rabbitmq/rabbitmq-server v4.3.0-rc.1

RabbitMQ 4.3.0-rc.1

on GitHub

RabbitMQ 4.3.0-rc.1

RabbitMQ 4.3.0-rc.1 is a new feature release candidate.

Breaking Changes and Compatibility Notes

Mnesia and Parition Handling Strategies are Removed

Since only 4.2.x clusters can upgrade to 4.3.0 in place, this
won't be a breaking change for nearly all instalations but it will affect community
plugins that use Mnesia.

All partition handling-related keys in rabbitmq.conf will be
accepted by 4.3.0 nodes but won't have any effect:

• cluster_partition_handling
• cluster_partition_handling.pause_if_all_down.recover
• cluster_partition_handling.pause_if_all_down.nodes.$name

Team RabbitMQ recommends removing the above keys from rabbitmq.conf before or shortly after upgrading.

Deprecated Features are Now Disabled by Default

A number of deprecated features are now disabled
by default and require the user to opt-in in order to use them.

This includes non-durable (transient) non-exclusive queues:
attempts to declare a queue with such property combination will be rejected by default.

Use durable queues or transient exclusive queues instead.

Classic Queues v1 Storage (CQv1) is Removed

This release removes the original classic queue storage implementation these days
known as CQv1. A 2nd generation implementation called CQv2 has been adopted
as the default starting with 4.2.0.

This means that attempts to declare a queue using the following optional queue arguments will fail:

• x-queue-mode set to any value
• x-queue-version set to 1

Existing classic queues upgraded to CQv2 during an earlier upgrade to 4.2.x will continue
operating as usual.

Consumer Timeouts are No Longer Evaluated for Classic Queues and Streams

This release moves consumer timeout handling responsibility into the queues
themselves. Also, all protocols (except for the stream protocol) now evaluate
consumer timeout for queue types that support them. Classic queues and streams
never evaluate consumer timeouts as their use cases largely avoid the need for
such as feature.

Release Highlights

Khepri is Now The Only Metadata Store

As of this release, Khepri is the only metadata store supported
by RabbitMQ: Mnesia was removed completely.

In practical operational terms, this means that

1. For a cluster to be available, a majority of nodes must be online at all times
2. Failure and partition recovery in a RabbitMQ cluster is now significantly
   simpler and uniform: all components that have replicated state (Khepri, quorum queues, streams)
   recover per Raft recovery semantics

Quorum Queues Enhancements

This release upgrades the Ra dependency to 3.x and introduces
a new (8th) version of the quorum queue state machine with several new features and optimisations:

• Strict priority queues with per-priority message counts, correct
  redelivery ordering, and priority-aware message expiration
• Delayed retry for quorum queues: configurable increasing backoff when
  messages are returned
• Consumer timeout for quorum queues: configurable timeout for
  unacknowledged messages, with protocol-specific handling for AMQP 1.0 and
  MQTT
• Recovery snapshots and snapshot throttling to reduce recovery time
  and improve snapshotting decisions
• Memory optimisations including compact message references, optimised
  tuple storage for delayed keys, and removal of rabbit_fifo_index usage

Upgrading to 4.3.0

Documentation Guides on Upgrades

See the Upgrading guide for documentation on upgrades and GitHub releases
for release notes of individual releases.

This release series supports upgrades from 4.2.x. Upgrades from earlier series are not supported:
users must upgrade to the latest available 4.2.x patch release before upgrading to 4.3.0.

New Required Feature Flags

All feature flags introduced in 4.2.0 and earlier are required, including the following:

• rabbitmq_4.2.0
• rabbitmq_4.1.0
• rabbitmq_4.0.0
• khepri_db
• quorum_queue_non_voters
• message_containers_deaths_v2

Enable all required feature flags before upgrading to 4.3.0.

If your RabbitMQ cluster had plugin rabbitmq_amqp1_0 enabled in RabbitMQ 3.13.x (and your cluster still serves AMQP 1.0 client connections in 4.x), your cluster should do at least one rolling update after enabling feature flag rabbitmq_4.0.0 but before upgrading to 4.3.0.

Deprecated Features

In 4.3.0 the deprecation phase of the following features advanced from permitted_by_default to denied_by_default:

• amqp_address_v1
• amqp_filter_set_bug
• global_qos
• queue_master_locator
• transient_nonexcl_queues

And the deprecated feature ram_node_type has been removed.

Mixed Version Cluster Compatibility

RabbitMQ 4.3.0 nodes can run alongside 4.2.x in the same cluster.

Mixed version clusters are a mechanism that allows rolling upgrades and are not meant to be run for extended
periods of time (no more than a few hours).

Recommended Post-upgrade Procedures

This version does not require any additional post-upgrade procedures
compared to other versions.

Changes Worth Mentioning

Core Server

Enhancements

• When a message is rejected by a queue, RabbitMQ now provides the queue name and rejection reason to AMQP 1.0 publishers
  in the Rejected outcome. This is particularly useful when multiple queues are bound to an exchange, as it allows
  publishers to identify which specific queue out of several target queues rejected the message and why
  (e.g., maximum queue length reached or queue unavailable). Previously, publishers had no way to determine which queue
  rejected their message or the reason for rejection.

  The queue name and reason are included in the info field of the Rejected outcome's error field:

  • queue: <queue name>
  • reason: maxlen | unavailable

  GitHub issue: #15075

• Quorum queues now support strict priority queues with per-priority message counts,
  correct redelivery ordering across priorities, and priority-aware message expiration scans.

  GitHub issue: #13885

• Quorum queues now support delayed retry with configurable backoff based on delivery count. When messages
  are returned (via reject, nack, or modify), they can be held in a delayed state before becoming
  available again. The delay is based on delivery count: min(min_delay * delivery_count, max_delay).

  Configuration is available via queue arguments (x-delayed-retry-type, x-delayed-retry-min,
  x-delayed-retry-max) or policy keys (delayed-retry-type, delayed-retry-min,
  delayed-retry-max). The retry type can be set to disabled, all, failed, or returned.

  GitHub issue: #13885

• Quorum queues now support a configurable consumer timeout. When a consumer holds unacknowledged
  messages beyond the timeout, the messages are returned to the queue. For AMQP 1.0 clients,
  timed-out deliveries are released via DISPOSITION(state=released) instead of detaching the link,
  allowing the consumer to recover without re-attaching. MQTT consumers are also supported.

  The timeout can be set via the x-consumer-timeout consumer argument, queue argument, consumer-timeout
  policy key, or the global consumer_timeout setting in rabbitmq.conf.

  GitHub issue: #13885

• A new consumer_disconnected_timeout setting controls how long quorum queues wait before returning
  messages when a consumer's node becomes unreachable due to a network partition. The default is 60 seconds.
  Configurable via consumer_disconnected_timeout in rabbitmq.conf, the consumer-disconnected-timeout
  policy key, or the x-consumer-disconnected-timeout queue argument.

  GitHub issue: #13885

• Quorum queue recovery snapshots reduce recovery time after a member restart by avoiding
  the need to replay all enqueue commands from the log.

  GitHub issue: #13885

• Quorum queue snapshot throttling now uses WAL fill ratio and reclaimable byte tracking
  to make smarter snapshotting decisions, yielding roughly one snapshot per queue per WAL cycle
  instead of excessive snapshots in shallow, fast-flowing queues.

  GitHub issue: #13885

• Quorum queue memory optimisations: message references now use a compact packed integer
  representation ("compact" means up to 59-bit) when possible, halving per-message
  memory overhead in many scenarios. The rabbit_fifo_index module is no longer used by the
  main state machine.

  GitHub issue: #13885

• Quorum queues now allow unlimited explicit message returns. The delivery limit is based on
  delivery-count rather than acquired-count, so messages can be explicitly returned to the
  queue without counting towards the delivery limit.

  GitHub issue: #13885

• The x-modulus-hash exchange type, previously provided by the sharding plugin, was moved
  into the core and reworked to provide stable message routing (distribution)
  assuming a stable set of bindings, including between node restarts.

  GitHub issue: #15849

• When quorum queue members (replicas) are deleted from a node, either manually
  via rabbitmq-queues shrink or as part of rabbitmqctl forget_cluster_node,
  the members are stopped in parallel.

  GitHub issue: #15081

• Purging a quorum queue now also removes at-least-once dead-lettered messages that were pending delivery.

  GitHub issue: #13885

• AMQP 0-9-1: when a connection's credentials are refreshed, the permissions cache is now
  cleared and consumer permissions are re-validated immediately

  GitHub issue: #16092

• Quorum queue delivery limit can now be changed via policy without queue redeclaration

  GitHub issue: #16035

• Khepri topic exchange routing projection (v4): replaced the internal representation with a trie
  backed by an ordered_set ETS table, significantly improving routing performance
  for topic exchanges with many bindings

  GitHub commit: 8929bc5ab4

• Quorum queues notify AMQP 1.0 clients of Single Active Consumer state changes

  GitHub commit: 817a4d4351

• More rabbitmq.conf keys now accept tagged values (e.g., encrypted:...)

  GitHub issue: #15808

• Startup banner no longer includes the Erlang cookie hash

  GitHub issue: #16087

• Optimised AMQP 1.0 message container annotation handling during modify outcomes

  GitHub issue: #15743

• Bulk queue delete with Khepri has been optimized

  GitHub issue: #14902

• Optimised quorum queue message expiry scanning

  GitHub issue: #15846

• AMQP 0-9-1: configure permission checks now apply to passive queue and exchange declarations,
  matching the behavior of their regular counterparts

  GitHub issue: #16085

• Khepri snapshot interval is now configurable in rabbitmq.conf

  GitHub issue: #16011

• Quorum queue Raft settings: additional configuration settings are now exposed in rabbitmq.conf,
  including maximum segment size

  GitHub issue: #15962

Bug Fixes

• If a quorum queue with a large backlog terminated abnormally, node memory
  footprint could spike.

  GitHub issue: #15837

• rabbitmqctl forget_cluster_node now removes all quorum queue and stream members (replicas)
  before proceeding to leave the metadata store cluster.

  This order minimizes the risk of some replicas being left behind on the leaving node.

  GitHub issue: #15729

• Quorum queue at-most-once dead lettering for the overflow behaviour drop-head now happens in the correct order.

  GitHub issue: #14926

• Feature flag state in the registry and on disk were not consistent for a period of time during node boot.

  GitHub issue: #14943

• Classic queues now implement AMQP 1.0 delivery-count and first-acquirer headers properly.

  GitHub issue: #15020

• Quorum queues returned an incorrect consumer count in the response to a passive
  queue.declare operation

  GitHub issue: #16185

• Classic queue shared store could leave stale index entries after segment removal or rollover,
  causing unnecessary disk space usage

  GitHub issue: #16142

• Bindings targeting Direct Reply-to pseudo-queues are now rejected instead of
  being silently accepted without any functional effect

  GitHub issue: #15935

• AMQP 1.0 sessions could grant too many credits in certain failure and recovery scenarios

  GitHub commit: 1898ac1f3f

• Quorum queues: acquired-count is now correctly preserved when dead-lettering

  GitHub commit: 8a9cd3ee24

• AMQP 1.0: attaching with a link handle already in use on the same session is now rejected
  with a handle-in-use session error, as required by the specification

  GitHub commit: 4b59c19641

• Quorum queues: Single Active Consumer could incorrectly report multiple active consumers
  in certain timing scenarios

  GitHub issue: #15733

• Quorum queues: consumer timeout could fail to trigger under certain conditions

  GitHub issue: #15805

• The channel limit exceeded error message now correctly identifies the per-user limit
  as the source of the constraint

  GitHub issue: #15750

Stream Plugin

Bug Fixes

• stream.read_ahead is a new setting that controls how much data is prefetched from disk
  for stream reads (consumption).

  GitHub issue: #14948

• Stream deletion is now more resilient and can handle certain mid-deletion failure scenarios.

  GitHub issue: #14852

• new_stream coordinator command is now idempotent. Previously, concurrent or retried
  stream declarations could produce spurious errors even though the stream was created
  successfully

  GitHub issue: #15706

Prometheus Plugin

Enhancements

• /metrics/detailed endpoint now supports filtering queue metrics by queue name

  GitHub issue: #15689

Grafana Dashboards

Enhancements

• The dashboards were updated for the most recent RabbitMQ release series.

• Replaced explicit rate intervals with $__rate_interval for better
  compatibility across different scrape intervals

  GitHub issue: #15978

Management Plugin

Enhancements

• GET /api/queues/{vhost} requests no longer perform unnecessary virtual host permission checks
  and log less (at debug level) as a result.

  GitHub issue: #14923

• Quorum queue delayed retry configuration and status, per-priority message counts, and consumer
  timeout state are now displayed in the management UI.

  GitHub issue: #13885

• GET /users/{user}/queues has been added.

  GitHub issue: #15074

• HTTP API displays static connection info (peer address, TLS details, auth mechanism)
  even when stats collection is disabled via rabbitmq.conf

  GitHub issue: #16009

Bug Fixes

• effective_policy_definition in HTTP API responses now returns an empty JSON object
  (not an array or empty string) when no policy applies to a queue

  GitHub issue: #16017

• Management UI: OAuth 2 used side by side with Basic Auth could fail to reload provider
  configuration correctly

  GitHub issue: #15793

• Management UI: preference cookie expiry now respects the configured session timeout
  setting rather than using a hardcoded value

  GitHub issue: #15814

• Management UI: users were presented with a 401 error after changing their own password
  via the UI. The session is now refreshed automatically

  GitHub issue: #15730

• The deprecated, unused GET /api/auth endpoint was removed.

  It has been out of use since 3.11 but never removed.

  GitHub issue: #16083

• POST /api/users/bulk-delete now respects the protected_users configuration,
  matching the behavior of the single-user DELETE /api/users/:name endpoint

  GitHub issue: #16143

MQTT Plugin

Enhancements

• For MQTT 5.0 publishers, when a message is rejected because the target queue's maximum length is exceeded,
  RabbitMQ now returns a Quota exceeded reason code in the PUBACK packet. This provides publishers with
  actionable information about why their message was rejected.

  GitHub issue: #15075

• MQTT QoS 0 queue type now reports member information in management API responses

  GitHub issue: #15656

Web MQTT Plugin

Enhancements

• A default max_frame_size is now set on WebSocket connections, bounding decompressed frame sizes.
  The limit starts at mqtt.max_packet_size_unauthenticated and is raised after successful CONNECT

  GitHub issue: #16180

• A login_timeout is now enforced for WebSocket connections, matching the TCP listener behavior

  GitHub issue: #16120

• WebSocket Origin header will be validated web_mqtt.allow_origins

  GitHub issue: #16158

STOMP Plugin

Enhancements

• For certain destinations that previously used non-durable (transient) queues,
  STOMP subscriptions now use exclusive queues, as non-exclusive transient queues
  are a deprecated property combination disabled by default as of this release

  GitHub issue: #13016

Web STOMP Plugin

Enhancements

• WebSocket Origin header validation is now available via web_stomp.allow_origins

  GitHub issue: #16158

Federation Plugin

Enhancements

• Federation links and their connections are now stopped in parallel.

  This significantly improves shutdown time for nodes with many (into thousands) federation links.

  GitHub issue: #15271

• Federation links no longer restart during plugin or node shutdown.

  For nodes with hundreds or thousands of federation links, link recovery could
  significantly delay node shutdown.

  GitHub issue: #15258

Federation Management Plugin

Bug Fixes

• Federation link restart operations now require the policymaker tag

  GitHub issue: #16051

Shovel Plugin

Enhancements

• An optional src-consumer-name property can be specified to define the consumer tag
  (amqp091 and local src-protocol) or link identifier (amqp10 protocol)

Bug Fixes

• Improved target node resource alarm handling for AMQP 1.0 and local shovels.

  GitHub issue: #14886

• Local shovels could run into an exception that would cause a shovel restart.

  GitHub issue: #14872

• AMQP 1.0 shovels ignored the sasl URI parameter.

  GitHub issue: #14867

Shovel Management Plugin

Bug Fixes

• Shovel management: DELETE operations now require the policymaker tag, matching the
  federation plugin counterpart

  GitHub issue: #16051

OAuth 2 Plugin

Bug Fixes

• A usability improvement allows the plugin to automatically load the trusted system x.509 (TLS) certificates.

  GitHub issue: #14927

• The auth cache backend now correctly delegates token expiry timestamps to the wrapped backend,
  ensuring connections are closed when tokens expire

  GitHub issue: #16100

LDAP Plugin

Enhancements

• LDAP queries, including multi-line ones, can now be specified in rabbitmq.conf.

  GitHub issue: #14868

Bug Fixes

• A usability improvement allows the plugin to automatically load the trusted system certificates
  when the user only enables TLS for the LDAP client but does not configure any other settings.

  GitHub issue: #14937

• DN values are now handled per RFC 4514

  GitHub issue: #16101

HTTP Auth Backend Plugin

Enhancements

• The HTTP Auth Backend can now optionally provide a custom authorization denial reason to AMQP clients.

  To opt in, return deny <Reason> (instead of only deny) in the HTTP response body of your HTTP auth backend and set the following in your rabbitmq.conf file:

auth_http.authorization_failure_disclosure = true

See the README for more information.

GitHub issue: #14641

Sharding Plugin

Enhancements

• The x-modulus-hash exchange type, previously provided by the sharding plugin, was moved
  into the core and reworked to provide stable message routing (distribution)
  assuming a stable set of bindings, including between node restarts.

  GitHub issue: #15849

Trust Store Plugin

Enhancements

• Refactored certificate identification to avoid (unlikely) conflicts

  GitHub issue: #16116

• The plugin now provides CLI commands for trust store certificate management have been introduced

  GitHub issue: #15746

• Rejected certificates are now logged with additional diagnostic details

  GitHub issue: #15889

Tracing Plugin

Bug Fixes

• Trace file downloads now set the charset to UTF-8 when serving trace files.

  GitHub issue: #13952

Dependency Changes

• ra was upgraded to 3.1.5
• khepri was upgraded to 0.18.0
• osiris was upgraded to 1.3.1
• gen_batch_server was upgraded to 0.9.2
• cuttlefish was upgraded to 3.6.0

Source Code Archives

To obtain source code of the entire distribution, please download the archive named rabbitmq-server-4.3.0.tar.xz
instead of the source tarball produced by GitHub.