[oe] [PATCH 2/2] mosquitto: add default configuration file

nick83ola nick83ola at gmail.com
Tue Jun 5 13:37:17 UTC 2018


Hi Khem,

Please ignore my previous email.
I will repost the two patches with your suggestions.

Thanks
Nicola Lunghi

On 5 June 2018 at 10:55, Nicola Lunghi <nicola.lunghi at jci.com> wrote:
> Hi Khem,
>
> The conf file is taken from the package itself (look in the zip for conf),
> with the options enabled in the current Debian package (which compiles most of
> the functionality in).
>
> See the file directory debian/config/linux in
> http://http.debian.net/debian/pool/main/w/wpa/wpa_2.6-16.debian.tar.xz
>
> The options enabled can be disabled from the config file if they are
> compiled in.
>
> The standard conf file basically disables everything, so for most options it
> is useless.
>
> The purpose of having it in the recipe is to make it simple to substitute it
> with a bbappend file.
> If you put a long series of sed/awk into the recipe, it is very difficult to
> read and to modify.
>
> The old config present in the Yocto package was doing the same, but was very
> old (look at the git history)
> and was never updated.
>
> Let me know what is the best approach to this.
>
> Thanks,
> Nick
>
>
> ________________________________
> From: Khem Raj <raj.khem at gmail.com>
> Sent: 01 June 2018 17:38:20
> To: Nicola Lunghi; openembedded-devel at lists.openembedded.org
> Cc: Nicola Lunghi
> Subject: Re: [oe] [PATCH 2/2] mosquitto: add default configuration file
>
> On 6/1/18 3:35 AM, Nicola Lunghi wrote:
>> From: Nicola Lunghi <nicola.lunghi at jci.com>
>>
>> Signed-off-by: Nicola Lunghi <nicola.lunghi at jci.com>
>> ---
>>  .../mosquitto/files/mosquitto.conf            | 837 ++++++++++++++++++
>>  .../mosquitto/mosquitto_1.4.14.bb             |   4 +
>>  2 files changed, 841 insertions(+)
>>  create mode 100644
>> meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>
> What's the source of this conf file? If it's adapted from some sample
> file, maybe we can just use some sed/awk operations in do_install
> instead of adding this file explicitly.
>
>>
>> diff --git
>> a/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>> b/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>> new file mode 100644
>> index 0000000000..e4223c75d6
>> --- /dev/null
>> +++ b/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>> @@ -0,0 +1,837 @@
>> +# Config file for mosquitto
>> +#
>> +# See mosquitto.conf(5) for more information.
>> +#
>> +# Default values are shown, uncomment to change.
>> +#
>> +# Use the # character to indicate a comment, but only if it is the
>> +# very first character on the line.
>> +
>> +# =================================================================
>> +# General configuration
>> +# =================================================================
>> +
>> +# Time in seconds to wait before resending an outgoing QoS=1 or
>> +# QoS=2 message.
>> +#retry_interval 20
>> +
>> +# Time in seconds between updates of the $SYS tree.
>> +# Set to 0 to disable the publishing of the $SYS tree.
>> +#sys_interval 10
>> +
>> +# Time in seconds between cleaning the internal message store of
>> +# unreferenced messages. Lower values will result in lower memory
>> +# usage but more processor time, higher values will have the
>> +# opposite effect.
>> +# Setting a value of 0 means the unreferenced messages will be
>> +# disposed of as quickly as possible.
>> +#store_clean_interval 10
>> +
>> +# Write process id to a file. Default is a blank string which means
>> +# a pid file shouldn't be written.
>> +# This should be set to /var/run/mosquitto.pid if mosquitto is
>> +# being run automatically on boot with an init script and
>> +# start-stop-daemon or similar.
>> +#pid_file
>> +
>> +# When run as root, drop privileges to this user and its primary
>> +# group.
>> +# Leave blank to stay as root, but this is not recommended.
>> +# If run as a non-root user, this setting has no effect.
>> +# Note that on Windows this has no effect and so mosquitto should
>> +# be started by the user you wish it to run as.
>> +#user mosquitto
>> +
>> +# The maximum number of QoS 1 and 2 messages currently inflight per
>> +# client.
>> +# This includes messages that are partway through handshakes and
>> +# those that are being retried. Defaults to 20. Set to 0 for no
>> +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
>> +# and 2 messages.
>> +#max_inflight_messages 20
>> +
>> +# The maximum number of QoS 1 and 2 messages to hold in a queue
>> +# above those that are currently in-flight.  Defaults to 100. Set
>> +# to 0 for no maximum (not recommended).
>> +# See also queue_qos0_messages.
>> +#max_queued_messages 100
>> +
>> +# Set to true to queue messages with QoS 0 when a persistent client is
>> +# disconnected. These messages are included in the limit imposed by
>> +# max_queued_messages.
>> +# Defaults to false.
>> +# This is a non-standard option for the MQTT v3.1 spec but is allowed in
>> +# v3.1.1.
>> +#queue_qos0_messages false
>> +
>> +# This option sets the maximum publish payload size that the broker will
>> allow.
>> +# Received messages that exceed this size will not be accepted by the
>> broker.
>> +# The default value is 0, which means that all valid MQTT messages are
>> +# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
>> +#message_size_limit 0
>> +
>> +# This option controls whether a client is allowed to connect with a zero
>> +# length client id or not. This option only affects clients using MQTT
>> v3.1.1
>> +# and later. If set to false, clients connecting with a zero length
>> client id
>> +# are disconnected. If set to true, clients will be allocated a client id
>> by
>> +# the broker. This means it is only useful for clients with clean session
>> set
>> +# to true.
>> +#allow_zero_length_clientid true
>> +
>> +# If allow_zero_length_clientid is true, this option allows you to set a
>> prefix
>> +# to automatically generated client ids to aid visibility in logs.
>> +#auto_id_prefix
>> +
>> +# This option allows persistent clients (those with clean session set to
>> false)
>> +# to be removed if they do not reconnect within a certain time frame.
>> +#
>> +# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
>> +#
>> +# Badly designed clients may set clean session to false whilst using a
>> randomly
>> +# generated client id. This leads to persistent clients that will never
>> +# reconnect. This option allows these clients to be removed.
>> +#
>> +# The expiration period should be an integer followed by one of h d w m y
>> for
>> +# hour, day, week, month and year respectively. For example
>> +#
>> +# persistent_client_expiration 2m
>> +# persistent_client_expiration 14d
>> +# persistent_client_expiration 1y
>> +#
>> +# The default if not set is to never expire persistent clients.
>> +#persistent_client_expiration
>> +
>> +# If a client is subscribed to multiple subscriptions that overlap, e.g.
>> foo/#
>> +# and foo/+/baz , then MQTT expects that when the broker receives a
>> message on
>> +# a topic that matches both subscriptions, such as foo/bar/baz, then the
>> client
>> +# should only receive the message once.
>> +# Mosquitto keeps track of which clients a message has been sent to in
>> order to
>> +# meet this requirement. The allow_duplicate_messages option allows this
>> +# behaviour to be disabled, which may be useful if you have a large
>> number of
>> +# clients subscribed to the same set of topics and are very concerned
>> about
>> +# minimising memory usage.
>> +# It can be safely set to true if you know in advance that your clients
>> will
>> +# never have overlapping subscriptions, otherwise your clients must be
>> able to
>> +# correctly deal with duplicate messages even when then have QoS=2.
>> +#allow_duplicate_messages false
>> +
>> +# The MQTT specification requires that the QoS of a message delivered to
>> a
>> +# subscriber is never upgraded to match the QoS of the subscription.
>> Enabling
>> +# this option changes this behaviour. If upgrade_outgoing_qos is set
>> true,
>> +# messages sent to a subscriber will always match the QoS of its
>> subscription.
>> +# This is a non-standard option explicitly disallowed by the spec.
>> +#upgrade_outgoing_qos false
>> +
>> +# =================================================================
>> +# Default listener
>> +# =================================================================
>> +
>> +# IP address/hostname to bind the default listener to. If not
>> +# given, the default listener will not be bound to a specific
>> +# address and so will be accessible to all network interfaces.
>> +# bind_address ip-address/host name
>> +#bind_address
>> +
>> +# Port to use for the default listener.
>> +#port 1883
>> +
>> +# The maximum number of client connections to allow. This is
>> +# a per listener setting.
>> +# Default is -1, which means unlimited connections.
>> +# Note that other process limits mean that unlimited connections
>> +# are not really possible. Typically the default maximum number of
>> +# connections possible is around 1024.
>> +#max_connections -1
>> +
>> +# Choose the protocol to use when listening.
>> +# This can be either mqtt or websockets.
>> +# Websockets support is currently disabled by default at compile time.
>> +# Certificate based TLS may be used with websockets, except that
>> +# only the cafile, certfile, keyfile and ciphers options are supported.
>> +#protocol mqtt
>> +
>> +# When a listener is using the websockets protocol, it is possible to
>> serve
>> +# http data as well. Set http_dir to a directory which contains the files
>> you
>> +# wish to serve. If this option is not specified, then no normal http
>> +# connections will be possible.
>> +#http_dir
>> +
>> +# Set use_username_as_clientid to true to replace the clientid that a
>> client
>> +# connected with with its username. This allows authentication to be tied
>> to
>> +# the clientid, which means that it is possible to prevent one client
>> +# disconnecting another by using the same clientid.
>> +# If a client connects with no username it will be disconnected as not
>> +# authorised when this option is set to true.
>> +# Do not use in conjunction with clientid_prefixes.
>> +# See also use_identity_as_username.
>> +#use_username_as_clientid
>> +
>> +# -----------------------------------------------------------------
>> +# Certificate based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# The following options can be used to enable SSL/TLS support for
>> +# this listener. Note that the recommended port for MQTT over TLS
>> +# is 8883, but this must be set manually.
>> +#
>> +# See also the mosquitto-tls man page.
>> +
>> +# At least one of cafile or capath must be defined. They both
>> +# define methods of accessing the PEM encoded Certificate
>> +# Authority certificates that have signed your server certificate
>> +# and that you wish to trust.
>> +# cafile defines the path to a file containing the CA certificates.
>> +# capath defines a directory that will be searched for files
>> +# containing the CA certificates. For capath to work correctly, the
>> +# certificate files must have ".crt" as the file ending and you must run
>> +# "c_rehash <path to capath>" each time you add/remove a certificate.
>> +#cafile
>> +#capath
>> +
>> +# Path to the PEM encoded server certificate.
>> +#certfile
>> +
>> +# Path to the PEM encoded keyfile.
>> +#keyfile
>> +
>> +# This option defines the version of the TLS protocol to use for this
>> listener.
>> +# The default value allows v1.2, v1.1 and v1.0, if they are all supported
>> by
>> +# the version of openssl that the broker was compiled against. For
>> openssl >=
>> +# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl <
>> 1.0.1 the
>> +# valid values are tlsv1.
>> +#tls_version
>> +
>> +# By default a TLS enabled listener will operate in a similar fashion to
>> a
>> +# https enabled web server, in that the server has a certificate signed
>> by a CA
>> +# and the client will verify that it is a trusted certificate. The
>> overall aim
>> +# is encryption of the network traffic. By setting require_certificate to
>> true,
>> +# the client must provide a valid certificate in order for the network
>> +# connection to proceed. This allows access to the broker to be
>> controlled
>> +# outside of the mechanisms provided by MQTT.
>> +#require_certificate false
>> +
>> +# If require_certificate is true, you may set use_identity_as_username to
>> true
>> +# to use the CN value from the client certificate as a username. If this
>> is
>> +# true, the password_file option will not be used for this listener.
>> +#use_identity_as_username false
>> +
>> +# If you have require_certificate set to true, you can create a
>> certificate
>> +# revocation list file to revoke access to particular client
>> certificates. If
>> +# you have done this, use crlfile to point to the PEM encoded revocation
>> file.
>> +#crlfile
>> +
>> +# If you wish to control which encryption ciphers are used, use the
>> ciphers
>> +# option. The list of available ciphers can be optained using the
>> "openssl
>> +# ciphers" command and should be provided in the same format as the
>> output of
>> +# that command.
>> +# If unset defaults to
>> DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
>> +#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
>> +
>> +# -----------------------------------------------------------------
>> +# Pre-shared-key based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# The following options can be used to enable PSK based SSL/TLS support
>> for
>> +# this listener. Note that the recommended port for MQTT over TLS is
>> 8883, but
>> +# this must be set manually.
>> +#
>> +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
>> +# support" section. Only one of certificate or PSK encryption support can
>> be
>> +# enabled for any listener.
>> +
>> +# The psk_hint option enables pre-shared-key support for this listener
>> and also
>> +# acts as an identifier for this listener. The hint is sent to clients
>> and may
>> +# be used locally to aid authentication. The hint is a free form string
>> that
>> +# doesn't have much meaning in itself, so feel free to be creative.
>> +# If this option is provided, see psk_file to define the pre-shared keys
>> to be
>> +# used or create a security plugin to handle them.
>> +#psk_hint
>> +
>> +# Set use_identity_as_username to have the psk identity sent by the
>> client used
>> +# as its username. Authentication will be carried out using the PSK
>> rather than
>> +# the MQTT username/password and so password_file will not be used for
>> this
>> +# listener.
>> +#use_identity_as_username false
>> +
>> +# When using PSK, the encryption ciphers used will be chosen from the
>> list of
>> +# available PSK ciphers. If you want to control which ciphers are
>> available,
>> +# use the "ciphers" option.  The list of available ciphers can be
>> optained
>> +# using the "openssl ciphers" command and should be provided in the same
>> format
>> +# as the output of that command.
>> +#ciphers
>> +
>> +# =================================================================
>> +# Extra listeners
>> +# =================================================================
>> +
>> +# Listen on a port/ip address combination. By using this variable
>> +# multiple times, mosquitto can listen on more than one port. If
>> +# this variable is used and neither bind_address nor port given,
>> +# then the default listener will not be started.
>> +# The port number to listen on must be given. Optionally, an ip
>> +# address or host name may be supplied as a second argument. In
>> +# this case, mosquitto will attempt to bind the listener to that
>> +# address and so restrict access to the associated network and
>> +# interface. By default, mosquitto will listen on all interfaces.
>> +# Note that for a websockets listener it is not possible to bind to a
>> host
>> +# name.
>> +# listener port-number [ip address/host name]
>> +#listener
>> +
>> +# The maximum number of client connections to allow. This is
>> +# a per listener setting.
>> +# Default is -1, which means unlimited connections.
>> +# Note that other process limits mean that unlimited connections
>> +# are not really possible. Typically the default maximum number of
>> +# connections possible is around 1024.
>> +#max_connections -1
>> +
>> +# The listener can be restricted to operating within a topic hierarchy
>> using
>> +# the mount_point option. This is achieved be prefixing the mount_point
>> string
>> +# to all topics for any clients connected to this listener. This
>> prefixing only
>> +# happens internally to the broker; the client will not see the prefix.
>> +#mount_point
>> +
>> +# Choose the protocol to use when listening.
>> +# This can be either mqtt or websockets.
>> +# Certificate based TLS may be used with websockets, except that only the
>> +# cafile, certfile, keyfile and ciphers options are supported.
>> +#protocol mqtt
>> +
>> +# When a listener is using the websockets protocol, it is possible to
>> serve
>> +# http data as well. Set http_dir to a directory which contains the files
>> you
>> +# wish to serve. If this option is not specified, then no normal http
>> +# connections will be possible.
>> +#http_dir
>> +
>> +# Set use_username_as_clientid to true to replace the clientid that a
>> client
>> +# connected with with its username. This allows authentication to be tied
>> to
>> +# the clientid, which means that it is possible to prevent one client
>> +# disconnecting another by using the same clientid.
>> +# If a client connects with no username it will be disconnected as not
>> +# authorised when this option is set to true.
>> +# Do not use in conjunction with clientid_prefixes.
>> +# See also use_identity_as_username.
>> +#use_username_as_clientid
>> +
>> +# -----------------------------------------------------------------
>> +# Certificate based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# The following options can be used to enable certificate based SSL/TLS
>> support
>> +# for this listener. Note that the recommended port for MQTT over TLS is
>> 8883,
>> +# but this must be set manually.
>> +#
>> +# See also the mosquitto-tls man page and the "Pre-shared-key based
>> SSL/TLS
>> +# support" section. Only one of certificate or PSK encryption support can
>> be
>> +# enabled for any listener.
>> +
>> +# At least one of cafile or capath must be defined to enable certificate
>> based
>> +# TLS encryption. They both define methods of accessing the PEM encoded
>> +# Certificate Authority certificates that have signed your server
>> certificate
>> +# and that you wish to trust.
>> +# cafile defines the path to a file containing the CA certificates.
>> +# capath defines a directory that will be searched for files
>> +# containing the CA certificates. For capath to work correctly, the
>> +# certificate files must have ".crt" as the file ending and you must run
>> +# "c_rehash <path to capath>" each time you add/remove a certificate.
>> +#cafile
>> +#capath
>> +
>> +# Path to the PEM encoded server certificate.
>> +#certfile
>> +
>> +# Path to the PEM encoded keyfile.
>> +#keyfile
>> +
>> +# By default an TLS enabled listener will operate in a similar fashion to
>> a
>> +# https enabled web server, in that the server has a certificate signed
>> by a CA
>> +# and the client will verify that it is a trusted certificate. The
>> overall aim
>> +# is encryption of the network traffic. By setting require_certificate to
>> true,
>> +# the client must provide a valid certificate in order for the network
>> +# connection to proceed. This allows access to the broker to be
>> controlled
>> +# outside of the mechanisms provided by MQTT.
>> +#require_certificate false
>> +
>> +# If require_certificate is true, you may set use_identity_as_username to
>> true
>> +# to use the CN value from the client certificate as a username. If this
>> is
>> +# true, the password_file option will not be used for this listener.
>> +#use_identity_as_username false
>> +
>> +# If you have require_certificate set to true, you can create a
>> certificate
>> +# revocation list file to revoke access to particular client
>> certificates. If
>> +# you have done this, use crlfile to point to the PEM encoded revocation
>> file.
>> +#crlfile
>> +
>> +# If you wish to control which encryption ciphers are used, use the
>> ciphers
>> +# option. The list of available ciphers can be optained using the
>> "openssl
>> +# ciphers" command and should be provided in the same format as the
>> output of
>> +# that command.
>> +#ciphers
>> +
>> +# -----------------------------------------------------------------
>> +# Pre-shared-key based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# The following options can be used to enable PSK based SSL/TLS support
>> for
>> +# this listener. Note that the recommended port for MQTT over TLS is
>> 8883, but
>> +# this must be set manually.
>> +#
>> +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
>> +# support" section. Only one of certificate or PSK encryption support can
>> be
>> +# enabled for any listener.
>> +
>> +# The psk_hint option enables pre-shared-key support for this listener
>> and also
>> +# acts as an identifier for this listener. The hint is sent to clients
>> and may
>> +# be used locally to aid authentication. The hint is a free form string
>> that
>> +# doesn't have much meaning in itself, so feel free to be creative.
>> +# If this option is provided, see psk_file to define the pre-shared keys
>> to be
>> +# used or create a security plugin to handle them.
>> +#psk_hint
>> +
>> +# Set use_identity_as_username to have the psk identity sent by the
>> client used
>> +# as its username. Authentication will be carried out using the PSK
>> rather than
>> +# the MQTT username/password and so password_file will not be used for
>> this
>> +# listener.
>> +#use_identity_as_username false
>> +
>> +# When using PSK, the encryption ciphers used will be chosen from the
>> list of
>> +# available PSK ciphers. If you want to control which ciphers are
>> available,
>> +# use the "ciphers" option.  The list of available ciphers can be
>> optained
>> +# using the "openssl ciphers" command and should be provided in the same
>> format
>> +# as the output of that command.
>> +#ciphers
>> +
>> +# =================================================================
>> +# Persistence
>> +# =================================================================
>> +
>> +# If persistence is enabled, save the in-memory database to disk
>> +# every autosave_interval seconds. If set to 0, the persistence
>> +# database will only be written when mosquitto exits. See also
>> +# autosave_on_changes.
>> +# Note that writing of the persistence database can be forced by
>> +# sending mosquitto a SIGUSR1 signal.
>> +#autosave_interval 1800
>> +
>> +# If true, mosquitto will count the number of subscription changes,
>> retained
>> +# messages received and queued messages and if the total exceeds
>> +# autosave_interval then the in-memory database will be saved to disk.
>> +# If false, mosquitto will save the in-memory database to disk by
>> treating
>> +# autosave_interval as a time in seconds.
>> +#autosave_on_changes false
>> +
>> +# Save persistent message data to disk (true/false).
>> +# This saves information about all messages, including
>> +# subscriptions, currently in-flight messages and retained
>> +# messages.
>> +# retained_persistence is a synonym for this option.
>> +#persistence false
>> +
>> +# The filename to use for the persistent database, not including
>> +# the path.
>> +#persistence_file mosquitto.db
>> +
>> +# Location for persistent database. Must include trailing /
>> +# Default is an empty string (current directory).
>> +# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux
>> or
>> +# similar.
>> +#persistence_location
>> +
>> +# =================================================================
>> +# Logging
>> +# =================================================================
>> +
>> +# Places to log to. Use multiple log_dest lines for multiple
>> +# logging destinations.
>> +# Possible destinations are: stdout stderr syslog topic file
>> +#
>> +# stdout and stderr log to the console on the named output.
>> +#
>> +# syslog uses the userspace syslog facility which usually ends up
>> +# in /var/log/messages or similar.
>> +#
>> +# topic logs to the broker topic '$SYS/broker/log/<severity>',
>> +# where severity is one of D, E, W, N, I, M which are debug, error,
>> +# warning, notice, information and message. Message type severity is used
>> by
>> +# the subscribe/unsubscribe log_types and publishes log messages to
>> +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
>> +#
>> +# The file destination requires an additional parameter which is the file
>> to be
>> +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will
>> be
>> +# closed and reopened when the broker receives a HUP signal. Only a
>> single file
>> +# destination may be configured.
>> +#
>> +# Note that if the broker is running as a Windows service it will default
>> to
>> +# "log_dest none" and neither stdout nor stderr logging is available.
>> +# Use "log_dest none" if you wish to disable logging.
>> +#log_dest stderr
>> +
>> +# If using syslog logging (not on Windows), messages will be logged to
>> the
>> +# "daemon" facility by default. Use the log_facility option to choose
>> which of
>> +# local0 to local7 to log to instead. The option value should be an
>> integer
>> +# value, e.g. "log_facility 5" to use local5.
>> +#log_facility
>> +
>> +# Types of messages to log. Use multiple log_type lines for logging
>> +# multiple types of messages.
>> +# Possible types are: debug, error, warning, notice, information,
>> +# none, subscribe, unsubscribe, websockets, all.
>> +# Note that debug type messages are for decoding the incoming/outgoing
>> +# network packets. They are not logged in "topics".
>> +#log_type error
>> +#log_type warning
>> +#log_type notice
>> +#log_type information
>> +
>> +# Change the websockets logging level. This is a global option, it is not
>> +# possible to set per listener. This is an integer that is interpreted by
>> +# libwebsockets as a bit mask for its lws_log_levels enum. See the
>> +# libwebsockets documentation for more details. "log_type websockets"
>> must also
>> +# be enabled.
>> +#websockets_log_level 0
>> +
>> +# If set to true, client connection and disconnection messages will be
>> included
>> +# in the log.
>> +#connection_messages true
>> +
>> +# If set to true, add a timestamp value to each log message.
>> +#log_timestamp true
>> +
>> +# =================================================================
>> +# Security
>> +# =================================================================
>> +
>> +# If set, only clients that have a matching prefix on their
>> +# clientid will be allowed to connect to the broker. By default,
>> +# all clients may connect.
>> +# For example, setting "secure-" here would mean a client "secure-
>> +# client" could connect but another with clientid "mqtt" couldn't.
>> +#clientid_prefixes
>> +
>> +# Boolean value that determines whether clients that connect
>> +# without providing a username are allowed to connect. If set to
>> +# false then a password file should be created (see the
>> +# password_file option) to control authenticated client access.
>> +# Defaults to true.
>> +#allow_anonymous true
>> +
>> +# In addition to the clientid_prefixes, allow_anonymous and TLS
>> +# authentication options, username based authentication is also
>> +# possible. The default support is described in "Default
>> +# authentication and topic access control" below. The auth_plugin
>> +# allows another authentication method to be used.
>> +# Specify the path to the loadable plugin and see the
>> +# "Authentication and topic access plugin options" section below.
>> +#auth_plugin
>> +
>> +# If auth_plugin_deny_special_chars is true, the default, then before an
>> ACL
>> +# check is made, the username/client id of the client needing the check
>> is
>> +# searched for the presence of either a '+' or '#' character. If either
>> of
>> +# these characters is found in either the username or client id, then the
>> ACL
>> +# check is denied before it is sent to the plugin.o
>> +#
>> +# This check prevents the case where a malicious user could circumvent an
>> ACL
>> +# check by using one of these characters as their username or client id.
>> This
>> +# is the same issue as was reported with mosquitto itself as
>> CVE-2017-7650.
>> +#
>> +# If you are entirely sure that the plugin you are using is not
>> vulnerable to
>> +# this attack (i.e. if you never use usernames or client ids in topics)
>> then
>> +# you can disable this extra check and have all ACL checks delivered to
>> your
>> +# plugin by setting auth_plugin_deny_special_chars to false.
>> +#auth_plugin_deny_special_chars true
>> +
>> +# -----------------------------------------------------------------
>> +# Default authentication and topic access control
>> +# -----------------------------------------------------------------
>> +
>> +# Control access to the broker using a password file. This file can be
>> +# generated using the mosquitto_passwd utility. If TLS support is not
>> compiled
>> +# into mosquitto (it is recommended that TLS support should be included)
>> then
>> +# plain text passwords are used, in which case the file should be a text
>> file
>> +# with lines in the format:
>> +# username:password
>> +# The password (and colon) may be omitted if desired, although this
>> +# offers very little in the way of security.
>> +#
>> +# See the TLS client require_certificate and use_identity_as_username
>> options
>> +# for alternative authentication options.
>> +#password_file
>> +
>> +# Access may also be controlled using a pre-shared-key file. This
>> requires
>> +# TLS-PSK support and a listener configured to use it. The file should be
>> text
>> +# lines in the format:
>> +# identity:key
>> +# The key should be in hexadecimal format without a leading "0x".
>> +#psk_file
>> +
>> +# Control access to topics on the broker using an access control list
>> +# file. If this parameter is defined then only the topics listed will
>> +# have access.
>> +# If the first character of a line of the ACL file is a # it is treated
>> as a
>> +# comment.
>> +# Topic access is added with lines of the format:
>> +#
>> +# topic [read|write|readwrite] <topic>
>> +#
>> +# The access type is controlled using "read", "write" or "readwrite".
>> This
>> +# parameter is optional (unless <topic> contains a space character) - if
>> not
>> +# given then the access is read/write.  <topic> can contain the + or #
>> +# wildcards as in subscriptions.
>> +#
>> +# The first set of topics are applied to anonymous clients, assuming
>> +# allow_anonymous is true. User specific topic ACLs are added after a
>> +# user line as follows:
>> +#
>> +# user <username>
>> +#
>> +# The username referred to here is the same as in password_file. It is
>> +# not the clientid.
>> +#
>> +#
>> +# If is also possible to define ACLs based on pattern substitution within
>> the
>> +# topic. The patterns available for substition are:
>> +#
>> +# %c to match the client id of the client
>> +# %u to match the username of the client
>> +#
>> +# The substitution pattern must be the only text for that level of
>> hierarchy.
>> +#
>> +# The form is the same as for the topic keyword, but using pattern as the
>> +# keyword.
>> +# Pattern ACLs apply to all users even if the "user" keyword has
>> previously
>> +# been given.
>> +#
>> +# If using bridges with usernames and ACLs, connection messages can be
>> allowed
>> +# with the following pattern:
>> +# pattern write $SYS/broker/connection/%c/state
>> +#
>> +# pattern [read|write|readwrite] <topic>
>> +#
>> +# Example:
>> +#
>> +# pattern write sensor/%u/data
>> +#
>> +#acl_file
>> +
>> +# -----------------------------------------------------------------
>> +# Authentication and topic access plugin options
>> +# -----------------------------------------------------------------
>> +
>> +# If the auth_plugin option above is used, define options to pass to the
>> +# plugin here as described by the plugin instructions. All options named
>> +# using the format auth_opt_* will be passed to the plugin, for example:
>> +#
>> +# auth_opt_db_host
>> +# auth_opt_db_port
>> +# auth_opt_db_username
>> +# auth_opt_db_password
>> +
>> +
>> +# =================================================================
>> +# Bridges
>> +# =================================================================
>> +
>> +# A bridge is a way of connecting multiple MQTT brokers together.
>> +# Create a new bridge using the "connection" option as described below.
>> Set
>> +# options for the bridges using the remaining parameters. You must
>> specify the
>> +# address and at least one topic to subscribe to.
>> +# Each connection must have a unique name.
>> +# The address line may have multiple host address and ports specified.
>> See
>> +# below in the round_robin description for more details on bridge
>> behaviour if
>> +# multiple addresses are used.
>> +# The direction that the topic will be shared can be chosen by
>> +# specifying out, in or both, where the default value is out.
>> +# The QoS level of the bridged communication can be specified with the
>> next
>> +# topic option. The default QoS level is 0, to change the QoS the topic
>> +# direction must also be given.
>> +# The local and remote prefix options allow a topic to be remapped when
>> it is
>> +# bridged to/from the remote broker. This provides the ability to place a
>> topic
>> +# tree in an appropriate location.
>> +# For more details see the mosquitto.conf man page.
>> +# Multiple topics can be specified per connection, but be careful
>> +# not to create any loops.
>> +# If you are using bridges with cleansession set to false (the default),
>> then
>> +# you may get unexpected behaviour from incoming topics if you change
>> what
>> +# topics you are subscribing to. This is because the remote broker keeps
>> the
>> +# subscription for the old topic. If you have this problem, connect your
>> bridge
>> +# with cleansession set to true, then reconnect with cleansession set to
>> false
>> +# as normal.
>> +#connection <name>
>> +#address <host>[:<port>] [<host>[:<port>]]
>> +#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
>> +
>> +# Set the version of the MQTT protocol to use with for this bridge. Can
>> be one
>> +# of mqttv31 or mqttv311. Defaults to mqttv31.
>> +#bridge_protocol_version mqttv31
>> +
>> +# If a bridge has topics that have "out" direction, the default behaviour
>> is to
>> +# send an unsubscribe request to the remote broker on that topic. This
>> means
>> +# that changing a topic direction from "in" to "out" will not keep
>> receiving
>> +# incoming messages. Sending these unsubscribe requests is not always
>> +# desirable, setting bridge_attempt_unsubscribe to false will disable
>> sending
>> +# the unsubscribe request.
>> +#bridge_attempt_unsubscribe true
>> +
>> +# If the bridge has more than one address given in the address/addresses
>> +# configuration, the round_robin option defines the behaviour of the
>> bridge on
>> +# a failure of the bridge connection. If round_robin is false, the
>> default
>> +# value, then the first address is treated as the main bridge connection.
>> If
>> +# the connection fails, the other secondary addresses will be attempted
>> in
>> +# turn. Whilst connected to a secondary bridge, the bridge will
>> periodically
>> +# attempt to reconnect to the main bridge until successful.
>> +# If round_robin is true, then all addresses are treated as equals. If a
>> +# connection fails, the next address will be tried and if successful will
>> +# remain connected until it fails
>> +#round_robin false
>> +
>> +# Set the client id to use on the remote end of this bridge connection.
>> If not
>> +# defined, this defaults to 'name.hostname' where name is the connection
>> name
>> +# and hostname is the hostname of this computer.
>> +# This replaces the old "clientid" option to avoid confusion. "clientid"
>> +# remains valid for the time being.
>> +#remote_clientid
>> +
>> +# Set the clientid to use on the local broker. If not defined, this
>> defaults to
>> +# 'local.<clientid>'. If you are bridging a broker to itself, it is
>> important
>> +# that local_clientid and clientid do not match.
>> +#local_clientid
>> +
>> +# Set the clean session variable for this bridge.
>> +# When set to true, when the bridge disconnects for any reason, all
>> +# messages and subscriptions will be cleaned up on the remote
>> +# broker. Note that with cleansession set to true, there may be a
>> +# significant amount of retained messages sent when the bridge
>> +# reconnects after losing its connection.
>> +# When set to false, the subscriptions and messages are kept on the
>> +# remote broker, and delivered when the bridge reconnects.
>> +#cleansession false
>> +
>> +# If set to true, publish notification messages to the local and remote
>> brokers
>> +# giving information about the state of the bridge connection. Retained
>> +# messages are published to the topic
>> $SYS/broker/connection/<clientid>/state
>> +# unless the notification_topic option is used.
>> +# If the message is 1 then the connection is active, or 0 if the
>> connection has
>> +# failed.
>> +#notifications true
>> +
>> +# Choose the topic on which notification messages for this bridge are
>> +# published. If not set, messages are published on the topic
>> +# $SYS/broker/connection/<clientid>/state
>> +#notification_topic
>> +
>> +# Set the keepalive interval for this bridge connection, in
>> +# seconds.
>> +#keepalive_interval 60
>> +
>> +# Set the start type of the bridge. This controls how the bridge starts
>> and
>> +# can be one of three types: automatic, lazy and once. Note that RSMB
>> provides
>> +# a fourth start type "manual" which isn't currently supported by
>> mosquitto.
>> +#
>> +# "automatic" is the default start type and means that the bridge
>> connection
>> +# will be started automatically when the broker starts and also restarted
>> +# after a short delay (30 seconds) if the connection fails.
>> +#
>> +# Bridges using the "lazy" start type will be started automatically when
>> the
>> +# number of queued messages exceeds the number set with the "threshold"
>> +# parameter. It will be stopped automatically after the time set by the
>> +# "idle_timeout" parameter. Use this start type if you wish the
>> connection to
>> +# only be active when it is needed.
>> +#
>> +# A bridge using the "once" start type will be started automatically when
>> the
>> +# broker starts but will not be restarted if the connection fails.
>> +#start_type automatic
>> +
>> +# Set the amount of time a bridge using the automatic start type will
>> wait
>> +# until attempting to reconnect.  Defaults to 30 seconds.
>> +#restart_timeout 30
>> +
>> +# Set the amount of time a bridge using the lazy start type must be idle
>> before
>> +# it will be stopped. Defaults to 60 seconds.
>> +#idle_timeout 60
>> +
>> +# Set the number of messages that need to be queued for a bridge with
>> lazy
>> +# start type to be restarted. Defaults to 10 messages.
>> +# Must be less than max_queued_messages.
>> +#threshold 10
>> +
>> +# If try_private is set to true, the bridge will attempt to indicate to
>> the
>> +# remote broker that it is a bridge not an ordinary client. If
>> successful, this
>> +# means that loop detection will be more effective and that retained
>> messages
>> +# will be propagated correctly. Not all brokers support this feature so
>> it may
>> +# be necessary to set try_private to false if your bridge does not
>> connect
>> +# properly.
>> +#try_private true
>> +
>> +# Set the username to use when connecting to a broker that requires
>> +# authentication.
>> +# This replaces the old "username" option to avoid confusion. "username"
>> +# remains valid for the time being.
>> +#remote_username
>> +
>> +# Set the password to use when connecting to a broker that requires
>> +# authentication. This option is only used if remote_username is also
>> set.
>> +# This replaces the old "password" option to avoid confusion. "password"
>> +# remains valid for the time being.
>> +#remote_password
>> +
>> +# -----------------------------------------------------------------
>> +# Certificate based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# Either bridge_cafile or bridge_capath must be defined to enable TLS
>> support
>> +# for this bridge.
>> +# bridge_cafile defines the path to a file containing the
>> +# Certificate Authority certificates that have signed the remote broker
>> +# certificate.
>> +# bridge_capath defines a directory that will be searched for files
>> containing
>> +# the CA certificates. For bridge_capath to work correctly, the
>> certificate
>> +# files must have ".crt" as the file ending and you must run "c_rehash
>> <path to
>> +# capath>" each time you add/remove a certificate.
>> +#bridge_cafile
>> +#bridge_capath
>> +
>> +# Path to the PEM encoded client certificate, if required by the remote
>> broker.
>> +#bridge_certfile
>> +
>> +# Path to the PEM encoded client private key, if required by the remote
>> broker.
>> +#bridge_keyfile
>> +
>> +# When using certificate based encryption, bridge_insecure disables
>> +# verification of the server hostname in the server certificate. This can
>> be
>> +# useful when testing initial server configurations, but makes it
>> possible for
>> +# a malicious third party to impersonate your server through DNS
>> spoofing, for
>> +# example. Use this option in testing only. If you need to resort to
>> using this
>> +# option in a production environment, your setup is at fault and there is
>> no
>> +# point using encryption.
>> +#bridge_insecure false
>> +
>> +# -----------------------------------------------------------------
>> +# PSK based SSL/TLS support
>> +# -----------------------------------------------------------------
>> +# Pre-shared-key encryption provides an alternative to certificate based
>> +# encryption. A bridge can be configured to use PSK with the
>> bridge_identity
>> +# and bridge_psk options. These are the client PSK identity, and
>> pre-shared-key
>> +# in hexadecimal format with no "0x". Only one of certificate and PSK
>> based
>> +# encryption can be used on one
>> +# bridge at once.
>> +#bridge_identity
>> +#bridge_psk
>> +
>> +
>> +# =================================================================
>> +# External config files
>> +# =================================================================
>> +
>> +# External configuration files may be included by using the
>> +# include_dir option. This defines a directory that will be searched
>> +# for config files. All files that end in '.conf' will be loaded as
>> +# a configuration file. It is best to have this as the last option
>> +# in the main file. This option will only be processed from the main
>> +# configuration file. The directory specified must not contain the
>> +# main configuration file.
>> +#include_dir
>> +
>> +# =================================================================
>> +# rsmb options - unlikely to ever be supported
>> +# =================================================================
>> +
>> +#ffdc_output
>> +#max_log_entries
>> +#trace_level
>> +#trace_output
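Review bot: as installed, this file enables neither authentication nor topic access control: `#password_file`, `#psk_file` and `#acl_file` are all left commented out, and the bridge credential options (`#remote_username`, `#remote_password`, `#bridge_psk`) are likewise empty, so the broker comes up on compiled-in defaults. Since the commit message is only the subject line, state there that this is the unmodified upstream sample (as discussed in the thread) and that users are expected to override it with a bbappend, or ship a variant with at least `acl_file` and `password_file` set. Leave the upstream wording quirks ("If is also possible", "substition") untouched so the file stays diffable against the sample shipped in the 1.4.14 tarball.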
>> diff --git
>> a/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb
>> b/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb
>> index ea76c36e61..9fea03a5c8 100644
>> --- a/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb
>> +++ b/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb
>> @@ -16,6 +16,7 @@ SRC_URI =
>> "http://mosquitto.org/files/source/mosquitto-${PV}.tar.gz \
>>
>> file://0003-makefile-remove-example-files-from-installation.patch \
>>             file://mosquitto.service \
>>             file://mosquitto.init \
>> +           file://mosquitto.conf \
>>  "
>>
>>  SRC_URI[md5sum] = "6b0966e93f118bc71ad7b61600a6c2d3"
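Review bot: `file://mosquitto.conf` adds a local copy of the upstream sample that has to be re-synced by hand on every version bump; the `0003-makefile-remove-example-files-from-installation.patch` entry just above suggests the tarball already carries this file, so consider installing it from `${S}` in do_install instead (then this SRC_URI entry is not needed). If a local copy is kept, record in the commit message which upstream version it was copied from so later bumps know what to diff against.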
>> @@ -49,6 +50,7 @@ do_install() {
>>      install -m 0644 ${WORKDIR}/mosquitto.service
>> ${D}${systemd_unitdir}/system/
>>
>>      install -d ${D}${sysconfdir}/mosquitto
>> +    install -m 0644 ${WORKDIR}/mosquitto.conf
>> ${D}${sysconfdir}/mosquitto/mosquitto.conf
>>
>>      install -d ${D}${sysconfdir}/init.d/
>>      install -m 0755 ${WORKDIR}/mosquitto.init
>> ${D}${sysconfdir}/init.d/mosquitto
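Review bot: `install -m 0644` makes the config world-readable, which is harmless for the shipped file (every option is commented out) but not once a bbappend fills in `remote_password` or `bridge_psk`, both of which the file documents as plain-text values; consider 0640 with the group the service runs as, or a comment noting that secrets belong in separate files with tighter modes (password_file, psk_file) rather than in mosquitto.conf itself.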
>> @@ -76,6 +78,8 @@ FILES_${PN}-clients = "${bindir}/mosquitto_pub \
>>                         ${bindir}/mosquitto_sub \
>>  "
>>
>> +CONFFILES_${PN} = "${sysconfdir}/mosquitto"
>> +
>>  SYSTEMD_SERVICE_${PN} = "mosquitto.service"
>>
>>  INITSCRIPT_NAME = "mosquitto"
>>
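Review bot: `CONFFILES_${PN} = "${sysconfdir}/mosquitto"` names a directory rather than the installed file; the directory form only works if the packaging class expands it to the files underneath, whereas listing `${sysconfdir}/mosquitto/mosquitto.conf` explicitly matches the single file this patch installs and makes it obvious what is protected from being overwritten on package upgrade. If the intent is to also cover password or ACL files that a bbappend drops into the same directory, say so in the commit message.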