
add mosquitto configuration under the mosquitto packages conf.d folder #3599

@reubenmiller

Description


Is your feature improvement request related to a problem? Please describe.

Currently in tedge <= 1.5.0, the mosquitto configuration files are stored under /etc/tedge/mosquitto-conf/, and an include_dir <path> directive is placed in the mosquitto.conf file like so:

file: /etc/mosquitto/mosquitto.conf

include_dir /etc/tedge/mosquitto-conf

The above relies on mosquitto having access to a path outside of the default /etc/mosquitto path which presents a problem when AppArmor is being used, as it will block any attempt by mosquitto to read the path. mosquitto will just log a "permission denied" error and then exit. Luckily, AppArmor does add an audit log entry to journald so that a user can see the reason for the permission denied (but if they don't look at the journald log, then the error can be very hard to spot as the standard Linux permissions look ok).

Below shows an example of the log entry printed by AppArmor to journald:

May 07 15:12:44 32df1eef46c8 kernel: audit: type=1400 audit(1746630764.792:686): apparmor="DENIED" operation="open" class="file" profile="mosquitto" name="/etc/tedge/mosquitto-conf/" pid=419394 comm="mosquitto

In recent versions of Ubuntu, e.g. Ubuntu 25.04, it seems that the AppArmor policies are being more strictly enforced, and applications aren't allowed to even read files/folders outside of those defined in the AppArmor config (e.g. /etc/apparmor.d/). For an example of the AppArmor definition for mosquitto (mosquitto 2.0.20-1~bpo12+1) under Ubuntu 25.04, check out the "Additional Context" section.

Describe the solution you'd like

Pre-requisite

  • Switch to using built-in bridge by default, otherwise the device's certificates will also have to be moved under /etc/mosquitto/ as they are currently located under /etc/tedge/device-certs/, which would suffer from the same AppArmor policy problem when using the mosquitto bridge to connect to the cloud

Changes

  • Place mosquitto configuration files under /etc/mosquitto/conf.d instead of /etc/tedge/mosquitto-conf

Since the /etc/tedge/mosquitto-conf folder has been used for a long time under thin-edge.io, the change will also have to take care of migrating to the new folder structure. This generally would include:

  • Move files from /etc/tedge/mosquitto-conf/* to /etc/mosquitto/conf.d/, though be aware that /etc/mosquitto/conf.d/ might not exist in older versions
  • Ensure that include_dir /etc/mosquitto/conf.d/ is used in /etc/mosquitto/mosquitto.conf, and if not then append it to the file
  • Remove previous references to include_dir /etc/tedge/mosquitto-conf in /etc/mosquitto/mosquitto.conf

After the migration (most likely done in the postinst maintainer script for the tedge package), the mosquitto broker should be restarted, but the question is still "when".
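One way to carry out the three migration steps above in a postinst-style script, as an added example that is not thin-edge.io's own code; the function name and the optional root-prefix argument are assumptions so the script can be exercised against a scratch directory rather than the live /etc:

```shell
#!/bin/sh
# Added example: idempotent migration of the mosquitto include directory from
# /etc/tedge/mosquitto-conf to /etc/mosquitto/conf.d (not thin-edge.io's postinst).
# The optional root prefix argument is an assumption so the function can be run
# against a scratch tree instead of the live /etc.
set -eu

migrate_mosquitto_conf() {
    root="${1:-}"
    old_dir="$root/etc/tedge/mosquitto-conf"
    new_dir="$root/etc/mosquitto/conf.d"
    conf="$root/etc/mosquitto/mosquitto.conf"
    old_re='^[[:space:]]*include_dir[[:space:]]+/etc/tedge/mosquitto-conf/?[[:space:]]*$'
    new_re='^[[:space:]]*include_dir[[:space:]]+/etc/mosquitto/conf\.d/?[[:space:]]*$'

    # conf.d may not exist on older mosquitto packages: create it so the
    # path is inside the area the AppArmor profile allows the broker to read.
    mkdir -p "$new_dir"

    # Move every file out of the old directory; an unmatched glob is skipped.
    if [ -d "$old_dir" ]; then
        for f in "$old_dir"/*; do
            [ -e "$f" ] || continue
            mv -f "$f" "$new_dir/"
        done
        rmdir "$old_dir" 2>/dev/null || true
    fi

    # Drop the stale include_dir line. Rewrite through a temp file and copy the
    # content back so the ownership and mode of mosquitto.conf are preserved.
    if [ -f "$conf" ]; then
        tmp="$conf.migrate.tmp"
        grep -v -E "$old_re" "$conf" > "$tmp" || true
        cat "$tmp" > "$conf"
        rm -f "$tmp"
    fi

    # Append the new include_dir only if it is not already present (idempotent).
    if ! grep -q -E "$new_re" "$conf" 2>/dev/null; then
        printf '\ninclude_dir /etc/mosquitto/conf.d\n' >> "$conf"
    fi
}

# Opt-in entry point so that sourcing the file never touches the live system:
#   sh migrate.sh --run             (real /etc)
#   sh migrate.sh --run /tmp/root   (scratch tree)
if [ "${1:-}" = "--run" ]; then
    migrate_mosquitto_conf "${2:-}"
fi
```

Running the function twice leaves mosquitto.conf with exactly one include_dir /etc/mosquitto/conf.d line, which is the property a maintainer script re-run on package upgrade needs.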

Describe alternatives you've considered

Additional context

Example mosquitto apparmor.d/mosquitto definition

# cat /etc/apparmor.d/mosquitto
#------------------------------------------------------------------
#    Copyright (C) 2025 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor
#
abi <abi/4.0>,

include <tunables/global>

profile mosquitto /usr/sbin/mosquitto {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/hosts_access>

  # If run as a root user, drop privileges to mosquitto/nobody/custom-user
  capability setgid,
  capability setuid,

  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  network netlink raw,

  file @{run}/.nscd_socket rw,
  file @{run}/nscd/socket rw,

  # nss can be configured to use libvirt in host resolution
  file /var/lib/libvirt/dnsmasq/ r,
  file /var/lib/libvirt/dnsmasq/*.status r,

  file @{run}/systemd/notify w,
  file /usr/sbin/mosquitto mr,
  file @{run}/mosquitto/mosquitto.pid rw,

  file @{etc_ro}/mosquitto/* r,
  file @{etc_ro}/mosquitto/conf.d/ r,
  file @{etc_ro}/mosquitto/conf.d/** r,
  file @{etc_ro}/mosquitto/mosquitto.conf r,
  file @{etc_ro}/mosquitto/ca_certificates/** r,
  file @{etc_ro}/mosquitto/certs/** r,

  file /var/lib/mosquitto/mosquitto.db rwk,
  file /var/lib/mosquitto/mosquitto.db.new rwk,
  file /var/log/mosquitto/mosquitto.log w,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/mosquitto>
}
