mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-14 00:33:46 +01:00
Docker: avoid changing userid unnecessarily (#11209)
* Docker image: avoid changing user during `generate` The intention was always that the config files get written as the initial user (normally root) - only the data directory needs to be writable by Synapse. This got changed in https://github.com/matrix-org/synapse/pull/5970, but that seems to have been a mistake. * Avoid changing user if no explicit UID is given * changelog
This commit is contained in:
parent
3ae1464efd
commit
0b99d4c8d2
3 changed files with 28 additions and 23 deletions
1
changelog.d/11209.docker
Normal file
1
changelog.d/11209.docker
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Avoid changing userid when started as a non-root user, and no explicit `UID` is set.
|
|
@ -65,7 +65,8 @@ The following environment variables are supported in `generate` mode:
|
||||||
* `SYNAPSE_DATA_DIR`: where the generated config will put persistent data
|
* `SYNAPSE_DATA_DIR`: where the generated config will put persistent data
|
||||||
such as the database and media store. Defaults to `/data`.
|
such as the database and media store. Defaults to `/data`.
|
||||||
* `UID`, `GID`: the user id and group id to use for creating the data
|
* `UID`, `GID`: the user id and group id to use for creating the data
|
||||||
directories. Defaults to `991`, `991`.
|
directories. If unset, and no user is set via `docker run --user`, defaults
|
||||||
|
to `991`, `991`.
|
||||||
|
|
||||||
## Running synapse
|
## Running synapse
|
||||||
|
|
||||||
|
@ -97,7 +98,9 @@ The following environment variables are supported in `run` mode:
|
||||||
`<SYNAPSE_CONFIG_DIR>/homeserver.yaml`.
|
`<SYNAPSE_CONFIG_DIR>/homeserver.yaml`.
|
||||||
* `SYNAPSE_WORKER`: module to execute, used when running synapse with workers.
|
* `SYNAPSE_WORKER`: module to execute, used when running synapse with workers.
|
||||||
Defaults to `synapse.app.homeserver`, which is suitable for non-worker mode.
|
Defaults to `synapse.app.homeserver`, which is suitable for non-worker mode.
|
||||||
* `UID`, `GID`: the user and group id to run Synapse as. Defaults to `991`, `991`.
|
* `UID`, `GID`: the user and group id to run Synapse as. If unset, and no user
|
||||||
|
is set via `docker run --user`, defaults to `991`, `991`. Note that this user
|
||||||
|
must have permission to read the config files, and write to the data directories.
|
||||||
* `TZ`: the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) the container will run with. Defaults to `UTC`.
|
* `TZ`: the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) the container will run with. Defaults to `UTC`.
|
||||||
|
|
||||||
For more complex setups (e.g. for workers) you can also pass your args directly to synapse using `run` mode. For example like this:
|
For more complex setups (e.g. for workers) you can also pass your args directly to synapse using `run` mode. For example like this:
|
||||||
|
|
|
@ -120,6 +120,7 @@ def generate_config_from_template(config_dir, config_path, environ, ownership):
|
||||||
]
|
]
|
||||||
|
|
||||||
if ownership is not None:
|
if ownership is not None:
|
||||||
|
log(f"Setting ownership on /data to {ownership}")
|
||||||
subprocess.check_output(["chown", "-R", ownership, "/data"])
|
subprocess.check_output(["chown", "-R", ownership, "/data"])
|
||||||
args = ["gosu", ownership] + args
|
args = ["gosu", ownership] + args
|
||||||
|
|
||||||
|
@ -144,12 +145,18 @@ def run_generate_config(environ, ownership):
|
||||||
config_path = environ.get("SYNAPSE_CONFIG_PATH", config_dir + "/homeserver.yaml")
|
config_path = environ.get("SYNAPSE_CONFIG_PATH", config_dir + "/homeserver.yaml")
|
||||||
data_dir = environ.get("SYNAPSE_DATA_DIR", "/data")
|
data_dir = environ.get("SYNAPSE_DATA_DIR", "/data")
|
||||||
|
|
||||||
|
if ownership is not None:
|
||||||
|
# make sure that synapse has perms to write to the data dir.
|
||||||
|
log(f"Setting ownership on {data_dir} to {ownership}")
|
||||||
|
subprocess.check_output(["chown", ownership, data_dir])
|
||||||
|
|
||||||
# create a suitable log config from our template
|
# create a suitable log config from our template
|
||||||
log_config_file = "%s/%s.log.config" % (config_dir, server_name)
|
log_config_file = "%s/%s.log.config" % (config_dir, server_name)
|
||||||
if not os.path.exists(log_config_file):
|
if not os.path.exists(log_config_file):
|
||||||
log("Creating log config %s" % (log_config_file,))
|
log("Creating log config %s" % (log_config_file,))
|
||||||
convert("/conf/log.config", log_config_file, environ)
|
convert("/conf/log.config", log_config_file, environ)
|
||||||
|
|
||||||
|
# generate the main config file, and a signing key.
|
||||||
args = [
|
args = [
|
||||||
"python",
|
"python",
|
||||||
"-m",
|
"-m",
|
||||||
|
@ -168,29 +175,23 @@ def run_generate_config(environ, ownership):
|
||||||
"--open-private-ports",
|
"--open-private-ports",
|
||||||
]
|
]
|
||||||
# log("running %s" % (args, ))
|
# log("running %s" % (args, ))
|
||||||
|
|
||||||
if ownership is not None:
|
|
||||||
# make sure that synapse has perms to write to the data dir.
|
|
||||||
subprocess.check_output(["chown", ownership, data_dir])
|
|
||||||
|
|
||||||
args = ["gosu", ownership] + args
|
|
||||||
os.execv("/usr/sbin/gosu", args)
|
|
||||||
else:
|
|
||||||
os.execv("/usr/local/bin/python", args)
|
os.execv("/usr/local/bin/python", args)
|
||||||
|
|
||||||
|
|
||||||
def main(args, environ):
|
def main(args, environ):
|
||||||
mode = args[1] if len(args) > 1 else "run"
|
mode = args[1] if len(args) > 1 else "run"
|
||||||
desired_uid = int(environ.get("UID", "991"))
|
|
||||||
desired_gid = int(environ.get("GID", "991"))
|
|
||||||
synapse_worker = environ.get("SYNAPSE_WORKER", "synapse.app.homeserver")
|
|
||||||
if (desired_uid == os.getuid()) and (desired_gid == os.getgid()):
|
|
||||||
ownership = None
|
|
||||||
else:
|
|
||||||
ownership = "{}:{}".format(desired_uid, desired_gid)
|
|
||||||
|
|
||||||
if ownership is None:
|
# if we were given an explicit user to switch to, do so
|
||||||
log("Will not perform chmod/gosu as UserID already matches request")
|
ownership = None
|
||||||
|
if "UID" in environ:
|
||||||
|
desired_uid = int(environ["UID"])
|
||||||
|
desired_gid = int(environ.get("GID", "991"))
|
||||||
|
ownership = f"{desired_uid}:{desired_gid}"
|
||||||
|
elif os.getuid() == 0:
|
||||||
|
# otherwise, if we are running as root, use user 991
|
||||||
|
ownership = "991:991"
|
||||||
|
|
||||||
|
synapse_worker = environ.get("SYNAPSE_WORKER", "synapse.app.homeserver")
|
||||||
|
|
||||||
# In generate mode, generate a configuration and missing keys, then exit
|
# In generate mode, generate a configuration and missing keys, then exit
|
||||||
if mode == "generate":
|
if mode == "generate":
|
||||||
|
|
Loading…
Reference in a new issue