Commit Graph

98 Commits

Author SHA1 Message Date
Slavi Pantaleev
4b1d5c7de4
Ensure git cloning when self-building is done with the matrix user, not root
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1749
2022-04-15 11:55:57 +02:00
Aine
ac1bd49494
Update coturn 4.5.2-r8 -> 4.5.2-r11 2022-04-12 11:16:36 +00:00
Slavi Pantaleev
f4ba995d9b Fix validation and prevent empty "external-ip=" lines in Coturn config
We no longer validate that there's an IP address defined.
Seems like Coturn can start without one as well, so there's no need to
require it.

If people populate `matrix_coturn_turn_external_ip_addresses` directly
to specify multiple addresses, they can leave
`matrix_coturn_turn_external_ip_address` empty.

We use the "select not equal to empty string" thing in the for loop
to avoid `matrix_coturn_turn_external_ip_address` leading to
`matrix_coturn_turn_external_ip_addresses: ['']` leading to
`external-ip=` in the Coturn configuration.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1741
2022-04-11 15:38:35 +03:00
Hefty Zauk
03d2dcc996
Move into coturn defaults 2022-04-11 11:20:09 +00:00
heftyzauk
268b079374
Revert Coturn Address Change, add new Addresses var (#2) 2022-04-11 11:50:41 +01:00
heftyzauk
da31eecdb7
Merge branch 'spantaleev:master' into master 2022-04-11 11:42:49 +01:00
Slavi Pantaleev
0364c6c634 Suppress old container cleanup (kill/rm) failures
People often report and ask about these "failures".
More-so previously, when the `docker kill/rm` output was collected,
but it still happens now when people do `systemctl status
matrix-something` and notice that it says "FAILURE".

Suppressing to avoid further time being wasted on saying "this is
expected".
2022-04-11 09:05:33 +03:00
heftyzauk
29847627f1
Multi-IP coturn
Add support for multiple external turn IP addresses, this allows for better comptability with dualstack ipv4/ipv6 hosts, and is supported as per the documentation (point 6 here: https://matrix-org.github.io/synapse/latest/turn-howto.html#configuration)
2022-04-10 21:51:03 +01:00
Aine
2da3768b20
Added retries to the docker pulls (#1701) 2022-03-17 17:37:11 +02:00
Marko Weltzer
819574b8ba
Merge branch 'spantaleev:master' into master 2022-02-05 21:37:53 +01:00
Marko Weltzer
7e5b88c3b7 fix: all praise the allmighty yamllinter 2022-02-05 21:32:54 +01:00
Slavi Pantaleev
86c36523df Replace ExecStopPost with ExecStop
Reverts b1b4ba501f, 90c9801c56, a3c84f78ca, ..

I haven't really traced it (yet), but on some servers, I'm observing
`ansible-playbook ... --tags=start` completing very slowly, waiting
to stop services. I can't reproduce this on all Matrix servers I manage.
I suspect that either the systemd version is to blame or that some
specific service is not responding well to some `docker kill/rm` command.

`ExecStop` seems to work great in all cases and it's what we've been
using for a very long time, so I'm reverting to that.
2022-02-05 12:13:36 +02:00
Slavi Pantaleev
b1b4ba501f Replace ExecStop with ExecStopPost
ExecStopPost should allow us to clean up (docker kill + docker rm)
even if the ExecStart (docker run ..) command failed, and not just after
a graceful service stop was initiated.

Source: https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStopPost=
2022-01-04 17:27:25 +02:00
sakkiii
980c2b9a80
Update coturn (4.5.2-r4 -> 4.5.2-r8) 2021-12-15 18:35:13 +05:30
Slavi Pantaleev
735c966ab6 Disable systemd services when stopping to uninstall them
Until now, we were leaving services "enabled"
(symlinks in /etc/systemd/system/multi-user.target.wants/).

We clean these up now. Broken symlinks may still exist in older
installations that enabled/disabled services. We're not taking care
to fix these up. It's just a cosmetic defect anyway.
2021-11-10 17:39:21 +02:00
sakkiii
6feb99076a
Update Coturn (4.5.2-r3 -> 4.5.2-r4) 2021-08-29 15:40:00 +05:30
Slavi Pantaleev
dc8000760b Bump Coturn version tag (4.5.2-r2 -> 4.5.2-r3)
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1236
2021-08-18 09:50:10 +03:00
Slavi Pantaleev
b6d71b9da1 Fix self-building for Coturn
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1158
2021-07-03 10:06:09 +03:00
sakkiii
04805f35a7
Coturn update 4.5.2 -> 4.5.2-r2 2021-06-22 22:39:35 +05:30
sakkiii
1cc1202df2
update coturn 2021-06-08 23:59:31 +05:30
Slavi Pantaleev
fa76c1ee5b Do not run self-build Ansible version-check, if component not enabled
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1108
2021-06-08 08:59:02 +03:00
Slavi Pantaleev
47b4608b96 Fail in a friendlier way when trying to self-build on Ansible <= 2.8
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070

Related discussion here: 1ab507349c (commitcomment-51108407)
2021-05-21 11:15:05 +03:00
Slavi Pantaleev
1ab507349c Fix self-building for various components on Ansible < 2.8
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
2021-05-20 08:43:20 +03:00
Slavi Pantaleev
3dcc006932 Fix self-building for Coturn
689dcea773 wasn't enough. The `upstream/..` tags are
just upstream sources, without the alpine-based Dockerfile.
We need to use the `docker/..` tags for that (or `master`)

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1032

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009
2021-05-10 11:35:53 +03:00
Slavi Pantaleev
689dcea773 Fix self-building for Coturn
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009
2021-04-24 20:31:25 +03:00
Slavi Pantaleev
62c0587b6a Use Alpine-based Coturn 2021-04-22 15:05:37 +03:00
Dan Arnfield
b2ca1f2829 Add capability required by new image 2021-04-19 10:16:26 -05:00
Dan Arnfield
29177d4922 Switch to official coturn docker image 2021-04-19 09:04:08 -05:00
Slavi Pantaleev
fcb9e9618a Make Coturn TLSv1/v1.1 configurable
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999
2021-04-16 09:29:32 +03:00
sakkiii
540416e32d
Disable support for TLS 1.0 and TLS 1.1
These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
2021-04-15 19:25:23 +05:30
Ahmad Haghighi
e335f3fc77 rename matrix_global_registry to matrix_container_global_registry_prefix related to #990
Signed-off-by: Ahmad Haghighi <haghighi@fedoraproject.org>
2021-04-12 17:23:55 +04:30
Ahmad Haghighi
f52a8b6484 use custom docker registry 2021-04-12 17:23:55 +04:30
Hardy Erlinger
f4930d789e Run Let's Encrypt renewal checks daily instead of weekly.
This ensures more timely updates of certifcates.
2021-02-27 21:11:22 +01:00
rakshazi
2f887f292c
added "matrix_%SERVICE%_version" variable to all roles, use it in "matrix_%SERVICE%_docker_image" var (preserving backward-compatibility) 2021-02-20 19:08:28 +02:00
Slavi Pantaleev
512f42aa76 Do not report docker kill/rm attempts as errors
These are just defensive cleanup tasks that we run.
In the good case, there's nothing to kill or remove, so they trigger an
error like this:

> Error response from daemon: Cannot kill container: something: No such container: something

and:

> Error: No such container: something

People often ask us if this is a problem, so instead of always having to
answer with "no, this is to be expected", we'd rather eliminate it now
and make logs cleaner.

In the event that:
- a container is really stuck and needs cleanup using kill/rm
- and cleanup fails, and we fail to report it because of error
suppression (`2>/dev/null`)

.. we'd still get an error when launching ("container name already in use .."),
so it shouldn't be too hard to investigate.
2021-01-27 10:22:46 +02:00
Slavi Pantaleev
1cd251ed78 Don't delete Docker images which may have been pulled by another
Some people run Coturn or Jitsi, etc., by themselves and disable it
in the playbook.

Because the playbook is trying to be nice and clean up after itself,
it was deleting these Docker images.

However, people wish to pull and use them separately and would rather
they don't get deleted.

We could make this configurable for the sake of this special case, but
it's simpler to just avoid deleting these images.
It's not like this "cleaning things up" thing works anyway.
As time goes on, the playbook gets updated with newer image tags
and we leave so many images behind. If one doesn't run
`docker system prune -a` manually once in a while, they'd get swamped
with images anyway. Whether we leave a few images behind due to the lack
of this cleanup now is pretty much irrelevant.
2021-01-23 14:01:31 +02:00
Slavi Pantaleev
c1008fde44 Upgrade matrix-coturn (4.5.1.3 -> 4.5.2) 2021-01-18 00:41:47 +02:00
Slavi Pantaleev
1692a28fe4 Work around annoying Docker warning about undefined $HOME
> WARNING: Error loading config file: .dockercfg: $HOME is not defined

.. which appeared in Docker 20.10.
2021-01-15 00:23:01 +02:00
Slavi Pantaleev
e1690722f7 Replace cronjobs with systemd timers
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737

I feel like timers are somewhat more complicated and dirty (compared to
cronjobs), but they come with these benefits:

- log output goes to journald
- on newer systemd distros, you can see when the timer fired, when it
will fire, etc.
- we don't need to rely on cron (reducing our dependencies to just
systemd + Docker)

Cronjobs work well, but it's one more dependency that needs to be
installed. We were even asking people to install it manually
(in `docs/prerequisites.md`), which could have gone unnoticed.

Once in a while someone says "my SSL certificates didn't renew"
and it's likely because they forgot to install a cron daemon.

Switching to systemd timers means that installation is simpler
and more unified.
2021-01-14 23:35:50 +02:00
Slavi Pantaleev
05ca9357a8 Add .service suffix to systemd units list
We'll be adding `.timer` units later on, so it's good to be
more explicit.
2021-01-14 23:02:10 +02:00
Slavi Pantaleev
6f5aaad48d Split install/uninstall tasks in matrix-coturn 2021-01-14 22:11:38 +02:00
Slavi Pantaleev
8710883064
Merge pull request #743 from pushytoxin/docker_network
Drop the old workaround for an Ansible bug that has been fixed three years ago
2021-01-03 08:49:09 +02:00
Slavi Pantaleev
d08b27784f Fix systemd services autostart problem with Docker 20.10
The Docker 19.04 -> 20.10 upgrade contains the following change
in `/usr/lib/systemd/system/docker.service`:

```
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
+After=network-online.target firewalld.service containerd.service multi-user.target
-Requires=docker.socket
+Requires=docker.socket containerd.service
Wants=network-online.target
```

The `multi-user.target` requirement in `After` seems to be in conflict
with our `WantedBy=multi-user.target` and `After=docker.service` /
`Requires=docker.service` definitions, causing the following error on
startup for all of our systemd services:

> Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start

A workaround which appears to work is to add `DefaultDependencies=no`
to all of our services.
2020-12-10 11:43:20 +02:00
Béla Becker
6f9b4bd9ac Drop workaround for old Ansible docker_network bug 2020-12-05 19:02:10 +01:00
Slavi Pantaleev
be5263f397 Move self-building git repository URLs to variables (stop hardcoding) 2020-11-28 21:34:14 +02:00
Slavi Pantaleev
75f9fde7a4 Remove some more -v usage
Continuation of 1fca917ad1.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/722
2020-11-25 10:49:59 +02:00
Slavi Pantaleev
5eed874199 Improve self-building experience (avoid conflict with pullable images)
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/716

This patch makes us use more fully-qualified container image names
(either prefixed with docker.io/ or with localhost/).

The latter happens when self-building is enabled.

We've recently had issues where if an image was removed manually
and the service was restarted (making `docker run` fetch it from Docker Hub, etc.),
we'd end up with a pulled image, even though we're aiming for a self-built one.
Re-running the playbook would then not do a rebuild, because:
- the image with that name already exists (even though it's something
else)
- we sometimes had conditional logic where we'd build only if the git
repo changed

By explicitly changing the name of the images (prefixing with localhost/),
we avoid such confusion and the possibility that we'd automatically pul something
which is not what we expect.

Also, I've removed that condition where building would happen on git
changes only. We now always build (unless an image with that name
already exists). We just force-build when the git repo changes.
2020-11-14 23:00:49 +02:00
Slavi Pantaleev
2a1ec38e3a Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207

Using the cron module was hacky anyway. We shouldn't need an extra
level of buggy abstraction to manage a cronjob file.
2020-09-06 10:49:19 +03:00
Slavi Pantaleev
de0efe96e7 Fix incorrect when statement 2020-07-17 08:59:00 +03:00
Slavi Pantaleev
8b59402f79 Upgrade Coturn (4.5.1.2 -> 4.5.1.3)
4.5.1.3 fixes a security vulnerability:
https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm
2020-06-30 14:28:41 +03:00