From: nick83ola
Date: Tue, 5 Jun 2018 14:37:17 +0100
To: raj.khem@gmail.com
Cc: "openembedded-devel@lists.openembedded.org"
Subject: Re: [PATCH 2/2] mosquitto: add default configuration file

Hi Khem,

please ignore my previous email.
I will repost the two patches with your suggestions.

Thanks
Nicola Lunghi

On 5 June 2018 at 10:55, Nicola Lunghi wrote:
> Hi Khem,
>
> The conf file is taken from the package itself (look in the zip for conf)
> with the options enabled in current Debian Package (that compile most of the
> functionality in).
>
> See the file directory debian/config/linux in
> http://http.debian.net/debian/pool/main/w/wpa/wpa_2.6-16.debian.tar.xz
>
> The options enabled can be disabled from the config file if they are
> compiled in.
>
> The standard conf file basically disables everything, so for most options it is
> useless.
>
> The purpose of having it into the recipe is to render simple to substitute
> it with a bbappend file.
> If you put a long series of sed/awk into the recipe it is very difficult to
> read and to modify.
>
> The old config present in the yocto package was doing the same but was very
> old (look at the git history)
> and was never updated.
>
> Let me know what is the best approach to this.
>
> Thanks,
> Nick
>
>
> ________________________________
> From: Khem Raj
> Sent: 01 June 2018 17:38:20
> To: Nicola Lunghi; openembedded-devel@lists.openembedded.org
> Cc: Nicola Lunghi
> Subject: Re: [oe] [PATCH 2/2] mosquitto: add default configuration file
>
> On 6/1/18 3:35 AM, Nicola Lunghi wrote:
>> From: Nicola Lunghi
>>
>> Signed-off-by: Nicola Lunghi
>> ---
>> .../mosquitto/files/mosquitto.conf | 837 ++++++++++++++++++
>> .../mosquitto/mosquitto_1.4.14.bb | 4 +
>> 2 files changed, 841 insertions(+)
>> create mode 100644
>> meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>
> What's the source of this conf file? If it's adapted from some sample
> file, maybe we can just use some sed/awk operations in do_install
> instead of adding this file explicitly.
>
>> >> diff --git >> a/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf >> b/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf >> new file mode 100644 >> index 0000000000..e4223c75d6 >> --- /dev/null >> +++ b/meta-networking/recipes-connectivity/mosquitto/files/mosquitto.conf
>> @@ -0,0 +1,837 @@ >> +# Config file for mosquitto >> +# >> +# See mosquitto.conf(5) for more information. >> +# >> +# Default values are shown, uncomment to change. >> +# >> +# Use the # character to indicate a comment, but only if it is the >> +# very first character on the line. >> + >> +# ================================================================= >> +# General configuration >> +# ================================================================= >> + >> +# Time in seconds to wait before resending an outgoing QoS=1 or >> +# QoS=2 message. >> +#retry_interval 20 >> + >> +# Time in seconds between updates of the $SYS tree. >> +# Set to 0 to disable the publishing of the $SYS tree. >> +#sys_interval 10 >> + >> +# Time in seconds between cleaning the internal message store of >> +# unreferenced messages. Lower values will result in lower memory >> +# usage but more processor time, higher values will have the >> +# opposite effect. >> +# Setting a value of 0 means the unreferenced messages will be >> +# disposed of as quickly as possible. >> +#store_clean_interval 10 >> + >> +# Write process id to a file. Default is a blank string which means >> +# a pid file shouldn't be written. >> +# This should be set to /var/run/mosquitto.pid if mosquitto is >> +# being run automatically on boot with an init script and >> +# start-stop-daemon or similar. >> +#pid_file >> + >> +# When run as root, drop privileges to this user and its primary >> +# group. >> +# Leave blank to stay as root, but this is not recommended. >> +# If run as a non-root user, this setting has no effect. >> +# Note that on Windows this has no effect and so mosquitto should >> +# be started by the user you wish it to run as. >> +#user mosquitto >> + >> +# The maximum number of QoS 1 and 2 messages currently inflight per >> +# client. >> +# This includes messages that are partway through handshakes and >> +# those that are being retried. Defaults to 20. Set to 0 for no >> +# maximum. 
Setting to 1 will guarantee in-order delivery of QoS 1 >> +# and 2 messages. >> +#max_inflight_messages 20 >> + >> +# The maximum number of QoS 1 and 2 messages to hold in a queue >> +# above those that are currently in-flight. Defaults to 100. Set >> +# to 0 for no maximum (not recommended). >> +# See also queue_qos0_messages. >> +#max_queued_messages 100 >> + >> +# Set to true to queue messages with QoS 0 when a persistent client is >> +# disconnected. These messages are included in the limit imposed by >> +# max_queued_messages. >> +# Defaults to false. >> +# This is a non-standard option for the MQTT v3.1 spec but is allowed in >> +# v3.1.1. >> +#queue_qos0_messages false >> + >> +# This option sets the maximum publish payload size that the broker will >> allow. >> +# Received messages that exceed this size will not be accepted by the >> broker. >> +# The default value is 0, which means that all valid MQTT messages are >> +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. >> +#message_size_limit 0 >> + >> +# This option controls whether a client is allowed to connect with a zero >> +# length client id or not. This option only affects clients using MQTT >> v3.1.1 >> +# and later. If set to false, clients connecting with a zero length >> client id >> +# are disconnected. If set to true, clients will be allocated a client id >> by >> +# the broker. This means it is only useful for clients with clean session >> set >> +# to true. >> +#allow_zero_length_clientid true >> + >> +# If allow_zero_length_clientid is true, this option allows you to set a >> prefix >> +# to automatically generated client ids to aid visibility in logs. >> +#auto_id_prefix >> + >> +# This option allows persistent clients (those with clean session set to >> false) >> +# to be removed if they do not reconnect within a certain time frame. >> +# >> +# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. 
>> +# >> +# Badly designed clients may set clean session to false whilst using a >> randomly >> +# generated client id. This leads to persistent clients that will never >> +# reconnect. This option allows these clients to be removed. >> +# >> +# The expiration period should be an integer followed by one of h d w m y >> for >> +# hour, day, week, month and year respectively. For example >> +# >> +# persistent_client_expiration 2m >> +# persistent_client_expiration 14d >> +# persistent_client_expiration 1y >> +# >> +# The default if not set is to never expire persistent clients. >> +#persistent_client_expiration >> + >> +# If a client is subscribed to multiple subscriptions that overlap, e.g. >> foo/# >> +# and foo/+/baz , then MQTT expects that when the broker receives a >> message on >> +# a topic that matches both subscriptions, such as foo/bar/baz, then the >> client >> +# should only receive the message once. >> +# Mosquitto keeps track of which clients a message has been sent to in >> order to >> +# meet this requirement. The allow_duplicate_messages option allows this >> +# behaviour to be disabled, which may be useful if you have a large >> number of >> +# clients subscribed to the same set of topics and are very concerned >> about >> +# minimising memory usage. >> +# It can be safely set to true if you know in advance that your clients >> will >> +# never have overlapping subscriptions, otherwise your clients must be >> able to >> +# correctly deal with duplicate messages even when then have QoS=2. >> +#allow_duplicate_messages false >> + >> +# The MQTT specification requires that the QoS of a message delivered to >> a >> +# subscriber is never upgraded to match the QoS of the subscription. >> Enabling >> +# this option changes this behaviour. If upgrade_outgoing_qos is set >> true, >> +# messages sent to a subscriber will always match the QoS of its >> subscription. >> +# This is a non-standard option explicitly disallowed by the spec. 
>> +#upgrade_outgoing_qos false >> + >> +# ================================================================= >> +# Default listener >> +# ================================================================= >> + >> +# IP address/hostname to bind the default listener to. If not >> +# given, the default listener will not be bound to a specific >> +# address and so will be accessible to all network interfaces. >> +# bind_address ip-address/host name >> +#bind_address >> + >> +# Port to use for the default listener. >> +#port 1883 >> + >> +# The maximum number of client connections to allow. This is >> +# a per listener setting. >> +# Default is -1, which means unlimited connections. >> +# Note that other process limits mean that unlimited connections >> +# are not really possible. Typically the default maximum number of >> +# connections possible is around 1024. >> +#max_connections -1 >> + >> +# Choose the protocol to use when listening. >> +# This can be either mqtt or websockets. >> +# Websockets support is currently disabled by default at compile time. >> +# Certificate based TLS may be used with websockets, except that >> +# only the cafile, certfile, keyfile and ciphers options are supported. >> +#protocol mqtt >> + >> +# When a listener is using the websockets protocol, it is possible to >> serve >> +# http data as well. Set http_dir to a directory which contains the files >> you >> +# wish to serve. If this option is not specified, then no normal http >> +# connections will be possible. >> +#http_dir >> + >> +# Set use_username_as_clientid to true to replace the clientid that a >> client >> +# connected with with its username. This allows authentication to be tied >> to >> +# the clientid, which means that it is possible to prevent one client >> +# disconnecting another by using the same clientid. >> +# If a client connects with no username it will be disconnected as not >> +# authorised when this option is set to true. 
>> +# Do not use in conjunction with clientid_prefixes. >> +# See also use_identity_as_username. >> +#use_username_as_clientid >> + >> +# ----------------------------------------------------------------- >> +# Certificate based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# The following options can be used to enable SSL/TLS support for >> +# this listener. Note that the recommended port for MQTT over TLS >> +# is 8883, but this must be set manually. >> +# >> +# See also the mosquitto-tls man page. >> + >> +# At least one of cafile or capath must be defined. They both >> +# define methods of accessing the PEM encoded Certificate >> +# Authority certificates that have signed your server certificate >> +# and that you wish to trust. >> +# cafile defines the path to a file containing the CA certificates. >> +# capath defines a directory that will be searched for files >> +# containing the CA certificates. For capath to work correctly, the >> +# certificate files must have ".crt" as the file ending and you must run >> +# "c_rehash " each time you add/remove a certificate. >> +#cafile >> +#capath >> + >> +# Path to the PEM encoded server certificate. >> +#certfile >> + >> +# Path to the PEM encoded keyfile. >> +#keyfile >> + >> +# This option defines the version of the TLS protocol to use for this >> listener. >> +# The default value allows v1.2, v1.1 and v1.0, if they are all supported >> by >> +# the version of openssl that the broker was compiled against. For >> openssl >= >> +# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < >> 1.0.1 the >> +# valid values are tlsv1. >> +#tls_version >> + >> +# By default a TLS enabled listener will operate in a similar fashion to >> a >> +# https enabled web server, in that the server has a certificate signed >> by a CA >> +# and the client will verify that it is a trusted certificate. The >> overall aim >> +# is encryption of the network traffic. 
By setting require_certificate to >> true, >> +# the client must provide a valid certificate in order for the network >> +# connection to proceed. This allows access to the broker to be >> controlled >> +# outside of the mechanisms provided by MQTT. >> +#require_certificate false >> + >> +# If require_certificate is true, you may set use_identity_as_username to >> true >> +# to use the CN value from the client certificate as a username. If this >> is >> +# true, the password_file option will not be used for this listener. >> +#use_identity_as_username false >> + >> +# If you have require_certificate set to true, you can create a >> certificate >> +# revocation list file to revoke access to particular client >> certificates. If >> +# you have done this, use crlfile to point to the PEM encoded revocation >> file. >> +#crlfile >> + >> +# If you wish to control which encryption ciphers are used, use the >> ciphers >> +# option. The list of available ciphers can be optained using the >> "openssl >> +# ciphers" command and should be provided in the same format as the >> output of >> +# that command. >> +# If unset defaults to >> DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH >> +#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH >> + >> +# ----------------------------------------------------------------- >> +# Pre-shared-key based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# The following options can be used to enable PSK based SSL/TLS support >> for >> +# this listener. Note that the recommended port for MQTT over TLS is >> 8883, but >> +# this must be set manually. >> +# >> +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS >> +# support" section. Only one of certificate or PSK encryption support can >> be >> +# enabled for any listener. >> + >> +# The psk_hint option enables pre-shared-key support for this listener >> and also >> +# acts as an identifier for this listener. 
The hint is sent to clients >> and may >> +# be used locally to aid authentication. The hint is a free form string >> that >> +# doesn't have much meaning in itself, so feel free to be creative. >> +# If this option is provided, see psk_file to define the pre-shared keys >> to be >> +# used or create a security plugin to handle them. >> +#psk_hint >> + >> +# Set use_identity_as_username to have the psk identity sent by the >> client used >> +# as its username. Authentication will be carried out using the PSK >> rather than >> +# the MQTT username/password and so password_file will not be used for >> this >> +# listener. >> +#use_identity_as_username false >> + >> +# When using PSK, the encryption ciphers used will be chosen from the >> list of >> +# available PSK ciphers. If you want to control which ciphers are >> available, >> +# use the "ciphers" option. The list of available ciphers can be >> optained >> +# using the "openssl ciphers" command and should be provided in the same >> format >> +# as the output of that command. >> +#ciphers >> + >> +# ================================================================= >> +# Extra listeners >> +# ================================================================= >> + >> +# Listen on a port/ip address combination. By using this variable >> +# multiple times, mosquitto can listen on more than one port. If >> +# this variable is used and neither bind_address nor port given, >> +# then the default listener will not be started. >> +# The port number to listen on must be given. Optionally, an ip >> +# address or host name may be supplied as a second argument. In >> +# this case, mosquitto will attempt to bind the listener to that >> +# address and so restrict access to the associated network and >> +# interface. By default, mosquitto will listen on all interfaces. >> +# Note that for a websockets listener it is not possible to bind to a >> host >> +# name. 
>> +# listener port-number [ip address/host name] >> +#listener >> + >> +# The maximum number of client connections to allow. This is >> +# a per listener setting. >> +# Default is -1, which means unlimited connections. >> +# Note that other process limits mean that unlimited connections >> +# are not really possible. Typically the default maximum number of >> +# connections possible is around 1024. >> +#max_connections -1 >> + >> +# The listener can be restricted to operating within a topic hierarchy >> using >> +# the mount_point option. This is achieved be prefixing the mount_point >> string >> +# to all topics for any clients connected to this listener. This >> prefixing only >> +# happens internally to the broker; the client will not see the prefix. >> +#mount_point >> + >> +# Choose the protocol to use when listening. >> +# This can be either mqtt or websockets. >> +# Certificate based TLS may be used with websockets, except that only the >> +# cafile, certfile, keyfile and ciphers options are supported. >> +#protocol mqtt >> + >> +# When a listener is using the websockets protocol, it is possible to >> serve >> +# http data as well. Set http_dir to a directory which contains the files >> you >> +# wish to serve. If this option is not specified, then no normal http >> +# connections will be possible. >> +#http_dir >> + >> +# Set use_username_as_clientid to true to replace the clientid that a >> client >> +# connected with with its username. This allows authentication to be tied >> to >> +# the clientid, which means that it is possible to prevent one client >> +# disconnecting another by using the same clientid. >> +# If a client connects with no username it will be disconnected as not >> +# authorised when this option is set to true. >> +# Do not use in conjunction with clientid_prefixes. >> +# See also use_identity_as_username. 
>> +#use_username_as_clientid >> + >> +# ----------------------------------------------------------------- >> +# Certificate based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# The following options can be used to enable certificate based SSL/TLS >> support >> +# for this listener. Note that the recommended port for MQTT over TLS is >> 8883, >> +# but this must be set manually. >> +# >> +# See also the mosquitto-tls man page and the "Pre-shared-key based >> SSL/TLS >> +# support" section. Only one of certificate or PSK encryption support can >> be >> +# enabled for any listener. >> + >> +# At least one of cafile or capath must be defined to enable certificate >> based >> +# TLS encryption. They both define methods of accessing the PEM encoded >> +# Certificate Authority certificates that have signed your server >> certificate >> +# and that you wish to trust. >> +# cafile defines the path to a file containing the CA certificates. >> +# capath defines a directory that will be searched for files >> +# containing the CA certificates. For capath to work correctly, the >> +# certificate files must have ".crt" as the file ending and you must run >> +# "c_rehash " each time you add/remove a certificate. >> +#cafile >> +#capath >> + >> +# Path to the PEM encoded server certificate. >> +#certfile >> + >> +# Path to the PEM encoded keyfile. >> +#keyfile >> + >> +# By default an TLS enabled listener will operate in a similar fashion to >> a >> +# https enabled web server, in that the server has a certificate signed >> by a CA >> +# and the client will verify that it is a trusted certificate. The >> overall aim >> +# is encryption of the network traffic. By setting require_certificate to >> true, >> +# the client must provide a valid certificate in order for the network >> +# connection to proceed. This allows access to the broker to be >> controlled >> +# outside of the mechanisms provided by MQTT. 
>> +#require_certificate false >> + >> +# If require_certificate is true, you may set use_identity_as_username to >> true >> +# to use the CN value from the client certificate as a username. If this >> is >> +# true, the password_file option will not be used for this listener. >> +#use_identity_as_username false >> + >> +# If you have require_certificate set to true, you can create a >> certificate >> +# revocation list file to revoke access to particular client >> certificates. If >> +# you have done this, use crlfile to point to the PEM encoded revocation >> file. >> +#crlfile >> + >> +# If you wish to control which encryption ciphers are used, use the >> ciphers >> +# option. The list of available ciphers can be optained using the >> "openssl >> +# ciphers" command and should be provided in the same format as the >> output of >> +# that command. >> +#ciphers >> + >> +# ----------------------------------------------------------------- >> +# Pre-shared-key based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# The following options can be used to enable PSK based SSL/TLS support >> for >> +# this listener. Note that the recommended port for MQTT over TLS is >> 8883, but >> +# this must be set manually. >> +# >> +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS >> +# support" section. Only one of certificate or PSK encryption support can >> be >> +# enabled for any listener. >> + >> +# The psk_hint option enables pre-shared-key support for this listener >> and also >> +# acts as an identifier for this listener. The hint is sent to clients >> and may >> +# be used locally to aid authentication. The hint is a free form string >> that >> +# doesn't have much meaning in itself, so feel free to be creative. >> +# If this option is provided, see psk_file to define the pre-shared keys >> to be >> +# used or create a security plugin to handle them. 
>> +#psk_hint >> + >> +# Set use_identity_as_username to have the psk identity sent by the >> client used >> +# as its username. Authentication will be carried out using the PSK >> rather than >> +# the MQTT username/password and so password_file will not be used for >> this >> +# listener. >> +#use_identity_as_username false >> + >> +# When using PSK, the encryption ciphers used will be chosen from the >> list of >> +# available PSK ciphers. If you want to control which ciphers are >> available, >> +# use the "ciphers" option. The list of available ciphers can be >> optained >> +# using the "openssl ciphers" command and should be provided in the same >> format >> +# as the output of that command. >> +#ciphers >> + >> +# ================================================================= >> +# Persistence >> +# ================================================================= >> + >> +# If persistence is enabled, save the in-memory database to disk >> +# every autosave_interval seconds. If set to 0, the persistence >> +# database will only be written when mosquitto exits. See also >> +# autosave_on_changes. >> +# Note that writing of the persistence database can be forced by >> +# sending mosquitto a SIGUSR1 signal. >> +#autosave_interval 1800 >> + >> +# If true, mosquitto will count the number of subscription changes, >> retained >> +# messages received and queued messages and if the total exceeds >> +# autosave_interval then the in-memory database will be saved to disk. >> +# If false, mosquitto will save the in-memory database to disk by >> treating >> +# autosave_interval as a time in seconds. >> +#autosave_on_changes false >> + >> +# Save persistent message data to disk (true/false). >> +# This saves information about all messages, including >> +# subscriptions, currently in-flight messages and retained >> +# messages. >> +# retained_persistence is a synonym for this option. 
>> +#persistence false >> + >> +# The filename to use for the persistent database, not including >> +# the path. >> +#persistence_file mosquitto.db >> + >> +# Location for persistent database. Must include trailing / >> +# Default is an empty string (current directory). >> +# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux >> or >> +# similar. >> +#persistence_location >> + >> +# ================================================================= >> +# Logging >> +# ================================================================= >> + >> +# Places to log to. Use multiple log_dest lines for multiple >> +# logging destinations. >> +# Possible destinations are: stdout stderr syslog topic file >> +# >> +# stdout and stderr log to the console on the named output. >> +# >> +# syslog uses the userspace syslog facility which usually ends up >> +# in /var/log/messages or similar. >> +# >> +# topic logs to the broker topic '$SYS/broker/log/', >> +# where severity is one of D, E, W, N, I, M which are debug, error, >> +# warning, notice, information and message. Message type severity is used >> by >> +# the subscribe/unsubscribe log_types and publishes log messages to >> +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. >> +# >> +# The file destination requires an additional parameter which is the file >> to be >> +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will >> be >> +# closed and reopened when the broker receives a HUP signal. Only a >> single file >> +# destination may be configured. >> +# >> +# Note that if the broker is running as a Windows service it will default >> to >> +# "log_dest none" and neither stdout nor stderr logging is available. >> +# Use "log_dest none" if you wish to disable logging. >> +#log_dest stderr >> + >> +# If using syslog logging (not on Windows), messages will be logged to >> the >> +# "daemon" facility by default. 
Use the log_facility option to choose >> which of >> +# local0 to local7 to log to instead. The option value should be an >> integer >> +# value, e.g. "log_facility 5" to use local5. >> +#log_facility >> + >> +# Types of messages to log. Use multiple log_type lines for logging >> +# multiple types of messages. >> +# Possible types are: debug, error, warning, notice, information, >> +# none, subscribe, unsubscribe, websockets, all. >> +# Note that debug type messages are for decoding the incoming/outgoing >> +# network packets. They are not logged in "topics". >> +#log_type error >> +#log_type warning >> +#log_type notice >> +#log_type information >> + >> +# Change the websockets logging level. This is a global option, it is not >> +# possible to set per listener. This is an integer that is interpreted by >> +# libwebsockets as a bit mask for its lws_log_levels enum. See the >> +# libwebsockets documentation for more details. "log_type websockets" >> must also >> +# be enabled. >> +#websockets_log_level 0 >> + >> +# If set to true, client connection and disconnection messages will be >> included >> +# in the log. >> +#connection_messages true >> + >> +# If set to true, add a timestamp value to each log message. >> +#log_timestamp true >> + >> +# ================================================================= >> +# Security >> +# ================================================================= >> + >> +# If set, only clients that have a matching prefix on their >> +# clientid will be allowed to connect to the broker. By default, >> +# all clients may connect. >> +# For example, setting "secure-" here would mean a client "secure- >> +# client" could connect but another with clientid "mqtt" couldn't. >> +#clientid_prefixes >> + >> +# Boolean value that determines whether clients that connect >> +# without providing a username are allowed to connect. 
If set to >> +# false then a password file should be created (see the >> +# password_file option) to control authenticated client access. >> +# Defaults to true. >> +#allow_anonymous true >> + >> +# In addition to the clientid_prefixes, allow_anonymous and TLS >> +# authentication options, username based authentication is also >> +# possible. The default support is described in "Default >> +# authentication and topic access control" below. The auth_plugin >> +# allows another authentication method to be used. >> +# Specify the path to the loadable plugin and see the >> +# "Authentication and topic access plugin options" section below. >> +#auth_plugin >> + >> +# If auth_plugin_deny_special_chars is true, the default, then before an >> ACL >> +# check is made, the username/client id of the client needing the check >> is >> +# searched for the presence of either a '+' or '#' character. If either >> of >> +# these characters is found in either the username or client id, then the >> ACL >> +# check is denied before it is sent to the plugin.o >> +# >> +# This check prevents the case where a malicious user could circumvent an >> ACL >> +# check by using one of these characters as their username or client id. >> This >> +# is the same issue as was reported with mosquitto itself as >> CVE-2017-7650. >> +# >> +# If you are entirely sure that the plugin you are using is not >> vulnerable to >> +# this attack (i.e. if you never use usernames or client ids in topics) >> then >> +# you can disable this extra check and have all ACL checks delivered to >> your >> +# plugin by setting auth_plugin_deny_special_chars to false. >> +#auth_plugin_deny_special_chars true >> + >> +# ----------------------------------------------------------------- >> +# Default authentication and topic access control >> +# ----------------------------------------------------------------- >> + >> +# Control access to the broker using a password file. 
This file can be >> +# generated using the mosquitto_passwd utility. If TLS support is not >> compiled >> +# into mosquitto (it is recommended that TLS support should be included) >> then >> +# plain text passwords are used, in which case the file should be a text >> file >> +# with lines in the format: >> +# username:password >> +# The password (and colon) may be omitted if desired, although this >> +# offers very little in the way of security. >> +# >> +# See the TLS client require_certificate and use_identity_as_username >> options >> +# for alternative authentication options. >> +#password_file >> + >> +# Access may also be controlled using a pre-shared-key file. This >> requires >> +# TLS-PSK support and a listener configured to use it. The file should be >> text >> +# lines in the format: >> +# identity:key >> +# The key should be in hexadecimal format without a leading "0x". >> +#psk_file >> + >> +# Control access to topics on the broker using an access control list >> +# file. If this parameter is defined then only the topics listed will >> +# have access. >> +# If the first character of a line of the ACL file is a # it is treated >> as a >> +# comment. >> +# Topic access is added with lines of the format: >> +# >> +# topic [read|write|readwrite] >> +# >> +# The access type is controlled using "read", "write" or "readwrite". >> This >> +# parameter is optional (unless contains a space character) - if >> not >> +# given then the access is read/write. can contain the + or # >> +# wildcards as in subscriptions. >> +# >> +# The first set of topics are applied to anonymous clients, assuming >> +# allow_anonymous is true. User specific topic ACLs are added after a >> +# user line as follows: >> +# >> +# user >> +# >> +# The username referred to here is the same as in password_file. It is >> +# not the clientid. >> +# >> +# >> +# If is also possible to define ACLs based on pattern substitution within >> the >> +# topic. 
The patterns available for substition are: >> +# >> +# %c to match the client id of the client >> +# %u to match the username of the client >> +# >> +# The substitution pattern must be the only text for that level of >> hierarchy. >> +# >> +# The form is the same as for the topic keyword, but using pattern as the >> +# keyword. >> +# Pattern ACLs apply to all users even if the "user" keyword has >> previously >> +# been given. >> +# >> +# If using bridges with usernames and ACLs, connection messages can be >> allowed >> +# with the following pattern: >> +# pattern write $SYS/broker/connection/%c/state >> +# >> +# pattern [read|write|readwrite] >> +# >> +# Example: >> +# >> +# pattern write sensor/%u/data >> +# >> +#acl_file >> + >> +# ----------------------------------------------------------------- >> +# Authentication and topic access plugin options >> +# ----------------------------------------------------------------- >> + >> +# If the auth_plugin option above is used, define options to pass to the >> +# plugin here as described by the plugin instructions. All options named >> +# using the format auth_opt_* will be passed to the plugin, for example: >> +# >> +# auth_opt_db_host >> +# auth_opt_db_port >> +# auth_opt_db_username >> +# auth_opt_db_password >> + >> + >> +# ================================================================= >> +# Bridges >> +# ================================================================= >> + >> +# A bridge is a way of connecting multiple MQTT brokers together. >> +# Create a new bridge using the "connection" option as described below. >> Set >> +# options for the bridges using the remaining parameters. You must >> specify the >> +# address and at least one topic to subscribe to. >> +# Each connection must have a unique name. >> +# The address line may have multiple host address and ports specified. >> See >> +# below in the round_robin description for more details on bridge >> behaviour if >> +# multiple addresses are used. 
>> +# The direction that the topic will be shared can be chosen by >> +# specifying out, in or both, where the default value is out. >> +# The QoS level of the bridged communication can be specified with the >> next >> +# topic option. The default QoS level is 0, to change the QoS the topic >> +# direction must also be given. >> +# The local and remote prefix options allow a topic to be remapped when >> it is >> +# bridged to/from the remote broker. This provides the ability to place a >> topic >> +# tree in an appropriate location. >> +# For more details see the mosquitto.conf man page. >> +# Multiple topics can be specified per connection, but be careful >> +# not to create any loops. >> +# If you are using bridges with cleansession set to false (the default), >> then >> +# you may get unexpected behaviour from incoming topics if you change >> what >> +# topics you are subscribing to. This is because the remote broker keeps >> the >> +# subscription for the old topic. If you have this problem, connect your >> bridge >> +# with cleansession set to true, then reconnect with cleansession set to >> false >> +# as normal. >> +#connection >> +#address [:] [[:]] >> +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] >> + >> +# Set the version of the MQTT protocol to use with for this bridge. Can >> be one >> +# of mqttv31 or mqttv311. Defaults to mqttv31. >> +#bridge_protocol_version mqttv31 >> + >> +# If a bridge has topics that have "out" direction, the default behaviour >> is to >> +# send an unsubscribe request to the remote broker on that topic. This >> means >> +# that changing a topic direction from "in" to "out" will not keep >> receiving >> +# incoming messages. Sending these unsubscribe requests is not always >> +# desirable, setting bridge_attempt_unsubscribe to false will disable >> sending >> +# the unsubscribe request. 
>> +#bridge_attempt_unsubscribe true >> + >> +# If the bridge has more than one address given in the address/addresses >> +# configuration, the round_robin option defines the behaviour of the >> bridge on >> +# a failure of the bridge connection. If round_robin is false, the >> default >> +# value, then the first address is treated as the main bridge connection. >> If >> +# the connection fails, the other secondary addresses will be attempted >> in >> +# turn. Whilst connected to a secondary bridge, the bridge will >> periodically >> +# attempt to reconnect to the main bridge until successful. >> +# If round_robin is true, then all addresses are treated as equals. If a >> +# connection fails, the next address will be tried and if successful will >> +# remain connected until it fails >> +#round_robin false >> + >> +# Set the client id to use on the remote end of this bridge connection. >> If not >> +# defined, this defaults to 'name.hostname' where name is the connection >> name >> +# and hostname is the hostname of this computer. >> +# This replaces the old "clientid" option to avoid confusion. "clientid" >> +# remains valid for the time being. >> +#remote_clientid >> + >> +# Set the clientid to use on the local broker. If not defined, this >> defaults to >> +# 'local.'. If you are bridging a broker to itself, it is >> important >> +# that local_clientid and clientid do not match. >> +#local_clientid >> + >> +# Set the clean session variable for this bridge. >> +# When set to true, when the bridge disconnects for any reason, all >> +# messages and subscriptions will be cleaned up on the remote >> +# broker. Note that with cleansession set to true, there may be a >> +# significant amount of retained messages sent when the bridge >> +# reconnects after losing its connection. >> +# When set to false, the subscriptions and messages are kept on the >> +# remote broker, and delivered when the bridge reconnects. 
>> +#cleansession false >> + >> +# If set to true, publish notification messages to the local and remote >> brokers >> +# giving information about the state of the bridge connection. Retained >> +# messages are published to the topic >> $SYS/broker/connection//state >> +# unless the notification_topic option is used. >> +# If the message is 1 then the connection is active, or 0 if the >> connection has >> +# failed. >> +#notifications true >> + >> +# Choose the topic on which notification messages for this bridge are >> +# published. If not set, messages are published on the topic >> +# $SYS/broker/connection//state >> +#notification_topic >> + >> +# Set the keepalive interval for this bridge connection, in >> +# seconds. >> +#keepalive_interval 60 >> + >> +# Set the start type of the bridge. This controls how the bridge starts >> and >> +# can be one of three types: automatic, lazy and once. Note that RSMB >> provides >> +# a fourth start type "manual" which isn't currently supported by >> mosquitto. >> +# >> +# "automatic" is the default start type and means that the bridge >> connection >> +# will be started automatically when the broker starts and also restarted >> +# after a short delay (30 seconds) if the connection fails. >> +# >> +# Bridges using the "lazy" start type will be started automatically when >> the >> +# number of queued messages exceeds the number set with the "threshold" >> +# parameter. It will be stopped automatically after the time set by the >> +# "idle_timeout" parameter. Use this start type if you wish the >> connection to >> +# only be active when it is needed. >> +# >> +# A bridge using the "once" start type will be started automatically when >> the >> +# broker starts but will not be restarted if the connection fails. >> +#start_type automatic >> + >> +# Set the amount of time a bridge using the automatic start type will >> wait >> +# until attempting to reconnect. Defaults to 30 seconds. 
>> +#restart_timeout 30 >> + >> +# Set the amount of time a bridge using the lazy start type must be idle >> before >> +# it will be stopped. Defaults to 60 seconds. >> +#idle_timeout 60 >> + >> +# Set the number of messages that need to be queued for a bridge with >> lazy >> +# start type to be restarted. Defaults to 10 messages. >> +# Must be less than max_queued_messages. >> +#threshold 10 >> + >> +# If try_private is set to true, the bridge will attempt to indicate to >> the >> +# remote broker that it is a bridge not an ordinary client. If >> successful, this >> +# means that loop detection will be more effective and that retained >> messages >> +# will be propagated correctly. Not all brokers support this feature so >> it may >> +# be necessary to set try_private to false if your bridge does not >> connect >> +# properly. >> +#try_private true >> + >> +# Set the username to use when connecting to a broker that requires >> +# authentication. >> +# This replaces the old "username" option to avoid confusion. "username" >> +# remains valid for the time being. >> +#remote_username >> + >> +# Set the password to use when connecting to a broker that requires >> +# authentication. This option is only used if remote_username is also >> set. >> +# This replaces the old "password" option to avoid confusion. "password" >> +# remains valid for the time being. >> +#remote_password >> + >> +# ----------------------------------------------------------------- >> +# Certificate based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# Either bridge_cafile or bridge_capath must be defined to enable TLS >> support >> +# for this bridge. >> +# bridge_cafile defines the path to a file containing the >> +# Certificate Authority certificates that have signed the remote broker >> +# certificate. >> +# bridge_capath defines a directory that will be searched for files >> containing >> +# the CA certificates. 
For bridge_capath to work correctly, the >> certificate >> +# files must have ".crt" as the file ending and you must run "c_rehash >> > +# capath>" each time you add/remove a certificate. >> +#bridge_cafile >> +#bridge_capath >> + >> +# Path to the PEM encoded client certificate, if required by the remote >> broker. >> +#bridge_certfile >> + >> +# Path to the PEM encoded client private key, if required by the remote >> broker. >> +#bridge_keyfile >> + >> +# When using certificate based encryption, bridge_insecure disables >> +# verification of the server hostname in the server certificate. This can >> be >> +# useful when testing initial server configurations, but makes it >> possible for >> +# a malicious third party to impersonate your server through DNS >> spoofing, for >> +# example. Use this option in testing only. If you need to resort to >> using this >> +# option in a production environment, your setup is at fault and there is >> no >> +# point using encryption. >> +#bridge_insecure false >> + >> +# ----------------------------------------------------------------- >> +# PSK based SSL/TLS support >> +# ----------------------------------------------------------------- >> +# Pre-shared-key encryption provides an alternative to certificate based >> +# encryption. A bridge can be configured to use PSK with the >> bridge_identity >> +# and bridge_psk options. These are the client PSK identity, and >> pre-shared-key >> +# in hexadecimal format with no "0x". Only one of certificate and PSK >> based >> +# encryption can be used on one >> +# bridge at once. >> +#bridge_identity >> +#bridge_psk >> + >> + >> +# ================================================================= >> +# External config files >> +# ================================================================= >> + >> +# External configuration files may be included by using the >> +# include_dir option. This defines a directory that will be searched >> +# for config files. 
All files that end in '.conf' will be loaded as >> +# a configuration file. It is best to have this as the last option >> +# in the main file. This option will only be processed from the main >> +# configuration file. The directory specified must not contain the >> +# main configuration file. >> +#include_dir >> + >> +# ================================================================= >> +# rsmb options - unlikely to ever be supported >> +# ================================================================= >> + >> +#ffdc_output >> +#max_log_entries >> +#trace_level >> +#trace_output >> diff --git >> a/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb >> b/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb >> index ea76c36e61..9fea03a5c8 100644 >> --- a/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb >> +++ b/meta-networking/recipes-connectivity/mosquitto/mosquitto_1.4.14.bb >> @@ -16,6 +16,7 @@ SRC_URI = >> "http://mosquitto.org/files/source/mosquitto-${PV}.tar.gz \ >> >> file://0003-makefile-remove-example-files-from-installation.patch \ >> file://mosquitto.service \ >> file://mosquitto.init \ >> + file://mosquitto.conf \ >> " >> >> SRC_URI[md5sum] = "6b0966e93f118bc71ad7b61600a6c2d3" >> @@ -49,6 +50,7 @@ do_install() { >> install -m 0644 ${WORKDIR}/mosquitto.service >> ${D}${systemd_unitdir}/system/ >> >> install -d ${D}${sysconfdir}/mosquitto >> + install -m 0644 ${WORKDIR}/mosquitto.conf >> ${D}${sysconfdir}/mosquitto/mosquitto.conf >> >> install -d ${D}${sysconfdir}/init.d/ >> install -m 0755 ${WORKDIR}/mosquitto.init >> ${D}${sysconfdir}/init.d/mosquitto >> @@ -76,6 +78,8 @@ FILES_${PN}-clients = "${bindir}/mosquitto_pub \ >> ${bindir}/mosquitto_sub \ >> " >> >> +CONFFILES_${PN} = "${sysconfdir}/mosquitto" >> + >> SYSTEMD_SERVICE_${PN} = "mosquitto.service" >> >> INITSCRIPT_NAME = "mosquitto" >> > >
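Review bot: In the Security section of the new mosquitto.conf, "#allow_anonymous true" is left commented out and neither password_file nor acl_file is set, so the file as installed keeps the documented default ("Defaults to true") and clients that connect without a username are accepted. For a file that becomes the default configuration of every image using this recipe, please state that choice deliberately: either ship "allow_anonymous false" with a short comment pointing at password_file, or say in the commit message that the file is the unmodified upstream example and that authentication has to be configured through a bbappend.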
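Review bot: In the do_install() hunk, "install -m 0644 ${WORKDIR}/mosquitto.conf" makes the configuration world-readable, while the same file documents remote_password and bridge_psk as settings that are written into it. Consider a tighter mode for this file, or add a comment in the recipe or the conf header telling users to keep bridge credentials in a separate, restricted file pulled in through include_dir; whichever is chosen, the broker still has to be able to read it, and the visible lines do not show which user the service runs as.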
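Review bot: In the last hunk, CONFFILES_${PN} = "${sysconfdir}/mosquitto" names the directory, whereas the file installed by the do_install() hunk is ${sysconfdir}/mosquitto/mosquitto.conf. Listing that file explicitly makes it clear which path is meant to be preserved across package upgrades and does not depend on how a directory entry is expanded by the packaging backend.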