
Commit 9a4ff41

Add a new dockerfile for worker-mode synapse (#62)
This PR adds a new Dockerfile containing the configuration for a Synapse running in worker mode. Some additional files were required to support the image. 1. A caddy binary needed to be placed in the container for terminating TLS requests on the federation port (thanks to Conduit for the idea!). The included file is a Caddy config JSON file. 2. A shared config file to hand to each Synapse worker was necessary. This file is subtly different from [dockerfiles/synapse/homeserver.yaml](https://github.com/matrix-org/complement/blob/master/dockerfiles/synapse/homeserver.yaml), though it may be nice to have both files be derived from a shared file in the future. The intention of this is to add testing of Synapse in worker mode to Complement's CI. It is paired with matrix-org/synapse#9162.
1 parent b7af8fc commit 9a4ff41


3 files changed

+188
-0
lines changed


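--- a/dockerfiles/SynapseWorkers.Dockerfile
+++ b/dockerfiles/SynapseWorkers.Dockerfile
@@ -0,0 +1,53 @@
+# This dockerfile builds on top of Dockerfile-worker and includes a built-in postgres instance
+# as well as sets up the homeserver so that it is ready for testing via Complement
+FROM matrixdotorg/synapse:workers
+
+# Download a caddy server to stand in front of nginx and terminate TLS using Complement's
+# custom CA.
+# We include this near the top of the file in order to cache the result.
+RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && \
+tar xzf caddy_2.3.0_linux_amd64.tar.gz && rm caddy_2.3.0_linux_amd64.tar.gz && mv caddy /root
+
+# Install postgresql
+RUN apt-get update
+RUN apt-get install -y postgresql
+
+# Configure a user and create a database for Synapse
+RUN pg_ctlcluster 11 main start && su postgres -c "echo \
+\"ALTER USER postgres PASSWORD 'somesecret'; \
+CREATE DATABASE synapse \
+ENCODING 'UTF8' \
+LC_COLLATE='C' \
+LC_CTYPE='C' \
+template=template0;\" | psql" && pg_ctlcluster 11 main stop
+
+# Modify the shared homeserver config with postgres support, certificate setup
+# and the disabling of rate-limiting
+COPY synapse/workers-shared.yaml /conf/workers/shared.yaml
+
+WORKDIR /root
+
+# Copy the caddy config
+COPY synapse/caddy.complement.json /root/caddy.json
+
+# Expose caddy's listener ports
+EXPOSE 8008 8448
+
+ENTRYPOINT \
+# Replace the server name in the caddy config
+sed -i "s/{{ server_name }}/${SERVER_NAME}/g" /root/caddy.json && \
+# Start postgres
+pg_ctlcluster 11 main start > /dev/null 2>&1 && \
+# Start caddy
+/root/caddy start --config /root/caddy.json > /dev/null 2>&1 && \
+# Set the server name of the homeserver
+SYNAPSE_SERVER_NAME=${SERVER_NAME} \
+# No need to report stats here
+SYNAPSE_REPORT_STATS=no \
+# Set postgres authentication details which will be placed in the homeserver config file
+POSTGRES_PASSWORD=somesecret POSTGRES_USER=postgres POSTGRES_HOST=localhost \
+# Use all available worker types
+SYNAPSE_WORKERS=* \
+# Run the script that writes the necessary config files and starts supervisord, which in turn
+# starts everything else
+/configure_workers_and_start.py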
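Review bot: The caddy tarball fetched on line 8 is never checksum-verified, so the binary that terminates TLS for federation is whatever the download URL happens to serve at build time; the v2.3.0 release publishes `caddy_2.3.0_checksums.txt`, so pin the sha256 and fail the build on mismatch, e.g. `curl -fsSLO "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && echo "<sha256 from caddy_2.3.0_checksums.txt>  caddy_2.3.0_linux_amd64.tar.gz" | sha256sum -c -`. The `-f` matters too: plain `-OL` writes an HTML error page to the archive name on a 404 and the failure only surfaces as a confusing `tar` error. Separately, the shell-form `ENTRYPOINT` leaves `/bin/sh` as PID 1, so `docker stop` signals never reach supervisord; changing the final line to `exec /configure_workers_and_start.py` fixes that without touching the rest of the chain. The fixed `somesecret` postgres password and running as root are tolerable only because this is a CI fixture, and a header comment such as `# Test-only image: runs as root and bakes in a fixed postgres password; never deploy it.` would keep it from being copied into a real image.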
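--- a/dockerfiles/synapse/caddy.complement.json
+++ b/dockerfiles/synapse/caddy.complement.json
@@ -0,0 +1,76 @@
+{
+"apps": {
+"http": {
+"servers": {
+"srv0": {
+"listen": [
+":8448"
+],
+"routes": [
+{
+"match": [
+{
+"host": [
+"{{ server_name }}"
+]
+}
+],
+"handle": [
+{
+"handler": "subroute",
+"routes": [
+{
+"handle": [
+{
+"handler": "reverse_proxy",
+"upstreams": [
+{
+"dial": "localhost:8008"
+}
+]
+}
+]
+}
+]
+}
+],
+"terminal": true
+}
+]
+}
+}
+},
+"tls": {
+"automation": {
+"policies": [
+{
+"subjects": [
+"{{ server_name }}"
+],
+"issuers": [
+{
+"module": "internal"
+}
+],
+"on_demand": true
+}
+]
+}
+},
+"pki": {
+"certificate_authorities": {
+"local": {
+"name": "Complement CA",
+"root": {
+"certificate": "/ca/ca.crt",
+"private_key": "/ca/ca.key"
+},
+"intermediate": {
+"certificate": "/ca/ca.crt",
+"private_key": "/ca/ca.key"
+}
+}
+}
+}
+}
+}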
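Review bot: `"on_demand": true` in the automation policy is unnecessary here and presumably delays the first error: the only subject is `{{ server_name }}`, which the Dockerfile substitutes with sed before Caddy starts, so a non-on-demand policy would have Caddy mint the leaf certificate from the internal issuer at startup, surfacing a missing or unreadable `/ca/ca.key` on launch rather than on the first federation handshake. Dropping the `"on_demand": true` line is the whole change. Caddy's documentation warns that on-demand issuance without an `ask` endpoint lets any client trigger issuance; with one pinned subject that risk is bounded, but it is a pattern worth not carrying into non-test configs. Because this file is JSON and cannot carry a comment, the rationale (including that the same `/ca/ca.key` is both the issuing key and the federation trust root in the shared yaml, so anyone with the mounted key can mint certs for any name) belongs in the Dockerfile comment next to `COPY synapse/caddy.complement.json`.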
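--- a/dockerfiles/synapse/workers-shared.yaml
+++ b/dockerfiles/synapse/workers-shared.yaml
@@ -0,0 +1,59 @@
+## Server ##
+report_stats: False
+trusted_key_servers: []
+enable_registration: true
+
+## Federation ##
+
+# disable verification of federation certificates
+#
+# TODO: Figure out why this is still needed even though we are making use of the custom CA
+federation_verify_certificates: false
+
+# trust certs signed by Complement's CA
+federation_custom_ca_list:
+- /ca/ca.crt
+
+# unblacklist RFC1918 addresses
+federation_ip_range_blacklist: []
+
+# Disable server rate-limiting
+rc_federation:
+window_size: 1000
+sleep_limit: 10
+sleep_delay: 500
+reject_limit: 99999
+concurrent: 3
+
+rc_message:
+per_second: 9999
+burst_count: 9999
+
+rc_registration:
+per_second: 9999
+burst_count: 9999
+
+rc_login:
+address:
+per_second: 9999
+burst_count: 9999
+account:
+per_second: 9999
+burst_count: 9999
+failed_attempts:
+per_second: 9999
+burst_count: 9999
+
+rc_admin_redaction:
+per_second: 9999
+burst_count: 9999
+
+rc_joins:
+local:
+per_second: 9999
+burst_count: 9999
+remote:
+per_second: 9999
+burst_count: 9999
+
+federation_rr_transactions_per_room_per_second: 9999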
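Review bot: `federation_verify_certificates: false` on line 11 switches off federation TLS verification outright, which presumably makes the `federation_custom_ca_list` entry below it a no-op until the TODO is resolved; combined with `federation_ip_range_blacklist: []` (removing Synapse's guard against federation requests reaching private and link-local addresses) and the 9999 rate limits, this file disables most of the homeserver's defensive defaults. None of that is wrong for a Complement CI fixture, but nothing in the file says so, and a copied config would carry these settings into a real deployment. Add a header before `## Server ##` along the lines of `# Test-only Synapse config for Complement: TLS verification, the federation IP blacklist and rate limits are deliberately disabled. Do not use as a template for a deployed homeserver.` The `enable_registration: true` line likewise deserves a one-line note, `# open registration is presumably required by Complement's registration tests`, so it is not mistaken for a recommended default.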
