From 433780384ef4cfa1d4d620d0e1493c443cddf0ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Feb 2019 10:42:27 +0200 Subject: [PATCH] Do not use docker_container module Using `docker_container` with a `cap_drop` argument requires Ansible >=2.7. We want to support older versions too (2.4), so we either need to stop invoking it with `cap_drop` (insecure), or just stop using the module altogether. Since it was suffering from other bugs too (not deleting containers on failure), we've decided to remove `docker_container` usage completely. --- .../tasks/import_sqlite_db.yml | 43 ++++++++----------- .../tasks/setup_synapse_main.yml | 29 +++++++------ 2 files changed, 34 insertions(+), 38 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index c989dca9e..d5fc832fa 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -64,27 +64,22 @@ delegate_to: 127.0.0.1 become: false -# If the actual migration command (below) fails, it will leave a container behind. -# Starting it again later will relaunch that one, which may or may not work. -# To ensure we're starting from a clean state, ensure any such leftovers are removed. -- name: Cleanup any old leftover migration container - docker_container: - name: matrix-synapse-migrate - state: absent - -- name: Importing SQLite database into Postgres - docker_container: - name: matrix-synapse-migrate - image: "{{ matrix_synapse_docker_image }}" - detach: no - cleanup: yes - entrypoint: /usr/local/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml" - user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" - cap_drop: ['all'] - volumes: - - "{{ matrix_synapse_config_dir_path }}:/data" - - "{{ matrix_synapse_run_path }}:/matrix-run" - - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro" - networks: - - name: "{{ matrix_docker_network }}" +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +# +# Also, some old `docker_container` versions were buggy and would leave containers behind +# on failure, which we had to work around to allow retries (by re-running the playbook). +- name: Import SQLite database into Postgres + command: | + docker run + --rm + --name=matrix-synapse-migrate + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --entrypoint=python + -v {{ matrix_synapse_config_dir_path }}:/data + -v {{ matrix_synapse_run_path }}:/matrix-run + -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro + {{ matrix_synapse_docker_image }} + /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 57a296bc1..339f5650e 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -29,21 +29,22 @@ # We do this mostly so that the keys would get generated. # We'll replace the rest of the configuration with our own templates below. +# +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. - name: Generate initial Matrix config - docker_container: - name: matrix-config - image: "{{ matrix_synapse_docker_image }}" - detach: no - cleanup: yes - command: generate - env: - SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" - SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" - SYNAPSE_REPORT_STATS: "no" - user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" - cap_drop: ['all'] - volumes: - - "{{ matrix_synapse_config_dir_path }}:/data" + command: | + docker run + --rm + --name=matrix-config + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -v {{ matrix_synapse_config_dir_path }}:/data + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ hostname_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate when: "not matrix_synapse_config_stat.stat.exists" - name: Ensure Matrix homeserver config installed