Merge pull request #3909 from zmstone/chore-build-collect-app-config-from-app-dirs

chore(build): collect app config from app dirs
2020-12-14 10:10:16 +08:00 · 2020-12-14 10:10:16 +08:00 · 411e2c0022
parent 10dbb5bc96 c95e9add2d
commit 411e2c0022
60 changed files with 168 additions and 2457 deletions
--- a/.gitignore
+++ b/.gitignore
@ -36,3 +36,5 @@ _checkouts
 rebar.config.rendered
 /rebar3
 rebar.lock
 tmp/
 _packages
--- a/8
+++ b/8
@ -1,5 +1,8 @@
 REBAR_VERSION = 3.14.3-emqx-2
 REBAR = ./rebar3
 export PKG_VSN ?= $(shell git describe --tags --always)
 # comma separated versions
 export RELUP_BASE_VERSIONS ?=
 PROFILE ?= emqx
 PROFILES := emqx emqx-edge check test
@ -19,6 +22,11 @@ ensure-rebar3:
 $(REBAR): ensure-rebar3
 .PHONY: eunit
 eunit: $(REBAR)
 	$(REBAR) eunit
 .PHONY: ct
 ct: $(REBAR)
 	$(REBAR) ct
--- a/README.md
+++ b/README.md
@ -55,12 +55,15 @@ For earlier versions, release has to be built from another repo.
 git clone https://github.com/emqx/emqx-rel.git
 cd emqx-rel
 make
-_build/emqx/rel/emqx/bin console
+_build/emqx/rel/emqx/bin/emqx console
 ```
 ## Quick Start
-```
+If emqx is built from source, `cd _buid/emqx/rel/emqx`.
 Or change to the installation root directory if emqx is installed from a release package.
 ```bash
 # Start emqx
 ./bin/emqx start
@ -73,6 +76,24 @@ _build/emqx/rel/emqx/bin console
 To view the dashboard after running, use your browser to open: http://localhost:18083
 ## Test
 ### To test everything in one go
 ```
 make eunit ct
 ```
 ### To run subset of the common tests
 examples
 ```bash
 ./rebar3 ct --dir test,apps/emqx_sn,apps/emqx_coap
 ./rebar3 ct --suite test/emqx_SUITE.erl,apps/emqx_auth_http/test/emqx_auth_http_SUITE.erl
 ./rebar3 ct --suite test/emqx_SUITE.erl --testcase t_restart
 ```
 ## FAQ
 Visiting [EMQ X FAQ](https://docs.emqx.io/broker/latest/en/faq/faq.html) to get help of common problems.
--- a/apps/emqx_auth_http/src/emqx_auth_http.app.src
+++ b/apps/emqx_auth_http/src/emqx_auth_http.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_auth_http_sup]},
-  {applications, [kernel,stdlib,gproc,gun,emqx]},
+  {applications, [kernel,stdlib,gproc,gun]},
  {mod, {emqx_auth_http_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.app.src
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_auth_jwt_sup]},
-  {applications, [kernel,stdlib,jose,emqx]},
+  {applications, [kernel,stdlib,jose]},
  {mod, {emqx_auth_jwt_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src
+++ b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,mnesia,emqx]},
+  {applications, [kernel,stdlib,mnesia]},
  {mod, {emqx_auth_mnesia_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src
+++ b/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_auth_mongo_sup]},
-  {applications, [kernel,stdlib,mongodb,ecpool,emqx]},
+  {applications, [kernel,stdlib,mongodb,ecpool]},
  {mod, {emqx_auth_mongo_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src
+++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_auth_pgsql_sup]},
-  {applications, [kernel,stdlib,epgsql,ecpool,emqx]},
+  {applications, [kernel,stdlib,epgsql,ecpool]},
  {mod, {emqx_auth_pgsql_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_auth_redis/src/emqx_auth_redis.app.src
+++ b/apps/emqx_auth_redis/src/emqx_auth_redis.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_auth_redis_sup]},
-  {applications, [kernel,stdlib,eredis,eredis_cluster,ecpool,emqx]},
+  {applications, [kernel,stdlib,eredis,eredis_cluster,ecpool]},
  {mod, {emqx_auth_redis_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt.app.src
+++ b/apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,replayq,emqtt,emqx]},
+  {applications, [kernel,stdlib,replayq,emqtt]},
  {mod, {emqx_bridge_mqtt_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_coap/src/emqx_coap.app.src
+++ b/apps/emqx_coap/src/emqx_coap.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,gen_coap,emqx]},
+  {applications, [kernel,stdlib,gen_coap]},
  {mod, {emqx_coap_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_dashboard/src/emqx_dashboard.app.src
+++ b/apps/emqx_dashboard/src/emqx_dashboard.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_dashboard_sup]},
-  {applications, [kernel,stdlib,mnesia,minirest,emqx]},
+  {applications, [kernel,stdlib,mnesia,minirest]},
  {mod, {emqx_dashboard_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_lua_hook/src/emqx_lua_hook.app.src
+++ b/apps/emqx_lua_hook/src/emqx_lua_hook.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_lua_hook_app,[]}},
  {env,[]},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_lwm2m/src/emqx_lwm2m.app.src
+++ b/apps/emqx_lwm2m/src/emqx_lwm2m.app.src
@ -3,5 +3,5 @@
              {vsn, "4.3.0"}, % strict semver, bump manually!
              {modules,[]},
              {registered,[emqx_lwm2m_sup]},
-              {applications,[kernel,stdlib,lwm2m_coap,emqx]},
+              {applications,[kernel,stdlib,lwm2m_coap]},
              {mod,{emqx_lwm2m_app,[]}}]}.
--- a/apps/emqx_management/src/emqx_management.app.src
+++ b/apps/emqx_management/src/emqx_management.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_management_sup]},
-  {applications, [kernel,stdlib,minirest,emqx]},
+  {applications, [kernel,stdlib,minirest]},
  {mod, {emqx_mgmt_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_plugin_template/src/emqx_plugin_template.app.src
+++ b/apps/emqx_plugin_template/src/emqx_plugin_template.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_plugin_template_sup]},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_plugin_template_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_prometheus/src/emqx_prometheus.app.src
+++ b/apps/emqx_prometheus/src/emqx_prometheus.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_prometheus_sup]},
-  {applications, [kernel,stdlib,prometheus,emqx]},
+  {applications, [kernel,stdlib,prometheus]},
  {mod, {emqx_prometheus_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_psk_file/src/emqx_psk_file.app.src
+++ b/apps/emqx_psk_file/src/emqx_psk_file.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules,[]},
  {registered,[emqx_psk_file_sup]},
-  {applications,[kernel,stdlib,emqx]},
+  {applications,[kernel,stdlib]},
  {mod,{emqx_psk_file_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_recon/src/emqx_recon.app.src
+++ b/apps/emqx_recon/src/emqx_recon.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,recon,emqx]},
+  {applications, [kernel,stdlib,recon]},
  {mod, {emqx_recon,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_retainer/src/emqx_retainer.app.src
+++ b/apps/emqx_retainer/src/emqx_retainer.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_retainer_sup]},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_retainer_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
+++ b/apps/emqx_rule_engine/src/emqx_rule_engine.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_rule_engine_sup, emqx_rule_registry]},
-  {applications, [kernel,stdlib,rulesql,getopt,emqx]},
+  {applications, [kernel,stdlib,rulesql,getopt]},
  {mod, {emqx_rule_engine_app, []}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_sasl/src/emqx_sasl.app.src
+++ b/apps/emqx_sasl/src/emqx_sasl.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_sasl_sup]},
-  {applications, [kernel,stdlib,pbkdf2,emqx]},
+  {applications, [kernel,stdlib,pbkdf2]},
  {mod, {emqx_sasl_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_sn/src/emqx_sn.app.src
+++ b/apps/emqx_sn/src/emqx_sn.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, []},
-  {applications, [kernel,stdlib,esockd,emqx]},
+  {applications, [kernel,stdlib,esockd]},
  {mod, {emqx_sn_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_stomp/src/emqx_stomp.app.src
+++ b/apps/emqx_stomp/src/emqx_stomp.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_stomp_sup]},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_stomp,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_telemetry/src/emqx_telemetry.app.src
+++ b/apps/emqx_telemetry/src/emqx_telemetry.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_telemetry_sup]},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_telemetry_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/apps/emqx_web_hook/src/emqx_web_hook.app.src
+++ b/apps/emqx_web_hook/src/emqx_web_hook.app.src
@ -3,7 +3,7 @@
  {vsn, "4.3.0"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_web_hook_sup]},
-  {applications, [kernel,stdlib,emqx]},
+  {applications, [kernel,stdlib]},
  {mod, {emqx_web_hook_app,[]}},
  {env, []},
  {licenses, ["Apache-2.0"]},
--- a/etc/emqx.d/emqx_auth_clientid.conf
+++ b/etc/emqx.d/emqx_auth_clientid.conf
@ -1,18 +0,0 @@
 ##--------------------------------------------------------------------
 ## ClientId Authentication Plugin
 ##--------------------------------------------------------------------
 ## Examples
 ##auth.client.1.clientid = id
 ##auth.client.1.password = passwd
 ##auth.client.2.clientid = dev:devid
 ##auth.client.2.password = passwd2
 ##auth.client.3.clientid = app:appid
 ##auth.client.3.password = passwd3
 ##auth.client.4.clientid = client~!@#$%^&*()_+
 ##auth.client.4.password = passwd~!@#$%^&*()_+
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256
 auth.client.password_hash = sha256
--- a/etc/emqx.d/emqx_auth_http.conf
+++ b/etc/emqx.d/emqx_auth_http.conf
@ -1,162 +0,0 @@
 ##--------------------------------------------------------------------
 ## HTTP Auth/ACL Plugin
 ##--------------------------------------------------------------------
 ##--------------------------------------------------------------------
 ## Authentication request.
 ## HTTP URL API path for authentication request
 ##
 ## Value: URL
 ##
 ## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
 auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
 ## Value: post | get
 auth.http.auth_req.method = post
 ## It only works when method=post
 ## Value: json | x-www-form-urlencoded
 auth.http.auth_req.content_type = x-www-form-urlencoded
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %a: ipaddress
 ##  - %r: protocol
 ##  - %P: password
 ##  - %p: sockport of server accepted
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 ## Value: Params
 auth.http.auth_req.params = clientid=%c,username=%u,password=%P
 ##--------------------------------------------------------------------
 ## Superuser request.
 ## HTTP URL API path for Superuser request
 ##
 ## Value: URL
 ##
 ## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
 #auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
 ## Value: post | get
 #auth.http.super_req.method = post
 ## It only works when method=pos
 ## Value: json | x-www-form-urlencoded
 #auth.http.super_req.content_type = x-www-form-urlencoded
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %a: ipaddress
 ##  - %r: protocol
 ##  - %P: password
 ##  - %p: sockport of server accepted
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 ## Value: Params
 #auth.http.super_req.params = clientid=%c,username=%u
 ##--------------------------------------------------------------------
 ## ACL request.
 ## HTTP URL API path for ACL request
 ##
 ## Value: URL
 ##
 ## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
 auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
 ## Value: post | get
 auth.http.acl_req.method = get
 ## It only works when method=post
 ## Value: json | x-www-form-urlencoded
 auth.http.acl_req.content_type = x-www-form-urlencoded
 ## Variables:
 ##  - %A: 1 | 2, 1 = sub, 2 = pub
 ##  - %u: username
 ##  - %c: clientid
 ##  - %a: ipaddress
 ##  - %r: protocol
 ##  - %m: mountpoint
 ##  - %t: topic
 ##
 ## Value: Params
 auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
 ##------------------------------------------------------------------------------
 ## Http Reqeust options
 ## Time-out time for the http request, 0 is never timeout.
 ##
 ## Value: Duration
 ## -h: hour, e.g. '2h' for 2 hours
 ## -m: minute, e.g. '5m' for 5 minutes
 ## -s: second, e.g. '30s' for 30 seconds
 ##
 ## Default: 0
 ## auth.http.request.timeout = 0
 ## Connection time-out time, used during the initial request
 ## when the client is connecting to the server
 ##
 ## Value: Duration
 ##
 ## Default is same with the timeout option
 ## auth.http.request.connect_timeout = 0
 ## Re-send http reuqest times
 ##
 ## Value: integer
 ##
 ## Default: 3
 auth.http.request.retry_times = 3
 ## The interval for re-sending the http request
 ##
 ## Value: Duration
 ##
 ## Default: 1s
 auth.http.request.retry_interval = 1s
 ## The 'Exponential Backoff' mechanism for re-sending request. The actually
 ## re-send time interval is `interval * backoff ^ times`
 ##
 ## Value: float
 ##
 ## Default: 2.0
 auth.http.request.retry_backoff = 2.0
 ##------------------------------------------------------------------------------
 ## SSL options
 ## Path to the file containing PEM-encoded CA certificates. The CA certificates
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
 ## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
 ## The path to a file containing the client's certificate.
 ##
 ## Value: File
 ## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
 ## Path to a file containing the client's private PEM-encoded key.
 ##
 ## Value: File
 ## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
 ##--------------------------------------------------------------------
 ## HTTP Request Headers
 ##
 ## Example: auth.http.header.Accept-Encoding = *
 ##
 ## Value: String
 ## auth.http.header.Accept = */*
--- a/etc/emqx.d/emqx_auth_jwt.conf
+++ b/etc/emqx.d/emqx_auth_jwt.conf
@ -1,39 +0,0 @@
 ##--------------------------------------------------------------------
 ## JWT Auth Plugin
 ##--------------------------------------------------------------------
 ## HMAC Hash Secret.
 ##
 ## Value: String
 auth.jwt.secret = emqxsecret
 ## From where the JWT string can be got
 ##
 ## Value: username | password
 ## Default: password
 auth.jwt.from = password
 ## RSA or ECDSA public key file.
 ##
 ## Value: File
 ## auth.jwt.pubkey = etc/certs/jwt_public_key.pem
 ## Enable to verify claims fields
 ##
 ## Value: on | off
 auth.jwt.verify_claims = off
 ## The checklist of claims to validate
 ##
 ## Value: String
 ## auth.jwt.verify_claims.$name = expected
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 # auth.jwt.verify_claims.username = %u
 ## The Signature format
 ##   - `der`: The erlang default format
 ##   - `raw`: Compatible with others platform maybe
 #auth.jwt.signature_format = der
--- a/etc/emqx.d/emqx_auth_mnesia.conf
+++ b/etc/emqx.d/emqx_auth_mnesia.conf
@ -1,20 +0,0 @@
 ## Examples:
 ##auth.mnesia.1.login = admin
 ##auth.mnesia.1.password = public
 ##auth.mnesia.1.is_superuser = true
 ##auth.mnesia.2.login = feng@emqtt.io
 ##auth.mnesia.2.password = public
 ##auth.mnesia.2.is_superuser = false
 ##auth.mnesia.3.login = name~!@#$%^&*()_+
 ##auth.mnesia.3.password = pwsswd~!@#$%^&*()_+
 ##auth.mnesia.3.is_superuser = false
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 
 auth.mnesia.password_hash = sha256
 ## Auth as username or auth as clientid.
 ##
 ## Value: username | clientid
 auth.mnesia.as = username
--- a/etc/emqx.d/emqx_auth_mysql.conf
+++ b/etc/emqx.d/emqx_auth_mysql.conf
@ -1,116 +0,0 @@
 ##--------------------------------------------------------------------
 ## MySQL Auth/ACL Plugin
 ##--------------------------------------------------------------------
 ## MySQL server address.
 ##
 ## Value: Port | IP:Port
 ##
 ## Examples: 3306, 127.0.0.1:3306, localhost:3306
 auth.mysql.server = 127.0.0.1:3306
 ## MySQL pool size.
 ##
 ## Value: Number
 auth.mysql.pool = 8
 ## MySQL username.
 ##
 ## Value: String
 ## auth.mysql.username =
 ## MySQL password.
 ##
 ## Value: String
 ## auth.mysql.password =
 ## MySQL database.
 ##
 ## Value: String
 auth.mysql.database = mqtt
 ## MySQL query timeout
 ##
 ## Value: Duration
 ## auth.mysql.query_timeout = 5s
 ## Variables: %u = username, %c = clientid
 ## Authentication query.
 ##
 ## Note that column names should be 'password' and 'salt' (if used).
 ## In case column names differ in your DB - please use aliases,
 ## e.g. "my_column_name as password".
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 auth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1
 ## auth.mysql.auth_query = select password_hash as password from mqtt_user where username = '%u' limit 1
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 | bcrypt
 auth.mysql.password_hash = sha256
 ## sha256 with salt prefix
 ## auth.mysql.password_hash = salt,sha256
 ## bcrypt with salt only prefix
 ## auth.mysql.password_hash = salt,bcrypt
 ## sha256 with salt suffix
 ## auth.mysql.password_hash = sha256,salt
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
 ## auth.mysql.password_hash = pbkdf2,sha256,1000,20
 ## Superuser query.
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
 ## ACL query.
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %a: ipaddr
 ##  - %u: username
 ##  - %c: clientid
 ##
 ## Note: You can add the 'ORDER BY' statement to control the rules match order
 auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
 ## Mysql ssl configuration.
 ##
 ## Value: on | off
 auth.mysql.ssl = off
 ## CA certificate.
 ##
 ## Value: File
 ## auth.mysql.ssl.cafile  = path to your ca file
 ## Client ssl certificate.
 ##
 ## Value: File
 ## auth.mysql.ssl.certfile = path to your clientcert file
 ## Client ssl keyfile.
 ##
 ## Value: File
 ## auth.mysql.ssl.keyfile = path to your clientkey file
--- a/etc/emqx.d/emqx_auth_username.conf
+++ b/etc/emqx.d/emqx_auth_username.conf
@ -1,16 +0,0 @@
 ##--------------------------------------------------------------------
 ## Username Authentication Plugin
 ##--------------------------------------------------------------------
 ## Examples:
 ##auth.user.1.username = admin
 ##auth.user.1.password = public
 ##auth.user.2.username = feng@emqtt.io
 ##auth.user.2.password = public
 ##auth.user.3.username = name~!@#$%^&*()_+
 ##auth.user.3.password = pwsswd~!@#$%^&*()_+
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 
 auth.user.password_hash = sha256
--- a/etc/emqx.d/emqx_bridge_mqtt.conf
+++ b/etc/emqx.d/emqx_bridge_mqtt.conf
@ -1,172 +0,0 @@
 ##====================================================================
 ## Configuration for EMQ X MQTT Broker Bridge
 ##====================================================================
 ##--------------------------------------------------------------------
 ## Bridges to aws
 ##--------------------------------------------------------------------
 ## Bridge address: node name for local bridge, host:port for remote.
 ##
 ## Value: String
 ## Example: emqx@127.0.0.1,  127.0.0.1:1883
 bridge.mqtt.aws.address = 127.0.0.1:1883
 ## Protocol version of the bridge.
 ##
 ## Value: Enum
 ## - mqttv5
 ## - mqttv4
 ## - mqttv3
 bridge.mqtt.aws.proto_ver = mqttv4
 ## Start type of the bridge.
 ##
 ## Value: enum
 ## manual
 ## auto
 bridge.mqtt.aws.start_type = manual
 ## Whether to enable bridge mode for mqtt bridge
 ##
 ## This option is prepared for the mqtt broker which does not
 ## support bridge_mode such as the mqtt-plugin of the rabbitmq
 ##
 ## Value: boolean
 #bridge.mqtt.aws.bridge_mode = false
 ## The ClientId of a remote bridge.
 ##
 ## Placeholders:
 ##  ${node}: Node name
 ##
 ## Value: String
 bridge.mqtt.aws.clientid = bridge_aws
 ## The Clean start flag of a remote bridge.
 ##
 ## Value: boolean
 ## Default: true
 ##
 ## NOTE: Some IoT platforms require clean_start
 ##       must be set to 'true'
 bridge.mqtt.aws.clean_start = true
 ## The username for a remote bridge.
 ##
 ## Value: String
 bridge.mqtt.aws.username = user
 ## The password for a remote bridge.
 ##
 ## Value: String
 bridge.mqtt.aws.password = passwd
 ## Topics that need to be forward to AWS IoTHUB
 ##
 ## Value: String
 ## Example: topic1/#,topic2/#
 bridge.mqtt.aws.forwards = topic1/#,topic2/#
 ## Forward messages to the mountpoint of an AWS IoTHUB
 ##
 ## Value: String
 bridge.mqtt.aws.forward_mountpoint = bridge/aws/${node}/
 ## Need to subscribe to AWS topics
 ##
 ## Value: String
 ## bridge.mqtt.aws.subscription.1.topic = cmd/topic1
 ## Need to subscribe to AWS topics QoS.
 ##
 ## Value: Number
 ## bridge.mqtt.aws.subscription.1.qos = 1
 ## A mountpoint that receives messages from AWS IoTHUB
 ##
 ## Value: String
 ## bridge.mqtt.aws.receive_mountpoint = receive/aws/
 ## Bribge to remote server via SSL.
 ##
 ## Value: on | off
 bridge.mqtt.aws.ssl = off
 ## PEM-encoded CA certificates of the bridge.
 ##
 ## Value: File
 bridge.mqtt.aws.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## Client SSL Certfile of the bridge.
 ##
 ## Value: File
 bridge.mqtt.aws.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
 ## Client SSL Keyfile of the bridge.
 ##
 ## Value: File
 bridge.mqtt.aws.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
 ## SSL Ciphers used by the bridge.
 ##
 ## Value: String
 bridge.mqtt.aws.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## Ciphers for TLS PSK.
 ## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
 #bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
 ## Ping interval of a down bridge.
 ##
 ## Value: Duration
 ## Default: 10 seconds
 bridge.mqtt.aws.keepalive = 60s
 ## TLS versions used by the bridge.
 ##
 ## Value: String
 bridge.mqtt.aws.tls_versions = tlsv1.2,tlsv1.1,tlsv1
 ## Bridge reconnect time.
 ##
 ## Value: Duration
 ## Default: 30 seconds
 bridge.mqtt.aws.reconnect_interval = 30s
 ## Retry interval for bridge QoS1 message delivering.
 ##
 ## Value: Duration
 bridge.mqtt.aws.retry_interval = 20s
 ## Publish messages in batches, only RPC Bridge supports
 ##
 ## Value: Integer
 ## default: 32
 bridge.mqtt.aws.batch_size = 32
 ## Inflight size.
 ##
 ## Value: Integer
 bridge.mqtt.aws.max_inflight_size = 32
 ## Base directory for replayq to store messages on disk
 ## If this config entry is missing or set to undefined,
 ## replayq works in a mem-only manner.
 ##
 ## Value: String
 bridge.mqtt.aws.queue.replayq_dir = {{ platform_data_dir }}/replayq/emqx_aws_bridge/
 ## Replayq segment size
 ##
 ## Value: Bytesize
 bridge.mqtt.aws.queue.replayq_seg_bytes = 10MB
 ## Replayq max total size
 ##
 ## Value: Bytesize
 bridge.mqtt.aws.queue.max_total_size = 5GB
--- a/etc/emqx.d/emqx_coap.conf
+++ b/etc/emqx.d/emqx_coap.conf
@ -1,82 +0,0 @@
 ##--------------------------------------------------------------------
 ## CoAP Gateway
 ##--------------------------------------------------------------------
 ## The IP and UDP port that CoAP bind with.
 ##
 ## Default: 0.0.0.0:5683
 ##
 ## Examples:
 ##    coap.bind.udp.x = 0.0.0.0:5683 | :::5683 | 127.0.0.1:5683 | ::1:5683
 ##
 coap.bind.udp.1 = 0.0.0.0:5683
 ##coap.bind.udp.2 = 0.0.0.0:6683
 ## Whether to enable statistics for CoAP clients.
 ##
 ## Value: on | off
 coap.enable_stats = off
 ##------------------------------------------------------------------------------
 ## DTLS options
 ## The DTLS port that CoAP is listening on.
 ##
 ## Default: 0.0.0.0:5684
 ##
 ## Examples:
 ##    coap.bind.dtls.x = 0.0.0.0:5684 | :::5684 | 127.0.0.1:5684 | ::1:5684
 ##
 coap.bind.dtls.1 = 0.0.0.0:5684
 ##coap.bind.dtls.2 = 0.0.0.0:6684
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
 ## message is not sent if the verify option is verify_none).
 ## You can then also want to specify option fail_if_no_peer_cert.
 ## More information at: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: verify_peer | verify_none
 ## coap.dtls.verify = verify_peer
 ## Private key file for DTLS
 ##
 ## Value: File
 coap.dtls.keyfile = {{ platform_etc_dir }}/certs/key.pem
 ## Server certificate for DTLS.
 ##
 ## Value: File
 coap.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## PEM-encoded CA certificates for DTLS
 ##
 ## Value: File
 ## coap.dtls.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## Used together with {verify, verify_peer} by an SSL server. If set to true,
 ## the server fails if the client does not have a certificate to send, that is,
 ## sends an empty certificate.
 ##
 ## Value: true | false
 ## coap.dtls.fail_if_no_peer_cert = false
 ## This is the single most important configuration option of an Erlang SSL
 ## application. Ciphers (and their ordering) define the way the client and
 ## server encrypt information over the wire, from the initial Diffie-Helman
 ## key exchange, the session key encryption ## algorithm and the message
 ## digest algorithm. Selecting a good cipher suite is critical for the
 ## application’s data security, confidentiality and performance.
 ##
 ## The cipher list above offers:
 ##
 ## A good balance between compatibility with older browsers.
 ## It can get stricter for Machine-To-Machine scenarios.
 ## Perfect Forward Secrecy.
 ## No old/insecure encryption and HMAC algorithms
 ##
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
 coap.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
--- a/etc/emqx.d/emqx_dashboard.conf
+++ b/etc/emqx.d/emqx_dashboard.conf
@ -1,129 +0,0 @@
 ##--------------------------------------------------------------------
 ## EMQ X Dashboard
 ##--------------------------------------------------------------------
 ## Default user's login name.
 ##
 ## Value: String
 dashboard.default_user.login = admin
 ## Default user's password.
 ##
 ## Value: String
 dashboard.default_user.password = public
 ##--------------------------------------------------------------------
 ## HTTP Listener
 ## The port that the Dashboard HTTP listener will bind.
 ##
 ## Value: Port
 ##
 ## Examples: 18083
 dashboard.listener.http = 18083
 ## The acceptor pool for external Dashboard HTTP listener.
 ##
 ## Value: Number
 dashboard.listener.http.acceptors = 4
 ## Maximum number of concurrent Dashboard HTTP connections.
 ##
 ## Value: Number
 dashboard.listener.http.max_clients = 512
 ## Set up the socket for IPv6.
 ##
 ## Value: false | true
 dashboard.listener.http.inet6 = false
 ## Listen on IPv4 and IPv6 (false) or only on IPv6 (true). Use with inet6.
 ##
 ## Value: false | true
 dashboard.listener.http.ipv6_v6only = false
 ##--------------------------------------------------------------------
 ## HTTPS Listener
 ## The port that the Dashboard HTTPS listener will bind.
 ##
 ## Value: Port
 ##
 ## Examples: 18084
 ## dashboard.listener.https = 18084
 ## The acceptor pool for external Dashboard HTTPS listener.
 ##
 ## Value: Number
 ## dashboard.listener.https.acceptors = 2
 ## Maximum number of concurrent Dashboard HTTPS connections.
 ##
 ## Value: Number
 ## dashboard.listener.https.max_clients = 512
 ## Set up the socket for IPv6.
 ##
 ## Value: false | true
 ## dashboard.listener.https.inet6 = false
 ## Listen on IPv4 and IPv6 (false) or only on IPv6 (true). Use with inet6.
 ##
 ## Value: false | true
 ## dashboard.listener.https.ipv6_v6only = false
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## Value: File
 ## dashboard.listener.https.keyfile = etc/certs/key.pem
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
 ## dashboard.listener.https.certfile = etc/certs/cert.pem
 ## Path to the file containing PEM-encoded CA certificates.
 ##
 ## Value: File
 ## dashboard.listener.https.cacertfile = etc/certs/cacert.pem
 ## See: 'listener.ssl.<name>.dhfile' in emq.conf
 ##
 ## Value: File
 ## dashboard.listener.https.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
 ## See: 'listener.ssl.<name>.vefify' in emq.conf
 ##
 ## Value: vefify_peer | verify_none
 ## dashboard.listener.https.verify = verify_peer
 ## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
 ##
 ## Value: false | true
 ## dashboard.listener.https.fail_if_no_peer_cert = true
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
 ## dashboard.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##
 ## Value: Ciphers
 ## dashboard.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
 ##
 ## Value: on | off
 ## dashboard.listener.https.secure_renegotiate = off
 ## See: 'listener.ssl.<name>.reuse_sessions' in emq.conf
 ##
 ## Value: on | off
 ## dashboard.listener.https.reuse_sessions = on
 ## See: 'listener.ssl.<name>.honor_cipher_order' in emq.conf
 ##
 ## Value: on | off
 ## dashboard.listener.https.honor_cipher_order = on
--- a/etc/emqx.d/emqx_management.conf
+++ b/etc/emqx.d/emqx_management.conf
@ -1,52 +0,0 @@
 ##--------------------------------------------------------------------
 ## EMQ X Management Plugin
 ##--------------------------------------------------------------------
 ## Max Row Limit
 management.max_row_limit = 10000
 ## Application default secret
 ##
 ## Value: String
 ## management.application.default_secret = public
 ## Default Application ID
 ##
 ## Value: String
 management.default_application.id = admin
 ## Default Application Secret
 ##
 ## Value: String
 management.default_application.secret = public
 ##--------------------------------------------------------------------
 ## HTTP Listener
 management.listener.http = 8081
 management.listener.http.acceptors = 2
 management.listener.http.max_clients = 512
 management.listener.http.backlog = 512
 management.listener.http.send_timeout = 15s
 management.listener.http.send_timeout_close = on
 management.listener.http.inet6 = false
 management.listener.http.ipv6_v6only = false
 ##--------------------------------------------------------------------
 ## HTTPS Listener
 ## management.listener.https = 8081
 ## management.listener.https.acceptors = 2
 ## management.listener.https.max_clients = 512
 ## management.listener.https.backlog = 512
 ## management.listener.https.send_timeout = 15s
 ## management.listener.https.send_timeout_close = on
 ## management.listener.https.certfile = etc/certs/cert.pem
 ## management.listener.https.keyfile = etc/certs/key.pem
 ## management.listener.https.cacertfile = etc/certs/cacert.pem
 ## management.listener.https.verify = verify_peer
 ## management.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
 ## management.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## management.listener.https.fail_if_no_peer_cert = true
 ## management.listener.https.inet6 = false
 ## management.listener.https.ipv6_v6only = false
--- a/etc/emqx.d/emqx_recon.conf
+++ b/etc/emqx.d/emqx_recon.conf
@ -1,4 +0,0 @@
 ##--------------------------------------------------------------------
 ## Recon Plugin
 ##--------------------------------------------------------------------
--- a/etc/emqx.d/emqx_retainer.conf
+++ b/etc/emqx.d/emqx_retainer.conf
@ -1,41 +0,0 @@
 ##--------------------------------------------------------------------
 ## EMQ X Retainer
 ##--------------------------------------------------------------------
 ## Where to store the retained messages.
 ##
 ## Notice that all nodes in the same cluster have to be configured to
 ## use the same storage_type.
 ##
 ## Value: ram | disc | disc_only
 ##  - ram: memory only
 ##  - disc: both memory and disc
 ##  - disc_only: disc only
 ##
 ## Default: ram
 retainer.storage_type = ram
 ## Maximum number of retained messages. 0 means no limit.
 ##
 ## Value: Number >= 0
 retainer.max_retained_messages = 0
 ## Maximum retained message size.
 ##
 ## Value: Bytes
 retainer.max_payload_size = 1MB
 ## Expiry interval of the retained messages. Never expire if the value is 0.
 ##
 ## Value: Duration
 ##  - h: hour
 ##  - m: minute
 ##  - s: second
 ##
 ## Examples:
 ##  - 2h:  2 hours
 ##  - 30m: 30 minutes
 ##  - 20s: 20 seconds
 ##
 ## Defaut: 0
 retainer.expiry_interval = 0
--- a/etc/emqx.d/emqx_rule_engine.conf
+++ b/etc/emqx.d/emqx_rule_engine.conf
@ -1,42 +0,0 @@
 ##====================================================================
 ## Rule Engine for EMQ X R4.0
 ##====================================================================
 rule_engine.ignore_sys_message = on
 ## Event Messages
 ##
 ## If enabled (on), rule engine publishes the event as an MQTT message
 ## with topic='$events/<event-name>' on the occurrence of an emqx event.
 ##
 ## If disabled, rule engine stops publishing the event messages, but
 ## the event message can still be processed by the rule SQL. e.g. rule SQL:
 ##
 ##   SELECT * FROM "$events/client_connected"
 ##
 ## will still work even if 'rule_engine.events.client_connected' is set to 'off'
 ##
 ## EMQ Event to event message mapping:
 ##
 ##   - client.connected      -> $events/client_connected
 ##   - client.disconnected   -> $events/client_disconnected
 ##   - session.subscribed    -> $events/session_subscribed
 ##   - session.unsubscribed  -> $events/session_unsubscribed
 ##   - message.delivered     -> $events/message_delivered
 ##   - message.acked         -> $events/message_acked
 ##   - message.dropped       -> $events/message_dropped
 ##
 ## Config Value Format: Toggle, QoS-Level
 ##
 ## Toggle: on/off
 ##
 ## QoS-Level: qos0/qos1/qos2
 #rule_engine.events.client_connected = on, qos1
 rule_engine.events.client_connected = off
 rule_engine.events.client_disconnected = off
 rule_engine.events.session_subscribed = off
 rule_engine.events.session_unsubscribed = off
 rule_engine.events.message_delivered = off
 rule_engine.events.message_acked = off
 rule_engine.events.message_dropped = off
--- a/etc/emqx.d/emqx_sasl.conf
+++ b/etc/emqx.d/emqx_sasl.conf
--- a/etc/emqx.d/emqx_sn.conf
+++ b/etc/emqx.d/emqx_sn.conf
@ -1,53 +0,0 @@
 ##--------------------------------------------------------------------
 ## MQTT-SN
 ##--------------------------------------------------------------------
 ## The UDP port which emq-sn is listening on.
 ##
 ## Value: IP:Port | Port
 ##
 ## Examples: 1884, 127.0.0.1:1884, ::1:1884
 mqtt.sn.port = 1884
 ## The duration that emqx-sn broadcast ADVERTISE message through.
 ##
 ## Value: Duration
 mqtt.sn.advertise_duration = 15m
 ## The MQTT-SN Gateway id in ADVERTISE message.
 ##
 ## Value: Number
 mqtt.sn.gateway_id = 1
 ## To control whether write statistics data into ETS table for dashbord to read.
 ##
 ## Value: on | off
 mqtt.sn.enable_stats = off
 ## To control whether accept and process the received publish message with qos=-1.
 ##
 ## Value: on | off
 mqtt.sn.enable_qos3 = off
 ## MQTT SN idle timeout, specified in seconds.
 ##
 ## Value: Duration
 mqtt.sn.idle_timeout = 30s
 ## The pre-defined topic name corresponding to the pre-defined topic id of N.
 ## Note that the pre-defined topic id of 0 is reserved.
 mqtt.sn.predefined.topic.0 = reserved
 mqtt.sn.predefined.topic.1 = /predefined/topic/name/hello
 mqtt.sn.predefined.topic.2 = /predefined/topic/name/nice
 ## Default username for MQTT-SN. This parameter is optional. If specified,
 ## emq-sn will connect EMQ core with this username. It is useful if any auth
 ## plug-in is enabled.
 ##
 ## Value: String
 mqtt.sn.username = mqtt_sn_user
 ## This parameter is optional. Pair with username above.
 ##
 ## Value: String
 mqtt.sn.password = abc
--- a/etc/emqx.d/emqx_stomp.conf
+++ b/etc/emqx.d/emqx_stomp.conf
@ -1,123 +0,0 @@
 ##--------------------------------------------------------------------
 ## Stomp Plugin
 ##--------------------------------------------------------------------
 ##--------------------------------------------------------------------
 ## Stomp listener
 ## The Port that stomp listener will bind.
 ##
 ## Value: Port
 stomp.listener = 61613
 ## The acceptor pool for stomp listener.
 ##
 ## Value: Number
 stomp.listener.acceptors = 4
 ## Maximum number of concurrent stomp connections.
 ##
 ## Value: Number
 stomp.listener.max_connections = 512
 ## Whether to enable SSL.
 ##
 ## Value: on | off
 ## stomp.listener.ssl = off
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## Value: File
 ## stomp.listener.keyfile = etc/certs/key.pem
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
 ## stomp.listener.certfile = etc/certs/cert.pem
 ## Path to the file containing PEM-encoded CA certificates.
 ##
 ## Value: File
 ## stomp.listener.cacertfile = etc/certs/cacert.pem
 ## See: 'listener.ssl.<name>.dhfile' in emq.conf
 ##
 ## Value: File
 ## stomp.listener.dhfile = etc/certs/dh-params.pem
 ## See: 'listener.ssl.<name>.vefify' in emq.conf
 ##
 ## Value: vefify_peer | verify_none
 ## stomp.listener.verify = verify_peer
 ## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
 ##
 ## Value: false | true
 ## stomp.listener.fail_if_no_peer_cert = true
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
 ## stomp.listener.tls_versions = tlsv1.2,tlsv1.1,tlsv1
 ## SSL Handshake timeout.
 ##
 ## Value: Duration
 ## stomp.listener.handshake_timeout = 15s
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##
 ## Value: Ciphers
 ## stomp.listener.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
 ##
 ## Value: on | off
 ## stomp.listener.secure_renegotiate = off
 ## See: 'listener.ssl.<name>.reuse_sessions' in emq.conf
 ##
 ## Value: on | off
 ## stomp.listener.reuse_sessions = on
 ## See: 'listener.ssl.<name>.honor_cipher_order' in emq.conf
 ##
 ## Value: on | off
 ## stomp.listener.honor_cipher_order = on
 ##--------------------------------------------------------------------
 ## Stomp login user and password
 ## Default login user
 ##
 ## Value: String
 stomp.default_user.login = guest
 ## Default login password
 ##
 ## Value: String
 stomp.default_user.passcode = guest
 ## Allow anonymous authentication.
 ##
 ## Value: true | false
 stomp.allow_anonymous = true
 ##--------------------------------------------------------------------
 ## Stomp frame
 ## Maximum numbers of frame headers.
 ##
 ## Value: Number
 stomp.frame.max_headers = 10
 ## Maximum length of frame header.
 ##
 ## Value: Number
 stomp.frame.max_header_length = 1024
 ## Maximum body length of frame.
 ##
 ## Value: Number
 stomp.frame.max_body_length = 8192
--- a/etc/emqx.d/emqx_telemetry.conf
+++ b/etc/emqx.d/emqx_telemetry.conf
@ -1,28 +0,0 @@
 ##--------------------------------------------------------------------
 ## Telemetry
 ##--------------------------------------------------------------------
 ## Enable telemetry
 ##
 ## Value: true | false
 ##
 ## Default: true
 telemetry.enabled = true
 ## The destination URL for the telemetry data report
 ##
 ## Value: String
 ##
 ## Default: https://telemetry.emqx.io/api/telemetry
 telemetry.url = https://telemetry.emqx.io/api/telemetry
 ## Interval for reporting telemetry data
 ##
 ## Value: Duration
 ## -d: day
 ## -h: hour
 ## -m: minute
 ## -s: second
 ##
 ## Default: 7d
 telemetry.report_interval = 7d
--- a/etc/emqx.d/emqx_web_hook.conf
+++ b/etc/emqx.d/emqx_web_hook.conf
@ -1,66 +0,0 @@
 ##====================================================================
 ## WebHook
 ##====================================================================
 ## The web services URL for Hook request
 ##
 ## Value: String
 web.hook.api.url = http://127.0.0.1:8080
 ##--------------------------------------------------------------------
 ## HTTP Request Headers
 ##
 ## The header params what you extra need
 ## Format:
 ##    web.hook.headers.<param> = your-param
 ## Example:
 ## 1. web.hook.headers.token = your-token
 ## 2. web.hook.headers.other = others-param
 ##
 ## Value: String
 ## web.hook.headers.token = your-token
 ##--------------------------------------------------------------------
 ## Encode message payload field
 ##
 ## Value: base64 | base62
 ## web.hook.encode_payload = base64
 ## Mysql ssl configuration.
 ##
 ## Value: on | off
 ## web.hook.ssl = off
 ##--------------------------------------------------------------------
 ## CA certificate.
 ##
 ## Value: File
 ## web.hook.ssl.cafile  = path to your ca file
 ## Client ssl certificate.
 ##
 ## Value: File
 ## web.hook.ssl.certfile = path to your clientcert file
 ##--------------------------------------------------------------------
 ## Client ssl keyfile.
 ##
 ## Value: File
 ## web.hook.ssl.keyfile = path to your clientkey file
 ##--------------------------------------------------------------------
 ## Hook Rules
 ## These configuration items represent a list of events should be forwarded
 ##
 ## Format:
 ##   web.hook.rule.<HookName>.<No> = <Spec>
 #web.hook.rule.client.connect.1       = {"action": "on_client_connect"}
 #web.hook.rule.client.connack.1       = {"action": "on_client_connack"}
 #web.hook.rule.client.connected.1     = {"action": "on_client_connected"}
 #web.hook.rule.client.disconnected.1  = {"action": "on_client_disconnected"}
 #web.hook.rule.client.subscribe.1     = {"action": "on_client_subscribe"}
 #web.hook.rule.client.unsubscribe.1   = {"action": "on_client_unsubscribe"}
 #web.hook.rule.session.subscribed.1   = {"action": "on_session_subscribed"}
 #web.hook.rule.session.unsubscribed.1 = {"action": "on_session_unsubscribed"}
 #web.hook.rule.session.terminated.1   = {"action": "on_session_terminated"}
 #web.hook.rule.message.publish.1      = {"action": "on_message_publish"}
 #web.hook.rule.message.delivered.1    = {"action": "on_message_delivered"}
 #web.hook.rule.message.acked.1        = {"action": "on_message_acked"}
--- a/etc/emqx_cloud.d/emqx_auth_ldap.conf
+++ b/etc/emqx_cloud.d/emqx_auth_ldap.conf
@ -1,78 +0,0 @@
 ##--------------------------------------------------------------------
 ## LDAP Auth Plugin
 ##--------------------------------------------------------------------
 ## LDAP server list, seperated by ','.
 ##
 ## Value: String
 auth.ldap.servers = 127.0.0.1
 ## LDAP server port.
 ##
 ## Value: Port
 auth.ldap.port = 389
 ## LDAP pool size
 ##
 ## Value: String
 auth.ldap.pool = 8
 ## LDAP Bind DN.
 ##
 ## Value: DN
 auth.ldap.bind_dn = cn=root,dc=emqx,dc=io
 ## LDAP Bind Password.
 ##
 ## Value: String
 auth.ldap.bind_password = public
 ## LDAP query timeout.
 ##
 ## Value: Number
 auth.ldap.timeout = 30s
 ## Device DN.
 ##
 ## Variables:
 ##
 ## Value: DN
 auth.ldap.device_dn = ou=device,dc=emqx,dc=io
 ## Specified ObjectClass
 ##
 ## Variables:
 ##
 ## Value: string
 auth.ldap.match_objectclass = mqttUser
 ## attributetype for username
 ##
 ## Variables:
 ##
 ## Value: string
 auth.ldap.username.attributetype = uid
 ## attributetype for password
 ##
 ## Variables:
 ##
 ## Value: string
 auth.ldap.password.attributetype = userPassword
 ## Whether to enable SSL.
 ##
 ## Value: true | false
 auth.ldap.ssl = false
 #auth.ldap.ssl.certfile = etc/certs/cert.pem
 #auth.ldap.ssl.keyfile = etc/certs/key.pem
 #auth.ldap.ssl.cacertfile = etc/certs/cacert.pem
 #auth.ldap.ssl.verify = verify_peer
 #auth.ldap.ssl.fail_if_no_peer_cert = true
 #auth.ldap.ssl.server_name_indication = your_server_name
--- a/etc/emqx_cloud.d/emqx_auth_mongo.conf
+++ b/etc/emqx_cloud.d/emqx_auth_mongo.conf
@ -1,172 +0,0 @@
 ##--------------------------------------------------------------------
 ## MongoDB Auth/ACL Plugin
 ##--------------------------------------------------------------------
 ## MongoDB Topology Type.
 ##
 ## Value: single | unknown | sharded | rs
 auth.mongo.type = single
 ## The set name if type is rs.
 ##
 ## Value: String
 ## auth.mongo.rs_set_name =
 ## MongoDB server list.
 ##
 ## Value: String
 ##
 ## Examples: 127.0.0.1:27017,127.0.0.2:27017...
 auth.mongo.server = 127.0.0.1:27017
 ## MongoDB pool size
 ##
 ## Value: Number
 auth.mongo.pool = 8
 ## MongoDB login user.
 ##
 ## Value: String
 ## auth.mongo.login =
 ## MongoDB password.
 ##
 ## Value: String
 ## auth.mongo.password =
 ## MongoDB AuthSource
 ##
 ## Value: String
 ## Default: mqtt
 ## auth.mongo.auth_source = admin
 ## MongoDB database
 ##
 ## Value: String
 auth.mongo.database = mqtt
 ## MongoDB query timeout
 ##
 ## Value: Duration
 ## auth.mongo.query_timeout = 5s
 ## Whether to enable SSL connection.
 ##
 ## Value: true | false
 ## auth.mongo.ssl = false
 ## SSL keyfile.
 ##
 ## Value: File
 ## auth.mongo.ssl_opts.keyfile =
 ## SSL certfile.
 ##
 ## Value: File
 ## auth.mongo.ssl_opts.certfile =
 ## SSL cacertfile.
 ##
 ## Value: File
 ## auth.mongo.ssl_opts.cacertfile =
 ## MongoDB write mode.
 ##
 ## Value: unsafe | safe
 ## auth.mongo.w_mode =
 ## Mongo read mode.
 ##
 ## Value: master | slave_ok
 ## auth.mongo.r_mode =
 ## MongoDB topology options.
 auth.mongo.topology.pool_size = 1
 auth.mongo.topology.max_overflow = 0
 ## auth.mongo.topology.overflow_ttl = 1000
 ## auth.mongo.topology.overflow_check_period = 1000
 ## auth.mongo.topology.local_threshold_ms = 1000
 ## auth.mongo.topology.connect_timeout_ms = 20000
 ## auth.mongo.topology.socket_timeout_ms = 100
 ## auth.mongo.topology.server_selection_timeout_ms = 30000
 ## auth.mongo.topology.wait_queue_timeout_ms = 1000
 ## auth.mongo.topology.heartbeat_frequency_ms = 10000
 ## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
 ## -------------------------------------------------
 ## Auth Query
 ## -------------------------------------------------
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 | bcrypt
 auth.mongo.auth_query.password_hash = sha256
 ## sha256 with salt suffix
 ## auth.mongo.auth_query.password_hash = sha256,salt
 ## sha256 with salt prefix
 ## auth.mongo.auth_query.password_hash = salt,sha256
 ## bcrypt with salt prefix
 ## auth.mongo.auth_query.password_hash = salt,bcrypt
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
 ## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
 ## Authentication query.
 auth.mongo.auth_query.collection = mqtt_user
 ## Password mainly fields
 ##
 ## Value:  password | password,salt
 auth.mongo.auth_query.password_field = password
 ## Authentication Selector.
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 ## auth.mongo.auth_query.selector = {Field}={Placeholder}
 auth.mongo.auth_query.selector = username=%u
 ## -------------------------------------------------
 ## Super User Query
 ## -------------------------------------------------
 auth.mongo.super_query.collection = mqtt_user
 auth.mongo.super_query.super_field = is_superuser
 #auth.mongo.super_query.selector = username=%u, clientid=%c
 auth.mongo.super_query.selector = username=%u
 ## ACL Selector.
 ##
 ## Multiple selectors could be combined with '$or'
 ##   when query acl from mongo.
 ##
 ## e.g.
 ##
 ## With following 2 selectors configured:
 ##
 ## auth.mongo.acl_query.selector.1 = username=%u
 ## auth.mongo.acl_query.selector.2 = username=$all
 ##
 ## And if a client connected using username 'ilyas',
 ##   then the following mongo command will be used to
 ##   retrieve acl entries:
 ##
 ## db.mqtt_acl.find({$or: [{username: "ilyas"},  {username: "$all"}]});
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##
 ## Examples:
 ##
 ## auth.mongo.acl_query.selector.1 = username=%u,clientid=%c
 ## auth.mongo.acl_query.selector.2 = username=$all
 ## auth.mongo.acl_query.selector.3 = clientid=$all
 auth.mongo.acl_query.collection = mqtt_acl
 auth.mongo.acl_query.selector = username=%u
--- a/etc/emqx_cloud.d/emqx_auth_pgsql.conf
+++ b/etc/emqx_cloud.d/emqx_auth_pgsql.conf
@ -1,110 +0,0 @@
 ##--------------------------------------------------------------------
 ## PostgreSQL Auth/ACL Plugin
 ##--------------------------------------------------------------------
 ## PostgreSQL server address.
 ##
 ## Value: Port | IP:Port
 ##
 ## Examples: 5432, 127.0.0.1:5432, localhost:5432
 auth.pgsql.server = 127.0.0.1:5432
 ## PostgreSQL pool size.
 ##
 ## Value: Number
 auth.pgsql.pool = 8
 ## PostgreSQL username.
 ##
 ## Value: String
 auth.pgsql.username = root
 ## PostgreSQL password.
 ##
 ## Value: String
 ## auth.pgsql.password =
 ## PostgreSQL database.
 ##
 ## Value: String
 auth.pgsql.database = mqtt
 ## PostgreSQL database encoding.
 ##
 ## Value: String
 auth.pgsql.encoding = utf8
 ## Whether to enable SSL connection.
 ##
 ## Value: true | false
 auth.pgsql.ssl = false
 ## SSL keyfile.
 ##
 ## Value: File
 ## auth.pgsql.ssl_opts.keyfile =
 ## SSL certfile.
 ##
 ## Value: File
 ## auth.pgsql.ssl_opts.certfile =
 ## SSL cacertfile.
 ##
 ## Value: File
 ## auth.pgsql.ssl_opts.cacertfile =
 ## Authentication query.
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 auth.pgsql.auth_query = select password from mqtt_user where username = '%u' limit 1
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 | bcrypt
 auth.pgsql.password_hash = sha256
 ## sha256 with salt prefix
 ## auth.pgsql.password_hash = salt,sha256
 ## sha256 with salt suffix
 ## auth.pgsql.password_hash = sha256,salt
 ## bcrypt with salt prefix
 ## auth.pgsql.password_hash = salt,bcrypt
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
 ## auth.pgsql.password_hash = pbkdf2,sha256,1000,20
 ## Superuser query.
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 auth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
 ## ACL query. Comment this query, the ACL will be disabled.
 ##
 ## Value: SQL
 ##
 ## Variables:
 ##  - %a: ipaddress
 ##  - %u: username
 ##  - %c: clientid
 ##
 ## Note: You can add the 'ORDER BY' statement to control the rules match order
 auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
--- a/etc/emqx_cloud.d/emqx_auth_redis.conf
+++ b/etc/emqx_cloud.d/emqx_auth_redis.conf
@ -1,97 +0,0 @@
 ##--------------------------------------------------------------------
 ## Redis Auth/ACL Plugin
 ##--------------------------------------------------------------------
 ## Redis Server cluster type
 ## single    Single redis server
 ## sentinel  Redis cluster through sentinel
 ## cluster   Redis through cluster
 auth.redis.type = single
 ## Redis server address.
 ##
 ## Value: Port | IP:Port
 ##
 ## Single Redis Server: 127.0.0.1:6379, localhost:6379
 ## Redis Sentinel: 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379
 ## Redis Cluster: 127.0.0.1:6379,127.0.0.2:6379,127.0.0.3:6379
 auth.redis.server = 127.0.0.1:6379
 ## Redis sentinel cluster name.
 ##
 ## Value: String
 ## auth.redis.sentinel = mymaster
 ## Redis pool size.
 ##
 ## Value: Number
 auth.redis.pool = 8
 ## Redis database no.
 ##
 ## Value: Number
 auth.redis.database = 0
 ## Redis password.
 ##
 ## Value: String
 ## auth.redis.password =
 ## Redis query timeout
 ##
 ## Value: Duration
 ## auth.redis.query_timeout = 5s
 ## Authentication query command.
 ##
 ## Value: Redis cmd
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
 ## Examples:
 ##  - HGET mqtt_user:%u password
 ##  - HMGET mqtt_user:%u password
 ##  - HMGET mqtt_user:%u password salt
 auth.redis.auth_cmd = HMGET mqtt_user:%u password
 ## Password hash.
 ##
 ## Value: plain | md5 | sha | sha256 | bcrypt
 auth.redis.password_hash = plain
 ## sha256 with salt prefix
 ## auth.redis.password_hash = salt,sha256
 ## sha256 with salt suffix
 ## auth.redis.password_hash = sha256,salt
 ## bcrypt with salt prefix
 ## auth.redis.password_hash = salt,bcrypt
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
 ## auth.redis.password_hash = pbkdf2,sha256,1000,20
 ## Superuser query command.
 ##
 ## Value: Redis cmd
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 auth.redis.super_cmd = HGET mqtt_user:%u is_superuser
 ## ACL query command.
 ##
 ## Value: Redis cmd
 ##
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
 auth.redis.acl_cmd = HGETALL mqtt_acl:%u
--- a/etc/emqx_cloud.d/emqx_exhook.conf
+++ b/etc/emqx_cloud.d/emqx_exhook.conf
@ -1,15 +0,0 @@
 ##====================================================================
 ## EMQ X Hooks
 ##====================================================================
 ##--------------------------------------------------------------------
 ## Server Address
 ## The gRPC server url
 ##
 ## exhook.server.$name.url = url()
 exhook.server.default.url = http://127.0.0.1:9000
 #exhook.server.default.ssl.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 #exhook.server.default.ssl.certfile = {{ platform_etc_dir }}/certs/cert.pem
 #exhook.server.default.ssl.keyfile = {{ platform_etc_dir }}/certs/key.pem
--- a/etc/emqx_cloud.d/emqx_exproto.conf
+++ b/etc/emqx_cloud.d/emqx_exproto.conf
@ -1,252 +0,0 @@
 ##====================================================================
 ## EMQ X ExProto
 ##====================================================================
 exproto.server.http.port = 9100
 exproto.server.https.port = 9101
 exproto.server.https.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 exproto.server.https.certfile = {{ platform_etc_dir }}/certs/cert.pem
 exproto.server.https.keyfile = {{ platform_etc_dir }}/certs/key.pem
 ##--------------------------------------------------------------------
 ## Listeners
 ##--------------------------------------------------------------------
 ##--------------------------------------------------------------------
 ## MQTT/TCP - External TCP Listener for MQTT Protocol
 ## The IP address and port that the listener will bind.
 ##
 ## Value: <tcp|ssl|udp|dtls>://<ip>:<port>
 ##
 ## Examples: tcp://0.0.0.0:7993 | ssl://127.0.0.1:7994
 exproto.listener.protoname = tcp://0.0.0.0:7993
 ## The ConnectionHandler server address
 ##
 exproto.listener.protoname.connection_handler_url = http://127.0.0.1:9001
 #exproto.listener.protoname.connection_handler_certfile =
 #exproto.listener.protoname.connection_handler_cacertfile =
 #exproto.listener.protoname.connection_handler_keyfile =
 ## The acceptor pool for external MQTT/TCP listener.
 ##
 ## Value: Number
 exproto.listener.protoname.acceptors = 8
 ## Maximum number of concurrent MQTT/TCP connections.
 ##
 ## Value: Number
 exproto.listener.protoname.max_connections = 1024000
 ## Maximum external connections per second.
 ##
 ## Value: Number
 exproto.listener.protoname.max_conn_rate = 1000
 ## Specify the {active, N} option for the external MQTT/TCP Socket.
 ##
 ## Value: Number
 exproto.listener.protoname.active_n = 100
 ## Idle timeout
 ##
 ## Value: Duration
 exproto.listener.protoname.idle_timeout = 30s
 ## The access control rules for the MQTT/TCP listener.
 ##
 ## See: https://github.com/emqtt/esockd#allowdeny
 ##
 ## Value: ACL Rule
 ##
 ## Example: allow 192.168.0.0/24
 exproto.listener.protoname.access.1 = allow all
 ## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
 ## behind HAProxy or Nginx.
 ##
 ## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
 ##
 ## Value: on | off
 ## exproto.listener.protoname.proxy_protocol = on
 ## Sets the timeout for proxy protocol. EMQ X will close the TCP connection
 ## if no proxy protocol packet recevied within the timeout.
 ##
 ## Value: Duration
 #exproto.listener.protoname.proxy_protocol_timeout = 3s
 ## The TCP backlog defines the maximum length that the queue of pending
 ## connections can grow to.
 ##
 ## Value: Number >= 0
 exproto.listener.protoname.backlog = 1024
 ## The TCP send timeout for external MQTT connections.
 ##
 ## Value: Duration
 exproto.listener.protoname.send_timeout = 15s
 ## Close the TCP connection if send timeout.
 ##
 ## Value: on | off
 exproto.listener.protoname.send_timeout_close = on
 ## The TCP receive buffer(os kernel) for MQTT connections.
 ##
 ## See: http://erlang.org/doc/man/inet.html
 ##
 ## Value: Bytes
 #exproto.listener.protoname.recbuf = 2KB
 ## The TCP send buffer(os kernel) for MQTT connections.
 ##
 ## See: http://erlang.org/doc/man/inet.html
 ##
 ## Value: Bytes
 #exproto.listener.protoname.sndbuf = 2KB
 ## The size of the user-level software buffer used by the driver.
 ## Not to be confused with options sndbuf and recbuf, which correspond
 ## to the Kernel socket buffers. It is recommended to have val(buffer)
 ## >= max(val(sndbuf),val(recbuf)) to avoid performance issues because
 ## of unnecessary copying. val(buffer) is automatically set to the above
 ## maximum when values sndbuf or recbuf are set.
 ##
 ## See: http://erlang.org/doc/man/inet.html
 ##
 ## Value: Bytes
 #exproto.listener.protoname.buffer = 2KB
 ## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
 ##
 ## Value: on | off
 #exproto.listener.protoname.tune_buffer = off
 ## The TCP_NODELAY flag for MQTT connections. Small amounts of data are
 ## sent immediately if the option is enabled.
 ##
 ## Value: true | false
 exproto.listener.protoname.nodelay = true
 ## The SO_REUSEADDR flag for TCP listener.
 ##
 ## Value: true | false
 exproto.listener.protoname.reuseaddr = true
 ##--------------------------------------------------------------------
 ## TLS/DTLS options
 ## TLS versions only to protect from POODLE attack.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: String, seperated by ','
 #exproto.listener.protoname.tls_versions = tlsv1.2,tlsv1.1,tlsv1
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
 #exproto.listener.protoname.keyfile = {{ platform_etc_dir }}/certs/key.pem
 ## Path to a file containing the user certificate.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
 #exproto.listener.protoname.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## Path to the file containing PEM-encoded CA certificates. The CA certificates
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
 #exproto.listener.protoname.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## The Ephemeral Diffie-Helman key exchange is a very effective way of
 ## ensuring Forward Secrecy by exchanging a set of keys that never hit
 ## the wire. Since the DH key is effectively signed by the private key,
 ## it needs to be at least as strong as the private key. In addition,
 ## the default DH groups that most of the OpenSSL installations have
 ## are only a handful (since they are distributed with the OpenSSL
 ## package that has been built for the operating system it’s running on)
 ## and hence predictable (not to mention, 1024 bits only).
 ## In order to escape this situation, first we need to generate a fresh,
 ## strong DH group, store it in a file and then use the option above,
 ## to force our SSL application to use the new DH group. Fortunately,
 ## OpenSSL provides us with a tool to do that. Simply run:
 ## openssl dhparam -out dh-params.pem 2048
 ##
 ## Value: File
 #exproto.listener.protoname.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
 ## message is not sent if the verify option is verify_none).
 ## You can then also want to specify option fail_if_no_peer_cert.
 ## More information at: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: verify_peer | verify_none
 #exproto.listener.protoname.verify = verify_peer
 ## Used together with {verify, verify_peer} by an SSL server. If set to true,
 ## the server fails if the client does not have a certificate to send, that is,
 ## sends an empty certificate.
 ##
 ## Value: true | false
 #exproto.listener.protoname.fail_if_no_peer_cert = true
 ## This is the single most important configuration option of an Erlang SSL
 ## application. Ciphers (and their ordering) define the way the client and
 ## server encrypt information over the wire, from the initial Diffie-Helman
 ## key exchange, the session key encryption ## algorithm and the message
 ## digest algorithm. Selecting a good cipher suite is critical for the
 ## application’s data security, confidentiality and performance.
 ##
 ## The cipher list above offers:
 ##
 ## A good balance between compatibility with older browsers.
 ## It can get stricter for Machine-To-Machine scenarios.
 ## Perfect Forward Secrecy.
 ## No old/insecure encryption and HMAC algorithms
 ##
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
 #exproto.listener.protoname.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## Ciphers for TLS PSK.
 ## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
 #exproto.listener.protoname.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
 ## SSL parameter renegotiation is a feature that allows a client and a server
 ## to renegotiate the parameters of the SSL connection on the fly.
 ## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
 ## you drop support for the insecure renegotiation, prone to MitM attacks.
 ##
 ## Value: on | off
 #exproto.listener.protoname.secure_renegotiate = off
 ## A performance optimization setting, it allows clients to reuse
 ## pre-existing sessions, instead of initializing new ones.
 ## Read more about it here.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: on | off
 #exproto.listener.protoname.reuse_sessions = on
 ## An important security setting, it forces the cipher to be set based
 ## on the server-specified order instead of the client-specified order,
 ## hence enforcing the (usually more properly configured) security
 ## ordering of the server administrator.
 ##
 ## Value: on | off
 #exproto.listener.protoname.honor_cipher_order = on
--- a/etc/emqx_cloud.d/emqx_lua_hook.conf
+++ b/etc/emqx_cloud.d/emqx_lua_hook.conf
@ -1,4 +0,0 @@
 ##--------------------------------------------------------------------
 ## EMQ X Lua Hook
 ##--------------------------------------------------------------------
--- a/etc/emqx_cloud.d/emqx_lwm2m.conf
+++ b/etc/emqx_cloud.d/emqx_lwm2m.conf
@ -1,136 +0,0 @@
 ##--------------------------------------------------------------------
 ## LwM2M Gateway
 ##--------------------------------------------------------------------
 ##--------------------------------------------------------------------
 ## Protocols
 # To Limit the range of lifetime, in seconds
 lwm2m.lifetime_min = 1s
 lwm2m.lifetime_max = 86400s
 # The time window for Q Mode, indicating that after how long time
 #   the downlink commands sent to the client will be cached.
 #lwm2m.qmode_time_window = 22
 # Auto send observer command to device
 # on | off
 #lwm2m.auto_observe = off
 # The topic subscribed by the lwm2m client after it is connected
 # Placeholders supported:
 #    '%e': Endpoint Name
 #    '%a': IP Address
 lwm2m.mountpoint = lwm2m/%e/
 # The topic subscribed by the lwm2m client after it is connected
 # Placeholders supported:
 #    '%e': Endpoint Name
 #    '%a': IP Address
 lwm2m.topics.command = dn/#
 # The topic to which the lwm2m client's response is published
 lwm2m.topics.response = up/resp
 # The topic to which the lwm2m client's notify message is published
 lwm2m.topics.notify = up/notify
 # The topic to which the lwm2m client's register message is published
 lwm2m.topics.register = up/resp
 # The topic to which the lwm2m client's update message is published
 lwm2m.topics.update = up/resp
 # Dir where the object definition files can be found
 lwm2m.xml_dir =  {{ platform_etc_dir }}/lwm2m_xml
 ##--------------------------------------------------------------------
 ## UDP Listener options
 ## The IP and port of the LwM2M Gateway
 ##
 ## Default: 0.0.0.0:5683
 ## Examples:
 ##     lwm2m.bind.udp.x = 0.0.0.0:5683 | :::5683 | 127.0.0.1:5683 | ::1:5683
 lwm2m.bind.udp.1 = 0.0.0.0:5683
 #lwm2m.bind.udp.2 = 0.0.0.0:6683
 ## Socket options, used for performance tuning
 ##
 ## Examples:
 ##     lwm2m.opts.$name = $value
 ## See: https://erlang.org/doc/man/gen_udp.html#type-option
 lwm2m.opts.buffer = 1024KB
 lwm2m.opts.recbuf = 1024KB
 lwm2m.opts.sndbuf = 1024KB
 lwm2m.opts.read_packets = 20
 ##--------------------------------------------------------------------
 ## DTLS Listener Options
 ## The DTLS port that LwM2M is listening on.
 ##
 ## Default: 0.0.0.0:5684
 ##
 ## Examples:
 ##    lwm2m.bind.dtls.x = 0.0.0.0:5684 | :::5684 | 127.0.0.1:5684 | ::1:5684
 ##
 lwm2m.bind.dtls.1 = 0.0.0.0:5684
 #lwm2m.bind.dtls.2 = 0.0.0.0:6684
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
 ## message is not sent if the verify option is verify_none).
 ## You can then also want to specify option fail_if_no_peer_cert.
 ## More information at: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: verify_peer | verify_none
 #lwm2m.dtls.verify = verify_peer
 ## Private key file for DTLS
 ##
 ## Value: File
 lwm2m.dtls.keyfile = {{ platform_etc_dir }}/certs/key.pem
 ## Server certificate for DTLS.
 ##
 ## Value: File
 lwm2m.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## PEM-encoded CA certificates for DTLS
 ##
 ## Value: File
 #lwm2m.dtls.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## Used together with {verify, verify_peer} by an SSL server. If set to true,
 ## the server fails if the client does not have a certificate to send, that is,
 ## sends an empty certificate.
 ##
 ## Value: true | false
 #lwm2m.dtls.fail_if_no_peer_cert = false
 ## This is the single most important configuration option of an Erlang SSL
 ## application. Ciphers (and their ordering) define the way the client and
 ## server encrypt information over the wire, from the initial Diffie-Helman
 ## key exchange, the session key encryption ## algorithm and the message
 ## digest algorithm. Selecting a good cipher suite is critical for the
 ## application’s data security, confidentiality and performance.
 ##
 ## The cipher list above offers:
 ##
 ## A good balance between compatibility with older browsers.
 ## It can get stricter for Machine-To-Machine scenarios.
 ## Perfect Forward Secrecy.
 ## No old/insecure encryption and HMAC algorithms
 ##
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
 lwm2m.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
 ## Ciphers for TLS PSK.
 ##
 ## Note that 'lwm2m.dtls.ciphers' and 'lwm2m.dtls.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
 #lwm2m.dtls.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
--- a/etc/emqx_cloud.d/emqx_prometheus.conf
+++ b/etc/emqx_cloud.d/emqx_prometheus.conf
@ -1,13 +0,0 @@
 ##--------------------------------------------------------------------
 ## emqx_prometheus for EMQ X
 ##--------------------------------------------------------------------
 ## The Prometheus Push Gateway URL address
 ##
 ## Note: You can comment out this line to disable it
 prometheus.push.gateway.server = http://127.0.0.1:9091
 ## The metrics data push interval (millisecond)
 ##
 ## Default: 15000
 prometheus.interval = 15000
--- a/etc/emqx_cloud.d/emqx_psk_file.conf
+++ b/etc/emqx_cloud.d/emqx_psk_file.conf
@ -1,2 +0,0 @@
 psk.file.path = {{ platform_etc_dir }}/psk.txt
 psk.file.delimiter = :
--- a/etc/emqx_edge.d/vm.args.edge
+++ b/etc/emqx_edge.d/vm.args.edge
--- a/etc/vm.args
+++ b/etc/vm.args
@ -1,115 +0,0 @@
 ######################################################################
 ## Erlang VM Args for EMQ X Broker
 ######################################################################
 ## NOTE:
 ##
 ## Arguments configured in this file might be overridden by configs from `emqx.conf`.
 ##
 ## Some basic VM arguments are to be configured in `emqx.conf`,
 ## such as `node.name` for `-name` and `node.cooke` for `-setcookie`.
 ## Sets the maximum number of simultaneously existing processes for this system.
 +P 2097152
 ## Sets the maximum number of simultaneously existing ports for this system.
 +Q 1048576
 ## Sets the maximum number of ETS tables
 +e 262144
 ## Sets the maximum number of atoms the virtual machine can handle.
 #+t 1048576
 ## Set the location of crash dumps
 #-env ERL_CRASH_DUMP {{ platform_log_dir }}/crash.dump
 ## Set how many times generational garbages collections can be done without
 ## forcing a fullsweep collection.
 -env ERL_FULLSWEEP_AFTER 1000
 ## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive
 ## (Disabled by default..use with caution!)
 #-heart
 ## Specify the erlang distributed protocol.
 ## Can be one of: inet_tcp, inet6_tcp, inet_tls
 #-proto_dist inet_tcp
 ## Specify SSL Options in the file if using SSL for Erlang Distribution.
 ## Used only when -proto_dist set to inet_tls
 #-ssl_dist_optfile {{ platform_etc_dir }}/ssl_dist.conf
 ## Specifies the net_kernel tick time in seconds.
 ## This is the approximate time a connected node may be unresponsive until
 ## it is considered down and thereby disconnected.
 -kernel net_ticktime 120
 ## Sets the distribution buffer busy limit (dist_buf_busy_limit).
 #+zdbbl 8192
 ## Sets default scheduler hint for port parallelism.
 +spp true
 ## Sets the number of threads in async thread pool. Valid range is 0-1024.
 ## Increase the parameter if there are many simultaneous file I/O operations.
 +A 4
 ## Sets the default heap size of processes to the size Size.
 #+hms 233
 ## Sets the default binary virtual heap size of processes to the size Size.
 #+hmbs 46422
 ## Sets the default maximum heap size of processes to the size Size.
 ## Defaults to 0, which means that no maximum heap size is used.
 ##For more information, see process_flag(max_heap_size, MaxHeapSize).
 #+hmax 0
 ## Sets the default value for process flag message_queue_data. Defaults to on_heap.
 #+hmqd on_heap | off_heap
 ## Sets the number of IO pollsets to use when polling for I/O.
 #+IOp 1
 ## Sets the number of IO poll threads to use when polling for I/O.
 ## Increase this for the busy systems with many concurrent connection.
 +IOt 4
 ## Sets the number of scheduler threads to create and scheduler threads to set online.
 #+S 8:8
 ## Sets the number of dirty CPU scheduler threads to create and dirty CPU scheduler threads to set online.
 #+SDcpu 8:8
 ## Sets the number of dirty I/O scheduler threads to create.
 +SDio 8
 ## Suggested stack size, in kilowords, for scheduler threads.
 #+sss 32
 ## Suggested stack size, in kilowords, for dirty CPU scheduler threads.
 #+sssdcpu 40
 ## Suggested stack size, in kilowords, for dirty IO scheduler threads.
 #+sssdio 40
 ## Sets scheduler bind type.
 ## Can be one of: u, ns, ts, ps, s, nnts, nnps, tnnps, db
 #+sbt db
 ## Sets a user-defined CPU topology.
 #+sct L0-3c0-3p0N0:L4-7c0-3p1N1
 ## Sets the mapping of warning messages for error_logger
 #+W w
 ## Sets time warp mode: no_time_warp | single_time_warp | multi_time_warp
 #+C no_time_warp
 ## Prevents loading information about source filenames and line numbers.
 #+L
 ## Specifies how long time (in milliseconds) to spend shutting down the system.
 ## See: http://erlang.org/doc/man/erl.html
 -shutdown_time 30000
--- a/etc/vm.args.edge
+++ b/etc/vm.args.edge
@ -1,114 +0,0 @@
 ######################################################################
 ## Erlang VM Args for EMQ X Edge
 ######################################################################
 ## NOTE:
 ##
 ## Arguments configured in this file might be overridden by configs from `emqx.conf`.
 ##
 ## Some basic VM arguments are to be configured in `emqx.conf`,
 ## such as `node.name` for `-name` and `node.cooke` for `-setcookie`.
 ## Sets the maximum number of simultaneously existing processes for this system.
 +P 16384
 ## Sets the maximum number of simultaneously existing ports for this system.
 +Q 4096
 ## Sets the maximum number of ETS tables
 +e 512
 ## Sets the maximum number of atoms the virtual machine can handle.
 +t 262144
 ## Set the location of crash dumps
 -env ERL_CRASH_DUMP {{ platform_log_dir }}/crash.dump
 ## Set how many times generational garbages collections can be done without
 ## forcing a fullsweep collection.
 -env ERL_FULLSWEEP_AFTER 0
 ## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive
 ## (Disabled by default..use with caution!)
 -heart
 ## Specify the erlang distributed protocol.
 ## Can be one of: inet_tcp, inet6_tcp, inet_tls
 #-proto_dist inet_tcp
 ## Specify SSL Options in the file if using SSL for Erlang Distribution.
 ## Used only when -proto_dist set to inet_tls
 #-ssl_dist_optfile {{ platform_etc_dir }}/ssl_dist.conf
 ## Specifies the net_kernel tick time in seconds.
 ## This is the approximate time a connected node may be unresponsive until
 ## it is considered down and thereby disconnected.
 #-kernel net_ticktime 60
 ## Sets the distribution buffer busy limit (dist_buf_busy_limit).
 +zdbbl 1024
 ## Sets default scheduler hint for port parallelism.
 +spp false
 ## Sets the number of threads in async thread pool. Valid range is 0-1024.
 ## Increase the parameter if there are many simultaneous file I/O operations.
 +A 1
 ## Sets the default heap size of processes to the size Size.
 #+hms 233
 ## Sets the default binary virtual heap size of processes to the size Size.
 #+hmbs 46422
 ## Sets the default maximum heap size of processes to the size Size.
 ## Defaults to 0, which means that no maximum heap size is used.
 ##For more information, see process_flag(max_heap_size, MaxHeapSize).
 #+hmax 0
 ## Sets the default value for process flag message_queue_data. Defaults to on_heap.
 #+hmqd on_heap | off_heap
 ## Sets the number of IO pollsets to use when polling for I/O.
 +IOp 1
 ## Sets the number of IO poll threads to use when polling for I/O.
 +IOt 1
 ## Sets the number of scheduler threads to create and scheduler threads to set online.
 +S 1:1
 ## Sets the number of dirty CPU scheduler threads to create and dirty CPU scheduler threads to set online.
 +SDcpu 1:1
 ## Sets the number of dirty I/O scheduler threads to create.
 +SDio 1
 ## Suggested stack size, in kilowords, for scheduler threads.
 #+sss 32
 ## Suggested stack size, in kilowords, for dirty CPU scheduler threads.
 #+sssdcpu 40
 ## Suggested stack size, in kilowords, for dirty IO scheduler threads.
 #+sssdio 40
 ## Sets scheduler bind type.
 ## Can be one of: u, ns, ts, ps, s, nnts, nnps, tnnps, db
 #+sbt db
 ## Sets a user-defined CPU topology.
 #+sct L0-3c0-3p0N0:L4-7c0-3p1N1
 ## Sets the mapping of warning messages for error_logger
 #+W w
 ## Sets time warp mode: no_time_warp | single_time_warp | multi_time_warp
 #+C no_time_warp
 ## Prevents loading information about source filenames and line numbers.
 +L
 ## Specifies how long time (in milliseconds) to spend shutting down the system.
 ## See: http://erlang.org/doc/man/erl.html
 -shutdown_time 10000
--- a/packages.mk
+++ b/packages.mk
@ -31,12 +31,14 @@ endif
 .PHONY: $(PROFILES:%=relup-%)
 $(PROFILES:%=relup-%): $(REBAR)
 ifneq ($(RELUP_BASE_VERSIONS),)
 ifneq ($(OS),Windows_NT)
 	@if [ ! -z $$(ls | grep -E "$(@:relup-%=%)-$(SYSTEM)-(.*)-$$(uname -m).zip" | head -1 ) ]; then \
 		mkdir -p tmp/relup_packages/$(@:relup-%=%); \
 		cp $(@:relup-%=%)-$(SYSTEM)-*-$$(uname -m).zip tmp/relup_packages/$(@:relup-%=%); \
 	fi
-	$(REBAR) as $(@:relup-%=%) relup
+	$(REBAR) as $(@:relup-%=%) relup --relname emqx --relvsn $(PKG_VSN) --upfrom $(RELUP_BASE_VERSIONS)
 endif
 endif
 .PHONY: $(PROFILES:%=%-tar) $(PKG_PROFILES:%=%-tar)
--- a/rebar.config.erl
+++ b/rebar.config.erl
@ -33,17 +33,17 @@ test_deps() ->
    ].
 profiles() ->
-    [ {'emqx',          [ {relx, relx('emqx')}
+    [ {'emqx',          [ {erl_opts, [no_debug_info]}
-                        , {erl_opts, [no_debug_info]}
+                        , {relx, relx('emqx')}
                        ]}
-    , {'emqx-pkg',      [ {relx, relx('emqx-pkg')}
+    , {'emqx-pkg',      [ {erl_opts, [no_debug_info]}
-                        , {erl_opts, [no_debug_info]}
+                        , {relx, relx('emqx-pkg')}
                        ]}
-    , {'emqx-edge',     [ {relx, relx('emqx-edge')}
+    , {'emqx-edge',     [ {erl_opts, [no_debug_info]}
-                        , {erl_opts, [no_debug_info]}
+                        , {relx, relx('emqx-edge')}
                        ]}
-    , {'emqx-edge-pkg', [ {relx, relx('emqx-edge-pkg')}
+    , {'emqx-edge-pkg', [ {erl_opts, [no_debug_info]}
-                        , {erl_opts, [no_debug_info]}
+                        , {relx, relx('emqx-edge-pkg')}
                        ]}
    , {check,           [ {erl_opts, [debug_info]}
                        ]}
@ -99,47 +99,56 @@ relx_apps(ReleaseType) ->
    , emqx
    , {mnesia, load}
    , {ekka, load}
-    , {emqx_retainer, load}
+    ]
-    , {emqx_management, load}
+    ++ [bcrypt || provide_bcrypt_release(ReleaseType)]
-    , {emqx_dashboard, load}
+    ++ relx_apps_per_rel(ReleaseType)
-    , {emqx_bridge_mqtt, load}
+    ++ [{N, load} || N <- relx_plugin_apps(ReleaseType)].
    , {emqx_sn, load}
    , {emqx_coap, load}
    , {emqx_stomp, load}
    , {emqx_auth_http, load}
    , {emqx_auth_mysql, load}
    , {emqx_auth_jwt, load}
    , {emqx_auth_mnesia, load}
    , {emqx_web_hook, load}
    , {emqx_recon, load}
    , {emqx_rule_engine, load}
    , {emqx_sasl, load}
    , {emqx_telemetry, load}
    ] ++ do_relx_apps(ReleaseType) ++ [bcrypt || provide_bcrypt_release(ReleaseType)].
-do_relx_apps(cloud) ->
+relx_apps_per_rel(cloud) ->
-    [ {emqx_lwm2m, load}
+    [ {observer, load}
    , {emqx_auth_ldap, load}
    , {emqx_auth_pgsql, load}
    , {emqx_auth_redis, load}
    , {emqx_auth_mongo, load}
    , {emqx_lua_hook, load}
    , {emqx_exhook, load}
    , {emqx_exproto, load}
    , {emqx_prometheus, load}
    , {emqx_psk_file, load}
    , {emqx_plugin_template, load}
    , {observer, load}
    , luerl
    , xmerl
    ];
-do_relx_apps(_) ->
+relx_apps_per_rel(edge) ->
    [].
 relx_plugin_apps(ReleaseType) ->
    [ emqx_retainer
    , emqx_management
    , emqx_dashboard
    , emqx_bridge_mqtt
    , emqx_sn
    , emqx_coap
    , emqx_stomp
    , emqx_auth_http
    , emqx_auth_mysql
    , emqx_auth_jwt
    , emqx_auth_mnesia
    , emqx_web_hook
    , emqx_recon
    , emqx_rule_engine
    , emqx_sasl
    , emqx_telemetry
    ] ++ relx_plugin_apps_per_rel(ReleaseType).
 relx_plugin_apps_per_rel(cloud) ->
    [ emqx_lwm2m
    , emqx_auth_ldap
    , emqx_auth_pgsql
    , emqx_auth_redis
    , emqx_auth_mongo
    , emqx_lua_hook
    , emqx_exhook
    , emqx_exproto
    , emqx_prometheus
    , emqx_psk_file
    , emqx_plugin_template
    ];
 relx_plugin_apps_per_rel(edge) ->
    [].
 relx_overlay(ReleaseType) ->
-    [ {mkdir,"etc/"}
+    [ {mkdir,"log/"}
    , {mkdir,"etc/emqx.d/"}
    , {mkdir,"log/"}
    , {mkdir,"data/"}
    , {mkdir,"data/mnesia"}
    , {mkdir,"data/configs"}
@ -147,30 +156,69 @@ relx_overlay(ReleaseType) ->
    , {template, "data/loaded_plugins.tmpl", "data/loaded_plugins"}
    , {template, "data/loaded_modules.tmpl", "data/loaded_modules"}
    , {template,"data/emqx_vars","releases/emqx_vars"}
-    , {copy,"_build/default/lib/cuttlefish/cuttlefish","bin/"}
+    , {copy,"bin/emqx","bin/emqx"}
-    , {copy,"bin/*","bin/"}
+    , {copy,"bin/emqx_ctl","bin/emqx_ctl"}
-    , {template,"etc/*.conf","etc/"}
+    , {copy,"bin/install_upgrade.escript", "bin/install_upgrade.escript"}
-    , {template,"etc/emqx.d/*.conf","etc/emqx.d/"}
+    , {copy,"bin/emqx","bin/emqx-{{release_version}}"} %% for relup
-    , {copy,"priv/emqx.schema","releases/{{release_version}}/"}
+    , {copy,"bin/emqx_ctl","bin/emqx_ctl-{{release_version}}"} %% for relup
-    , {copy, "etc/certs","etc/"}
+    , {copy,"bin/install_upgrade.escript", "bin/install_upgrade.escript-{{release_version}}"} %% for relup
-    , {copy,"bin/emqx.cmd","bin/emqx.cmd-{{release_version}}"}
+    , {template,"bin/emqx.cmd","bin/emqx.cmd"}
-    , {copy,"bin/emqx_ctl.cmd","bin/emqx_ctl.cmd-{{release_version}}"}
+    , {template,"bin/emqx_ctl.cmd","bin/emqx_ctl.cmd"}
-    , {copy,"bin/emqx","bin/emqx-{{release_version}}"}
+    , {copy,"bin/nodetool","bin/nodetool"}
    , {copy,"bin/emqx_ctl","bin/emqx_ctl-{{release_version}}"}
    , {copy,"bin/install_upgrade.escript", "bin/install_upgrade.escript-{{release_version}}"}
    , {copy,"bin/nodetool","bin/nodetool-{{release_version}}"}
    , {copy,"_build/default/lib/cuttlefish/cuttlefish","bin/cuttlefish"}
    , {copy,"_build/default/lib/cuttlefish/cuttlefish","bin/cuttlefish-{{release_version}}"}
-    ] ++ do_relx_overlay(ReleaseType).
+    , {copy,"priv/emqx.schema","releases/{{release_version}}/"}
    ] ++ etc_overlay(ReleaseType).
-do_relx_overlay(cloud) ->
+etc_overlay(ReleaseType) ->
-    [ {template,"etc/emqx_cloud.d/*.conf","etc/emqx.d/"}
+    PluginApps = relx_plugin_apps(ReleaseType),
-    , {template,"etc/emqx_cloud.d/vm.args","etc/vm.args"}
+    Templates = emqx_etc_overlay(ReleaseType) ++
                lists:append([plugin_etc_overlays(App) || App <- PluginApps]),
    [ {mkdir, "etc/"}
    , {mkdir, "etc/plugins"}
    , {copy, "{{base_dir}}/lib/emqx/etc/certs","etc/"}
    ] ++
    lists:map(
      fun({From, To}) -> {template, From, To};
         (FromTo)     -> {template, FromTo, FromTo}
      end, Templates)
    ++ extra_overlay(ReleaseType).
 extra_overlay(cloud) ->
    [ {copy,"{{base_dir}}/lib/emqx_lwm2m/lwm2m_xml","etc/"}
    , {copy, "{{base_dir}}/lib/emqx_psk_file/etc/psk.txt", "etc/psk.txt"}
    ];
-do_relx_overlay(edge) ->
+extra_overlay(edge) ->
-    [ {template,"etc/emqx_edge.d/*.conf","etc/emqx.d/"}
+    [].
-    , {template,"etc/emqx_edge.d/vm.args.edge","etc/vm.args"}
+emqx_etc_overlay(cloud) ->
    emqx_etc_overlay_common() ++
    [ {"etc/emqx_cloud.d/vm.args","etc/vm.args"}
    ];
 emqx_etc_overlay(edge) ->
    emqx_etc_overlay_common() ++
    [ {"etc/emqx_edge.d/vm.args","etc/vm.args"}
    ].
 emqx_etc_overlay_common() ->
    ["etc/acl.conf", "etc/emqx.conf", "etc/ssl_dist.conf",
     %% TODO: check why it has to end with .paho
     %% and why it is put to etc/plugins dir
     {"etc/acl.conf.paho", "etc/plugins/acl.conf.paho"}].
 plugin_etc_overlays(App0) ->
    App = atom_to_list(App0),
    ConfFiles = find_conf_files(App),
    %% NOTE: not filename:join here since relx translates it for windows
    [{"{{base_dir}}/lib/"++ App ++"/etc/" ++ F, "etc/plugins/" ++ F}
     || F <- ConfFiles].
 %% NOTE: for apps fetched as rebar dependency (there is so far no such an app)
 %% the overlay should be hand-coded but not to rely on build-time wildcards.
 find_conf_files(App) ->
    Dir = filename:join(["apps", App, "etc"]),
    filelib:wildcard("*.conf", Dir).
 env(Name, Default) ->
    case os:getenv(Name) of
        "" -> Default;
--- a/sync-apps.sh
+++ b/sync-apps.sh
@ -1,99 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 force="${1:-no}"
 apps=(
 "emqx_auth_http"
 "emqx_auth_jwt"
 "emqx_auth_ldap"
 "emqx_auth_mongo"
 "emqx_auth_mysql"
 "emqx_auth_pgsql"
 "emqx_auth_redis"
 "emqx_bridge_mqtt"
 "emqx_coap"
 "emqx_dashboard"
 "emqx_exhook"
 "emqx_exproto"
 "emqx_lua_hook"
 "emqx_lwm2m"
 "emqx_management"
 "emqx_plugin_template"
 "emqx_prometheus"
 "emqx_psk_file"
 "emqx_recon"
 "emqx_retainer"
 "emqx_rule_engine"
 "emqx_sasl"
 "emqx_sn"
 "emqx_stomp"
 "emqx_telemetry"
 "emqx_web_hook")
 if git status --porcelain | grep -qE 'apps/'; then
    echo 'apps dir is not git-clear, refuse to sync'
 #    exit 1
 fi
 rm -rf apps/emqx_*
 mkdir -p tmp/
 download_zip() {
    local app="$1"
    local ref="$2"
    local vsn="$(echo "$ref" | tr '/' '-')"
    local file="tmp/${app}-${vsn}.zip"
    if [ -f "$file" ] && [ "$force" != "force" ]; then
        return 0
    fi
    local repo="$(echo "$app" | sed 's#_#-#g')"
    local url="https://github.com/emqx/$repo/archive/$ref.zip"
    echo "downloading ${url}"
    curl -fLsS -o "$file" "$url"
 }
 default_vsn="dev/v4.3.0"
 download_zip "emqx_auth_mnesia" "e4.2.2"
 for app in ${apps[@]}; do
    download_zip "$app" "$default_vsn"
 done
 extract_zip(){
    local app="$1"
    local ref="$2"
    local vsn_arg="${3:-}"
    local vsn_dft="$(echo "$ref" | tr '/' '-')"
    local vsn
    if [ -n "$vsn_arg" ]; then
        vsn="$vsn_arg"
    else
        vsn="$vsn_dft"
    fi
    local file="tmp/${app}-${vsn_dft}.zip"
    local repo="$(echo "$app" | sed 's#_#-#g')"
    unzip "$file" -d apps/
    mv "apps/${repo}-${vsn}/" "apps/$app/"
 }
 extract_zip "emqx_auth_mnesia" "e4.2.2" "e4.2.2"
 for app in ${apps[@]}; do
    extract_zip "$app" "$default_vsn"
 done
 cleanup_app(){
    local app="$1"
    pushd "apps/$app"
    rm -f Makefile rebar.config.script LICENSE src/*.app.src.script src/*.appup.src
    rm -rf ".github"
    # restore rebar.config and app.src
    git checkout rebar.config
    git checkout src/*.app.src
    popd
 }
 apps+=( "emqx_auth_mnesia" )
 for app in ${apps[@]}; do
    cleanup_app $app
 done
		`@ -1,2 +0,0 @@`
			`psk.file.path = {{ platform_etc_dir }}/psk.txt`
			`psk.file.delimiter = :`