New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
matrix-synapse: 0.34.1.1 -> 0.99.0 #55320
Conversation
Also cleanup of old dependencies and irrelevant patch
597d830
to
863e49e
Compare
Any details what is wrong with the tests at the moment? |
@Mic92 it seems |
@nyanloutre ok. so our nixos service also needs to be adapted. |
I had to rewrote the test a bit because synapse will not generate self signed certificates anymore. EDIT: the "removing the certificate generation from prestart" was a mistake, it is still generating useful keys |
445b469
to
46cbdd9
Compare
@Mic92 my PR should be ready to merge, what do you think ? |
While we are at updating the NixOS service, as synapse will require a valid certificate soon, might be a good idea to add the new certificate reloading via SIGHUP as |
launch synapse with the python executable because the startup script is no longer available
46cbdd9
to
415e3da
Compare
This is used to load new certificates without restarting the service
415e3da
to
524e26c
Compare
I think this needs to be backported to stable. They announcde that they are going to break downwards compatiblity in one month. That's too soon to wait for nixos-19.03 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I'll leave it here a bit for @Ralith to check.
However, I don't think we should backport this: it breaks backwards-compatibility in a way that will require manual intervention. Meaning that if we backport and the user does nothing the user no longer has any server, while if we don't backport and the user does nothing then the user has a server that just can't federate with too-up-to-date servers.
And the upgrade is not actually required to be done by 1 month. The only thing that is really required is to have a non-self-signed certificate. Which can perfectly well be done from 0.34.1.1, and which would have to be done manually anyway, as it's the steps for migrating to 0.99.0.
So overall I think we shouldn't backport such a heavily-backwards-compatibility-breaking update.
As an aside, I think the 1-month delay is stupid, but that is not my choice to make and I already voiced it upstream.
Oh, and… @GrahamcOfBorg build matrix-synapse nixosTests.matrix-synapse |
What about backporting it to a new package? Then users would have a choice of having the pain now or just waiting for 19.03. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great cleanup, thanks!
@@ -687,7 +691,7 @@ in { | |||
WorkingDirectory = cfg.dataDir; | |||
PermissionsStartOnly = true; | |||
ExecStart = '' | |||
${cfg.package}/bin/homeserver \ | |||
${python.interpreter} -m synapse.app.homeserver \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be squashed into the commit that removed the script.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what commit do you mean ?
What's the advantage over simply using the package from the unstable channel on a stable system? |
What's the advantage over simply using the package from the unstable channel on a stable system?
Not having the second glibc and python in the store, I guess.
Re: migration pain — as far as I know, Synapse 0.99 can be told to obtain ACME certificates for itself https://github.com/matrix-org/synapse/blob/3bd9daf4b86ed811c9ced95a4adb9aa58b681399/docs/ACME.md
|
@7c6f434c for automatic ACME to work it needs an optional library that is not yet packaged in nixpkgs |
Note that 0.99 and 1.0 can still talk to 0.34.1 if 0.34.1 is equipped with a valid certificate, so while manual intervention is always required, the backport is not actually necessary to stay compatible, as you can use the usual nixos machinery for getting certificates. This is roughly what I use with 0.34.1 to stay compatible with 0.99 and 1.0, without actually needing to update to 0.99 yet. While I'll personally updated to 0.99 by using the unstable package & module, this code is the same what you will need to do for 0.99 anyway, if you don't plan to use the integrated ACME support or want to use a tls terminating reverse proxy for port 8448.
EDIT: My current proposal is now at #57699 |
@florianjacob Could you consider submitting this code as a PR to the NixOS manual? It sounds like it'd be pretty useful for people :) @nyanloutre Upon second review I think this is missing release notes (nixos/doc/manual/release-notes/rl-1903.xml). Could you consider adding a line there pointing to the need for a non-self-signed certificate? Then @florianjacob's PR, if he feels like it, would be able to add a link to this line pointing to the NixOS manual section for how to actually do it. |
@Ekleog done |
@nyanloutre Thank you! Merged :) @pstn Backporting to a separate package sounds against the spirit of @florianjacob If you decide to send your configuration excerpt as a PR to the manual and add a link to it from the release notes, feel free to ping me. :) |
@florianjacob You might be interested in the |
I've attempted running this on NixOS 18.09 by importing the module and package from the unstable channel. The service refuses to start with the following error due to a Python version mismatch (probably in a similar way as in matrix-org/synapse#4431):
Setting the version properly to python37 in the service configuration here allows the
|
@pacien Try this: https://github.com/dotlambda/nixpkgs/commits/matrix-synapse-correct-python. It might be a little overcomplicated but I think it's the correct way to do this. |
@dotlambda This works great, thanks! |
It would and I have no clue what hinders upstream from doing this. |
@Ekleog working on a manual section, I actually now switched to a different, easier and more robust setup. @dotlambda your changes seem very sensible to me, the nixos module shouldn't use whatever is in |
I leave that up to the module maintainers. |
zip_safe=False, | ||
long_description=long_description, | ||
- scripts=["synctl"] + glob.glob("scripts/*"), | ||
+ scripts=["synctl", "homeserver"] + glob.glob("scripts/*"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nyanloutre What was the reason for removing this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is because there isn't any homeserver
script anymore
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The patch was actually creating this wrapper script.
I've opened a PR to restore it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But still, it's better if we can avoid a patch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason why this patch can't be upstreamed? I'd much prefer the patch to my (more complicated) solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Motivation for this change
There is a new optional dependency to support automatic ACME certificate, maybe we should add this
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)