WIP: MAS in complement

This commit is contained in:
Quentin Gliech 2024-08-05 17:30:40 +02:00
parent 2b620e0a15
commit 4580e12275
No known key found for this signature in database
GPG key ID: 22D62B84552719FC
6 changed files with 93 additions and 66 deletions

View file

@ -1,67 +1,62 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
ARG SYNAPSE_VERSION=latest ARG SYNAPSE_VERSION=latest
ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION ARG SYNAPSE_IMAGE=docker.io/matrixdotorg/synapse:$SYNAPSE_VERSION
# first of all, we create a base image with an nginx which we can copy into the ARG MAS_VERSION=latest
# target image. For repeated rebuilds, this is much faster than apt installing ARG MAS_IMAGE=ghcr.io/matrix-org/matrix-authentication-service:$MAS_VERSION
# each time.
FROM docker.io/library/debian:bookworm-slim AS deps_base ARG REDIS_VERSION=7.4.0
RUN \ ARG REDIS_IMAGE=docker.io/library/redis:$REDIS_VERSION-bookworm
--mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt-get update -qq && \
DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
redis-server nginx-light
# Similarly, a base to copy the redis server from. ARG NGINX_VERSION=1.26.1
# ARG NGINX_IMAGE=docker.io/library/nginx:$NGINX_VERSION-bookworm
# The redis docker image has fewer dynamic libraries than the debian package,
# which makes it much easier to copy (but we need to make sure we use an image FROM $NGINX_IMAGE AS nginx
# based on the same debian version as the synapse image, to make sure we get FROM $REDIS_IMAGE AS redis
# the expected version of libc. FROM $MAS_IMAGE AS mas
FROM docker.io/library/redis:7-bookworm AS redis_base
# now build the final image, based on the the regular Synapse docker image # now build the final image, based on the the regular Synapse docker image
FROM $FROM FROM $SYNAPSE_IMAGE
# Install supervisord with pip instead of apt, to avoid installing a second # Install supervisord with pip instead of apt, to avoid installing a second
# copy of python. # copy of python.
RUN --mount=type=cache,target=/root/.cache/pip \ RUN --mount=type=cache,target=/root/.cache/pip \
pip install supervisor~=4.2 pip install supervisor~=4.2
RUN mkdir -p /etc/supervisor/conf.d RUN mkdir -p /etc/supervisor/conf.d
# Copy over redis and nginx # Copy over redis, nginx and matrix-authentication-service
COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin COPY --from=redis /usr/local/bin/redis-server /usr/local/bin
COPY --from=deps_base /usr/sbin/nginx /usr/sbin COPY --from=nginx /usr/sbin/nginx /usr/sbin
COPY --from=deps_base /usr/share/nginx /usr/share/nginx COPY --from=nginx /usr/share/nginx /usr/share/nginx
COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx COPY --from=nginx /usr/lib/nginx /usr/lib/nginx
COPY --from=deps_base /etc/nginx /etc/nginx COPY --from=nginx /etc/nginx /etc/nginx
RUN rm /etc/nginx/sites-enabled/default RUN mkdir /var/log/nginx /var/lib/nginx
RUN mkdir /var/log/nginx /var/lib/nginx RUN chown www-data /var/lib/nginx
RUN chown www-data /var/lib/nginx
# have nginx log to stderr/out # have nginx log to stderr/out
RUN ln -sf /dev/stdout /var/log/nginx/access.log RUN ln -sf /dev/stdout /var/log/nginx/access.log
RUN ln -sf /dev/stderr /var/log/nginx/error.log RUN ln -sf /dev/stderr /var/log/nginx/error.log
# Copy Synapse worker, nginx and supervisord configuration template files COPY --from=mas /usr/local/bin/mas-cli /usr/local/bin
COPY ./docker/conf-workers/* /conf/ COPY --from=mas /usr/local/share/mas-cli /usr/local/share
# Copy a script to prefix log lines with the supervisor program name # Copy Synapse worker, nginx and supervisord configuration template files
COPY ./docker/prefix-log /usr/local/bin/ COPY ./docker/conf-workers/* /conf/
# Expose nginx listener port # Copy a script to prefix log lines with the supervisor program name
EXPOSE 8080/tcp COPY ./docker/prefix-log /usr/local/bin/
# A script to read environment variables and create the necessary # Expose nginx listener port
# files to run the desired worker configuration. Will start supervisord. EXPOSE 8080/tcp
COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py
ENTRYPOINT ["/configure_workers_and_start.py"]
# Replace the healthcheck with one which checks *all* the workers. The script # A script to read environment variables and create the necessary
# is generated by configure_workers_and_start.py. # files to run the desired worker configuration. Will start supervisord.
HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \ COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py
CMD /bin/sh /healthcheck.sh ENTRYPOINT ["/configure_workers_and_start.py"]
# Replace the healthcheck with one which checks *all* the workers. The script
# is generated by configure_workers_and_start.py.
HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
CMD /bin/sh /healthcheck.sh

View file

@ -6,11 +6,17 @@
# Instructions for building this image from those it depends on is detailed in this guide: # Instructions for building this image from those it depends on is detailed in this guide:
# https://github.com/element-hq/synapse/blob/develop/docker/README-testing.md#testing-with-postgresql-and-single-or-multi-process-synapse # https://github.com/element-hq/synapse/blob/develop/docker/README-testing.md#testing-with-postgresql-and-single-or-multi-process-synapse
ARG SYNAPSE_VERSION=latest
# This is an intermediate image, to be built locally (not pulled from a registry). # This is an intermediate image, to be built locally (not pulled from a registry).
ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION ARG SYNAPSE_WORKERS_IMAGE=synapse-workers
ARG POSTGRES_VERSION=13
ARG POSTGRES_IMAGE=docker.io/library/postgres:$POSTGRES_VERSION-bookworm
# Save the Postgres image for later
FROM $POSTGRES_IMAGE AS postgres
FROM $SYNAPSE_WORKERS_IMAGE
FROM $FROM
# First of all, we copy postgres server from the official postgres image, # First of all, we copy postgres server from the official postgres image,
# since for repeated rebuilds, this is much faster than apt installing # since for repeated rebuilds, this is much faster than apt installing
# postgres each time. # postgres each time.
@ -20,8 +26,8 @@ FROM $FROM
# the same debian version as Synapse's docker image (so the versions of the # the same debian version as Synapse's docker image (so the versions of the
# shared libraries match). # shared libraries match).
RUN adduser --system --uid 999 postgres --home /var/lib/postgresql RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
COPY --from=docker.io/library/postgres:13-bookworm /usr/lib/postgresql /usr/lib/postgresql COPY --from=postgres /usr/lib/postgresql /usr/lib/postgresql
COPY --from=docker.io/library/postgres:13-bookworm /usr/share/postgresql /usr/share/postgresql COPY --from=postgres /usr/share/postgresql /usr/share/postgresql
RUN mkdir /var/run/postgresql && chown postgres /var/run/postgresql RUN mkdir /var/run/postgresql && chown postgres /var/run/postgresql
ENV PATH="${PATH}:/usr/lib/postgresql/13/bin" ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"
ENV PGDATA=/var/lib/postgresql/data ENV PGDATA=/var/lib/postgresql/data
@ -29,9 +35,10 @@ ENV PGDATA=/var/lib/postgresql/data
# We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image. # We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image.
RUN gosu postgres initdb --locale=C --encoding=UTF-8 --auth-host password RUN gosu postgres initdb --locale=C --encoding=UTF-8 --auth-host password
# Configure a password and create a database for Synapse # Configure a password and create a database for Synapse and MAS
RUN echo "ALTER USER postgres PASSWORD 'somesecret'" | gosu postgres postgres --single RUN echo "ALTER USER postgres PASSWORD 'somesecret'" | gosu postgres postgres --single
RUN echo "CREATE DATABASE synapse" | gosu postgres postgres --single RUN echo "CREATE DATABASE synapse" | gosu postgres postgres --single
RUN echo "CREATE DATABASE mas" | gosu postgres postgres --single
# Extend the shared homeserver config to disable rate-limiting, # Extend the shared homeserver config to disable rate-limiting,
# set Complement's static shared secret, enable registration, amongst other # set Complement's static shared secret, enable registration, amongst other

View file

@ -20,4 +20,15 @@ app_service_config_files:
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{% if enable_mas %}
experimental_features:
msc3861:
enabled: true
issuer: "http://localhost:8008/"
client_id: "0000000000000000000SYNAPSE"
client_auth_method: client_secret_basic
client_secret: choozia3ThiefahZaofeiveish1kahr0
admin_token: eeShoo4ceebae4Lo4Che1hoofoophaiz
{% endif %}
{{ shared_worker_config }} {{ shared_worker_config }}

View file

@ -35,3 +35,12 @@ autorestart=true
# Redis can be disabled if the image is being used without workers # Redis can be disabled if the image is being used without workers
autostart={{ enable_redis }} autostart={{ enable_redis }}
[program:mas]
comamnd=/usr/local/bin/prefix-log /usr/local/bin/mas-cli --config /conf/mas.yaml
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
autorestart=unexpected
autostart={{ enable_mas }}

View file

@ -959,6 +959,7 @@ def generate_worker_files(
shared_worker_config=yaml.dump(shared_config), shared_worker_config=yaml.dump(shared_config),
appservice_registrations=appservice_registrations, appservice_registrations=appservice_registrations,
enable_redis=workers_in_use, enable_redis=workers_in_use,
enable_mas=False,
workers_in_use=workers_in_use, workers_in_use=workers_in_use,
using_unix_sockets=using_unix_sockets, using_unix_sockets=using_unix_sockets,
) )
@ -981,6 +982,7 @@ def generate_worker_files(
"/etc/supervisor/supervisord.conf", "/etc/supervisor/supervisord.conf",
main_config_path=config_path, main_config_path=config_path,
enable_redis=workers_in_use, enable_redis=workers_in_use,
enable_mas=False,
using_unix_sockets=using_unix_sockets, using_unix_sockets=using_unix_sockets,
) )

View file

@ -167,11 +167,11 @@ if [ -z "$skip_docker_build" ]; then
-f "docker/editable.Dockerfile" . -f "docker/editable.Dockerfile" .
$CONTAINER_RUNTIME build -t synapse-workers-editable \ $CONTAINER_RUNTIME build -t synapse-workers-editable \
--build-arg FROM=synapse-editable \ --build-arg SYNAPSE_IMAGE=synapse-editable \
-f "docker/Dockerfile-workers" . -f "docker/Dockerfile-workers" .
$CONTAINER_RUNTIME build -t complement-synapse-editable \ $CONTAINER_RUNTIME build -t complement-synapse-editable \
--build-arg FROM=synapse-workers-editable \ --build-arg SUNAPSE_WORKERS_IMAGE=synapse-workers-editable \
-f "docker/complement/Dockerfile" "docker/complement" -f "docker/complement/Dockerfile" "docker/complement"
# Prepare the Rust module # Prepare the Rust module
@ -180,21 +180,24 @@ if [ -z "$skip_docker_build" ]; then
else else
# Build the base Synapse image from the local checkout # Build the base Synapse image from the local checkout
echo_if_github "::group::Build Docker image: matrixdotorg/synapse" echo_if_github "::group::Build Docker image: synapse"
$CONTAINER_RUNTIME build -t matrixdotorg/synapse \ $CONTAINER_RUNTIME build -t synapse \
--build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \ --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \
--build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \ --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \
-f "docker/Dockerfile" . -f "docker/Dockerfile" .
echo_if_github "::endgroup::" echo_if_github "::endgroup::"
# Build the workers docker image (from the base Synapse image we just built). # Build the workers docker image (from the base Synapse image we just built).
echo_if_github "::group::Build Docker image: matrixdotorg/synapse-workers" echo_if_github "::group::Build Docker image: synapse-workers"
$CONTAINER_RUNTIME build -t matrixdotorg/synapse-workers -f "docker/Dockerfile-workers" . $CONTAINER_RUNTIME build -t synapse-workers \
--build-arg SYNAPSE_IMAGE=synapse \
-f "docker/Dockerfile-workers" .
echo_if_github "::endgroup::" echo_if_github "::endgroup::"
# Build the unified Complement image (from the worker Synapse image we just built). # Build the unified Complement image (from the worker Synapse image we just built).
echo_if_github "::group::Build Docker image: complement/Dockerfile" echo_if_github "::group::Build Docker image: complement-synapse"
$CONTAINER_RUNTIME build -t complement-synapse \ $CONTAINER_RUNTIME build -t complement-synapse \
--build-arg SYNAPSE_WORKERS_IMAGE=synapse-workers \
-f "docker/complement/Dockerfile" "docker/complement" -f "docker/complement/Dockerfile" "docker/complement"
echo_if_github "::endgroup::" echo_if_github "::endgroup::"