Can't complete admin using the API #1846

Closed
TonySerpofski opened this issue May 21, 2022 · 6 comments
Labels
question This issue is a question related to installation

Comments


TonySerpofski commented May 21, 2022

Playbook Configuration:

My vars.yml file looks like this:

# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: ******.*******

# The Matrix homeserver software to install.
# See `roles/matrix-base/defaults/main.yml` for valid options.
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: '******************'

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: [email protected]
matrix_ssl_lets_encrypt_support_email: '*******@*************.******'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: '**********'

# This is where you access Jitsi.
matrix_server_fqn_jitsi: 'jitsi.***********.******'

#This setting serves the base domain from the Matrix server -- the federation can find the matrix server
matrix_nginx_proxy_base_domain_serving_enabled: true

#Jitsi stuff copied from https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-jitsi.md
#matrix_jitsi_enabled: true

#Synapse's Admin API exposed to the internet
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true

Matrix Server:

  • OS: Debian11 - AWS
  • Architecture amd64

Ansible:
Working fine

Problem description:

Installed the server via the playbook. All good. I need to get the admin api working but it's not. Tried the following commands with ' & " in various locations:

sudo curl -H "Authorization: Bearer syt_***************" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo curl -H "Authorization: Bearer syt_***************" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***************" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***************" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***************" http://mydominname.com:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

Do I need to call the api from inside the container?

Do I need to use iptables to route from 127.0.0.11 to the backend DNS resolver in the Docker Engine?

I even tried installing synadm. Same issue.

Can someone give me an example of an api command? I'm not sure if I'm using the correct commands and there are no real-world examples in the doc.

Client (please complete the following information):

  • Device: Terminal via ssh to server

Additional context

Getting the following errors (out of synadm) and nothing out of the server with the api:

reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Server: nginx
header: Date: Sat, 21 May 2022 03:14:40 GMT
header: Content-Type: text/html
header: Content-Length: 248
header: Connection: close
WARNING Synapse returned status code 400
ERROR JSONDecodeError while querying Synapse: Expecting value: line 1 column 1 (char 0)
Media list could not be fetched.

These are the ports I have open:

netstat -tnlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3478 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8448 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5349 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::3478 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::8448 :::* LISTEN -
tcp6 0 0 :::5349 :::* LISTEN -

@spantaleev
Owner

Using localhost to talk to Synapse may only work if matrix_nginx_proxy_enabled: false. In that case, we automatically expose the ports of some containers (like Synapse) on 127.0.0.1.

http://mydominname.com:8448 would be the federation API. It needs https too, not http. The Synapse Admin API is not available on this federation port.


You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.

Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).

@TonySerpofski
Author

http://matrix-synapse:8008

So accessing the api via this method:

You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.

I have to expose the api with:

matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true in the vars.yml file before running the playbook?


JOJ0 commented May 23, 2022

Hi @spantaleev sorry for hijacking this issue. I am here to improve synadm's documentation regarding the usage with matrix-docker-ansible-deploy installed Synapse instances. I tried to summarize in the README what's required: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy

I'd kindly ask if you could take a minute and confirm that this information is entirely correct :-) Thanks a ton in advance!

One question beforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse? Furthermore, with the name matrix you are referring to the name of the container network and not to the hostname?

Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).

@spantaleev
Owner

There is no special configuration required in vars.yaml. The default settings will do.

I think we need matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true for accessing the Synapse's Admin APIs via the public endpoint (https://matrix.DOMAIN)

If you access them from within the container network (using http://matrix-synapse:8008), you can avoid exposing the Synapse Admin APIs publicly on https://matrix.DOMAIN using matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true. For that, you need to start a container on that network (e.g. docker run -it --rm --network=matrix docker.io/alpine:3.15.2), install synadm there and use http://matrix-synapse:8008 to talk to Synapse. Alternatively, you can start a synadm container image directly, if one is available (e.g. docker run -it --rm --network=matrix docker.io/JOJ0/synadm:v0.34) and run your synadm commands there.


From what I see, there are 2 options for using synadm against a Synapse homeserver. Either in a container, on the same container network as matrix-synapse (--network=matrix), or anywhere (on the Matrix server or on some other server) with access happening via the public endpoint (https://matrix.DOMAIN). For the latter, one needs to expose Synapse's Admin APIs publicly by toggling matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled to true.


One question beforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse

Actually, containers started on the same network (--network=matrix in this case - the playbook starts all its containers there), all use the same DNS server (Docker's internal DNS server). When they say matrix-synapse or some-other-hostname, Docker's internal DNS server resolves that to the internal IP of the container (e.g. 172.18.0.4). This way, containers on the same network can reference each other by name. It's not a static reference hardcoded in /etc/hosts. It's a dynamic answer coming from Docker's internal DNS server. Containers can be restarted and change IPs, and even still Docker's internal DNS server will return the correct address each time you ask it.


Furthermore with the name matrix you are referring to the name of the container network and not to the hostname?

Yes. We create a custom Docker bridge network (docker network create --driver=bridge matrix) and we put all containers that we start in that network (docker run --network=matrix ...). That way, they're isolated from any other containers that may run on the host, and they can all easily talk to one another by name (thanks to Docker's internal DNS, described above).

As with all other things, the network name is configurable via the matrix_docker_network playbook variable (initially defined in roles/matrix-base/defaults/main.yml).
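
The two access paths described above, as an added example that is not part of the thread or of the playbook's own code: it percent-encodes the room ID, refuses the federation port and cleartext URLs other than the in-network name, and passes the token to curl on stdin. The function names, the `SYNAPSE_ADMIN_TOKEN` variable and the `docker.io/curlimages/curl` image are assumptions of this example; the network name `matrix` is the default named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: network "matrix", image
# docker.io/curlimages/curl, admin token in $SYNAPSE_ADMIN_TOKEN.

# Percent-encode all but RFC 3986 unreserved characters (ASCII input), so a
# room ID like "!abc:example.com" is one safe URL path segment.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# The room media-list endpoint from the question, under a given base URL.
room_media_url() {  # $1 = base URL, $2 = room ID
    printf '%s/_synapse/admin/v1/room/%s/media' "${1%/}" "$(urlencode "$2")"
}

# This example's policy for where a bearer token may be sent.
check_base() {
    case $1 in
        *:8448|*:8448/*) return 1 ;;            # federation port: no Admin API
        http://matrix-synapse:8008) return 0 ;; # container network, plain http
        https://*) return 0 ;;                  # public Client-Server endpoint
        *) return 1 ;;                          # any other cleartext/unknown URL
    esac
}

# GET the media list. The Authorization header is read from stdin (curl -H @-),
# so the token never appears in a process's argument list.
admin_room_media() {  # $1 = base URL, $2 = room ID
    check_base "$1" || { echo "refusing base URL: $1" >&2; return 2; }
    url=$(room_media_url "$1" "$2")
    if [ "$1" = http://matrix-synapse:8008 ]; then
        set -- docker run -i --rm --network=matrix docker.io/curlimages/curl
    else
        set -- curl
    fi
    printf 'Authorization: Bearer %s\n' "$SYNAPSE_ADMIN_TOKEN" | "$@" -sS -H @- "$url"
}

# Usage: admin_room_media http://matrix-synapse:8008 '!roomid:example.com'
```
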


JOJ0 commented May 24, 2022

Thanks for this superdetailed answer @spantaleev. All clear to me now! will adapt the readme and probably even additionally point here directly. Why not.

And thanks for the heads up. It is about time to provide synadm as a container ;-)


JOJ0 commented May 27, 2022

The synadm README is fixed and improved: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy

Thanks again @spantaleev for your help! Appreciated! And BTW thanks for maintaining matrix-docker-ansible-deploy! Great project helping admins to spread Matrix :-)

@luixxiul luixxiul added the question This issue is a question related to installation label Nov 5, 2024