WIP: MAS in complement

docker/Dockerfile-workers

@@ -1,67 +1,62 @@
 # syntax=docker/dockerfile:1
 
 ARG SYNAPSE_VERSION=latest
-ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION
-
-# first of all, we create a base image with an nginx which we can copy into the
-# target image. For repeated rebuilds, this is much faster than apt installing
-# each time.
-
-FROM docker.io/library/debian:bookworm-slim AS deps_base
-    RUN \
-       --mount=type=cache,target=/var/cache/apt,sharing=locked \
-       --mount=type=cache,target=/var/lib/apt,sharing=locked \
-      apt-get update -qq && \
-      DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
-          redis-server nginx-light
-
-# Similarly, a base to copy the redis server from.
-#
-# The redis docker image has fewer dynamic libraries than the debian package,
-# which makes it much easier to copy (but we need to make sure we use an image
-# based on the same debian version as the synapse image, to make sure we get
-# the expected version of libc.
-FROM docker.io/library/redis:7-bookworm AS redis_base
+ARG SYNAPSE_IMAGE=docker.io/matrixdotorg/synapse:$SYNAPSE_VERSION
+
+ARG MAS_VERSION=latest
+ARG MAS_IMAGE=ghcr.io/matrix-org/matrix-authentication-service:$MAS_VERSION
+
+ARG REDIS_VERSION=7.4.0
+ARG REDIS_IMAGE=docker.io/library/redis:$REDIS_VERSION-bookworm
+
+ARG NGINX_VERSION=1.26.1
+ARG NGINX_IMAGE=docker.io/library/nginx:$NGINX_VERSION-bookworm
+
+FROM $NGINX_IMAGE AS nginx
+FROM $REDIS_IMAGE AS redis
+FROM $MAS_IMAGE AS mas
 
 # now build the final image, based on the the regular Synapse docker image
-FROM $FROM
-
-    # Install supervisord with pip instead of apt, to avoid installing a second
-    # copy of python.
-    RUN --mount=type=cache,target=/root/.cache/pip \
-        pip install supervisor~=4.2
-    RUN mkdir -p /etc/supervisor/conf.d
-
-    # Copy over redis and nginx
-    COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin
-
-    COPY --from=deps_base /usr/sbin/nginx /usr/sbin
-    COPY --from=deps_base /usr/share/nginx /usr/share/nginx
-    COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx
-    COPY --from=deps_base /etc/nginx /etc/nginx
-    RUN rm /etc/nginx/sites-enabled/default
-    RUN mkdir /var/log/nginx /var/lib/nginx
-    RUN chown www-data /var/lib/nginx
-
-    # have nginx log to stderr/out
-    RUN ln -sf /dev/stdout /var/log/nginx/access.log
-    RUN ln -sf /dev/stderr /var/log/nginx/error.log
-
-    # Copy Synapse worker, nginx and supervisord configuration template files
-    COPY ./docker/conf-workers/* /conf/
-
-    # Copy a script to prefix log lines with the supervisor program name
-    COPY ./docker/prefix-log /usr/local/bin/
-
-    # Expose nginx listener port
-    EXPOSE 8080/tcp
-
-    # A script to read environment variables and create the necessary
-    # files to run the desired worker configuration. Will start supervisord.
-    COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py
-    ENTRYPOINT ["/configure_workers_and_start.py"]
-
-    # Replace the healthcheck with one which checks *all* the workers. The script
-    # is generated by configure_workers_and_start.py.
-    HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
-        CMD /bin/sh /healthcheck.sh
+FROM $SYNAPSE_IMAGE
+
+# Install supervisord with pip instead of apt, to avoid installing a second
+# copy of python.
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install supervisor~=4.2
+RUN mkdir -p /etc/supervisor/conf.d
+
+# Copy over redis, nginx and matrix-authentication-service
+COPY --from=redis /usr/local/bin/redis-server /usr/local/bin
+
+COPY --from=nginx /usr/sbin/nginx /usr/sbin
+COPY --from=nginx /usr/share/nginx /usr/share/nginx
+COPY --from=nginx /usr/lib/nginx /usr/lib/nginx
+COPY --from=nginx /etc/nginx /etc/nginx
+RUN mkdir /var/log/nginx /var/lib/nginx
+RUN chown www-data /var/lib/nginx
+
+# have nginx log to stderr/out
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY --from=mas /usr/local/bin/mas-cli /usr/local/bin
+COPY --from=mas /usr/local/share/mas-cli /usr/local/share
+
+# Copy Synapse worker, nginx and supervisord configuration template files
+COPY ./docker/conf-workers/* /conf/
+
+# Copy a script to prefix log lines with the supervisor program name
+COPY ./docker/prefix-log /usr/local/bin/
+
+# Expose nginx listener port
+EXPOSE 8080/tcp
+
+# A script to read environment variables and create the necessary
+# files to run the desired worker configuration. Will start supervisord.
+COPY ./docker/configure_workers_and_start.py /configure_workers_and_start.py
+ENTRYPOINT ["/configure_workers_and_start.py"]
+
+# Replace the healthcheck with one which checks *all* the workers. The script
+# is generated by configure_workers_and_start.py.
+HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
+    CMD /bin/sh /healthcheck.sh

docker/complement/Dockerfile

@@ -6,11 +6,17 @@
 # Instructions for building this image from those it depends on is detailed in this guide:
 # https://github.com/element-hq/synapse/blob/develop/docker/README-testing.md#testing-with-postgresql-and-single-or-multi-process-synapse
 
-ARG SYNAPSE_VERSION=latest
 # This is an intermediate image, to be built locally (not pulled from a registry).
-ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION
+ARG SYNAPSE_WORKERS_IMAGE=synapse-workers
+
+ARG POSTGRES_VERSION=13
+ARG POSTGRES_IMAGE=docker.io/library/postgres:$POSTGRES_VERSION-bookworm
+
+# Save the Postgres image for later
+FROM $POSTGRES_IMAGE AS postgres
+
+FROM $SYNAPSE_WORKERS_IMAGE
 
-FROM $FROM
 # First of all, we copy postgres server from the official postgres image,
 # since for repeated rebuilds, this is much faster than apt installing
 # postgres each time.
@@ -20,18 +26,19 @@ FROM $FROM
 # the same debian version as Synapse's docker image (so the versions of the
 # shared libraries match).
 RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
-COPY --from=docker.io/library/postgres:13-bookworm /usr/lib/postgresql /usr/lib/postgresql
-COPY --from=docker.io/library/postgres:13-bookworm /usr/share/postgresql /usr/share/postgresql
+COPY --from=postgres /usr/lib/postgresql /usr/lib/postgresql
+COPY --from=postgres /usr/share/postgresql /usr/share/postgresql
 RUN mkdir /var/run/postgresql && chown postgres /var/run/postgresql
 ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"
 ENV PGDATA=/var/lib/postgresql/data
 
 # We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image.
 RUN gosu postgres initdb --locale=C --encoding=UTF-8 --auth-host password
 
-# Configure a password and create a database for Synapse
+# Configure a password and create a database for Synapse and MAS
 RUN echo "ALTER USER postgres PASSWORD 'somesecret'" | gosu postgres postgres --single
 RUN echo "CREATE DATABASE synapse" | gosu postgres postgres --single
+RUN echo "CREATE DATABASE mas" | gosu postgres postgres --single
 
 # Extend the shared homeserver config to disable rate-limiting,
 # set Complement's static shared secret, enable registration, amongst other

docker/conf-workers/shared.yaml.j2

@@ -20,4 +20,15 @@ app_service_config_files:
 {%- endfor %}
 {%- endif %}
 
+{% if enable_mas %}
+experimental_features:
+  msc3861:
+    enabled: true
+    issuer: "http://localhost:8008/"
+    client_id: "0000000000000000000SYNAPSE"
+    client_auth_method: client_secret_basic
+    client_secret: choozia3ThiefahZaofeiveish1kahr0
+    admin_token: eeShoo4ceebae4Lo4Che1hoofoophaiz
+{% endif %}
+
 {{ shared_worker_config }}

docker/conf-workers/supervisord.conf.j2

@@ -35,3 +35,12 @@ autorestart=true
 # Redis can be disabled if the image is being used without workers
 autostart={{ enable_redis }}
 
+[program:mas]
+comamnd=/usr/local/bin/prefix-log /usr/local/bin/mas-cli --config /conf/mas.yaml
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=unexpected
+
+autostart={{ enable_mas }}

docker/configure_workers_and_start.py

@@ -959,6 +959,7 @@ def generate_worker_files(
         shared_worker_config=yaml.dump(shared_config),
         appservice_registrations=appservice_registrations,
         enable_redis=workers_in_use,
+        enable_mas=False,
         workers_in_use=workers_in_use,
         using_unix_sockets=using_unix_sockets,
     )
@@ -981,6 +982,7 @@ def generate_worker_files(
         "/etc/supervisor/supervisord.conf",
         main_config_path=config_path,
         enable_redis=workers_in_use,
+        enable_mas=False,
         using_unix_sockets=using_unix_sockets,
     )
 

scripts-dev/complement.sh

@@ -167,11 +167,11 @@ if [ -z "$skip_docker_build" ]; then
             -f "docker/editable.Dockerfile" .
 
         $CONTAINER_RUNTIME build -t synapse-workers-editable \
-            --build-arg FROM=synapse-editable \
+            --build-arg SYNAPSE_IMAGE=synapse-editable \
             -f "docker/Dockerfile-workers" .
 
         $CONTAINER_RUNTIME build -t complement-synapse-editable \
-            --build-arg FROM=synapse-workers-editable \
+            --build-arg SUNAPSE_WORKERS_IMAGE=synapse-workers-editable \
             -f "docker/complement/Dockerfile" "docker/complement"
 
         # Prepare the Rust module
@@ -180,21 +180,24 @@ if [ -z "$skip_docker_build" ]; then
     else
 
         # Build the base Synapse image from the local checkout
-        echo_if_github "::group::Build Docker image: matrixdotorg/synapse"
-        $CONTAINER_RUNTIME build -t matrixdotorg/synapse \
-        --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \
-        --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \
-        -f "docker/Dockerfile" .
+        echo_if_github "::group::Build Docker image: synapse"
+        $CONTAINER_RUNTIME build -t synapse \
+            --build-arg TEST_ONLY_SKIP_DEP_HASH_VERIFICATION \
+            --build-arg TEST_ONLY_IGNORE_POETRY_LOCKFILE \
+            -f "docker/Dockerfile" .
         echo_if_github "::endgroup::"
 
         # Build the workers docker image (from the base Synapse image we just built).
-        echo_if_github "::group::Build Docker image: matrixdotorg/synapse-workers"
-        $CONTAINER_RUNTIME build -t matrixdotorg/synapse-workers -f "docker/Dockerfile-workers" .
+        echo_if_github "::group::Build Docker image: synapse-workers"
+        $CONTAINER_RUNTIME build -t synapse-workers \
+            --build-arg SYNAPSE_IMAGE=synapse \
+            -f "docker/Dockerfile-workers" .
         echo_if_github "::endgroup::"
 
         # Build the unified Complement image (from the worker Synapse image we just built).
-        echo_if_github "::group::Build Docker image: complement/Dockerfile"
+        echo_if_github "::group::Build Docker image: complement-synapse"
         $CONTAINER_RUNTIME build -t complement-synapse \
+            --build-arg SYNAPSE_WORKERS_IMAGE=synapse-workers \
             -f "docker/complement/Dockerfile" "docker/complement"
         echo_if_github "::endgroup::"