From e1a6d1e4b231abb07b8203d988489caf7902093d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Nov 2021 17:21:15 +0200 Subject: [PATCH] Upgrade Synapse (1.46.0 -> 1.47.0) We had to remove UID/GID environment variables that we used to pass to the Synapse container, because it was causing a problem after https://github.com/matrix-org/synapse/pull/11209 We were using both `--user` and UID/GID environment variables until now. --- roles/matrix-synapse/defaults/main.yml | 4 +-- .../tasks/synapse/setup_install.yml | 2 -- .../templates/synapse/homeserver.yaml.j2 | 31 ++++++++++++++----- .../systemd/matrix-synapse-worker.service.j2 | 2 -- .../synapse/systemd/matrix-synapse.service.j2 | 2 -- roles/matrix-synapse/vars/workers.yml | 18 ++++++----- 6 files changed, 36 insertions(+), 23 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a6feb1ab..e48e3e89 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.46.0 -matrix_synapse_version_arm64: v1.46.0 +matrix_synapse_version: v1.47.0 +matrix_synapse_version_arm64: v1.47.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index b658cfff..09ec798d 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -67,8 +67,6 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e UID={{ matrix_user_uid }} - -e GID={{ matrix_user_gid }} -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} -e SYNAPSE_REPORT_STATS=no diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1f699ee2..1780fb91 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -66,8 +66,28 @@ pid_file: /homeserver.pid # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see # 'listeners' below). # +# Defaults to 'https:///'. +# public_baseurl: https://{{ matrix_server_fqn_matrix }}/ +# Uncomment the following to tell other servers to send federation traffic on +# port 443. +# +# By default, other servers will try to reach our server on port 8448, which can +# be inconvenient in some environments. +# +# Provided 'https:///' on port 443 is routed to Synapse, this +# option configures Synapse to serve a file at +# 'https:///.well-known/matrix/server'. This will tell other +# servers to send traffic to port 443 instead. +# +# See https://matrix-org.github.io/synapse/latest/delegate.html for more +# information. +# +# Defaults to 'false'. +# +#serve_server_wellknown: true + # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the # hard limit. @@ -1271,7 +1291,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # in on this server. # # (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) +# This setting is ignored unless public_baseurl is also explicitly set.) # #default_identity_server: https://matrix.org @@ -1296,8 +1316,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # -# If a delegate is specified, the config option public_baseurl must also be filled out. -# account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} @@ -1990,11 +2008,10 @@ sso: # phishing attacks from evil.site. To avoid this, include a slash after the # hostname: "https://my.client/". # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. + # The login fallback page (used by clients that don't natively support the + # required login flows) is whitelisted in addition to any URLs in this list. # - # By default, this list is empty. + # By default, this list contains only the login fallback page. # #client_whitelist: # - https://riot.im/develop diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 6c90c9a3..43dc42d1 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -17,8 +17,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 5 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -e UID={{ matrix_user_uid }} \ - -e GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 7fec6649..188db5ef 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -33,8 +33,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 3 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --env=UID={{ matrix_user_uid }} \ - --env=GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index fda7227c..ad9a7315 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -271,19 +271,19 @@ matrix_synapse_workers_media_repository_endpoints: # expose the `media` resource. For example: # ```yaml - # worker_listeners: - # - type: http - # port: 8085 - # resources: - # - names: - # - media + # worker_listeners: + # - type: http + # port: 8085 + # resources: + # - names: + # - media # ``` # Note that if running multiple media repositories they must be on the same server # and you must configure a single instance to run the background tasks, e.g.: # ```yaml - # media_instance_running_background_jobs: "media-repository-1" + # media_instance_running_background_jobs: "media-repository-1" # ``` # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). @@ -319,7 +319,9 @@ matrix_synapse_workers_frontend_proxy_endpoints: # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration # file. For example: - # worker_main_http_uri: http://127.0.0.1:{{ matrix_synapse_container_client_api_port }} + # ```yaml + # worker_main_http_uri: http://127.0.0.1:8008 + # ``` matrix_synapse_workers_avail_list: - appservice