diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers
index 2ceb6ab67c..9caf9a6646 100644
--- a/docker/Dockerfile-workers
+++ b/docker/Dockerfile-workers
@@ -1,67 +1,62 @@ # syntax=docker/dockerfile:1 ARG SYNAPSE_VERSION=latest -ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION +ARG SYNAPSE_IMAGE=docker.io/matrixdotorg/synapse:$SYNAPSE_VERSION -# first of all, we create a base image with an nginx which we can copy into the -# target image. For repeated rebuilds, this is much faster than apt installing -# each time. +ARG MAS_VERSION=latest +ARG MAS_IMAGE=ghcr.io/matrix-org/matrix-authentication-service:$MAS_VERSION -FROM docker.io/library/debian:bookworm-slim AS deps_base - RUN \ - --mount=type=cache,target=/var/cache/apt,sharing=locked \ - --mount=type=cache,target=/var/lib/apt,sharing=locked \ - apt-get update -qq && \ - DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \ - redis-server nginx-light +ARG REDIS_VERSION=7.4.0 +ARG REDIS_IMAGE=docker.io/library/redis:$REDIS_VERSION-bookworm -# Similarly, a base to copy the redis server from. -# -# The redis docker image has fewer dynamic libraries than the debian package, -# which makes it much easier to copy (but we need to make sure we use an image -# based on the same debian version as the synapse image, to make sure we get -# the expected version of libc. -FROM docker.io/library/redis:7-bookworm AS redis_base +ARG NGINX_VERSION=1.26.1 +ARG NGINX_IMAGE=docker.io/library/nginx:$NGINX_VERSION-bookworm + +FROM $NGINX_IMAGE AS nginx +FROM $REDIS_IMAGE AS redis +FROM $MAS_IMAGE AS mas # now build the final image, based on the the regular Synapse docker image -FROM $FROM +FROM $SYNAPSE_IMAGE - # Install supervisord with pip instead of apt, to avoid installing a second - # copy of python. - RUN --mount=type=cache,target=/root/.cache/pip \ - pip install supervisor~=4.2 - RUN mkdir -p /etc/supervisor/conf.d +# Install supervisord with pip instead of apt, to avoid installing a second +# copy of python. 
+RUN --mount=type=cache,target=/root/.cache/pip \ + pip install supervisor~=4.2 +RUN mkdir -p /etc/supervisor/conf.d - # Copy over redis and nginx - COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin +# Copy over redis, nginx and matrix-authentication-service +COPY --from=redis /usr/local/bin/redis-server /usr/local/bin - COPY --from=deps_base /usr/sbin/nginx /usr/sbin - COPY --from=deps_base /usr/share/nginx /usr/share/nginx - COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx - COPY --from=deps_base /etc/nginx /etc/nginx - RUN rm /etc/nginx/sites-enabled/default - RUN mkdir /var/log/nginx /var/lib/nginx - RUN chown www-data /var/lib/nginx +COPY --from=nginx /usr/sbin/nginx /usr/sbin +COPY --from=nginx /usr/share/nginx /usr/share/nginx +COPY --from=nginx /usr/lib/nginx /usr/lib/nginx +COPY --from=nginx /etc/nginx /etc/nginx +RUN mkdir /var/log/nginx /var/lib/nginx +RUN chown www-data /var/lib/nginx - # have nginx log to stderr/out - RUN ln -sf /dev/stdout /var/log/nginx/access.log - RUN ln -sf /dev/stderr /var/log/nginx/error.log +# have nginx log to stderr/out +RUN ln -sf /dev/stdout /var/log/nginx/access.log +RUN ln -sf /dev/stderr /var/log/nginx/error.log - # Copy Synapse worker, nginx and supervisord configuration template files - COPY ./docker/conf-workers/* /conf/ +COPY --from=mas /usr/local/bin/mas-cli /usr/local/bin +COPY --from=mas /usr/local/share/mas-cli /usr/local/share - # Copy a script to prefix log lines with the supervisor program name - COPY ./docker/prefix-log /usr/local/bin/ +# Copy Synapse worker, nginx and supervisord configuration template files +COPY ./docker/conf-workers/* /conf/ - # Expose nginx listener port - EXPOSE 8080/tcp +# Copy a script to prefix log lines with the supervisor program name +COPY ./docker/prefix-log /usr/local/bin/ - # A script to read environment variables and create the necessary - # files to run the desired worker configuration. Will start supervisord. 
- COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py - ENTRYPOINT ["/configure_workers_and_start.py"] +# Expose nginx listener port +EXPOSE 8080/tcp - # Replace the healthcheck with one which checks *all* the workers. The script - # is generated by configure_workers_and_start.py. - HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \ - CMD /bin/sh /healthcheck.sh +# A script to read environment variables and create the necessary +# files to run the desired worker configuration. Will start supervisord. +COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py +ENTRYPOINT ["/configure_workers_and_start.py"] + +# Replace the healthcheck with one which checks *all* the workers. The script +# is generated by configure_workers_and_start.py. +HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \ + CMD /bin/sh /healthcheck.sh diff --git a/docker/complement/Dockerfile b/docker/complement/Dockerfile index ce82c400eb..890e954b3c 100644 --- a/docker/complement/Dockerfile +++ b/docker/complement/Dockerfile @@ -6,11 +6,17 @@ # Instructions for building this image from those it depends on is detailed in this guide: # https://github.com/element-hq/synapse/blob/develop/docker/README-testing.md#testing-with-postgresql-and-single-or-multi-process-synapse -ARG SYNAPSE_VERSION=latest # This is an intermediate image, to be built locally (not pulled from a registry). -ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION +ARG SYNAPSE_WORKERS_IMAGE=synapse-workers + +ARG POSTGRES_VERSION=13 +ARG POSTGRES_IMAGE=docker.io/library/postgres:$POSTGRES_VERSION-bookworm + +# Save the Postgres image for later +FROM $POSTGRES_IMAGE AS postgres + +FROM $SYNAPSE_WORKERS_IMAGE -FROM $FROM # First of all, we copy postgres server from the official postgres image, # since for repeated rebuilds, this is much faster than apt installing # postgres each time. 
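Review bot: `COPY --from=mas /usr/local/share/mas-cli /usr/local/share` copies the contents of the source directory into `/usr/local/share`, not the directory itself (Docker's COPY never copies the top-level directory of a directory source), so the MAS assets land one level above where they sat in the MAS image; if mas-cli resolves its templates and policy under `/usr/local/share/mas-cli`, they will not be found. Mirror the source path the way the nginx lines in this hunk do: `COPY --from=mas /usr/local/share/mas-cli /usr/local/share/mas-cli`. Separately, `REDIS_VERSION` and `NGINX_VERSION` are pinned but `ARG MAS_VERSION=latest` is not, so the MAS build that ends up in the image is whatever ghcr.io serves at build time; pin it like the others. The removed `RUN rm /etc/nginx/sites-enabled/default` has no counterpart for the official nginx image, whose copied `/etc/nginx` may ship its own default server block under `conf.d/`; confirm and delete it in the same step so that only the rendered worker configuration listens.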
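Review bot: `ARG SYNAPSE_WORKERS_IMAGE=synapse-workers` defaults the `FROM` to an unqualified, untagged name; when no such image exists in the local daemon the builder does not fail but tries to pull `docker.io/library/synapse-workers:latest` from the public registry, which is not the locally built intermediate image the comment describes. Consider declaring the argument without a default (`ARG SYNAPSE_WORKERS_IMAGE`) so that a missing `--build-arg` fails the build at the `FROM` line, or qualify the default with an explicit registry and tag. The comment above it should then say that the value is required rather than that the image is "to be built locally".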
@@ -20,8 +26,8 @@ FROM $FROM # the same debian version as Synapse's docker image (so the versions of the # shared libraries match). RUN adduser --system --uid 999 postgres --home /var/lib/postgresql -COPY --from=docker.io/library/postgres:13-bookworm /usr/lib/postgresql /usr/lib/postgresql -COPY --from=docker.io/library/postgres:13-bookworm /usr/share/postgresql /usr/share/postgresql +COPY --from=postgres /usr/lib/postgresql /usr/lib/postgresql +COPY --from=postgres /usr/share/postgresql /usr/share/postgresql RUN mkdir /var/run/postgresql && chown postgres /var/run/postgresql ENV PATH="${PATH}:/usr/lib/postgresql/13/bin" ENV PGDATA=/var/lib/postgresql/data @@ -29,9 +35,10 @@ ENV PGDATA=/var/lib/postgresql/data # We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image. RUN gosu postgres initdb --locale=C --encoding=UTF-8 --auth-host password -# Configure a password and create a database for Synapse +# Configure a password and create a database for Synapse and MAS RUN echo "ALTER USER postgres PASSWORD 'somesecret'" | gosu postgres postgres --single RUN echo "CREATE DATABASE synapse" | gosu postgres postgres --single +RUN echo "CREATE DATABASE mas" | gosu postgres postgres --single # Extend the shared homeserver config to disable rate-limiting, # set Complement's static shared secret, enable registration, amongst other diff --git a/docker/conf-workers/shared.yaml.j2 b/docker/conf-workers/shared.yaml.j2 index 1dfc60ad11..1f23e18d3b 100644 --- a/docker/conf-workers/shared.yaml.j2 +++ b/docker/conf-workers/shared.yaml.j2 @@ -20,4 +20,15 @@ app_service_config_files: {%- endfor %} {%- endif %} +{% if enable_mas %} +experimental_features: + msc3861: + enabled: true + issuer: "http://localhost:8008/" + client_id: "0000000000000000000SYNAPSE" + client_auth_method: client_secret_basic + client_secret: choozia3ThiefahZaofeiveish1kahr0 + admin_token: eeShoo4ceebae4Lo4Che1hoofoophaiz +{% endif %} + {{ shared_worker_config }} 
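Review bot: `COPY --from=postgres` now follows `POSTGRES_VERSION`, but the unchanged `ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"` two lines below still hardcodes the major version, so a build with a different `--build-arg POSTGRES_VERSION` copies that version's binaries and then puts a non-existent directory on PATH. An ARG declared before `FROM` is not visible inside the stage, so it has to be redeclared there: `ARG POSTGRES_VERSION` followed by `ENV PATH="${PATH}:/usr/lib/postgresql/${POSTGRES_VERSION}/bin"`.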
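Review bot: The new `msc3861` block bakes a fixed `client_secret` and `admin_token` into a template that ships inside every workers image, and `admin_token` grants Synapse admin to anyone holding the string; `enable_mas` is hardcoded to `False` elsewhere in this commit, but the values sit in the image layer today and become live in every deployment that later flips it on. Render them from the environment or generate them at start-up, as the surrounding template takes its other values from configure_workers_and_start.py, or, if these are deliberately fixed Complement fixtures, say so above the block: `# Fixed test-only credentials for Complement; never reuse outside the test image.` The plain-http `issuer: "http://localhost:8008/"` only makes sense inside the test container and deserves the same caveat.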
diff --git a/docker/conf-workers/supervisord.conf.j2 b/docker/conf-workers/supervisord.conf.j2 index da93358051..fbd2433d37 100644 --- a/docker/conf-workers/supervisord.conf.j2 +++ b/docker/conf-workers/supervisord.conf.j2 @@ -35,3 +35,12 @@ autorestart=true # Redis can be disabled if the image is being used without workers autostart={{ enable_redis }} +[program:mas] +comamnd=/usr/local/bin/prefix-log /usr/local/bin/mas-cli --config /conf/mas.yaml +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autorestart=unexpected + +autostart={{ enable_mas }} diff --git a/docker/configure_workers_and_start.py b/docker/configure_workers_and_start.py index 15d8d7b558..266df6d5eb 100755 --- a/docker/configure_workers_and_start.py +++ b/docker/configure_workers_and_start.py @@ -959,6 +959,7 @@ def generate_worker_files( shared_worker_config=yaml.dump(shared_config), appservice_registrations=appservice_registrations, enable_redis=workers_in_use, + enable_mas=False, workers_in_use=workers_in_use, using_unix_sockets=using_unix_sockets, ) @@ -981,6 +982,7 @@ def generate_worker_files( "/etc/supervisor/supervisord.conf", main_config_path=config_path, enable_redis=workers_in_use, + enable_mas=False, using_unix_sockets=using_unix_sockets, ) diff --git a/scripts-dev/complement.sh b/scripts-dev/complement.sh index 4ad547bc7e..2c4f341463 100755 --- a/scripts-dev/complement.sh +++ b/scripts-dev/complement.sh @@ -167,11 +167,11 @@ if [ -z "$skip_docker_build" ]; then -f "docker/editable.Dockerfile" . $CONTAINER_RUNTIME build -t synapse-workers-editable \ - --build-arg FROM=synapse-editable \ + --build-arg SYNAPSE_IMAGE=synapse-editable \ -f "docker/Dockerfile-workers" . $CONTAINER_RUNTIME build -t complement-synapse-editable \ - --build-arg FROM=synapse-workers-editable \ + --build-arg SUNAPSE_WORKERS_IMAGE=synapse-workers-editable \ -f "docker/complement/Dockerfile" "docker/complement" # Prepare the Rust module 
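Review bot: `comamnd=` in the new `[program:mas]` section is a typo for `command=`; supervisord refuses a program section that has no `command` key when it parses its configuration, so every container rendered from this template fails to start, and `autostart={{ enable_mas }}` does not help because the error is raised at load time regardless of autostart. Change the line to `command=/usr/local/bin/prefix-log /usr/local/bin/mas-cli --config /conf/mas.yaml`. Nothing in this diff writes `/conf/mas.yaml`, so presumably a later change supplies it; a comment saying so would save the next reader a search. The blank line between `autorestart=unexpected` and `autostart=` also departs from the layout of the redis section directly above, where the autostart comment and key sit with the other options.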
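Review bot: `enable_mas=False` is passed as a bare literal to two template renders (this hunk and the `@@ -981,6 +982,7 @@` hunk below), so the shared.yaml and supervisord templates can silently disagree once one call site is changed; hoist it into one local next to `workers_in_use` and explain why it is off, e.g. `enable_mas = False  # MAS is not wired up yet; both templates must agree`. generate_worker_files starts and ends outside these hunks.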
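Review bot: `--build-arg SUNAPSE_WORKERS_IMAGE=synapse-workers-editable` misspells the argument name, so docker/complement/Dockerfile never receives it; BuildKit only warns about an unconsumed build arg, and `FROM $SYNAPSE_WORKERS_IMAGE` falls back to the default `synapse-workers`, a possibly stale local image or, failing that, a public-registry pull, instead of the editable workers image built just before. Fix the name: `--build-arg SYNAPSE_WORKERS_IMAGE=synapse-workers-editable \`. The enclosing `if [ -z "$skip_docker_build" ]` block starts before this hunk.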
@@ -180,21 +180,24 @@ if [ -z "$skip_docker_build" ]; then else # Build the base Synapse image from the local checkout - echo_if_github "::group::Build Docker image: matrixdotorg/synapse" - $CONTAINER_RUNTIME build -t matrixdotorg/synapse \ - --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \ - --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \ - -f "docker/Dockerfile" . + echo_if_github "::group::Build Docker image: synapse" + $CONTAINER_RUNTIME build -t synapse \ + --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \ + --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \ + -f "docker/Dockerfile" . echo_if_github "::endgroup::" # Build the workers docker image (from the base Synapse image we just built). - echo_if_github "::group::Build Docker image: matrixdotorg/synapse-workers" - $CONTAINER_RUNTIME build -t matrixdotorg/synapse-workers -f "docker/Dockerfile-workers" . + echo_if_github "::group::Build Docker image: synapse-workers" + $CONTAINER_RUNTIME build -t synapse-workers \ + --build-arg SYNAPSE_IMAGE=synapse \ + -f "docker/Dockerfile-workers" . echo_if_github "::endgroup::" # Build the unified Complement image (from the worker Synapse image we just built). - echo_if_github "::group::Build Docker image: complement/Dockerfile" + echo_if_github "::group::Build Docker image: complement-synapse" $CONTAINER_RUNTIME build -t complement-synapse \ + --build-arg SYNAPSE_WORKERS_IMAGE=synapse-workers \ -f "docker/complement/Dockerfile" "docker/complement" echo_if_github "::endgroup::"
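Review bot: The local tags drop the `matrixdotorg/` prefix (`synapse`, `synapse-workers`), which changes the names that callers and documentation must use; if docker/README-testing.md (referenced from docker/complement/Dockerfile) or the CI workflows still build or reference `matrixdotorg/synapse-workers`, they need updating in the same change. Because `synapse` is also a valid unqualified Hub name, a run in which the first build step is skipped or fails would make `FROM $SYNAPSE_IMAGE` with `SYNAPSE_IMAGE=synapse` attempt `docker.io/library/synapse` rather than stop; adding `set -e` semantics around these builds, or a comment stating that the tags are local-only, would make the intent explicit.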