From 63301b0ef1e3c1b85c7e0822abb03ea4be079aef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 08:25:43 +0200 Subject: [PATCH] Improvements around Synapse worker/metrics ports exposure There was a `matrix_nginx_proxy_enabled|default(False)` check, but: - it didn't seem to work reliably for some reason (hmm) - referring to a `matrix_nginx_proxy_*` variable from within the `matrix-synapse` role is not ideal - exposing always happened on `127.0.0.1`, which may not be good enough for some rarer setups (where the own webserver is external to the host) --- group_vars/matrix_servers | 3 +++ roles/matrix-synapse/defaults/main.yml | 8 ++++++++ .../synapse/systemd/matrix-synapse.service.j2 | 11 ++++------- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 56c9ebf6..f64b02a0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1276,6 +1276,9 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (ma # # For exposing the Synapse Manhole port (plain HTTP) to the local host. matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" +# +# For exposing the Synapse worker (and metrics) ports to the local host. +matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d159f8a3..7c00c3e5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -301,6 +301,14 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false + +# Controls whether the matrix-synapse container exposes the various worker ports +# (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. +# +# Takes an "" value (e.g. "127.0.0.1", "0.0.0.0", etc), or empty string to not expose. +# It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). +matrix_synapse_workers_container_host_bind_address: '' + # Default list of workers to spawn (order in accord to docs) # - no endpoints / doesn't need port mapping if port ends on 0 # - single-instance-only if 2nd last digit of port number is 0 diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 3bf51b6f..3b9ccdf8 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -45,19 +45,16 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} + {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} {% for worker in matrix_synapse_workers_enabled_list %} - {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} - {# Expose worker ports (by default in 18xxx range) on localhost, f.e. when using - an external reverse proxy outside the matrix docker network #} {% if worker.port != 0 %} - -p 127.0.0.1:{{ worker.port }}:{{ worker.port }} \ + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.port }}:{{ worker.port }} \ {% endif %} - {% endif %} - {# Expose worker metrics ports on localhost #} {% if worker.metrics_port != 0 %} - -p 127.0.0.1:{{ worker.metrics_port }}:{{ worker.metrics_port }} \ + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.metrics_port }}:{{ worker.metrics_port }} \ {% endif %} {% endfor %} + {% endif %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ {% for volume in matrix_synapse_container_additional_volumes %}