release-notes/4.3.0.md
RabbitMQ 4.3.0 is a new feature release.
Since only 4.2.x clusters can upgrade to 4.3.0 in place, this
won't be a breaking change for nearly all instalations but it will affect community
plugins that use Mnesia.
All partition handling-related keys in rabbitmq.conf will be
accepted by 4.3.0 nodes but won't have any effect:
cluster_partition_handlingcluster_partition_handling.pause_if_all_down.recovercluster_partition_handling.pause_if_all_down.nodes.$nameTeam RabbitMQ recommends removing the above keys from rabbitmq.conf before or shortly after upgrading.
A number of deprecated features are now disabled by default and require the user to opt-in in order to use them.
This includes non-durable (transient) non-exclusive queues: attempts to declare a queue with such property combination will be rejected by default. Use durable queues or transient exclusive queues instead.
To explicitly allow transient non-exclusive queues, make sure that
all nodes in the cluster include the following rabbitmq.conf key
and were restarted so that all nodes have a consistent view of the deprecated
feature settings:
# Enables deprecated non-durable (transient) non-exclusive queues
# (disabled by default as of RabbitMQ `4.3.0`, will be removed in a later version).
#
# Must be effective on all cluster nodes BEFORE
# the cluster is upgraded to `4.3.0`.
# If only some nodes have the setting configured, it will not have the desired effect.
deprecated_features.permit.transient_nonexcl_queues = true
If only some nodes have setting configured, it will not have the desired effect.
This release removes the original classic queue storage implementation these days
known as CQv1. A 2nd generation implementation called CQv2 has been adopted
as the default starting with 4.2.0.
This means that attempts to declare a queue using the following optional queue arguments will fail:
x-queue-mode set to any valuex-queue-version set to 1Existing classic queues upgraded to CQv2 during an earlier upgrade to 4.2.x will continue
operating as usual.
This release moves consumer timeout handling responsibility into the queues themselves. Also, all protocols (except for the stream protocol) now evaluate consumer timeout for queue types that support them. Classic queues and streams never evaluate consumer timeouts as their use cases largely avoid the need for such as feature.
rabbitmqadmin v1 Download Endpoint is RemovedEnvironments that still rely on rabbitmqadmin v1 have two migration options:
rabbitmqadmin v2rabbitmqadmin v1 from the v4.2.x branch on GitHubAs of this release, Khepri is the only metadata store supported by RabbitMQ: Mnesia was removed completely.
In practical operational terms, this means that
This release upgrades the Ra dependency to 3.x and introduces
a new (8th) version of the quorum queue state machine with several new features and optimisations:
rabbit_fifo_index usageSee the Upgrading guide for documentation on upgrades and GitHub releases for release notes of individual releases.
This release series supports upgrades from 4.2.x. Upgrades from earlier series are not supported:
users must upgrade to the latest available 4.2.x patch release before upgrading to 4.3.0.
All feature flags introduced in 4.2.0 and earlier are required, including the following:
rabbitmq_4.2.0rabbitmq_4.1.0rabbitmq_4.0.0khepri_dbquorum_queue_non_votersmessage_containers_deaths_v2Enable all required feature flags before upgrading to 4.3.0.
If your RabbitMQ cluster had plugin rabbitmq_amqp1_0 enabled in RabbitMQ 3.13.x (and your cluster still serves AMQP 1.0 client connections in 4.x), your cluster should do at least one rolling update after enabling feature flag rabbitmq_4.0.0 but before upgrading to 4.3.0.
In 4.3.0 the deprecation phase of the following features advanced from permitted_by_default to denied_by_default:
amqp_address_v1amqp_filter_set_bugglobal_qosqueue_master_locatortransient_nonexcl_queuesAnd the deprecated feature ram_node_type has been removed.
RabbitMQ 4.3.0 nodes can run alongside 4.2.x in the same cluster.
Mixed version clusters are a mechanism that allows rolling upgrades and are not meant to be run for extended periods of time (no more than a few hours).
This version does not require any additional post-upgrade procedures compared to other versions.
When a message is rejected by a queue, RabbitMQ now provides the queue name and rejection reason to AMQP 1.0 publishers
in the Rejected outcome. This is particularly useful when multiple queues are bound to an exchange, as it allows
publishers to identify which specific queue out of several target queues rejected the message and why
(e.g., maximum queue length reached or queue unavailable). Previously, publishers had no way to determine which queue
rejected their message or the reason for rejection.
The queue name and reason are included in the info field of the Rejected outcome's error field:
queue: <queue name>reason: maxlen | unavailableGitHub issue: #15075
Quorum queues now support strict priority queues with per-priority message counts, correct redelivery ordering across priorities, and priority-aware message expiration scans.
GitHub issue: #13885
Quorum queues now support delayed retry with configurable backoff based on delivery count. When messages
are returned (via reject, nack, or modify), they can be held in a delayed state before becoming
available again. The delay is based on delivery count: min(min_delay * delivery_count, max_delay).
Configuration is available via queue arguments (x-delayed-retry-type, x-delayed-retry-min,
x-delayed-retry-max) or policy keys (delayed-retry-type, delayed-retry-min,
delayed-retry-max). The retry type can be set to disabled, all, failed, or returned.
GitHub issue: #13885
Quorum queues now support a configurable consumer timeout. When a consumer holds unacknowledged
messages beyond the timeout, the messages are returned to the queue. For AMQP 1.0 clients,
timed-out deliveries are released via DISPOSITION(state=released) instead of detaching the link,
allowing the consumer to recover without re-attaching. MQTT consumers are also supported.
The timeout can be set via the x-consumer-timeout consumer argument, queue argument, consumer-timeout
policy key, or the global consumer_timeout setting in rabbitmq.conf.
GitHub issue: #13885
A new consumer_disconnected_timeout setting controls how long quorum queues wait before returning
messages when a consumer's node becomes unreachable due to a network partition. The default is 60 seconds.
Configurable via consumer_disconnected_timeout in rabbitmq.conf, the consumer-disconnected-timeout
policy key, or the x-consumer-disconnected-timeout queue argument.
GitHub issue: #13885
Quorum queue recovery snapshots reduce recovery time after a member restart by avoiding the need to replay all enqueue commands from the log.
GitHub issue: #13885
Quorum queue snapshot throttling now uses WAL fill ratio and reclaimable byte tracking to make smarter snapshotting decisions, yielding roughly one snapshot per queue per WAL cycle instead of excessive snapshots in shallow, fast-flowing queues.
GitHub issue: #13885
Quorum queue memory optimisations: message references now use a compact packed integer
representation ("compact" means up to 59-bit) when possible, halving per-message
memory overhead in many scenarios. The rabbit_fifo_index module is no longer used by the
main state machine.
GitHub issue: #13885
Quorum queues now allow unlimited explicit message returns. The delivery limit is based on
delivery-count rather than acquired-count, so messages can be explicitly returned to the
queue without counting towards the delivery limit.
GitHub issue: #13885
The x-modulus-hash exchange type, previously provided by the sharding plugin, was moved
into the core and reworked to provide stable message routing (distribution)
assuming a stable set of bindings, including between node restarts.
GitHub issue: #15849
When quorum queue members (replicas) are deleted from a node, either manually
via rabbitmq-queues shrink or as part of rabbitmqctl forget_cluster_node,
the members are stopped in parallel.
GitHub issue: #15081
Purging a quorum queue now also removes at-least-once dead-lettered messages that were pending delivery.
GitHub issue: #13885
AMQP 0-9-1: when a connection's credentials are refreshed, the permissions cache is now cleared and consumer permissions are re-validated immediately
GitHub issue: #16092
Quorum queue delivery limit can now be changed via policy without queue redeclaration
GitHub issue: #16035
Khepri topic exchange routing projection (v4): replaced the internal representation with a trie
backed by an ordered_set ETS table, significantly improving routing performance
for topic exchanges with many bindings
GitHub issue: #15619
Quorum queues notify AMQP 1.0 clients of Single Active Consumer state changes
GitHub issue: #15736
More rabbitmq.conf keys now accept tagged values (e.g., encrypted:...)
GitHub issue: #15808
Startup banner no longer includes the Erlang cookie hash
GitHub issue: #16087
Optimised AMQP 1.0 message container annotation handling during modify outcomes
GitHub issue: #15743
Bulk queue delete with Khepri has been optimized
GitHub issue: #14902
Optimised quorum queue message expiry scanning
GitHub issue: #15846
AMQP 0-9-1: configure permission checks now apply to passive queue and exchange declarations,
matching the behavior of their regular counterparts
GitHub issue: #16085
Khepri snapshot interval is now configurable in rabbitmq.conf
GitHub issue: #16011
Quorum queue Raft settings: additional configuration settings are now exposed in rabbitmq.conf,
including maximum segment size
GitHub issue: #15962
If a quorum queue with a large backlog terminated abnormally, node memory footprint could spike.
GitHub issue: #15837
rabbitmqctl forget_cluster_node now removes all quorum queue and stream members (replicas)
before proceeding to leave the metadata store cluster.
This order minimizes the risk of some replicas being left behind on the leaving node.
GitHub issue: #15729
Quorum queue at-most-once dead lettering for the overflow behaviour drop-head now happens in the correct order.
GitHub issue: #14926
Feature flag state in the registry and on disk were not consistent for a period of time during node boot.
GitHub issue: #14943
Classic queues now implement AMQP 1.0 delivery-count and first-acquirer headers properly.
GitHub issue: #15020
Quorum queues returned an incorrect consumer count in the response to a passive
queue.declare operation
GitHub issue: #16185
Classic queue shared store could leave stale index entries after segment removal or rollover, causing unnecessary disk space usage
GitHub issue: #16142
Bindings targeting Direct Reply-to pseudo-queues are now rejected instead of being silently accepted without any functional effect
GitHub issue: #15935
AMQP 1.0 sessions could grant too many credits in certain failure and recovery scenarios
GitHub issue: #15883
Quorum queues: acquired-count is now correctly preserved when dead-lettering
GitHub issue: #16039
AMQP 1.0: attaching with a link handle already in use on the same session is now rejected
with a handle-in-use session error, as required by the specification
GitHub issue: #16039
Quorum queues: Single Active Consumer could incorrectly report multiple active consumers in certain timing scenarios
GitHub issue: #15733
Quorum queues: consumer timeout could fail to trigger under certain conditions
GitHub issue: #15805
The channel limit exceeded error message now correctly identifies the per-user limit as the source of the constraint
GitHub issue: #15750
stream.read_ahead is a new setting that controls how much data is prefetched from disk
for stream reads (consumption).
GitHub issue: #14948
Stream deletion is now more resilient and can handle certain mid-deletion failure scenarios.
GitHub issue: #14852
new_stream coordinator command is now idempotent. Previously, concurrent or retried
stream declarations could produce spurious errors even though the stream was created
successfully
GitHub issue: #15706
/metrics/detailed endpoint now supports filtering queue metrics by queue name
GitHub issue: #15689
The dashboards were updated for the most recent RabbitMQ release series.
Replaced explicit rate intervals with $__rate_interval for better
compatibility across different scrape intervals
GitHub issue: #15978
GET /api/queues/{vhost} requests no longer perform unnecessary virtual host permission checks
and log less (at debug level) as a result.
GitHub issue: #14923
Quorum queue delayed retry configuration and status, per-priority message counts, and consumer timeout state are now displayed in the management UI.
GitHub issue: #13885
GET /users/{user}/queues has been added.
GitHub issue: #15074
HTTP API displays static connection info (peer address, TLS details, auth mechanism)
even when stats collection is disabled via rabbitmq.conf
GitHub issue: #16009
effective_policy_definition in HTTP API responses now returns an empty JSON object
(not an array or empty string) when no policy applies to a queue
GitHub issue: #16017
Management UI: OAuth 2 used side by side with Basic Auth could fail to reload provider configuration correctly
GitHub issue: #15793
Management UI: preference cookie expiry now respects the configured session timeout setting rather than using a hardcoded value
GitHub issue: #15814
Management UI: users were presented with a 401 error after changing their own password via the UI. The session is now refreshed automatically
GitHub issue: #15730
The deprecated, unused GET /api/auth endpoint was removed.
It has been out of use since 3.11 but never removed.
GitHub issue: #16083
POST /api/users/bulk-delete now respects the protected_users configuration,
matching the behavior of the single-user DELETE /api/users/:name endpoint
GitHub issue: #16143
For MQTT 5.0 publishers, when a message is rejected because the target queue's maximum length is exceeded,
RabbitMQ now returns a Quota exceeded reason code in the PUBACK packet. This provides publishers with
actionable information about why their message was rejected.
GitHub issue: #15075
MQTT QoS 0 queue type now reports member information in management API responses
GitHub issue: #15656
A default max_frame_size is now set on WebSocket connections, bounding decompressed frame sizes.
The limit starts at mqtt.max_packet_size_unauthenticated and is raised after successful CONNECT
GitHub issue: #16180
A login_timeout is now enforced for WebSocket connections, matching the TCP listener behavior
GitHub issue: #16120
WebSocket Origin header will be validated web_mqtt.allow_origins
GitHub issue: #16158
For certain destinations that previously used non-durable (transient) queues, STOMP subscriptions now use exclusive queues, as non-exclusive transient queues are a deprecated property combination disabled by default as of this release
GitHub issue: #13016
WebSocket Origin header validation is now available via web_stomp.allow_origins
GitHub issue: #16158
Federation links and their connections are now stopped in parallel.
This significantly improves shutdown time for nodes with many (into thousands) federation links.
GitHub issue: #15271
Federation links no longer restart during plugin or node shutdown.
For nodes with hundreds or thousands of federation links, link recovery could significantly delay node shutdown.
GitHub issue: #15258
Federation link restart operations now require the policymaker tag
GitHub issue: #16051
src-consumer-name property can be specified to define the consumer tag
(amqp091 and local src-protocol) or link identifier (amqp10 protocol)Improved target node resource alarm handling for AMQP 1.0 and local shovels.
GitHub issue: #14886
Local shovels could run into an exception that would cause a shovel restart.
GitHub issue: #14872
AMQP 1.0 shovels ignored the sasl URI parameter.
GitHub issue: #14867
Shovel management: DELETE operations now require the policymaker tag, matching the
federation plugin counterpart
GitHub issue: #16051
A usability improvement allows the plugin to automatically load the trusted system x.509 (TLS) certificates.
GitHub issue: #14927
The auth cache backend now correctly delegates token expiry timestamps to the wrapped backend, ensuring connections are closed when tokens expire
GitHub issue: #16100
LDAP queries, including multi-line ones, can now be specified in rabbitmq.conf.
GitHub issue: #14868
A usability improvement allows the plugin to automatically load the trusted system certificates when the user only enables TLS for the LDAP client but does not configure any other settings.
GitHub issue: #14937
DN values are now handled per RFC 4514
GitHub issue: #16101
The HTTP Auth Backend can now optionally provide a custom authorization denial reason to AMQP clients.
To opt in, return deny <Reason> (instead of only deny) in the HTTP response body of your HTTP auth backend and set the following in your rabbitmq.conf file:
auth_http.authorization_failure_disclosure = true
See the README for more information.
GitHub issue: #14641
The x-modulus-hash exchange type, previously provided by the sharding plugin, was moved
into the core and reworked to provide stable message routing (distribution)
assuming a stable set of bindings, including between node restarts.
GitHub issue: #15849
Refactored certificate identification to avoid (unlikely) conflicts
GitHub issue: #16116
The plugin now provides CLI commands for trust store certificate management have been introduced
GitHub issue: #15746
Rejected certificates are now logged with additional diagnostic details
GitHub issue: #15889
Trace file downloads now set the charset to UTF-8 when serving trace files.
GitHub issue: #13952
ra was upgraded to 3.1.6khepri was upgraded to 0.18.0osiris was upgraded to 1.3.1gen_batch_server was upgraded to 0.9.2cuttlefish was upgraded to 3.6.0To obtain source code of the entire distribution, please download the archive named rabbitmq-server-4.3.0.tar.xz
instead of the source tarball produced by GitHub.