Do not use docker_container module

Using `docker_container` with a `cap_drop` argument requires
Ansible >=2.7.

We want to support older versions too (2.4), so we either need to
stop invoking it with `cap_drop` (insecure), or just stop using
the module altogether.

Since it was suffering from other bugs too (not deleting containers
on failure), we've decided to remove `docker_container` usage completely.

roles/matrix-postgres/tasks/import_sqlite_db.yml

@@ -64,27 +64,22 @@
   delegate_to: 127.0.0.1
   become: false
 
-# If the actual migration command (below) fails, it will leave a container behind.
-# Starting it again later will relaunch that one, which may or may not work.
-# To ensure we're starting from a clean state, ensure any such leftovers are removed.
-- name: Cleanup any old leftover migration container
-  docker_container:
-    name: matrix-synapse-migrate
-    state: absent
-
-- name: Importing SQLite database into Postgres
-  docker_container:
-    name: matrix-synapse-migrate
-    image: "{{ matrix_synapse_docker_image }}"
-    detach: no
-    cleanup: yes
-    entrypoint: /usr/local/bin/python
-    command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml"
-    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
-    cap_drop: ['all']
-    volumes:
-      - "{{ matrix_synapse_config_dir_path }}:/data"
-      - "{{ matrix_synapse_run_path }}:/matrix-run"
-      - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
-    networks:
-      - name: "{{ matrix_docker_network }}"
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
+#
+# Also, some old `docker_container` versions were buggy and would leave containers behind
+# on failure, which we had to work around to allow retries (by re-running the playbook).
+- name: Import SQLite database into Postgres
+  command: |
+    docker run
+    --rm
+    --name=matrix-synapse-migrate
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    --network={{ matrix_docker_network }}
+    --entrypoint=python
+    -v {{ matrix_synapse_config_dir_path }}:/data
+    -v {{ matrix_synapse_run_path }}:/matrix-run
+    -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
+    {{ matrix_synapse_docker_image }}
+    /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml

roles/matrix-synapse/tasks/setup_synapse_main.yml

@@ -29,21 +29,22 @@
 
 # We do this mostly so that the keys would get generated.
 # We'll replace the rest of the configuration with our own templates below.
+#
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
 - name: Generate initial Matrix config
-  docker_container:
-    name: matrix-config
-    image: "{{ matrix_synapse_docker_image }}"
-    detach: no
-    cleanup: yes
-    command: generate
-    env:
-      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
-      SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
-      SYNAPSE_REPORT_STATS: "no"
-    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
-    cap_drop: ['all']
-    volumes:
-      - "{{ matrix_synapse_config_dir_path }}:/data"
+  command: |
+    docker run
+    --rm
+    --name=matrix-config
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -v {{ matrix_synapse_config_dir_path }}:/data
+    -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+    -e SYNAPSE_SERVER_NAME={{ hostname_matrix }}
+    -e SYNAPSE_REPORT_STATS=no
+    {{ matrix_synapse_docker_image }}
+    generate
   when: "not matrix_synapse_config_stat.stat.exists"
 
 - name: Ensure Matrix homeserver config installed