-
Notifications
You must be signed in to change notification settings - Fork 1
/
Dockerfile-unified
executable file
·171 lines (146 loc) · 6.45 KB
/
Dockerfile-unified
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# syntax=docker/dockerfile:1
# Dockerfile to build our forked matrixdotorg/synapse docker images.
# This file is largely based on the matrixdotorg/synapse-workers Dockerfile
# found at https://github.com/matrix-org/synapse/docker/Dockerfile-workers which is
# used primarily(only?) for testing with the Complement integration testing suite.
#
# Note that it uses features which are only available in BuildKit - see
# https://docs.docker.com/go/buildkit/ for more information.
#
# To build the image, run `docker build` command from the root of the
# synapse repository:
#
# DOCKER_BUILDKIT=1 docker build -f Dockerfile-unified .
#
# There is an optional SYNAPSE_VERSION build argument which sets the
# version of Synapse to build against: for example:
#
# DOCKER_BUILDKIT=1 docker build -f Dockerfile-unified --build-arg SYNAPSE_VERSION=1.77 .
#
ARG SYNAPSE_VERSION=latest
ARG REDIS_VERSION=7.0.8
###
### Stage 2: Add-ons
###
# Adding:
# 1. Nginx - for reverse proxy support to avoid exposing a mess of ports
# 2. Redis - for internal replication. This is cleaner and faster than an external redis
# 3. Prometheus - to collect the metrics that Synapse exposes if enabled.
# 3a. Redis metrics exporter
# 3b. Nginx metrics exporter
# 3c. Postgres metrics exporter
# 4. Postgres Synapse auto compressor. Add to cron later, after testing.
# 5. Coturn - Maybe. Notoriously hard to get it right. Lots of ports to expose.
# Not Adding:
# ?1. DNS caching - To many ways to get this wrong. This is better as an external
# service like pihole or unbound. Getting docker to route through it can be rough.
#
# A base image with nginx and prometheus which we can copy into the
# target image. For repeated rebuilds, this is much faster than apt installing
# each time.
FROM debian:bookworm-slim AS deps_base
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt-get update -qq && \
DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
prometheus \
&& rm -rf /var/lib/apt/lists/*
# Similarly, a base to copy the redis server from.
#
# The redis docker image has fewer dynamic libraries than the debian package,
# which makes it much easier to copy (but we need to make sure we use an image
# based on the same debian version as the synapse image, to make sure we get
# the expected version of libc.
#
# We will be using the PPA version of keydb until their docker image works for bookworm
# FROM eqalpha/keydb:latest AS redis_base
# Do the same for the Nginx docker image.
FROM nginx:1.24.0 as nginx_base
# The synapse auto compressor is from an image we build. It won't change much
# so there's no reason to not have this pre-compiled and just borrow it. This also
# contains the custom compiled version of coturn that includes metrics support for
# prometheus, and the postgres and redis metrics exporter tools for prometheus
FROM realtyem/synapse-tools:latest as tools
###
### Stage #: runtime
###
FROM matrixdotorg/synapse
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt-get update -qq && apt-get install -yqq \
cron \
curl \
gosu \
libevent-core-2.1-7 \
libevent-extra-2.1-7 \
libevent-openssl-2.1-7 \
libevent-pthreads-2.1-7 \
libhiredis0.14 \
libjemalloc2 \
libjpeg62-turbo \
libmicrohttpd12 \
libpq5 \
libssl-dev \
libwebp7 \
logrotate \
nano \
openssl \
prometheus-nginx-exporter \
wget \
xmlsec1 \
&& rm -rf /var/lib/apt/lists/*
# Install keydb from their supplied PPA. Preferably, the docker image would be better,
# but is currently compiled against ubuntu 18.04 which doesn't work with our libssl.
# We specifically get the keydb-tools package, as the others tend to setup service
# entries that are not used(and cause errors).
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
echo "deb https://download.keydb.dev/open-source-dist bookworm main" | tee /etc/apt/sources.list.d/keydb.list && \
wget -O /etc/apt/trusted.gpg.d/keydb.gpg https://download.keydb.dev/open-source-dist/keyring.gpg && \
apt-get update -qq && apt-get install -yqq \
keydb-tools \
&& rm -rf /var/lib/apt/lists/*
# Prepare directories. Do it in one layer
RUN mkdir -p /etc/supervisor/conf.d && \
mkdir /var/log/nginx /var/cache/nginx && \
chown www-data /var/log/nginx /var/cache/nginx && \
mkdir -p /etc/prometheus
# Install supervisord with pip instead of apt, to avoid installing a second
# copy of python.
RUN --mount=type=cache,target=/root/.cache/pip \
pip install supervisor~=4.2
# Copy over redis and nginx
# COPY --from=redis_base /usr/local/bin/keydb-server /usr/local/bin
COPY --from=nginx_base /usr/sbin/nginx /usr/sbin
COPY --from=nginx_base /usr/share/nginx /usr/share/nginx
COPY --from=nginx_base /usr/lib/nginx /usr/lib/nginx
COPY --from=nginx_base /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/
COPY --from=nginx_base /etc/nginx /etc/nginx
RUN rm /etc/nginx/conf.d/default.conf
# Copy over Prometheus. Should we bring the website files. It's 10's of MB's
COPY --from=deps_base /usr/bin/prometheus /usr/bin
COPY --from=deps_base /usr/share/prometheus/* /usr/share/prometheus
# And Synapse's Prometheus rule file
COPY /contrib/prometheus/synapse-V2.rules /etc/prometheus
COPY /contrib/mtail/ /conf/mtail/
COPY --from=tools /out /
# Copy Synapse worker, nginx and supervisord configuration template files
# The worker configuration and base start up script, used to generate some
# config files then start supervisord.
COPY ./configure_workers_and_start.py /
# Various config and script templates including the extended homeserver yaml
# to replace the one that comes with their image.
COPY ./conf-workers /conf/
# Copy a script to prefix log lines with the supervisor program name
COPY ./prefix-log /usr/local/bin/
# Copy over prometheus contrib files, rules and such
# COPY ./contrib/prometheus/* /etc/prometheus/
# Expose nginx listener port
EXPOSE 8008/tcp
# Expose the prometheus listener port
EXPOSE 9090/tcp
ENTRYPOINT ["/configure_workers_and_start.py"]
# Replace the healthcheck with one which checks *all* the workers. The script
# is generated by configure_workers_and_start.py.
HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
CMD /bin/sh /healthcheck.sh