
Update Broker to RabbitMQ version 4.1.8 #4068

Open
tobybellwood wants to merge 1 commit into main from broker-upgrade

Conversation

@tobybellwood
Member

tobybellwood commented Mar 30, 2026

This pull request updates the base image version for RabbitMQ in the services/broker/Dockerfile to improve stability and security.

Dependency update:

  • Updated the RabbitMQ base image from rabbitmq:4.1.0-management-alpine to rabbitmq:4.1.8-management-alpine in services/broker/Dockerfile.

@github-actions

Overview

| | testlagoon/broker:main | lagoon/broker:ci-latest |
| --- | --- | --- |
| Image reference | testlagoon/broker:main | lagoon/broker:ci-latest |
| digest | 3e82fb0d95cb | 2a710d2bce04 |
| tag | main | ci-latest |
| vulnerabilities | critical: 3, high: 12, medium: 26, low: 7 | critical: 0, high: 2, medium: 10, low: 2 |
| platform | linux/amd64 | linux/amd64 |
| size | 107 MB | 105 MB (-2.6 MB) |
| packages | 85 | 70 (-15) |
| Base image | rabbitmq:4-management-alpine (also known as: 4.1-management-alpine, management-alpine) | rabbitmq:4.1-management-alpine (also known as: 4.1.8-management-alpine) |
| Base image vulnerabilities | critical: 2, high: 9, medium: 16, low: 5 | critical: 0, high: 0, medium: 2, low: 1 |
Environment Variables (2 changes)
  • + 1 added
  • ± 1 changed
  • 17 unchanged
 ERLANG_INSTALL_PATH_PREFIX=/opt/erlang
 HOME=/var/lib/rabbitmq
 LAGOON_VERSION=development
 LANG=C.UTF-8
 LANGUAGE=C.UTF-8
 LC_ALL=C.UTF-8
 OPENSSL_INSTALL_PATH_PREFIX=/opt/openssl
 PATH=/opt/rabbitmq/sbin:/opt/erlang/bin:/opt/openssl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 RABBITMQ_DEFAULT_HA_PATTERN=^lagoon-
 RABBITMQ_DEFAULT_PASS=guest
 RABBITMQ_DEFAULT_USER=guest
 RABBITMQ_DEFAULT_VHOST=/
 RABBITMQ_ERLANG_COOKIE=5188fd99edf19acfefcbb29a16f3d373aa01f66bfe89929852dfad2674d36af2
 RABBITMQ_HOME=/opt/rabbitmq
 RABBITMQ_PGP_KEY_ID=0x0A9AF2115F4687BD29803A206B73A36E6026DFCA
-RABBITMQ_VERSION=4.1.0
+RABBITMQ_VERSION=4.1.8
+RUNNING_UNDER_SYSTEMD=true
 SERVICE_NAME=0.0.0.0
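Review bot: the unchanged lines of this comparison show RABBITMQ_DEFAULT_USER=guest, RABBITMQ_DEFAULT_PASS=guest and a fixed RABBITMQ_ERLANG_COOKIE value set as environment variables of the image itself, so the credentials and the cookie are readable by anyone who can pull the image and are identical for every container started from it; this upgrade does not touch them, but it is worth confirming that deployments override both (for example with secrets injected at container start) rather than inheriting the image defaults. The one added variable, +RUNNING_UNDER_SYSTEMD=true, must come from the new upstream base image, since the only change in this PR is the tag in services/broker/Dockerfile; a one-line mention in the PR description of why it appears would save the next reader the same search.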
Packages and Vulnerabilities (65 package changes and 13 vulnerability changes)
  • ➕ 2 packages added
  • ➖ 17 packages removed
  • ♾️ 46 packages changed
  • 21 packages unchanged
  • ✔️ 13 vulnerabilities removed
Changes for packages of type apk (63 changes)

| Package | testlagoon/broker:main | lagoon/broker:ci-latest | Vulnerabilities |
| --- | --- | --- | --- |
| ♾️ .otp-run-deps | 20250530.230929 | 20260312.234130 | |
| ♾️ alpine-base | 3.22.0-r0 | 3.23.3-r0 | |
| ♾️ alpine-baselayout | 3.7.0-r0 | 3.7.1-r8 | |
| ♾️ alpine-baselayout-data | 3.7.0-r0 | 3.7.1-r8 | |
| ♾️ alpine-keys | 2.5-r0 | 2.6-r0 | |
| ♾️ alpine-release | 3.22.0-r0 | 3.23.3-r0 | |
| ♾️ apk-tools | 2.14.9-r2 | 3.0.3-r1 | |
| ♾️ bash | 5.2.37-r0 | 5.3.3-r1 | |
| ♾️ brotli | 1.1.0-r2 | 1.2.0-r0 | |
| ♾️ brotli-libs | 1.1.0-r2 | 1.2.0-r0 | |
| ♾️ busybox | 1.37.0-r18 | 1.37.0-r30 | |
| ♾️ busybox-binsh | 1.37.0-r18 | 1.37.0-r30 | |
| ➖ bzip2 | 1.0.8-r6 | (removed) | |
| ♾️ ca-certificates | 20241121-r2 | 20251003-r0 | |
| ♾️ ca-certificates-bundle | 20241121-r2 | 20251003-r0 | |
| ♾️ curl | 8.14.1-r2 | 8.17.0-r1 | main: critical: 0, high: 1, medium: 0, low: 0; ci-latest: critical: 0, high: 1, medium: 0, low: 0 |
| ➖ expat | 2.7.1-r0 | (removed) | main: critical: 1, high: 1, medium: 0, low: 0. Removed vulnerabilities (2): critical CVE-2026-32767, high CVE-2025-59375 |
| ♾️ gcc | 14.2.0-r6 | 15.2.0-r2 | |
| ➖ gdbm | 1.24-r0 | (removed) | |
| ♾️ gettext | 0.24.1-r0 | 0.24.1-r1 | |
| ♾️ gojq | 0.12.17-r10 | 0.12.17-r13 | |
| ➕ libapk | (added) | 3.0.3-r1 | |
| ➖ libapk2 | 2.14.9-r2 | (removed) | |
| ➖ libbz2 | 1.0.8-r6 | (removed) | |
| ♾️ libcrypto3 | 3.5.0-r0 | 3.5.5-r0 | |
| ♾️ libcurl | 8.14.1-r2 | 8.17.0-r1 | |
| ➖ libexpat | 2.7.1-r0 | (removed) | |
| ➖ libffi | 3.4.8-r0 | (removed) | |
| ♾️ libgcc | 14.2.0-r6 | 15.2.0-r2 | |
| ♾️ libidn2 | 2.3.7-r0 | 2.3.8-r0 | |
| ♾️ libintl | 0.24.1-r0 | 0.24.1-r1 | |
| ♾️ libncursesw | 6.5_p20250503-r0 | 6.5_p20251123-r0 | |
| ➖ libpanelw | 6.5_p20250503-r0 | (removed) | |
| ♾️ libproc2 | 4.0.4-r3 | 4.0.5-r0 | |
| ♾️ libssl3 | 3.5.0-r0 | 3.5.5-r0 | |
| ♾️ libstdc++ | 14.2.0-r6 | 15.2.0-r2 | |
| ♾️ libunistring | 1.3-r0 | 1.4.1-r0 | |
| ➖ mpdecimal | 4.0.1-r0 | (removed) | |
| ♾️ musl | 1.2.5-r10 | 1.2.5-r21 | |
| ♾️ musl-utils | 1.2.5-r10 | 1.2.5-r21 | |
| ♾️ ncurses | 6.5_p20250503-r0 | 6.5_p20251123-r0 | |
| ♾️ ncurses-terminfo-base | 6.5_p20250503-r0 | 6.5_p20251123-r0 | |
| ♾️ nghttp2 | 1.65.0-r0 | 1.68.0-r0 | main: critical: 0, high: 1, medium: 0, low: 0; ci-latest: critical: 0, high: 1, medium: 0, low: 0 |
| ♾️ nghttp2-libs | 1.65.0-r0 | 1.68.0-r0 | |
| ➕ nghttp3 | (added) | 1.13.1-r0 | |
| ♾️ openssl | 3.5.0-r0 | 3.5.5-r0 | main: critical: 0, high: 5, medium: 0, low: 0. Removed vulnerabilities (5): high CVE-2025-15467, high CVE-2025-9230, high CVE-2025-69421, high CVE-2025-69420, high CVE-2025-69419 |
| ♾️ pax-utils | 1.3.8-r1 | 1.3.8-r2 | |
| ♾️ procps-ng | 4.0.4-r3 | 4.0.5-r0 | |
| ➖ pyc | 3.12.10-r1 | (removed) | |
| ➖ python3 | 3.12.10-r1 | (removed) | main: critical: 1, high: 2, medium: 0, low: 0. Removed vulnerabilities (3): critical CVE-2025-4517, high CVE-2025-4330, high CVE-2025-4138 |
| ➖ python3-pyc | 3.12.10-r1 | (removed) | |
| ➖ python3-pycache-pyc0 | 3.12.10-r1 | (removed) | |
| ♾️ readline | 8.2.13-r1 | 8.3.1-r0 | |
| ♾️ scanelf | 1.3.8-r1 | 1.3.8-r2 | |
| ➖ sqlite | 3.49.2-r0 | (removed) | main: critical: 0, high: 1, medium: 0, low: 0. Removed vulnerabilities (1): high CVE-2025-6965 |
| ➖ sqlite-libs | 3.49.2-r0 | (removed) | |
| ♾️ ssl_client | 1.37.0-r18 | 1.37.0-r30 | |
| ♾️ su-exec | 0.2-r3 | 0.3-r0 | |
| ♾️ tzdata | 2025b-r0 | 2026a-r0 | |
| ➖ xz | 5.8.1-r0 | (removed) | |
| ➖ xz-libs | 5.8.1-r0 | (removed) | |
| ♾️ zstd | 1.5.7-r0 | 1.5.7-r2 | |
| ♾️ zstd-libs | 1.5.7-r0 | 1.5.7-r2 | |
Changes for packages of type generic (2 changes)

| Package | testlagoon/broker:main | lagoon/broker:ci-latest |
| --- | --- | --- |
| ♾️ erlang | 27.3.4 | 27.3.4.9 |
| ♾️ openssl | 3.3.3 | 3.5.5 |
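Two checks a reviewer could automate from the comparison above, written here as an added example rather than Lagoon's own code: the FROM line in services/broker/Dockerfile selects the base image by tag while the report resolves both images to digests, and the environment listing shows guest credentials and an Erlang cookie carried in the image configuration. The Dockerfile text, the env list (in the KEY=VALUE form that `docker inspect --format '{{json .Config.Env}}'` returns) and every sample value below are constructed; the cookie value in particular is a placeholder.

```python
"""Admission checks for a broker image: digest pinning of FROM lines and
secrets baked into the image environment.

Added example, not code from the Lagoon repository. Sample inputs are
constructed to mirror the image comparison in the PR thread.
"""
import re

# Well-known defaults that must not survive into a built image.
DEFAULT_CREDENTIALS = {
    "RABBITMQ_DEFAULT_USER": "guest",
    "RABBITMQ_DEFAULT_PASS": "guest",
}
# Variables whose value is a secret; anything set here ships inside the image
# config and is readable by anyone who can pull the image.
SECRET_VARIABLES = {"RABBITMQ_DEFAULT_PASS", "RABBITMQ_ERLANG_COOKIE"}

# FROM [--platform=...] <ref> [AS <name>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)",
                     re.IGNORECASE | re.MULTILINE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_from_pinning(dockerfile_text: str) -> list[str]:
    """One finding per FROM line that is not pinned to a content digest."""
    findings = []
    for match in FROM_RE.finditer(dockerfile_text):
        ref = match.group("ref")
        if ref.lower() == "scratch" or DIGEST_RE.search(ref):
            continue
        findings.append(f"FROM {ref} is pinned by tag only; add @sha256:<digest> "
                        f"so a re-tagged upstream image cannot change the build")
    return findings


def check_env(env: list[str]) -> list[str]:
    """Flag default credentials and secret-bearing variables in an image env."""
    findings = []
    for entry in env:
        key, sep, value = entry.partition("=")
        if not sep:
            continue
        if DEFAULT_CREDENTIALS.get(key) == value:
            findings.append(f"{key} is set to the well-known default '{value}'")
        elif key in SECRET_VARIABLES and value:
            findings.append(f"{key} carries a secret in the image config")
    return findings


# Constructed sample inputs (hypothetical Dockerfile and env; placeholder cookie).
SAMPLE_DOCKERFILE = "FROM rabbitmq:4.1.8-management-alpine\n"
SAMPLE_ENV = [
    "RABBITMQ_DEFAULT_USER=guest",
    "RABBITMQ_DEFAULT_PASS=guest",
    "RABBITMQ_DEFAULT_VHOST=/",
    "RABBITMQ_ERLANG_COOKIE=0000-example-cookie-0000",
    "RABBITMQ_VERSION=4.1.8",
]


def admission_report(dockerfile_text: str = SAMPLE_DOCKERFILE,
                     env: list[str] = SAMPLE_ENV) -> list[str]:
    """All findings for one image; an empty list means the image passes."""
    return check_from_pinning(dockerfile_text) + check_env(env)


if __name__ == "__main__":
    for finding in admission_report():
        print("FAIL:", finding)
```

Run against a real build with `docker inspect --format '{{json .Config.Env}}' <image>` piped through `json.loads` into `check_env`; a deployment that injects the password and cookie at start time should leave the image itself with no finding from either function.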

@tobybellwood
Member Author

RabbitMQ Broker Upgrade Impact Report: 4.1.0 → 4.1.8

Branch: broker-upgrade
PR: #4068
Date: April 2026


Summary

This is a patch-series upgrade from 4.1.0 (current main) to 4.1.8. All intermediate releases (4.1.1 → 4.1.8) are maintenance releases containing bug fixes and minor enhancements only. There are no breaking changes in any of these patch releases for Lagoon's usage of RabbitMQ.


Breaking Changes

None. The breaking changes introduced in 4.1.0 (documented below for completeness) were already addressed when main moved from 4.0.x to 4.1.0.

4.1.0 Breaking Changes (already resolved on main)

| Change | Impact on Lagoon | Status |
| --- | --- | --- |
| amqplib must be >= 0.10.7 due to increased initial AMQP 0-9-1 frame size (4096 → 8192 bytes) | All Node.js packages (commons, webhook-handler, webhooks2tasks, api) already pin amqplib: "^0.10.7" | ✅ Resolved |
| Management API "one true health check" is now a no-op | Lagoon uses TCP wait-for checks, not the management health endpoint | ✅ No impact |
| rabbitmqctl force_reset deprecated (Khepri-incompatible) | Single-node local dev only; not used in production workflows | ✅ No impact |
| Default MQTT Maximum Packet Size reduced from 256 MiB to 16 MiB | Lagoon does not use the MQTT plugin | ✅ No impact |
| OAuth 2 plugin requires explicit provider configuration (no defaults for Azure Entra, auth0) | Lagoon does not use the RabbitMQ OAuth 2 plugin | ✅ No impact |

Relevant Bug Fixes (4.1.1–4.1.8)

High Relevance

| Release | Fix | Why it matters to Lagoon |
| --- | --- | --- |
| 4.1.5 | Classic queues could run into a rare message store exception resulting in loss of a few messages when a message was routed to multiple queues | Lagoon routes messages across multiple consumers via lagoon-actions, lagoon-webhooks, and lagoon-logs direct exchanges — all backed by classic durable queues |
| 4.1.5 | Messages routed to quorum queues during or immediately before a network partition were not re-republished internally in some cases | Relevant for production cluster deployments |
| 4.1.1 | Classic queue message store compaction could fall behind under very busy publishers | Relevant under high build/deploy load |
| 4.1.1 | Classic queue message store could run into a rare exception when a message was routed to multiple queues | Direct relevance to Lagoon's fanout publish patterns |

Medium Relevance

| Release | Fix | Why it matters to Lagoon |
| --- | --- | --- |
| 4.1.6 | Feature flag state in the registry and on disk were not consistent during node boot | broker-job.sh enables feature flags at startup — inconsistency here could cause flaky startup behaviour |
| 4.1.6 | Enabling khepri_db feature flag while the Log Exchange was enabled could cause a node to run out of memory and crash | Relevant if Khepri migration is ever attempted |
| 4.1.8 | Default queue type handling now more defensive — avoids PRECONDITION_FAILED when no DQT is set on a vhost | Prevents unexpected errors on first-run or fresh DB scenarios |
| 4.1.8 | When a client that owns an exclusive queue disconnects and immediately reconnects and redeclares the same queue, the node could delete the new queue | Relevant to services that use auto-reconnect logic (all of Lagoon's Go and Node.js services do) |
| 4.1.3 | Quorum queue file descriptor leak fix | Relevant if Lagoon ever migrates to quorum queues |
| 4.1.2 | Channels consuming from quorum queues could leak file handles when those queues were deleted | As above |

Low Relevance

| Release | Fix |
| --- | --- |
| 4.1.1 | Quorum queue failed to recover from rare timeout during cluster formation |
| 4.1.1 | Private key password could appear in certain exceptions at failed boot |
| 4.1.2 | Higher-priority SAC consumer was never activated in certain requeue scenarios |
| 4.1.4 | Import of definition files containing topic exchange permissions failed |
| 4.1.5 | Classic queue message loss during classic queue message store compaction (separate issue from 4.1.1) |
| 4.1.8 | Topic exchange binding deletions could leave orphaned trie edges in Khepri projection (memory leak) |

Enhancements of Note

| Release | Enhancement |
| --- | --- |
| 4.1.4 | RABBITMQ_MAX_OPEN_FILES environment variable supported by the startup script — useful in Kubernetes environments where soft limits are lower than hard limits |
| 4.1.1 | New health check endpoints: GET /api/health/checks/ready-to-serve-clients and GET /api/health/checks/below-node-connection-limit |
| 4.1.0 | Larger JWT tokens (up to 8192 bytes) supported before authentication — relevant to Lagoon's Keycloak-issued tokens |

Lagoon Service Inventory

Services that connect to RabbitMQ and their protocols:

| Service | Language | Library | Queue Type |
| --- | --- | --- | --- |
| webhook-handler | Node.js | amqp-connection-manager / amqplib ^0.10.7 | Classic durable |
| webhooks2tasks | Node.js | amqp-connection-manager / amqplib ^0.10.7 | Classic durable |
| commons (shared) | Node.js | amqp-connection-manager / amqplib ^0.10.7 | Classic durable |
| api | Node.js | amqp-connection-manager / amqplib ^0.10.7 | Classic durable |
| actions-handler | Go | cheshir/go-mq (AMQP 0-9-1) | Classic durable |
| logs2notifications | Go | cheshir/go-mq (AMQP 0-9-1) | Classic durable |
| backup-handler | Go | isayme/go-amqp-reconnect / streadway/amqp (AMQP 0-9-1) | Classic durable |

All services use AMQP 0-9-1 with classic durable queues and direct exchanges. None use MQTT, streams, quorum queues, or AMQP 1.0.


Plugins

| Plugin | Version | Notes |
| --- | --- | --- |
| rabbitmq_delayed_message_exchange | 4.1.0 | Used for lagoon-actions-delay and lagoon-webhooks-delay exchanges. No changes required — plugin version is compatible with RabbitMQ 4.1.x. |

Upgrade Path

This is a single-node local development broker (not a cluster). The upgrade path from 4.1.0 → 4.1.8 requires:

  1. make build/broker to rebuild the image
  2. make down && make up (or equivalent) to replace the running container

No data migration, feature flag enabling, or post-upgrade procedures are required for the 4.1.0 → 4.1.8 patch upgrade.


Verdict

Safe to upgrade. No action required beyond rebuilding the image. The 4.1.5 classic queue message loss bug fix is the most significant improvement and is a meaningful reliability gain for Lagoon's messaging pipeline.
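A post-upgrade smoke check for the two-step upgrade path in the report above, added here as an example and not part of the Lagoon repository: it reads the pinned version from services/broker/Dockerfile and compares it with what the running broker reports, confirms the rabbitmq_delayed_message_exchange plugin is enabled, lists stable feature flags that are not in the enabled state, and verifies that every lagoon- queue is a durable classic queue as the service inventory states. The container name BROKER_CONTAINER is an assumption, the parsers accept the output of the real rabbitmq-diagnostics, rabbitmq-plugins and rabbitmqctl commands named in the comments, and the command outputs used for checking below are constructed.

```python
"""Post-upgrade smoke checks for a single-node RabbitMQ broker container.

Added example, not code from the Lagoon repository. Assumes the broker
container is reachable with `docker exec` under the hypothetical name
BROKER_CONTAINER and that the Dockerfile path below exists.
"""
import re
import subprocess

BROKER_CONTAINER = "broker"                        # assumption
DOCKERFILE = "services/broker/Dockerfile"
REQUIRED_PLUGINS = {"rabbitmq_delayed_message_exchange"}
QUEUE_PREFIX = "lagoon-"

FROM_RE = re.compile(r"^FROM\s+rabbitmq:(\d+\.\d+\.\d+)-management-alpine",
                     re.MULTILINE)


def expected_version(dockerfile_text: str) -> str:
    """Version pinned by the Dockerfile FROM line, e.g. '4.1.8'."""
    match = FROM_RE.search(dockerfile_text)
    if not match:
        raise ValueError("no rabbitmq FROM line in Dockerfile")
    return match.group(1)


def version_matches(server_version_output: str, expected: str) -> bool:
    # `rabbitmq-diagnostics -q server_version` prints the bare version string.
    return server_version_output.strip() == expected


def missing_plugins(plugins_output: str, required=REQUIRED_PLUGINS) -> set[str]:
    # `rabbitmq-plugins list -e -m` prints one enabled plugin name per line.
    enabled = {line.strip() for line in plugins_output.splitlines() if line.strip()}
    return set(required) - enabled


def non_enabled_stable_feature_flags(flags_output: str) -> list[str]:
    # `rabbitmqctl -q list_feature_flags name state stability`: tab-separated
    # rows; experimental flags (e.g. khepri_db) may legitimately stay disabled.
    bad = []
    for line in flags_output.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[0] == "name":
            continue
        name, state, stability = fields
        if stability == "stable" and state != "enabled":
            bad.append(name)
    return bad


def nonconforming_queues(queues_output: str, prefix=QUEUE_PREFIX) -> list[str]:
    # `rabbitmqctl -q list_queues name durable type`: tab-separated rows;
    # every lagoon-* queue is expected to be a durable classic queue.
    bad = []
    for line in queues_output.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[0] == "name":
            continue
        name, durable, qtype = fields
        if name.startswith(prefix) and (durable != "true" or qtype != "classic"):
            bad.append(name)
    return bad


def run_in_broker(*cmd: str) -> str:
    """Run a command inside the broker container and return its stdout."""
    return subprocess.run(["docker", "exec", BROKER_CONTAINER, *cmd],
                          check=True, capture_output=True, text=True).stdout


def main() -> int:
    with open(DOCKERFILE, encoding="utf-8") as fh:
        expected = expected_version(fh.read())
    problems = []
    if not version_matches(run_in_broker("rabbitmq-diagnostics", "-q", "server_version"), expected):
        problems.append(f"running broker is not version {expected}")
    problems += [f"plugin not enabled: {p}" for p in
                 missing_plugins(run_in_broker("rabbitmq-plugins", "list", "-e", "-m"))]
    problems += [f"stable feature flag not enabled: {f}" for f in non_enabled_stable_feature_flags(
        run_in_broker("rabbitmqctl", "-q", "list_feature_flags", "name", "state", "stability"))]
    problems += [f"queue is not durable classic: {q}" for q in nonconforming_queues(
        run_in_broker("rabbitmqctl", "-q", "list_queues", "name", "durable", "type"))]
    for problem in problems:
        print("FAIL:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the repository root after `make up`; a non-zero exit means the broker that came up is not the one the Dockerfile pins or its queues and plugins differ from what the report assumes.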
