fix(container): update image public.ecr.aws/emqx/emqx to v5.8.9

[renovate]

This PR contains the following updates:

Package	Update	Change
public.ecr.aws/emqx/emqx (source)	patch	5.8.5 → 5.8.9

---

Release Notes

emqx/emqx (public.ecr.aws/emqx/emqx)

v5.8.9: EMQX v5.8.9

Compare Source

Enhancements

• #​16491 Start releasing packages for macOS 15 (Sequoia)

• #​15911 Now, for the HTTP Action, the HTTP request timeout is taken to be the same as resource_opts.request_ttl. Previously, it was a fixed, non-configurable value of 30 seconds.

• #​15845 Extended the static_clientids configuration of MQTT Connector to allow specifying usernames and passwords associated with each clientid.

Bug Fixes

Core MQTT Functionalities

• #​16349 Fixed a crash in MQTT v5 connections caused by a type mismatch when processing the request-response-information property.

• #​16081 Fixed an issue where, if a client used extended authentication mechanisms and memory sessions, they could crash with an session_stepdown_request_exception error and calling_self reason.

  e.g.:

  2025-09-24T07:13:08.973954+08:00 [error] clientid: someclientid, msg: session_stepdown_request_exception, peername: 127.0.0.1:41782, username: admin, error: exit, reason: calling_self, stacktrace: [{gen_server,call,3,[{file,"gen_server.erl"},{line,1222}]},{emqx_cm,request_stepdown,4,[{file,"emqx_cm.erl"},{line,427}]},{emqx_cm,do_takeover_begin,2,[{file,"emqx_cm.erl"},{line,398}]},{emqx_cm,takeover_session,2,[{file,"emqx_cm.erl"},{line,384}]},{emqx_cm,takeover_session_begin,2,[{file,"emqx_cm.erl"},{line,305}]},{emqx_session_mem,open,4,[{file,"emqx_session_mem.erl"},{line,210}]},{emqx_session,open,3,[{file,"emqx_session.erl"},{line,263}]},{emqx_cm,'-open_session/4-fun-1-',4,[{file,"emqx_cm.erl"},{line,290}]},{emqx_cm_locker,trans,2,[{file,"emqx_cm_locker.erl"},{line,32}]},{emqx_channel,post_process_connect,2,[{file,"emqx_channel.erl"},{line,575}]},{emqx_connection,with_channel,3,[{file,"emqx_connection.erl"},{line,852}]},{emqx_connection,process_msg,2,[{file,"emqx_connection.erl"},{line,470}]},{emqx_connection,process_msgs,2,[{file,"emqx_connection.erl"},{line,462}]},{emqx_connection,handle_recv,3,[{file,"emqx_connection.erl"},{line,406}]},{proc_lib,wake_up,3,[{file,"proc_lib.erl"},{line,340}]}], action: {takeover,'begin'}, ...
  

• #​15872 Eliminate warning log unclean_terminate when disconnected after CONNACK is sent with a non-zero reason code.

• #​15902 Upgraded MQTT client library to 1.13.8

  This improves MQTT bridge connectivity with:

  • Connector will automatically reconnect when peer broker does not reply PINGRESP.
  • Bridge over TLS failure is more promptly handled if connection breaks while waiting for CONNACK.

• #​15884 Resolved an issue where, in rare cases, the global routing table could indefinitely retain routing information for nodes that had long since left the cluster.

  This also fixes a race condition that could cause accumulating inconsistencies in the routing table and shared subscription state when a large number of shared subscribers disconnect simultaneously.

Clustering

• #​16452 Upgraded gen_rpc to 3.5.1.

  Prior to the gen_rpc upgrade, EMQX may experience long tail of crash logs due to connect timeout if a peer node is unreachable.
  The new version gen_rpc no longer has the long tail and converted crash logs to more readable error logs,
  and the frequent log "failed_to_connect_server" is also throttled to avoid spamming.

Security and Authentication

• #​15844 Added validation to forbid adding empty usernames to the built-in database authenticator. Such users cannot be deleted via the HTTP API later, since they mess up the API path.

  If you have such an user and wish to delete it, run the following in an EMQX console:

  mria:transaction(emqx_authn_shard, fun() -> mnesia:delete(emqx_authn_mnesia, {'mqtt:global',<<>>}, write) end).

• #​15818 Corrected handling of {allow|deny, all} ACL rules.

  Previously, these rules were internally translated to match #, which incorrectly failed to match topics prefixed with $ (e.g. $testtopic/1) due to MQTT spec restrictions.
  Now, a special internal value is used to ensure {allow|deny, all} rules correctly match any topic, including $-prefixed ones.

• #​15899 Improved memory usage: authorization (authz) cache is now cleared immediately when a client disconnects, reducing unnecessary memory consumption.

Rule Engine

• #​16028 Fixed rule engine jq function memory leak.

  Previously if jq built-in function index is used (e.g. .key | index("name")), it would result in memory leak.

Durable Storage

• #​14674 Limited the number and size of RocksDB info log files created by EMQX durable storage.

Breaking Changes

• #​16491 Stop releasing packages for macOS 13 (Ventura)

v5.8.8: EMQX v5.8.8

Compare Source

Enhancements

Deployment

• #​15813 Added package release for Debian 13 (Trixie), and updated Docker images to use Debian 13 as the base.

Core MQTT Functionalities

• #​15773 Throttled client ID registration during reconnects.
  • When a previous session cleanup is still in progress, new connections using the same client ID are now throttled. This prevents instability when clients reconnect aggressively.
  • Affected clients receive reason code 137 (Server Busy) in the CONNACK with Reason-String "THROTTLED", and should retry after the cleanup completes.
  • Fixed the reason code returned when another connection registers the same client ID; now correctly returns 137 instead of 133.

Observability

• #​15499 Added a force deactivate alarm API endpoint to allow administrators to forcibly deactivate active alarms.

Performance

• #​15536 Disabled the node.global_gc_interval configuration by default to improve overall performance stability, as it caused CPU fluctuations and higher message latency while providing little benefit over Erlang’s built-in garbage collector.
• #​15539 Optimized Erlang VM parameters to improve performance and stability:
  • Increased buffer size for distributed channels to 32 MB (+zdbbl 32768) to prevent busy_dist_port alarms during intensive Mnesia operations.
  • Disabled scheduler busy-waiting (+sbwt none +sbwtdcpu none +sbwtdio none) to lower CPU usage reported by the operating system.
  • Set scheduler binding type to db (+stbt db) to reduce message latency.

Bug Fixes

Deployment

• #​15580 Added a new emqxLicenseSecretRef variable to the EMQX Enterprise Helm chart. This allows users to specify a Kubernetes Secret containing the EMQX license key, so the license is applied automatically.

  This replaces the non-functional emqxLicenseSecretName variable, which created and mounted a secret file but did not pass the license to EMQX.

Clustering

• #​14778 Fixed an issue where a node could not join a running cluster if that node had broken symlinks in its data/certs or data/authz directories.

Security

• #​15581 Upgraded Erlang/OTP version from 26.2.5.2 to 26.2.5.14. This upgrade includes two TLS-related fixes from OTP that affect EMQX:
  • Fixed a crash in TLS connections caused by a race condition during certificate renewal.
  • Added support for RSA certificates signed with RSASSA-PSS parameters. Previously, such certificates could cause TLS handshakes to fail with a bad_certificate / invalid_signature error.

Observability

• #​15639 Fixed an issue where the packets.subscribe.auth_error metric was not incremented when subscription authentication failed.

Gateway

• #​15679 Fixed incorrect global chain names for the ExProto gateways. Built-in authentication data for these gateways was previously grouped under unknown:global, causing conflicts between gateways.
• #​15699 Fixed an issue where built-in authentication data for gateways (e.g., CoAP) was incorrectly removed when a node was stopped or restarted.

ExHook

• #​15683 Fixed ExHook TLS options so that gRPC clients can correctly verify the server hostname during the TLS handshake.

v5.8.7: EMQX v5.8.7

Compare Source

Bug Fixes

• #​15383 Fixed a potential resource leak in the MQTT bridge. When the bridge failed to start, the topic index table was not properly cleaned up. This fix ensures that the index table is correctly deleted to prevent resource leaks.

v5.8.6: EMQX v5.8.6

Compare Source

Enhancement

• #​14869 Added the connected_at timestamp field to the $events/client_disconnected event payload. This enhancement enables tracking the original connection session time for disconnected clients, preventing outdated disconnect events from overriding newer connection states.

  Previously, when clients frequently reconnected due to unstable networks, delayed disconnect events could lead to incorrect session tracking. With this update, the connected_at field is now included in the event payload, aligning its behavior with system topics and ensuring accurate session state management.

Bug Fixes

Core MQTT Functionalities

• #​14815 Fixed packet ID release for QoS 2 messages. Previously, if a client failed to send a PUBREL for the maximum configured number of pending QoS 2 messages and then disconnected, the packet IDs remained occupied even after exceeding the configured Max Awaiting PUBREL Timeout.

Installation and Deployment

• #​14797 Fixed macOS release package startup issue due to OpenSSL dynamic linking (backport #​14624).

  Previously, the EMQX ZIP package on macOS could fail to start because the quicer application dynamically linked to the system-installed OpenSSL, which was not signed during the EMQX build process. Now we have disabled dynamic linking for OpenSSL, aligning with the OTP shipped on macOS. This ensures EMQX starts reliably on macOS 13 and later.

Authentication

• #​14847 Fixed JWKS authentication failure for wildcard HTTPS endpoints. Previously, JWKS authentication failed to retrieve keys from HTTPS endpoints that used wildcard hostnames, preventing successful authentication.
• #​14786 Fixed JWT authentication settings update when using an external JWKS endpoint. Previously, when updating JWT authentication settings with JWKS (key server) enabled in both the old and new configurations, some settings were not correctly applied.

REST API

• #​14834 Fixed incorrect Content-Type header when downloading data backup files. Previously, the response header for downloaded backup files incorrectly used application/json instead of application/octet-stream.

Rule Engine

• #​14824 Fixed HTTP 500 error in SQL Rule Tester when handling details key in alarm events. Previously, when testing alarm_activated or alarm_deactivated events in the SQL Rule Tester, certain values in the details key could cause an HTTP 500 error due to improper handling of nested map keys.

Observability

• #​14800 Throttled warning level log dropped_qos0_msg.

• #​14793 Added trace log for protocol_error in MQTT connections.

  Previously, when a client sent invalid or unexpected MQTT packets causing a protocol_error, EMQX logs provided limited details, making it difficult to diagnose the issue.

  For example, if a client sent a second CONNECT packet while already connected, EMQX would log socket_force_closed with protocol_error, but without indicating the exact cause.

  With this update, EMQX now logs unexpected_connect_packet with conn_state=connected before socket_force_closed, providing clearer context for debugging protocol violations.

Plugin

• #​14802 Introduced a new CLI command for plugins:

   emqx ctl plugins allow NAME-VSN

Breaking Changes

• #​14802 Starting from this version, plugin installation via the REST API or Dashboard requires explicit permission. Users must obtain this permission using the following CLI command before installing.

  emqx ctl plugins allow NAME-VSN

  This change enhances security by preventing unauthorized plugin installations. Users managing plugins via the API or Dashboard must adjust their workflows accordingly.

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/database/emqx/cluster Kustomization: flux-system/emqx-cluster EMQX: database/emqx

+++ kubernetes/apps/database/emqx/cluster Kustomization: flux-system/emqx-cluster EMQX: database/emqx

@@ -52,13 +52,13 @@

         accessModes:
         - ReadWriteOnce
         resources:
           requests:
             storage: 200Mi
         storageClassName: openebs-hostpath
-  image: public.ecr.aws/emqx/emqx:5.8.5
+  image: public.ecr.aws/emqx/emqx:5.8.9
   listenersServiceTemplate:
     metadata:
       annotations:
         lbipam.cilium.io/ips: 192.168.20.135
     spec:
       type: LoadBalancer