Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.
This is a major release with breaking changes.
Listener security improvements
There are breaking changes to the way that Mosquitto configures listeners, in order that end users have to take an active decision in how clients can connect, in particular with some form of authentication.
When the Mosquitto broker is run without configuring any listeners it will now bind to the loopback interfaces 127.0.0.1 and/or ::1, so only connections from the local host will be possible. Local testing therefore remains straightforward, but starting a broker no longer immediately opens it to the entire internet.
Behaviour in different scenarios:
- Running the broker as mosquitto or mosquitto -p 1883 will bind to the loopback interface.
- Running the broker with a configuration file with no listeners configured will bind to the loopback interface with port 1883.
- Running the broker with a listener defined will bind by default to `0.0.0.0` / `::` and so will be accessible from any interface. It is still possible to bind to a specific address/interface.
- If the broker is run as mosquitto -c mosquitto.conf -p 1884, and a listener is defined in the configuration file, i.e. listeners are defined both in the configuration file and on the command line, then the port defined on the command line will be IGNORED, and no listener configured for it.
The internals of Mosquitto have been improved to give better performance across all situations, but particularly for the case where large numbers of clients are connected.
Anonymous clients must be explicitly allowed by the end user
This is a breaking change to how anonymous clients are handled in the broker configuration. An anonymous client is one that does not provide a username when connecting to the broker.
All listeners now default to allow_anonymous false unless explicitly set to true in the configuration file. This means that when configuring a listener the end user must either configure an authentication and access control method, or set allow_anonymous true. When the broker is run without a configured listener, and so binds to the loopback interface, anonymous connections are allowed but are only possible from the local machine.
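The listener and allow_anonymous rules above can be checked before a broker is started. The following POSIX shell script is an added example, not part of the Mosquitto project: it classifies a mosquitto.conf as loopback-only, open (anonymous clients accepted on a non-loopback listener), authenticated (a password_file or plugin is configured), or locked-out (a non-loopback listener with neither anonymous access nor an authentication method, which under the 2.0 defaults rejects every client). It inspects only the real configuration keys listener, allow_anonymous, password_file and plugin, assumes per_listener_settings is off so that allow_anonymous applies globally, and treats a listener on port 0 as a Unix domain socket rather than a network listener. The sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Mosquitto project code: classify a mosquitto.conf under the
# Mosquitto 2.0 listener defaults. Assumes per_listener_settings is off, so a
# single allow_anonymous line applies to every listener.

# Print the number of listeners reachable beyond loopback. A "listener <port>"
# line with no bind address binds to 0.0.0.0 / :: in 2.0 and counts as exposed;
# a listener bound to 127.0.0.1, ::1 or localhost does not. Port 0 denotes a
# Unix domain socket listener (e.g. "listener 0 /tmp/mosquitto.sock") and is
# not a network listener, so it is skipped.
count_exposed_listeners() {
    awk '
        $1 == "listener" && $2 != "0" {
            if (NF < 3 || ($3 != "127.0.0.1" && $3 != "::1" && $3 != "localhost")) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Print one of: loopback-only, open, authenticated, locked-out
classify_mosquitto_conf() {
    f="$1"
    anon=false
    grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+true' "$f" && anon=true
    auth=false
    grep -Eq '^[[:space:]]*(password_file|plugin)[[:space:]]' "$f" && auth=true

    if [ "$(count_exposed_listeners "$f")" -eq 0 ]; then
        # No listener, or loopback-bound listeners only: the broker is not
        # reachable from other hosts regardless of the other settings.
        echo loopback-only
    elif [ "$anon" = true ]; then
        # Anyone who can reach the port may connect without credentials.
        echo open
    elif [ "$auth" = true ]; then
        # 2.0 default (allow_anonymous false) plus a configured auth method.
        echo authenticated
    else
        # allow_anonymous defaults to false and nothing authenticates clients,
        # so every connection attempt is refused.
        echo locked-out
    fi
}

# Demonstration on a constructed configuration file.
demo_conf=$(mktemp)
printf 'listener 1883\nallow_anonymous true\n' > "$demo_conf"
echo "sample config is: $(classify_mosquitto_conf "$demo_conf")"   # open
rm -f "$demo_conf"
```

Running the script prints the classification for the constructed sample; point classify_mosquitto_conf at a real mosquitto.conf to audit it. Any result of "open" on a broker that is not intended to be public deserves a second look, and "locked-out" usually means the author forgot to add a password_file or plugin line after upgrading to 2.0.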
New generic plugin interface
The existing plugin interface is entirely focussed on authentication and access control, and requires a plugin author to implement almost all of the plugin functionality even if only part of it is required. A new plugin interface has been developed which only requires the plugin to implement three functions; it can then register callbacks to handle different events. The new approach makes implementation easier for plugin writers, and is easier to extend in the future.
New functionality in the plugin interface includes the ability to:
- Interrogate and modify every message as it is processed, to do such tasks as attaching a timestamp property to each MQTT v5 message.
- Register as a handler for a $CONTROL/ topic, which is intended as an interface for controlling aspects of the broker and/or plugin.
- Receive a regular "tick" event for ancillary processing.
- Receive a reload event, when the broker is told to reload configuration.
New dynamic authentication and access control plugin
A new plugin which makes use of the updated interface has been developed. The plugin handles authentication and access control, and can itself be configured via the topic $CONTROL/dynamic-security/v1 without restarting the broker. The plugin supports dynamic creation, modification, and deletion of clients, groups, and roles. A client can be a member of zero or more groups. Both clients and groups can have roles assigned to them. A role defines a set of ACLs which determine how the client is able to publish, subscribe and unsubscribe. ACL types can be set to default accept or default deny. Anonymous users can automatically be placed in their own group with its own roles. For subscribing and unsubscribing, ACLs can be defined in terms of a literal string, for example denying subscriptions to the # topic, or a pattern, where wildcards determine which range of topics is allowed.
New utility: mosquitto_ctrl
This command line utility is intended to be used to control various aspects of a running broker. At the moment it is limited to controlling the dynamic-security plugin, but future support for dynamic control of bridges and other features is planned.
Bridge support for MQTT v5
Bridges now support MQTT v5, with further v5 enhancements intended for future releases.
Support for Unix domain socket listeners
It is now possible to have Mosquitto listen on a Unix domain socket, using e.g. listener 0 /tmp/mosquitto.sock to define the listener in the configuration file. The mosquitto command line clients likewise can connect to Unix sockets.
Enhanced output format for mosquitto_sub
mosquitto_sub has a number of output improvements:
- Addition of --pretty to produce formatted/unformatted JSON, when using %j or %J.
- Added support for printing some MQTT v5 properties, e.g. %C to print the content-type property.
- Support for extra format specifiers for field width and precision for parameters where this makes sense.
- Addition of --random-filter, which will only print a certain percentage of matching messages. Useful where you want to keep an eye on a topic, but not see every message that is published.
Mosquitto 2.0 supports MQTT v5.0, v3.1.1, and v3.1. This release includes MQTT v5.0 support for bridges, which will be extended in further releases.
The Mosquitto community continues to expand. A Mosquitto channel has been created on the Eclipse IoT-WG Slack instance and is gradually growing, but is still fairly quiet and discussion has mostly been around the test.mosquitto.org public server.
Interactions on GitHub have increased. In particular, this release has seen good engagement from community members providing feedback on in-development code, which is important for catching unusual bugs on a variety of platforms.
Mosquitto was one of the initial releases of Ubuntu Appliances, which are complete disk images of particular applications intended for use as secure and up-to-date instances of that project.
Mosquitto has close ties with the Eclipse Streamsheets project, which uses the Mosquitto broker as a core part of its system.
Adoption can be difficult to measure; one available indicator is Docker image pulls. In October 2019, the Mosquitto docker image was seeing around 250k pulls per day. In October 2020 it was around 750k pulls per day, and had reached over 350 million pulls in total.