Add a new dockerfile for worker-mode synapse (#62)
This PR adds a new Dockerfile containing the configuration for a Synapse running in worker mode. Some additional files were required to support the image.

1. A caddy binary needed to be placed in the container for terminating TLS requests on the federation port (thanks to Conduit for the idea!). The included file is a Caddy config json file.
2. A shared config file to hand to each Synapse worker was necessary. This file is subtly different from [dockerfiles/synapse/homeserver.yaml](https://github.com/matrix-org/complement/blob/master/dockerfiles/synapse/homeserver.yaml), though it may be nice to have both files be derived from a shared file in the future.

The intention of this is to add testing of Synapse in worker mode to Complement's CI. It is paired with matrix-org/synapse#9162.
anoadragon453 authored Jan 29, 2021
1 parent b7af8fc commit 9a4ff41
Showing 3 changed files with 188 additions and 0 deletions.
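--- a/dockerfiles/SynapseWorkers.Dockerfile
+++ b/dockerfiles/SynapseWorkers.Dockerfile
@@ -0,0 +1,53 @@
+# This dockerfile builds on top of Dockerfile-worker and includes a built-in postgres instance
+# as well as sets up the homeserver so that it is ready for testing via Complement
+FROM matrixdotorg/synapse:workers
+
+# Download a caddy server to stand in front of nginx and terminate TLS using Complement's
+# custom CA.
+# We include this near the top of the file in order to cache the result.
+RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && \
+tar xzf caddy_2.3.0_linux_amd64.tar.gz && rm caddy_2.3.0_linux_amd64.tar.gz && mv caddy /root
+
+# Install postgresql
+RUN apt-get update
+RUN apt-get install -y postgresql
+
+# Configure a user and create a database for Synapse
+RUN pg_ctlcluster 11 main start && su postgres -c "echo \
+\"ALTER USER postgres PASSWORD 'somesecret'; \
+CREATE DATABASE synapse \
+ENCODING 'UTF8' \
+LC_COLLATE='C' \
+LC_CTYPE='C' \
+template=template0;\" | psql" && pg_ctlcluster 11 main stop
+
+# Modify the shared homeserver config with postgres support, certificate setup
+# and the disabling of rate-limiting
+COPY synapse/workers-shared.yaml /conf/workers/shared.yaml
+
+WORKDIR /root
+
+# Copy the caddy config
+COPY synapse/caddy.complement.json /root/caddy.json
+
+# Expose caddy's listener ports
+EXPOSE 8008 8448
+
+ENTRYPOINT \
+# Replace the server name in the caddy config
+sed -i "s/{{ server_name }}/${SERVER_NAME}/g" /root/caddy.json && \
+# Start postgres
+pg_ctlcluster 11 main start > /dev/null 2>&1 && \
+# Start caddy
+/root/caddy start --config /root/caddy.json > /dev/null 2>&1 && \
+# Set the server name of the homeserver
+SYNAPSE_SERVER_NAME=${SERVER_NAME} \
+# No need to report stats here
+SYNAPSE_REPORT_STATS=no \
+# Set postgres authentication details which will be placed in the homeserver config file
+POSTGRES_PASSWORD=somesecret POSTGRES_USER=postgres POSTGRES_HOST=localhost \
+# Use all available worker types
+SYNAPSE_WORKERS=* \
+# Run the script that writes the necessary config files and starts supervisord, which in turn
+# starts everything else
+/configure_workers_and_start.py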
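Review bot: The caddy tarball fetched by the first RUN is extracted and installed with no integrity check and without `curl -f`, so the image trusts whatever the release URL returns at build time; pin the expected SHA-256 of the 2.3.0 archive and verify it in the same layer before `tar` runs. The two apt-get lines further down put `update` in its own layer, which is the stale-package-list cache problem, and never remove `/var/lib/apt/lists`; one combined RUN with `--no-install-recommends` fixes both. The shell-form ENTRYPOINT leaves `/configure_workers_and_start.py` as a child of `/bin/sh`, so SIGTERM from `docker stop` reaches the shell rather than supervisord; prefixing the last line with `exec` keeps the env-assignment chain as is (dash and bash both export assignments preceding `exec`). The `sed` on the first ENTRYPOINT line silently substitutes an empty string when `SERVER_NAME` is unset, so a `: "${SERVER_NAME:?SERVER_NAME must be set}"` guard at the head of the chain would fail fast instead.
```dockerfile
# … unchanged: FROM and caddy comment block …
RUN curl -fsSLo caddy.tar.gz "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && \
    echo "<sha256 of caddy_2.3.0_linux_amd64.tar.gz>  caddy.tar.gz" | sha256sum -c - && \
    tar xzf caddy.tar.gz caddy && rm caddy.tar.gz && mv caddy /root

# Install postgresql
RUN apt-get update && apt-get install -y --no-install-recommends postgresql && \
    rm -rf /var/lib/apt/lists/*
# … unchanged: database setup, COPY, WORKDIR, EXPOSE …
ENTRYPOINT \
    : "${SERVER_NAME:?SERVER_NAME must be set}" && \
# … unchanged: sed, postgres start, caddy start, SYNAPSE_*/POSTGRES_* assignments …
    exec /configure_workers_and_start.py
```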
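--- a/dockerfiles/synapse/caddy.complement.json
+++ b/dockerfiles/synapse/caddy.complement.json
@@ -0,0 +1,76 @@
+{
+"apps": {
+"http": {
+"servers": {
+"srv0": {
+"listen": [
+":8448"
+],
+"routes": [
+{
+"match": [
+{
+"host": [
+"{{ server_name }}"
+]
+}
+],
+"handle": [
+{
+"handler": "subroute",
+"routes": [
+{
+"handle": [
+{
+"handler": "reverse_proxy",
+"upstreams": [
+{
+"dial": "localhost:8008"
+}
+]
+}
+]
+}
+]
+}
+],
+"terminal": true
+}
+]
+}
+}
+},
+"tls": {
+"automation": {
+"policies": [
+{
+"subjects": [
+"{{ server_name }}"
+],
+"issuers": [
+{
+"module": "internal"
+}
+],
+"on_demand": true
+}
+]
+}
+},
+"pki": {
+"certificate_authorities": {
+"local": {
+"name": "Complement CA",
+"root": {
+"certificate": "/ca/ca.crt",
+"private_key": "/ca/ca.key"
+},
+"intermediate": {
+"certificate": "/ca/ca.crt",
+"private_key": "/ca/ca.key"
+}
+}
+}
+}
+}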
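Review bot: The `pki.certificate_authorities.local` block points both `root` and `intermediate` at the same `/ca/ca.crt` / `/ca/ca.key` pair, so the internal issuer signs leaf certificates with the Complement root key and presents that root certificate as the chain's intermediate. That is workable for a test fixture, but it is a non-standard chain, and the `federation_verify_certificates: false` TODO in workers-shared.yaml means something about verification is already not behaving as expected; it would be worth confirming whether Synapse's custom-CA check accepts this chain before leaving the TODO open. If the root is the only thing Complement provides, I believe omitting the `intermediate` entry lets Caddy generate its own intermediate signed by the configured root, which yields a conventional chain. `on_demand: true` is also set on a policy whose `subjects` is one fixed name, so issuance at startup should suffice and the flag could probably be dropped once that is confirmed.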
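--- a/dockerfiles/synapse/workers-shared.yaml
+++ b/dockerfiles/synapse/workers-shared.yaml
@@ -0,0 +1,59 @@
+## Server ##
+report_stats: False
+trusted_key_servers: []
+enable_registration: true
+
+## Federation ##
+
+# disable verification of federation certificates
+#
+# TODO: Figure out why this is still needed even though we are making use of the custom CA
+federation_verify_certificates: false
+
+# trust certs signed by Complement's CA
+federation_custom_ca_list:
+- /ca/ca.crt
+
+# unblacklist RFC1918 addresses
+federation_ip_range_blacklist: []
+
+# Disable server rate-limiting
+rc_federation:
+window_size: 1000
+sleep_limit: 10
+sleep_delay: 500
+reject_limit: 99999
+concurrent: 3
+
+rc_message:
+per_second: 9999
+burst_count: 9999
+
+rc_registration:
+per_second: 9999
+burst_count: 9999
+
+rc_login:
+address:
+per_second: 9999
+burst_count: 9999
+account:
+per_second: 9999
+burst_count: 9999
+failed_attempts:
+per_second: 9999
+burst_count: 9999
+
+rc_admin_redaction:
+per_second: 9999
+burst_count: 9999
+
+rc_joins:
+local:
+per_second: 9999
+burst_count: 9999
+remote:
+per_second: 9999
+burst_count: 9999
+
+federation_rr_transactions_per_room_per_second: 9999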
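Review bot: `report_stats: False` on the first key uses a capitalised boolean while every other boolean in the file is lowercase (`enable_registration: true`, `federation_verify_certificates: false`); YAML 1.1 accepts both spellings, but `report_stats: false` keeps the file consistent. `enable_registration: true` is the one default-relaxing setting here with no comment saying it exists for the Complement environment, unlike the certificate and RFC1918 entries which each carry one; a line such as `# allow Complement to register test users` above it would make the test-only scope explicit. The nesting of the `rc_*` maps and of the `federation_custom_ca_list` item is not visible on this rendered page, so their indentation cannot be checked from here.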