docker-synapse-worker
A docker image for a synapse worker.
Available on Docker Hub as t2bot/synapse-worker.
Please read the documentation for workers before using this project. This project assumes you have a fair amount of experience with the operation of synapse and are prepared to use workers in a containerized environment. This project is not intended to be used by inexperienced worker users.
Building with a custom synapse
There are two build arguments available: The branch name and repo slug to build. By default, the repo slug is matrix-org/synapse
and the branch is master
. These can be changed like so:
docker build -t t2bot/synapse-worker --build-arg SYNAPSE_REPO_SLUG=matrix-org/synapse --build-arg SYNAPSE_BRANCH=master .
Running
There are several workers available, all of which have their own port mappings you'll need to handle for your environment.
The following items should be available prior to starting a worker container:
- Signing and TLS keys should already be generated.
- A
homeserver.yaml
that is pre-configured for workers.
All containers expose the following ports and should be remapped to your needs:
8008
- Client APIs (http)8448
- Federation APIs (https)9000
- Metrics (http)
Additional ports, such as replication, will be bound as per the homeserver.yaml
configuration and should not be forwarded to the host. Instead, a docker network should be created. The remainder of this document assumes you've created a network named synapse
.
It is recommended that a reverse proxy be placed in front of both your federation and client-server APIs. This will allow you to change the worker locations more easily and route traffic to them. Setting up that reverse proxy is left as an exercise to the reader, however it is generally recommended to place the reverse proxy inside the synapse
network and expose ports 443 and 8448 through that rather than use the -p
flag on the worker containers.
Assumptions on all worker containers
To reduce the amount of duplication in this documentation, it is assumed that you know how to start a docker container in your environment. This means you're expected to set up the appropriate port mappings (-p 8448:8448
for example) and volume locations for your environment.
All of the workers need the following files mapped via volumes:
/data/homeserver.yaml
(some variables, such as log configuration and listeners, may be overwritten)/data/signing.key
(usually generated asexample.com.signing.key
)/data/tls.crt
(usually generated asexample.com.tls.crt
)/data/tls.dh
(usually generated asexample.com.tls.dh
)/data/tls.key
(usually generated asexample.com.tls.key
)
Some notable things ignored in the configuration are:
- The logging configuration. Instead, the worker will only log to the console and not bind a file handler. The level at which this happens can be set via the
SYNAPSE_LOG_LEVEL
environment variable (defaults toINFO
). - The TCP and HTTP replication ports will be hardcoded to
9092
and9093
respectively, and bound to0.0.0.0
so they can be used by other containers. These must not be exposed to the outside world as the replication streams are not authenticated. If you are exposing these ports on the host, be sure to have strict network security to ensure that the wider world cannot influence the replication streams. - The client and federation listeners will be hardcoded to
8008
and8448
respectively, and bound to0.0.0.0
. Additionally, they will havex_forwarded: true
for their configuration. - The metrics listener will be hardcoded to
9000
and bound to0.0.0.0
. This will also havex_forwarded: true
on it. This should only be exposed externally if you'd like the statistics public, as this is unauthenticated.
It is up to you to ensure that any special requirements are met for your workers. For example, if you're using a federation sender and fail to set the send_federation: false
flag in your homeserver.yaml
then the worker may fail to start, or break in bad ways. Always double check your configuration before starting a worker.
Restarting/stopping the stack
Always ensure the main process starts first, followed by the workers. When restarting or shutting down the stack, stop the workers first then the main process last. It is generally unsafe to restart workers individually or independently of the whole stack.
Workers
All the workers are configured via a SYNAPSE_WORKER
environment variable. This is set to the worker application that should be started. All the workers, with the exception of the main process, need an additional environment variable to tell it where to look for replication host. The replication host is configured as SYNAPSE_REPLICATION_HOST
.
As an example, if you set up a SYNAPSE_WORKER=synapse.app.homeserver
container in the synapse
network with the name synapse-homeserver
, then any other workers would need SYNAPSE_REPLICATION_HOST=synapse-homeserver
assuming they were also in the synapse
network.
The media repository is mounted at /synapse_media
on the container. If you're referencing application service registration files, be sure they point at a mounted volume.
All workers support a SYNAPSE_CPU_AFFINITY
variable that is passed directly to the cpu_affinity
or worker_cpu_affinity
configuration variable.
The hostname used in the logs can be overridden with the SYNAPSE_HOSTNAME
variable. Otherwise whatever Docker sets as the container's hostname will be used.
Supported workers:
Application | Ports bound |
---|---|
synapse.app.homeserver |
8008, 8448, 9000 |
synapse.app.pusher |
9000 |
synapse.app.synchrotron |
8008, 9000 |
synapse.app.appservice |
9000 |
synapse.app.federation_reader |
8448, 9000 |
synapse.app.federation_sender |
9000 |
synapse.app.media_repository |
8008, 9000 |
synapse.app.client_reader |
8008, 9000 |
synapse.app.user_dir |
8008, 9000 |
synapse.app.frontend_proxy |
8008, 9000 |
synapse.app.event_creator |
8008, 9000 |