Upgrade Synapse (1.46.0 -> 1.47.0)

We had to remove UID/GID environment variables that we used to pass to the Synapse container, because it was causing a problem after https://github.com/matrix-org/synapse/pull/11209 We were using both `--user` and UID/GID environment variables until now.
3 years ago · e1a6d1e4b2
parent 75cb4ce3b0
commit e1a6d1e4b2
6 changed files with 36 additions and 23 deletions
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.46.0
-matrix_synapse_version_arm64: v1.46.0
+matrix_synapse_version: v1.47.0
+matrix_synapse_version_arm64: v1.47.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

--- a/roles/matrix-synapse/tasks/synapse/setup_install.yml
+++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml
@ -67,8 +67,6 @@
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
-    -e UID={{ matrix_user_uid }}
-    -e GID={{ matrix_user_gid }}
    -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
    -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }}
    -e SYNAPSE_REPORT_STATS=no
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -66,8 +66,28 @@ pid_file: /homeserver.pid
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
+# Defaults to 'https://<server_name>/'.
+#
 public_baseurl: https://{{ matrix_server_fqn_matrix }}/

+# Uncomment the following to tell other servers to send federation traffic on
+# port 443.
+#
+# By default, other servers will try to reach our server on port 8448, which can
+# be inconvenient in some environments.
+#
+# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
+# option configures Synapse to serve a file at
+# 'https://<server_name>/.well-known/matrix/server'. This will tell other
+# servers to send traffic to port 443 instead.
+#
+# See https://matrix-org.github.io/synapse/latest/delegate.html for more
+# information.
+#
+# Defaults to 'false'.
+#
+#serve_server_wellknown: true
+
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
 # hard limit.
@ -1271,7 +1291,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # in on this server.
 #
 # (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
+# This setting is ignored unless public_baseurl is also explicitly set.)
 #
 #default_identity_server: https://matrix.org

@ -1296,8 +1316,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
 account_threepid_delegates:
    email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
    msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
@ -1990,11 +2008,10 @@ sso:
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
+    # The login fallback page (used by clients that don't natively support the
+    # required login flows) is whitelisted in addition to any URLs in this list.
    #
-    # By default, this list is empty.
+    # By default, this list contains only the login fallback page.
    #
    #client_whitelist:
    #  - https://riot.im/develop
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
@ -17,8 +17,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			-e UID={{ matrix_user_uid }} \
-			-e GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -33,8 +33,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 3
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			--env=UID={{ matrix_user_uid }} \
-			--env=GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@ -271,19 +271,19 @@ matrix_synapse_workers_media_repository_endpoints:
  # expose the `media` resource. For example:

  # ```yaml
-  #     worker_listeners:
-  #      - type: http
-  #        port: 8085
-  #        resources:
-  #          - names:
-  #            - media
+  # worker_listeners:
+  #  - type: http
+  #    port: 8085
+  #    resources:
+  #      - names:
+  #        - media
  # ```

  # Note that if running multiple media repositories they must be on the same server
  # and you must configure a single instance to run the background tasks, e.g.:

  # ```yaml
-  #     media_instance_running_background_jobs: "media-repository-1"
+  # media_instance_running_background_jobs: "media-repository-1"
  # ```

  # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately).
@ -319,7 +319,9 @@ matrix_synapse_workers_frontend_proxy_endpoints:
  # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration
  # file. For example:

-  #     worker_main_http_uri: http://127.0.0.1:{{ matrix_synapse_container_client_api_port }}
+  # ```yaml
+  # worker_main_http_uri: http://127.0.0.1:8008
+  # ```

 matrix_synapse_workers_avail_list:
  - appservice