity/mosquitto/mosquitto_1.6.14.bb create mode 100644 recipes-connectivity/mosquitto/mosquitto_1.6.14.bbappend (limited to 'recipes-connectivity') diff --git a/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.conf b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.conf new file mode 100644 index 0000000..6b861d6 --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.conf @@ -0,0 +1,988 @@ +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous +# auto_id_prefix allow_zero_length_clientid +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# +# and foo/+/baz , then MQTT expects that when the broker receives a message on +# a topic that matches both subscriptions, such as foo/bar/baz, then the client +# should only receive the message once. +# Mosquitto keeps track of which clients a message has been sent to in order to +# meet this requirement. The allow_duplicate_messages option allows this +# behaviour to be disabled, which may be useful if you have a large number of +# clients subscribed to the same set of topics and are very concerned about +# minimising memory usage. +# It can be safely set to true if you know in advance that your clients will +# never have overlapping subscriptions, otherwise your clients must be able to +# correctly deal with duplicate messages even when then have QoS=2. +#allow_duplicate_messages false + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The maximum value +# allowable is 65535. Do not set below 10. +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 100. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 100 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows persistent clients (those with clean session set to false) +# to be removed if they do not reconnect within a certain time frame. +# +# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that will never +# reconnect. This option allows these clients to be removed. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should +# be started by the user you wish it to run as. +user root + +# ================================================================= +# Default listener +# ================================================================= + +# IP address/hostname to bind the default listener to. If not +# given, the default listener will not be bound to a specific +# address and so will be accessible to all network interfaces. +# bind_address ip-address/host name +bind_address 127.0.0.1 + +# Port to use for the default listener. +port 1883 + +# Bind the listener to a specific interface. This is similar to +# bind_address above but is useful when an interface has multiple addresses or +# the address may change. It is valid to use this with the bind_address option, +# but take care that the interface you are binding to contains the address you +# are binding to, otherwise you will not be able to connect. +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Websockets support is currently disabled by default at compile time. +# Certificate based TLS may be used with websockets, except that +# only the cafile, certfile, keyfile and ciphers options are supported. +protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +#use_username_as_clientid + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS +# is 8883, but this must be set manually. +# +# See also the mosquitto-tls man page. + +# At least one of cafile or capath must be defined. They both +# define methods of accessing the PEM encoded Certificate +# Authority certificates that have signed your server certificate +# and that you wish to trust. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be obtained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. +# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH +#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default a TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# This option defines the version of the TLS protocol to use for this listener. +# The default value allows all of v1.3, v1.2 and v1.1. The valid values are +# tlsv1.3 tlsv1.2 and tlsv1.1. +#tls_version + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +# This takes priority over use_subject_as_username. +# See also use_subject_as_username. +#use_identity_as_username false + +# If require_certificate is true, you may set use_subject_as_username to true +# to use the complete subject value from the client certificate as a username. +# If this is true, the password_file option will not be used for this listener. +# See also use_identity_as_username +#use_subject_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be obtained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Extra listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# listener port-number [ip address/host name] +#listener + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. It is +# valid to use this with the [ip address/host name] part of the listener +# definition, but take care that the interface you are binding to contains the +# address you are binding to, otherwise you will not be able to connect. +# Only available on Linux and requires elevated privileges. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile and ciphers options are supported. +protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# At least one of cafile or capath must be defined to enable certificate based +# TLS encryption. They both define methods of accessing the PEM encoded +# Certificate Authority certificates that have signed your server certificate +# and that you wish to trust. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. +#ciphers + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. Must include trailing / +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +log_dest file /var/log/mosquitto.log + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +log_type error +log_type warning +log_type notice +log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to true if no other security options are set. If `password_file` or +# `psk_file` is set, or if an authentication plugin is loaded which implements +# username/password or TLS-PSK checks, then `allow_anonymous` defaults to +# false. +# +#allow_anonymous true + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If an auth_plugin is used as well as +# password_file, the auth_plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an auth_plugin is used as well, the auth_plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite] +# +# The access type is controlled using "read", "write" or "readwrite". This +# parameter is optional (unless contains a space character) - if not +# given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an auth_plugin is used as well as acl_file, the auth_plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# auth_plugin option. This is a path to a loadable plugin. See also the +# auth_opt_* options described below. +# +# The auth_plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the auth_plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +#auth_plugin + +# If the auth_plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format auth_opt_* will be passed to the plugin, for example: +# +# auth_opt_db_host +# auth_opt_db_port +# auth_opt_db_username +# auth_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv311 or mqttv11. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir diff --git a/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.default b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.default new file mode 100644 index 0000000..be7dcd5 --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.default @@ -0,0 +1,2 @@ +# set to "yes" or "no" to control starting on boot +ENABLED="yes" diff --git a/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.init b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.init new file mode 100755 index 0000000..21bffe6 --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.init @@ -0,0 +1,96 @@ +#! /bin/sh + +# Based on the Debian initscript for mosquitto + +### BEGIN INIT INFO +# Provides: mosquitto +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: mosquitto MQTT message broker +# Description: +# This is a message broker that supports version 3.1/3.1.1 of the MQ Telemetry +# Transport (MQTT) protocol. +# +# MQTT provides a method of carrying out messaging using a publish/subscribe +# model. It is lightweight, both in terms of bandwidth usage and ease of +# implementation. This makes it particularly useful at the edge of the network +# where a sensor or other simple device may be implemented using an arduino for +# example. +### END INIT INFO + +## mlinux +ENABLED="yes" + +[ -f /etc/default/mosquitto ] && . /etc/default/mosquitto +[ "$ENABLED" = "yes" ] || exit +## mlinux + +set -e + +PIDFILE=@LOCALSTATEDIR@/run/mosquitto.pid +DAEMON=@SBINDIR@/mosquitto + +# start and stop the mosquitto MQTT message broker + +test -x ${DAEMON} || exit 0 + +umask 022 + +. @SYSCONFDIR@/init.d/functions + +export PATH="${PATH:+$PATH:}@SBINDIR@:@BASE_SBINDIR@" + +case "$1" in + start) + echo "Starting Mosquitto message broker" "mosquitto" + if start-stop-daemon --start --quiet --oknodo --background --make-pidfile --pidfile ${PIDFILE} --exec ${DAEMON} -- -c @SYSCONFDIR@/mosquitto/mosquitto.conf ; then + exit 0 + else + exit 1 + fi + ;; + stop) + echo "Stopping Mosquitto message broker" "mosquitto" + if start-stop-daemon --stop --quiet --oknodo --pidfile ${PIDFILE}; then + rm -f ${PIDFILE} + exit 0 + else + exit 1 + fi + ;; + + + reload|force-reload) + if [ -f ${PIDFILE} ] ; then + echo "Reloading configuration for mosquitto" + pid=`cat ${PIDFILE}` + kill -HUP $pid + else + echo "mosquitto does not seem to be running" + fi + ;; + + restart) + echo "Restarting Mosquitto message broker" "mosquitto" + if start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile ${PIDFILE}; then + rm -f ${PIDFILE} + fi + if start-stop-daemon --start --quiet --oknodo --background --make-pidfile --pidfile ${PIDFILE} --exec ${DAEMON} -- -c @SYSCONFDIR@/mosquitto/mosquitto.conf ; then + exit 0 + else + exit 1 + fi + ;; + + status) + status ${DAEMON} && exit 0 || exit $? + ;; + + *) + echo "Usage: $0 {start|stop|reload|force-reload|restart|status}" + exit 1 +esac + +exit 0 diff --git a/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.logrotate.conf b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.logrotate.conf new file mode 100644 index 0000000..5f4779b --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto-mlinux/mosquitto.logrotate.conf @@ -0,0 +1,7 @@ +/var/log/mosquitto.log { + size 512k + rotate 4 + compress + copytruncate + missingok +} diff --git a/recipes-connectivity/mosquitto/mosquitto/1571.patch b/recipes-connectivity/mosquitto/mosquitto/1571.patch new file mode 100644 index 0000000..93ff6bc --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto/1571.patch @@ -0,0 +1,22 @@ +Upstream-Status: Submitted [https://github.com/eclipse/mosquitto/pull/1571] +From 3fe5468f1bdca1bff1d18cf43c9e338f41aa9e32 Mon Sep 17 00:00:00 2001 +From: Gianfranco Costamagna +Date: Wed, 22 Jan 2020 12:39:49 +0100 +Subject: [PATCH] Add dynamic symbols linking with cmake too + +Signed-off-by: Gianfranco Costamagna +--- + lib/CMakeLists.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -89,6 +89,8 @@ + OUTPUT_NAME mosquitto + VERSION ${VERSION} + SOVERSION 1 ++ LINK_DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/linker.version ++ LINK_FLAGS "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/linker.version" + ) + + install(TARGETS libmosquitto RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}") diff --git a/recipes-connectivity/mosquitto/mosquitto/install-protocol.patch b/recipes-connectivity/mosquitto/mosquitto/install-protocol.patch new file mode 100644 index 0000000..1397fc6 --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto/install-protocol.patch @@ -0,0 +1,14 @@ +Description: Also install mqtt_protocol.h, as is done in Makefile +Author: Gianfranco Costamagna +Bug-Debian: https://bugs.debian.org/951116 +Forwarded: https://github.com/eclipse/mosquitto/pull/1599 +Last-Update: 2020-02-15 + +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -114,4 +114,4 @@ + install(TARGETS libmosquitto_static ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}") + endif (WITH_STATIC_LIBRARIES) + +-install(FILES mosquitto.h DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}") ++install(FILES mqtt_protocol.h mosquitto.h DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}") diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf b/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf deleted file mode 100644 index 6b861d6..0000000 --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf +++ /dev/null @@ -1,988 +0,0 @@ -# Config file for mosquitto -# -# See mosquitto.conf(5) for more information. -# -# Default values are shown, uncomment to change. -# -# Use the # character to indicate a comment, but only if it is the -# very first character on the line. - -# ================================================================= -# General configuration -# ================================================================= - -# Use per listener security settings. -# -# It is recommended this option be set before any other options. -# -# If this option is set to true, then all authentication and access control -# options are controlled on a per listener basis. The following options are -# affected: -# -# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous -# auto_id_prefix allow_zero_length_clientid -# -# Note that if set to true, then a durable client (i.e. with clean session set -# to false) that has disconnected will use the ACL settings defined for the -# listener that it was most recently connected to. -# -# The default behaviour is for this to be set to false, which maintains the -# setting behaviour from previous versions of mosquitto. -#per_listener_settings false - - -# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# -# and foo/+/baz , then MQTT expects that when the broker receives a message on -# a topic that matches both subscriptions, such as foo/bar/baz, then the client -# should only receive the message once. -# Mosquitto keeps track of which clients a message has been sent to in order to -# meet this requirement. The allow_duplicate_messages option allows this -# behaviour to be disabled, which may be useful if you have a large number of -# clients subscribed to the same set of topics and are very concerned about -# minimising memory usage. -# It can be safely set to true if you know in advance that your clients will -# never have overlapping subscriptions, otherwise your clients must be able to -# correctly deal with duplicate messages even when then have QoS=2. -#allow_duplicate_messages false - -# This option controls whether a client is allowed to connect with a zero -# length client id or not. This option only affects clients using MQTT v3.1.1 -# and later. If set to false, clients connecting with a zero length client id -# are disconnected. If set to true, clients will be allocated a client id by -# the broker. This means it is only useful for clients with clean session set -# to true. -#allow_zero_length_clientid true - -# If allow_zero_length_clientid is true, this option allows you to set a prefix -# to automatically generated client ids to aid visibility in logs. -# Defaults to 'auto-' -#auto_id_prefix auto- - -# This option affects the scenario when a client subscribes to a topic that has -# retained messages. It is possible that the client that published the retained -# message to the topic had access at the time they published, but that access -# has been subsequently removed. If check_retain_source is set to true, the -# default, the source of a retained message will be checked for access rights -# before it is republished. When set to false, no check will be made and the -# retained message will always be published. This affects all listeners. -#check_retain_source true - -# QoS 1 and 2 messages will be allowed inflight per client until this limit -# is exceeded. Defaults to 0. (No maximum) -# See also max_inflight_messages -#max_inflight_bytes 0 - -# The maximum number of QoS 1 and 2 messages currently inflight per -# client. -# This includes messages that are partway through handshakes and -# those that are being retried. Defaults to 20. Set to 0 for no -# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 -# and 2 messages. -#max_inflight_messages 20 - -# For MQTT v5 clients, it is possible to have the server send a "server -# keepalive" value that will override the keepalive value set by the client. -# This is intended to be used as a mechanism to say that the server will -# disconnect the client earlier than it anticipated, and that the client should -# use the new keepalive value. The max_keepalive option allows you to specify -# that clients may only connect with keepalive less than or equal to this -# value, otherwise they will be sent a server keepalive telling them to use -# max_keepalive. This only applies to MQTT v5 clients. The maximum value -# allowable is 65535. Do not set below 10. -#max_keepalive 65535 - -# For MQTT v5 clients, it is possible to have the server send a "maximum packet -# size" value that will instruct the client it will not accept MQTT packets -# with size greater than max_packet_size bytes. This applies to the full MQTT -# packet, not just the payload. Setting this option to a positive value will -# set the maximum packet size to that number of bytes. If a client sends a -# packet which is larger than this value, it will be disconnected. This applies -# to all clients regardless of the protocol version they are using, but v3.1.1 -# and earlier clients will of course not have received the maximum packet size -# information. Defaults to no limit. Setting below 20 bytes is forbidden -# because it is likely to interfere with ordinary client operation, even with -# very small payloads. -#max_packet_size 0 - -# QoS 1 and 2 messages above those currently in-flight will be queued per -# client until this limit is exceeded. Defaults to 0. (No maximum) -# See also max_queued_messages. -# If both max_queued_messages and max_queued_bytes are specified, packets will -# be queued until the first limit is reached. -#max_queued_bytes 0 - -# The maximum number of QoS 1 and 2 messages to hold in a queue per client -# above those that are currently in-flight. Defaults to 100. Set -# to 0 for no maximum (not recommended). -# See also queue_qos0_messages. -# See also max_queued_bytes. -#max_queued_messages 100 -# -# This option sets the maximum number of heap memory bytes that the broker will -# allocate, and hence sets a hard limit on memory use by the broker. Memory -# requests that exceed this value will be denied. The effect will vary -# depending on what has been denied. If an incoming message is being processed, -# then the message will be dropped and the publishing client will be -# disconnected. If an outgoing message is being sent, then the individual -# message will be dropped and the receiving client will be disconnected. -# Defaults to no limit. -#memory_limit 0 - -# This option sets the maximum publish payload size that the broker will allow. -# Received messages that exceed this size will not be accepted by the broker. -# The default value is 0, which means that all valid MQTT messages are -# accepted. MQTT imposes a maximum payload size of 268435455 bytes. -#message_size_limit 0 - -# This option allows persistent clients (those with clean session set to false) -# to be removed if they do not reconnect within a certain time frame. -# -# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. -# -# Badly designed clients may set clean session to false whilst using a randomly -# generated client id. This leads to persistent clients that will never -# reconnect. This option allows these clients to be removed. -# -# The expiration period should be an integer followed by one of h d w m y for -# hour, day, week, month and year respectively. For example -# -# persistent_client_expiration 2m -# persistent_client_expiration 14d -# persistent_client_expiration 1y -# -# The default if not set is to never expire persistent clients. -#persistent_client_expiration - -# Write process id to a file. Default is a blank string which means -# a pid file shouldn't be written. -# This should be set to /var/run/mosquitto.pid if mosquitto is -# being run automatically on boot with an init script and -# start-stop-daemon or similar. -#pid_file - -# Set to true to queue messages with QoS 0 when a persistent client is -# disconnected. These messages are included in the limit imposed by -# max_queued_messages and max_queued_bytes -# Defaults to false. -# This is a non-standard option for the MQTT v3.1 spec but is allowed in -# v3.1.1. -#queue_qos0_messages false - -# Set to false to disable retained message support. If a client publishes a -# message with the retain bit set, it will be disconnected if this is set to -# false. -#retain_available true - -# Disable Nagle's algorithm on client sockets. This has the effect of reducing -# latency of individual messages at the potential cost of increasing the number -# of packets being sent. -#set_tcp_nodelay false - -# Time in seconds between updates of the $SYS tree. -# Set to 0 to disable the publishing of the $SYS tree. -#sys_interval 10 - -# The MQTT specification requires that the QoS of a message delivered to a -# subscriber is never upgraded to match the QoS of the subscription. Enabling -# this option changes this behaviour. If upgrade_outgoing_qos is set true, -# messages sent to a subscriber will always match the QoS of its subscription. -# This is a non-standard option explicitly disallowed by the spec. -#upgrade_outgoing_qos false - -# When run as root, drop privileges to this user and its primary -# group. -# Set to root to stay as root, but this is not recommended. -# If run as a non-root user, this setting has no effect. -# Note that on Windows this has no effect and so mosquitto should -# be started by the user you wish it to run as. -user root - -# ================================================================= -# Default listener -# ================================================================= - -# IP address/hostname to bind the default listener to. If not -# given, the default listener will not be bound to a specific -# address and so will be accessible to all network interfaces. -# bind_address ip-address/host name -bind_address 127.0.0.1 - -# Port to use for the default listener. -port 1883 - -# Bind the listener to a specific interface. This is similar to -# bind_address above but is useful when an interface has multiple addresses or -# the address may change. It is valid to use this with the bind_address option, -# but take care that the interface you are binding to contains the address you -# are binding to, otherwise you will not be able to connect. -# Example: bind_interface eth0 -#bind_interface - -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - -# The maximum number of client connections to allow. This is -# a per listener setting. -# Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of -# connections possible is around 1024. -#max_connections -1 - -# Choose the protocol to use when listening. -# This can be either mqtt or websockets. -# Websockets support is currently disabled by default at compile time. -# Certificate based TLS may be used with websockets, except that -# only the cafile, certfile, keyfile and ciphers options are supported. -protocol mqtt - -# Set use_username_as_clientid to true to replace the clientid that a client -# connected with with its username. This allows authentication to be tied to -# the clientid, which means that it is possible to prevent one client -# disconnecting another by using the same clientid. -# If a client connects with no username it will be disconnected as not -# authorised when this option is set to true. -# Do not use in conjunction with clientid_prefixes. -# See also use_identity_as_username. -#use_username_as_clientid - -# ----------------------------------------------------------------- -# Certificate based SSL/TLS support -# ----------------------------------------------------------------- -# The following options can be used to enable SSL/TLS support for -# this listener. Note that the recommended port for MQTT over TLS -# is 8883, but this must be set manually. -# -# See also the mosquitto-tls man page. - -# At least one of cafile or capath must be defined. They both -# define methods of accessing the PEM encoded Certificate -# Authority certificates that have signed your server certificate -# and that you wish to trust. -# cafile defines the path to a file containing the CA certificates. -# capath defines a directory that will be searched for files -# containing the CA certificates. For capath to work correctly, the -# certificate files must have ".crt" as the file ending and you must run -# "openssl rehash " each time you add/remove a certificate. -#cafile -#capath - -# Path to the PEM encoded server certificate. -#certfile - -# Path to the PEM encoded keyfile. -#keyfile - - -# If you have require_certificate set to true, you can create a certificate -# revocation list file to revoke access to particular client certificates. If -# you have done this, use crlfile to point to the PEM encoded revocation file. -#crlfile - -# If you wish to control which encryption ciphers are used, use the ciphers -# option. The list of available ciphers can be obtained using the "openssl -# ciphers" command and should be provided in the same format as the output of -# that command. -# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH -#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH - -# To allow the use of ephemeral DH key exchange, which provides forward -# security, the listener must load DH parameters. This can be specified with -# the dhparamfile option. The dhparamfile can be generated with the command -# e.g. "openssl dhparam -out dhparam.pem 2048" -#dhparamfile - -# By default a TLS enabled listener will operate in a similar fashion to a -# https enabled web server, in that the server has a certificate signed by a CA -# and the client will verify that it is a trusted certificate. The overall aim -# is encryption of the network traffic. By setting require_certificate to true, -# the client must provide a valid certificate in order for the network -# connection to proceed. This allows access to the broker to be controlled -# outside of the mechanisms provided by MQTT. -#require_certificate false - -# This option defines the version of the TLS protocol to use for this listener. -# The default value allows all of v1.3, v1.2 and v1.1. The valid values are -# tlsv1.3 tlsv1.2 and tlsv1.1. -#tls_version - -# If require_certificate is true, you may set use_identity_as_username to true -# to use the CN value from the client certificate as a username. If this is -# true, the password_file option will not be used for this listener. -# This takes priority over use_subject_as_username. -# See also use_subject_as_username. -#use_identity_as_username false - -# If require_certificate is true, you may set use_subject_as_username to true -# to use the complete subject value from the client certificate as a username. -# If this is true, the password_file option will not be used for this listener. -# See also use_identity_as_username -#use_subject_as_username false - -# ----------------------------------------------------------------- -# Pre-shared-key based SSL/TLS support -# ----------------------------------------------------------------- -# The following options can be used to enable PSK based SSL/TLS support for -# this listener. Note that the recommended port for MQTT over TLS is 8883, but -# this must be set manually. -# -# See also the mosquitto-tls man page and the "Certificate based SSL/TLS -# support" section. Only one of certificate or PSK encryption support can be -# enabled for any listener. - -# The psk_hint option enables pre-shared-key support for this listener and also -# acts as an identifier for this listener. The hint is sent to clients and may -# be used locally to aid authentication. The hint is a free form string that -# doesn't have much meaning in itself, so feel free to be creative. -# If this option is provided, see psk_file to define the pre-shared keys to be -# used or create a security plugin to handle them. -#psk_hint - -# When using PSK, the encryption ciphers used will be chosen from the list of -# available PSK ciphers. If you want to control which ciphers are available, -# use the "ciphers" option. The list of available ciphers can be obtained -# using the "openssl ciphers" command and should be provided in the same format -# as the output of that command. -#ciphers - -# Set use_identity_as_username to have the psk identity sent by the client used -# as its username. Authentication will be carried out using the PSK rather than -# the MQTT username/password and so password_file will not be used for this -# listener. -#use_identity_as_username false - - -# ================================================================= -# Extra listeners -# ================================================================= - -# Listen on a port/ip address combination. By using this variable -# multiple times, mosquitto can listen on more than one port. If -# this variable is used and neither bind_address nor port given, -# then the default listener will not be started. -# The port number to listen on must be given. Optionally, an ip -# address or host name may be supplied as a second argument. In -# this case, mosquitto will attempt to bind the listener to that -# address and so restrict access to the associated network and -# interface. By default, mosquitto will listen on all interfaces. -# Note that for a websockets listener it is not possible to bind to a host -# name. -# listener port-number [ip address/host name] -#listener - -# Bind the listener to a specific interface. This is similar to -# the [ip address/host name] part of the listener definition, but is useful -# when an interface has multiple addresses or the address may change. It is -# valid to use this with the [ip address/host name] part of the listener -# definition, but take care that the interface you are binding to contains the -# address you are binding to, otherwise you will not be able to connect. -# Only available on Linux and requires elevated privileges. -# -# Example: bind_interface eth0 -#bind_interface - -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - -# The maximum number of client connections to allow. This is -# a per listener setting. -# Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of -# connections possible is around 1024. -#max_connections -1 - -# The listener can be restricted to operating within a topic hierarchy using -# the mount_point option. This is achieved be prefixing the mount_point string -# to all topics for any clients connected to this listener. This prefixing only -# happens internally to the broker; the client will not see the prefix. -#mount_point - -# Choose the protocol to use when listening. -# This can be either mqtt or websockets. -# Certificate based TLS may be used with websockets, except that only the -# cafile, certfile, keyfile and ciphers options are supported. -protocol mqtt - -# Set use_username_as_clientid to true to replace the clientid that a client -# connected with with its username. This allows authentication to be tied to -# the clientid, which means that it is possible to prevent one client -# disconnecting another by using the same clientid. -# If a client connects with no username it will be disconnected as not -# authorised when this option is set to true. -# Do not use in conjunction with clientid_prefixes. -# See also use_identity_as_username. -#use_username_as_clientid - -# Change the websockets headers size. This is a global option, it is not -# possible to set per listener. This option sets the size of the buffer used in -# the libwebsockets library when reading HTTP headers. If you are passing large -# header data such as cookies then you may need to increase this value. If left -# unset, or set to 0, then the default of 1024 bytes will be used. -#websockets_headers_size - -# ----------------------------------------------------------------- -# Certificate based SSL/TLS support -# ----------------------------------------------------------------- -# The following options can be used to enable certificate based SSL/TLS support -# for this listener. Note that the recommended port for MQTT over TLS is 8883, -# but this must be set manually. -# -# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS -# support" section. Only one of certificate or PSK encryption support can be -# enabled for any listener. - -# At least one of cafile or capath must be defined to enable certificate based -# TLS encryption. They both define methods of accessing the PEM encoded -# Certificate Authority certificates that have signed your server certificate -# and that you wish to trust. -# cafile defines the path to a file containing the CA certificates. -# capath defines a directory that will be searched for files -# containing the CA certificates. For capath to work correctly, the -# certificate files must have ".crt" as the file ending and you must run -# "openssl rehash " each time you add/remove a certificate. -#cafile -#capath - -# Path to the PEM encoded server certificate. -#certfile - -# Path to the PEM encoded keyfile. -#keyfile - - -# If you wish to control which encryption ciphers are used, use the ciphers -# option. The list of available ciphers can be optained using the "openssl -# ciphers" command and should be provided in the same format as the output of -# that command. -#ciphers - -# If you have require_certificate set to true, you can create a certificate -# revocation list file to revoke access to particular client certificates. If -# you have done this, use crlfile to point to the PEM encoded revocation file. -#crlfile - -# To allow the use of ephemeral DH key exchange, which provides forward -# security, the listener must load DH parameters. This can be specified with -# the dhparamfile option. The dhparamfile can be generated with the command -# e.g. "openssl dhparam -out dhparam.pem 2048" -#dhparamfile - -# By default an TLS enabled listener will operate in a similar fashion to a -# https enabled web server, in that the server has a certificate signed by a CA -# and the client will verify that it is a trusted certificate. The overall aim -# is encryption of the network traffic. By setting require_certificate to true, -# the client must provide a valid certificate in order for the network -# connection to proceed. This allows access to the broker to be controlled -# outside of the mechanisms provided by MQTT. -#require_certificate false - -# If require_certificate is true, you may set use_identity_as_username to true -# to use the CN value from the client certificate as a username. If this is -# true, the password_file option will not be used for this listener. -#use_identity_as_username false - -# ----------------------------------------------------------------- -# Pre-shared-key based SSL/TLS support -# ----------------------------------------------------------------- -# The following options can be used to enable PSK based SSL/TLS support for -# this listener. Note that the recommended port for MQTT over TLS is 8883, but -# this must be set manually. -# -# See also the mosquitto-tls man page and the "Certificate based SSL/TLS -# support" section. Only one of certificate or PSK encryption support can be -# enabled for any listener. - -# The psk_hint option enables pre-shared-key support for this listener and also -# acts as an identifier for this listener. The hint is sent to clients and may -# be used locally to aid authentication. The hint is a free form string that -# doesn't have much meaning in itself, so feel free to be creative. -# If this option is provided, see psk_file to define the pre-shared keys to be -# used or create a security plugin to handle them. -#psk_hint - -# When using PSK, the encryption ciphers used will be chosen from the list of -# available PSK ciphers. If you want to control which ciphers are available, -# use the "ciphers" option. The list of available ciphers can be optained -# using the "openssl ciphers" command and should be provided in the same format -# as the output of that command. -#ciphers - -# Set use_identity_as_username to have the psk identity sent by the client used -# as its username. Authentication will be carried out using the PSK rather than -# the MQTT username/password and so password_file will not be used for this -# listener. -#use_identity_as_username false - - -# ================================================================= -# Persistence -# ================================================================= - -# If persistence is enabled, save the in-memory database to disk -# every autosave_interval seconds. If set to 0, the persistence -# database will only be written when mosquitto exits. See also -# autosave_on_changes. -# Note that writing of the persistence database can be forced by -# sending mosquitto a SIGUSR1 signal. -#autosave_interval 1800 - -# If true, mosquitto will count the number of subscription changes, retained -# messages received and queued messages and if the total exceeds -# autosave_interval then the in-memory database will be saved to disk. -# If false, mosquitto will save the in-memory database to disk by treating -# autosave_interval as a time in seconds. -#autosave_on_changes false - -# Save persistent message data to disk (true/false). -# This saves information about all messages, including -# subscriptions, currently in-flight messages and retained -# messages. -# retained_persistence is a synonym for this option. -#persistence false - -# The filename to use for the persistent database, not including -# the path. -#persistence_file mosquitto.db - -# Location for persistent database. Must include trailing / -# Default is an empty string (current directory). -# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or -# similar. -#persistence_location - - -# ================================================================= -# Logging -# ================================================================= - -# Places to log to. Use multiple log_dest lines for multiple -# logging destinations. -# Possible destinations are: stdout stderr syslog topic file -# -# stdout and stderr log to the console on the named output. -# -# syslog uses the userspace syslog facility which usually ends up -# in /var/log/messages or similar. -# -# topic logs to the broker topic '$SYS/broker/log/', -# where severity is one of D, E, W, N, I, M which are debug, error, -# warning, notice, information and message. Message type severity is used by -# the subscribe/unsubscribe log_types and publishes log messages to -# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. -# -# The file destination requires an additional parameter which is the file to be -# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be -# closed and reopened when the broker receives a HUP signal. Only a single file -# destination may be configured. -# -# Note that if the broker is running as a Windows service it will default to -# "log_dest none" and neither stdout nor stderr logging is available. -# Use "log_dest none" if you wish to disable logging. -log_dest file /var/log/mosquitto.log - -# Types of messages to log. Use multiple log_type lines for logging -# multiple types of messages. -# Possible types are: debug, error, warning, notice, information, -# none, subscribe, unsubscribe, websockets, all. -# Note that debug type messages are for decoding the incoming/outgoing -# network packets. They are not logged in "topics". -log_type error -log_type warning -log_type notice -log_type information - - -# If set to true, client connection and disconnection messages will be included -# in the log. -connection_messages true - -# If using syslog logging (not on Windows), messages will be logged to the -# "daemon" facility by default. Use the log_facility option to choose which of -# local0 to local7 to log to instead. The option value should be an integer -# value, e.g. "log_facility 5" to use local5. -#log_facility - -# If set to true, add a timestamp value to each log message. -log_timestamp true - -# Set the format of the log timestamp. If left unset, this is the number of -# seconds since the Unix epoch. -# This is a free text string which will be passed to the strftime function. To -# get an ISO 8601 datetime, for example: -# log_timestamp_format %Y-%m-%dT%H:%M:%S -#log_timestamp_format - -# Change the websockets logging level. This is a global option, it is not -# possible to set per listener. This is an integer that is interpreted by -# libwebsockets as a bit mask for its lws_log_levels enum. See the -# libwebsockets documentation for more details. "log_type websockets" must also -# be enabled. -#websockets_log_level 0 - - -# ================================================================= -# Security -# ================================================================= - -# If set, only clients that have a matching prefix on their -# clientid will be allowed to connect to the broker. By default, -# all clients may connect. -# For example, setting "secure-" here would mean a client "secure- -# client" could connect but another with clientid "mqtt" couldn't. -#clientid_prefixes - -# Boolean value that determines whether clients that connect -# without providing a username are allowed to connect. If set to -# false then a password file should be created (see the -# password_file option) to control authenticated client access. -# -# Defaults to true if no other security options are set. If `password_file` or -# `psk_file` is set, or if an authentication plugin is loaded which implements -# username/password or TLS-PSK checks, then `allow_anonymous` defaults to -# false. -# -#allow_anonymous true - -# ----------------------------------------------------------------- -# Default authentication and topic access control -# ----------------------------------------------------------------- - -# Control access to the broker using a password file. This file can be -# generated using the mosquitto_passwd utility. If TLS support is not compiled -# into mosquitto (it is recommended that TLS support should be included) then -# plain text passwords are used, in which case the file should be a text file -# with lines in the format: -# username:password -# The password (and colon) may be omitted if desired, although this -# offers very little in the way of security. -# -# See the TLS client require_certificate and use_identity_as_username options -# for alternative authentication options. If an auth_plugin is used as well as -# password_file, the auth_plugin check will be made first. -#password_file - -# Access may also be controlled using a pre-shared-key file. This requires -# TLS-PSK support and a listener configured to use it. The file should be text -# lines in the format: -# identity:key -# The key should be in hexadecimal format without a leading "0x". -# If an auth_plugin is used as well, the auth_plugin check will be made first. -#psk_file - -# Control access to topics on the broker using an access control list -# file. If this parameter is defined then only the topics listed will -# have access. -# If the first character of a line of the ACL file is a # it is treated as a -# comment. -# Topic access is added with lines of the format: -# -# topic [read|write|readwrite] -# -# The access type is controlled using "read", "write" or "readwrite". This -# parameter is optional (unless contains a space character) - if not -# given then the access is read/write. can contain the + or # -# wildcards as in subscriptions. -# -# The first set of topics are applied to anonymous clients, assuming -# allow_anonymous is true. User specific topic ACLs are added after a -# user line as follows: -# -# user -# -# The username referred to here is the same as in password_file. It is -# not the clientid. -# -# -# If is also possible to define ACLs based on pattern substitution within the -# topic. The patterns available for substition are: -# -# %c to match the client id of the client -# %u to match the username of the client -# -# The substitution pattern must be the only text for that level of hierarchy. -# -# The form is the same as for the topic keyword, but using pattern as the -# keyword. -# Pattern ACLs apply to all users even if the "user" keyword has previously -# been given. -# -# If using bridges with usernames and ACLs, connection messages can be allowed -# with the following pattern: -# pattern write $SYS/broker/connection/%c/state -# -# pattern [read|write|readwrite] -# -# Example: -# -# pattern write sensor/%u/data -# -# If an auth_plugin is used as well as acl_file, the auth_plugin check will be -# made first. -#acl_file - -# ----------------------------------------------------------------- -# External authentication and topic access plugin options -# ----------------------------------------------------------------- - -# External authentication and access control can be supported with the -# auth_plugin option. This is a path to a loadable plugin. See also the -# auth_opt_* options described below. -# -# The auth_plugin option can be specified multiple times to load multiple -# plugins. The plugins will be processed in the order that they are specified -# here. If the auth_plugin option is specified alongside either of -# password_file or acl_file then the plugin checks will be made first. -# -#auth_plugin - -# If the auth_plugin option above is used, define options to pass to the -# plugin here as described by the plugin instructions. All options named -# using the format auth_opt_* will be passed to the plugin, for example: -# -# auth_opt_db_host -# auth_opt_db_port -# auth_opt_db_username -# auth_opt_db_password - - -# ================================================================= -# Bridges -# ================================================================= - -# A bridge is a way of connecting multiple MQTT brokers together. -# Create a new bridge using the "connection" option as described below. Set -# options for the bridges using the remaining parameters. You must specify the -# address and at least one topic to subscribe to. -# -# Each connection must have a unique name. -# -# The address line may have multiple host address and ports specified. See -# below in the round_robin description for more details on bridge behaviour if -# multiple addresses are used. Note that if you use an IPv6 address, then you -# are required to specify a port. -# -# The direction that the topic will be shared can be chosen by -# specifying out, in or both, where the default value is out. -# The QoS level of the bridged communication can be specified with the next -# topic option. The default QoS level is 0, to change the QoS the topic -# direction must also be given. -# -# The local and remote prefix options allow a topic to be remapped when it is -# bridged to/from the remote broker. This provides the ability to place a topic -# tree in an appropriate location. -# -# For more details see the mosquitto.conf man page. -# -# Multiple topics can be specified per connection, but be careful -# not to create any loops. -# -# If you are using bridges with cleansession set to false (the default), then -# you may get unexpected behaviour from incoming topics if you change what -# topics you are subscribing to. This is because the remote broker keeps the -# subscription for the old topic. If you have this problem, connect your bridge -# with cleansession set to true, then reconnect with cleansession set to false -# as normal. -#connection -#address [:] [[:]] -#topic [[[out | in | both] qos-level] local-prefix remote-prefix] - - -# If a bridge has topics that have "out" direction, the default behaviour is to -# send an unsubscribe request to the remote broker on that topic. This means -# that changing a topic direction from "in" to "out" will not keep receiving -# incoming messages. Sending these unsubscribe requests is not always -# desirable, setting bridge_attempt_unsubscribe to false will disable sending -# the unsubscribe request. -#bridge_attempt_unsubscribe true - -# Set the version of the MQTT protocol to use with for this bridge. Can be one -# of mqttv311 or mqttv11. Defaults to mqttv311. -#bridge_protocol_version mqttv311 - -# Set the clean session variable for this bridge. -# When set to true, when the bridge disconnects for any reason, all -# messages and subscriptions will be cleaned up on the remote -# broker. Note that with cleansession set to true, there may be a -# significant amount of retained messages sent when the bridge -# reconnects after losing its connection. -# When set to false, the subscriptions and messages are kept on the -# remote broker, and delivered when the bridge reconnects. -#cleansession false - -# Set the amount of time a bridge using the lazy start type must be idle before -# it will be stopped. Defaults to 60 seconds. -#idle_timeout 60 - -# Set the keepalive interval for this bridge connection, in -# seconds. -#keepalive_interval 60 - -# Set the clientid to use on the local broker. If not defined, this defaults to -# 'local.'. If you are bridging a broker to itself, it is important -# that local_clientid and clientid do not match. -#local_clientid - -# If set to true, publish notification messages to the local and remote brokers -# giving information about the state of the bridge connection. Retained -# messages are published to the topic $SYS/broker/connection//state -# unless the notification_topic option is used. -# If the message is 1 then the connection is active, or 0 if the connection has -# failed. -# This uses the last will and testament feature. -#notifications true - -# Choose the topic on which notification messages for this bridge are -# published. If not set, messages are published on the topic -# $SYS/broker/connection//state -#notification_topic - -# Set the client id to use on the remote end of this bridge connection. If not -# defined, this defaults to 'name.hostname' where name is the connection name -# and hostname is the hostname of this computer. -# This replaces the old "clientid" option to avoid confusion. "clientid" -# remains valid for the time being. -#remote_clientid - -# Set the password to use when connecting to a broker that requires -# authentication. This option is only used if remote_username is also set. -# This replaces the old "password" option to avoid confusion. "password" -# remains valid for the time being. -#remote_password - -# Set the username to use when connecting to a broker that requires -# authentication. -# This replaces the old "username" option to avoid confusion. "username" -# remains valid for the time being. -#remote_username - -# Set the amount of time a bridge using the automatic start type will wait -# until attempting to reconnect. -# This option can be configured to use a constant delay time in seconds, or to -# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree -# of randomness to when the restart occurs. -# -# Set a constant timeout of 20 seconds: -# restart_timeout 20 -# -# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of -# 60 seconds: -# restart_timeout 10 30 -# -# Defaults to jitter with a base of 5 and cap of 30 -#restart_timeout 5 30 - -# If the bridge has more than one address given in the address/addresses -# configuration, the round_robin option defines the behaviour of the bridge on -# a failure of the bridge connection. If round_robin is false, the default -# value, then the first address is treated as the main bridge connection. If -# the connection fails, the other secondary addresses will be attempted in -# turn. Whilst connected to a secondary bridge, the bridge will periodically -# attempt to reconnect to the main bridge until successful. -# If round_robin is true, then all addresses are treated as equals. If a -# connection fails, the next address will be tried and if successful will -# remain connected until it fails -#round_robin false - -# Set the start type of the bridge. This controls how the bridge starts and -# can be one of three types: automatic, lazy and once. Note that RSMB provides -# a fourth start type "manual" which isn't currently supported by mosquitto. -# -# "automatic" is the default start type and means that the bridge connection -# will be started automatically when the broker starts and also restarted -# after a short delay (30 seconds) if the connection fails. -# -# Bridges using the "lazy" start type will be started automatically when the -# number of queued messages exceeds the number set with the "threshold" -# parameter. It will be stopped automatically after the time set by the -# "idle_timeout" parameter. Use this start type if you wish the connection to -# only be active when it is needed. -# -# A bridge using the "once" start type will be started automatically when the -# broker starts but will not be restarted if the connection fails. -#start_type automatic - -# Set the number of messages that need to be queued for a bridge with lazy -# start type to be restarted. Defaults to 10 messages. -# Must be less than max_queued_messages. -#threshold 10 - -# If try_private is set to true, the bridge will attempt to indicate to the -# remote broker that it is a bridge not an ordinary client. If successful, this -# means that loop detection will be more effective and that retained messages -# will be propagated correctly. Not all brokers support this feature so it may -# be necessary to set try_private to false if your bridge does not connect -# properly. -#try_private true - -# ----------------------------------------------------------------- -# Certificate based SSL/TLS support -# ----------------------------------------------------------------- -# Either bridge_cafile or bridge_capath must be defined to enable TLS support -# for this bridge. -# bridge_cafile defines the path to a file containing the -# Certificate Authority certificates that have signed the remote broker -# certificate. -# bridge_capath defines a directory that will be searched for files containing -# the CA certificates. For bridge_capath to work correctly, the certificate -# files must have ".crt" as the file ending and you must run "openssl rehash -# " each time you add/remove a certificate. -#bridge_cafile -#bridge_capath - - -# If the remote broker has more than one protocol available on its port, e.g. -# MQTT and WebSockets, then use bridge_alpn to configure which protocol is -# requested. Note that WebSockets support for bridges is not yet available. -#bridge_alpn - -# When using certificate based encryption, bridge_insecure disables -# verification of the server hostname in the server certificate. This can be -# useful when testing initial server configurations, but makes it possible for -# a malicious third party to impersonate your server through DNS spoofing, for -# example. Use this option in testing only. If you need to resort to using this -# option in a production environment, your setup is at fault and there is no -# point using encryption. -#bridge_insecure false - -# Path to the PEM encoded client certificate, if required by the remote broker. -#bridge_certfile - -# Path to the PEM encoded client private key, if required by the remote broker. -#bridge_keyfile - -# ----------------------------------------------------------------- -# PSK based SSL/TLS support -# ----------------------------------------------------------------- -# Pre-shared-key encryption provides an alternative to certificate based -# encryption. A bridge can be configured to use PSK with the bridge_identity -# and bridge_psk options. These are the client PSK identity, and pre-shared-key -# in hexadecimal format with no "0x". Only one of certificate and PSK based -# encryption can be used on one -# bridge at once. -#bridge_identity -#bridge_psk - - -# ================================================================= -# External config files -# ================================================================= - -# External configuration files may be included by using the -# include_dir option. This defines a directory that will be searched -# for config files. All files that end in '.conf' will be loaded as -# a configuration file. It is best to have this as the last option -# in the main file. This option will only be processed from the main -# configuration file. The directory specified must not contain the -# main configuration file. -# Files within include_dir will be loaded sorted in case-sensitive -# alphabetical order, with capital letters ordered first. If this option is -# given multiple times, all of the files from the first instance will be -# processed before the next instance. See the man page for examples. -#include_dir diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.default b/recipes-connectivity/mosquitto/mosquitto/mosquitto.default deleted file mode 100644 index be7dcd5..0000000 --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.default +++ /dev/null @@ -1,2 +0,0 @@ -# set to "yes" or "no" to control starting on boot -ENABLED="yes" diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.init b/recipes-connectivity/mosquitto/mosquitto/mosquitto.init old mode 100755 new mode 100644 index 21bffe6..9d5963c --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.init +++ b/recipes-connectivity/mosquitto/mosquitto/mosquitto.init @@ -20,13 +20,6 @@ # example. ### END INIT INFO -## mlinux -ENABLED="yes" - -[ -f /etc/default/mosquitto ] && . /etc/default/mosquitto -[ "$ENABLED" = "yes" ] || exit -## mlinux - set -e PIDFILE=@LOCALSTATEDIR@/run/mosquitto.pid diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.logrotate.conf b/recipes-connectivity/mosquitto/mosquitto/mosquitto.logrotate.conf deleted file mode 100644 index 5f4779b..0000000 --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.logrotate.conf +++ /dev/null @@ -1,7 +0,0 @@ -/var/log/mosquitto.log { - size 512k - rotate 4 - compress - copytruncate - missingok -} diff --git a/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend b/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend deleted file mode 100644 index a03e26e..0000000 --- a/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend +++ /dev/null @@ -1,36 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://mosquitto.conf \ - file://mosquitto.default \ - file://mosquitto.logrotate.conf \ - " -RDEPENDS_${PN} += "logrotate" - -INITSCRIPT_PARAMS = "defaults 70 30" - -EXTRA_OECMAKE += " -DWITH_STATIC_LIBRARIES=ON" - -do_install_append() { - install -d ${D}${sysconfdir}/mosquitto - install -m 0644 ${WORKDIR}/mosquitto.conf ${D}${sysconfdir}/mosquitto/ - - install -d ${D}${sysconfdir}/default - install -m 0644 ${WORKDIR}/mosquitto.default ${D}${sysconfdir}/default/mosquitto - - install -d ${D}${sysconfdir}/logrotate.d - install -m 0644 ${WORKDIR}/mosquitto.logrotate.conf ${D}${sysconfdir}/logrotate.d/mosquitto.conf -} - - - -PACKAGES += "${PN}-python" - -CONFFILES_${PN} = "${sysconfdir}/mosquitto.conf ${sysconfdir}/default/mosquitto" - -FILES_${PN} += "${sysconfdir}/default \ - ${sysconfdir}/logrotate.d \ - " - -FILES_${PN}-staticdev += "${libdir}/libmosquitto.a" - -FILES_${PN}-python = "/usr/lib/python2.7/site-packages" \ No newline at end of file diff --git a/recipes-connectivity/mosquitto/mosquitto_1.6.14.bb b/recipes-connectivity/mosquitto/mosquitto_1.6.14.bb new file mode 100644 index 0000000..fffe7de --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto_1.6.14.bb @@ -0,0 +1,87 @@ +SUMMARY = "Open source MQTT implementation" +DESCRIPTION = "Mosquitto is an open source (Eclipse licensed) message broker \ +that implements the MQ Telemetry Transport protocol version 3.1, 3.1.1 and \ +5, providing both an MQTT broker and several command-line clients. MQTT \ +provides a lightweight method of carrying out messaging using a \ +publish/subscribe model. " +HOMEPAGE = "http://mosquitto.org/" +SECTION = "console/network" +LICENSE = "EPL-1.0 | EDL-1.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=62ddc846179e908dc0c8efec4a42ef20 \ + file://edl-v10;md5=c09f121939f063aeb5235972be8c722c \ + file://epl-v10;md5=8d383c379e91d20ba18a52c3e7d3a979 \ + file://notice.html;md5=a00d6f9ab542be7babc2d8b80d5d2a4c \ +" +DEPENDS = "uthash" + +SRC_URI = "http://mosquitto.org/files/source/mosquitto-${PV}.tar.gz \ + file://mosquitto.init \ + file://1571.patch \ + file://install-protocol.patch \ +" + +SRC_URI[md5sum] = "f1746b2a074f6a576e4bc302f3fffee0" +SRC_URI[sha256sum] = "5ea7e342bfbd212a0addb915036be168040dea945e5de5fe739c43c5ff3823e4" + +inherit systemd update-rc.d useradd cmake + +PACKAGECONFIG ??= "ssl dlt websockets \ + ${@bb.utils.filter('DISTRO_FEATURES','systemd', d)} \ + " + +PACKAGECONFIG[dns-srv] = "-DWITH_SRV=ON,-DWITH_SRV=OFF,c-ares" +PACKAGECONFIG[ssl] = "-DWITH_TLS=ON -DWITH_TLS_PSK=ON -DWITH_EC=ON,-DWITH_TLS=OFF -DWITH_TLS_PSK=OFF -DWITH_EC_OFF,openssl" +PACKAGECONFIG[systemd] = "-DWITH_SYSTEMD=ON,-DWITH_SYSTEMD=OFF,systemd" +PACKAGECONFIG[websockets] = "-DWITH_WEBSOCKETS=ON,-DWITH_WEBSOCKETS=OFF,libwebsockets" +PACKAGECONFIG[dlt] = "-DWITH_DLT=ON,-DWITH_DLT=OFF,dlt-daemon" + +EXTRA_OECMAKE = " \ + -DWITH_BUNDLED_DEPS=OFF \ + -DWITH_ADNS=ON \ +" + +do_install_append() { + install -d ${D}${systemd_unitdir}/system/ + install -m 0644 ${S}/service/systemd/mosquitto.service.notify ${D}${systemd_unitdir}/system/mosquitto.service + + install -d ${D}${sysconfdir}/init.d/ + install -m 0755 ${WORKDIR}/mosquitto.init ${D}${sysconfdir}/init.d/mosquitto + sed -i -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BASE_SBINDIR@,${base_sbindir},g' \ + -e 's,@LOCALSTATEDIR@,${localstatedir},g' \ + -e 's,@SYSCONFDIR@,${sysconfdir},g' \ + ${D}${sysconfdir}/init.d/mosquitto +} + +PACKAGES += "libmosquitto1 libmosquittopp1 ${PN}-clients" + +PACKAGE_BEFORE_PN = "${PN}-examples" + +FILES_${PN} = "${sbindir}/mosquitto \ + ${bindir}/mosquitto_passwd \ + ${sysconfdir}/mosquitto \ + ${sysconfdir}/init.d \ + ${systemd_unitdir}/system/mosquitto.service \ +" + +CONFFILES_${PN} += "${sysconfdir}/mosquitto/mosquitto.conf" + +FILES_libmosquitto1 = "${libdir}/libmosquitto.so.*" + +FILES_libmosquittopp1 = "${libdir}/libmosquittopp.so.*" + +FILES_${PN}-clients = "${bindir}/mosquitto_pub \ + ${bindir}/mosquitto_sub \ + ${bindir}/mosquitto_rr \ +" + +FILES_${PN}-examples = "${sysconfdir}/mosquitto/*.example" + +SYSTEMD_SERVICE_${PN} = "mosquitto.service" + +INITSCRIPT_NAME = "mosquitto" +INITSCRIPT_PARAMS = "defaults 30" + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--system --no-create-home --shell /bin/false \ + --user-group mosquitto" diff --git a/recipes-connectivity/mosquitto/mosquitto_1.6.14.bbappend b/recipes-connectivity/mosquitto/mosquitto_1.6.14.bbappend new file mode 100644 index 0000000..76906f7 --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto_1.6.14.bbappend @@ -0,0 +1,36 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-mlinux:" + +SRC_URI += "file://mosquitto.conf \ + file://mosquitto.default \ + file://mosquitto.logrotate.conf \ + " +RDEPENDS_${PN} += "logrotate" + +INITSCRIPT_PARAMS = "defaults 70 30" + +EXTRA_OECMAKE += " -DWITH_STATIC_LIBRARIES=ON" + +do_install_append() { + install -d ${D}${sysconfdir}/mosquitto + install -m 0644 ${WORKDIR}/mosquitto.conf ${D}${sysconfdir}/mosquitto/ + + install -d ${D}${sysconfdir}/default + install -m 0644 ${WORKDIR}/mosquitto.default ${D}${sysconfdir}/default/mosquitto + + install -d ${D}${sysconfdir}/logrotate.d + install -m 0644 ${WORKDIR}/mosquitto.logrotate.conf ${D}${sysconfdir}/logrotate.d/mosquitto.conf +} + + + +PACKAGES += "${PN}-python" + +CONFFILES_${PN} = "${sysconfdir}/mosquitto.conf ${sysconfdir}/default/mosquitto" + +FILES_${PN} += "${sysconfdir}/default \ + ${sysconfdir}/logrotate.d \ + " + +FILES_${PN}-staticdev += "${libdir}/libmosquitto.a" + +FILES_${PN}-python = "/usr/lib/python2.7/site-packages" \ No newline at end of file -- cgit v1.2.3