This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Hardened systemd unit files #9803

Merged 20 commits on May 19, 2021

Conversation

savyajha
Contributor

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
  • Pull request includes a sign off
  • Code style is correct (run the linters)

Signed-off-by: Savyasachee Jha savya.jha@hawkradius.com

@anoadragon453 anoadragon453 requested a review from a team April 13, 2021 18:03
Member

@richvdh richvdh left a comment


I'm unconvinced we should do this. It looks super-scary, and I've never seen any other systemd units do all this stuff. This is supposed to be a simple example for people getting synapse set up for the first time!

It might be more appropriate in a separate contrib directory or something.

@anoadragon453
Member

@richvdh After going through each option in systemd's manpages, they all make sense and I think the comments presented here help explain what each option is doing. That being said, you have a point that the systemd services we ship out of the box should probably be simple, so one can quickly read and edit it.

Perhaps moving these to contrib or elsewhere and hyperlinking to them as "hardened" configs from the default service files is the best way to go about it?

@richvdh
Member

richvdh commented Apr 14, 2021

Perhaps moving these to contrib or elsewhere and hyperlinking to them as "hardened" configs from the default service files is the best way to go about it?

yup, sounds good.

@callahad
Contributor

@richvdh Is there a path to including at least some of these directly? Systemd sandboxing feels like a really great way to add defense in depth. Perhaps just targeting debian/matrix-synapse.service and leaving the docs/systemd-with-workers/... files more bare?

@richvdh
Member

richvdh commented Apr 14, 2021

I don't object to it going into the unit file in the debian package (though I would question why debian doesn't do this for all services in packages in its repo, if it's such a great idea).

@richvdh
Member

richvdh commented Apr 14, 2021

Also: I'm not keen on us having multiple copies of this stuff that we have to remember to maintain; we are literally bound to forget to update at least one copy when there are changes. Can we do something like move the config options out to a .conf file, which is then copied into the debian package? Systemd has some nice support for sharing config files between similarly-named units.

@savyajha
Contributor Author

@richvdh It's not completely uncommon. I got the idea from looking at the service files of postgres and unbound as shipped by Arch Linux and upstream respectively. I think there was the principle of maintaining equivalence between unit files and traditional sysv scripts in Debian till recently which might have been a reason for them to not do this.

Regardless, do let me know what to do. Should I keep the Debian changes? Should I remove the ones in doc/ or make separate files with the -hardened suffix?

@anoadragon453
Member

systemd does have support for adding options to a /etc/systemd/system/your-project.d/override.conf file, which would then override options set in your-project.service. I don't know if it's good practice to bundle that file with your package (it's intended for overriding whatever options come from your distro's package) but we could:

  • Include an override-hardened.conf file in the repo which users can copy to /etc/systemd/system/matrix-synapse.d/override.conf and packagers can use if they want increased security.
  • Append the contents of override-hardened.conf to the service file when building the debian packages for security by default.

@savyajha
Contributor Author

@anoadragon453 Typically it's considered bad practice for packagers to put files in /etc/systemd/system/<service-name>.service.d/, iirc, that location is meant for end-users.

I have no issues separating the file out into an override-hardened.conf (put in contrib, I suppose?). However, given I'm not a programmer and further have no experience packaging for Debian, I would hope that appending the hardened config to the Debian service file during package-building could be done by someone else.

@richvdh
Member

richvdh commented Apr 14, 2021

@anoadragon453 Typically it's considered bad practice for packagers to put files in /etc/systemd/system/<service-name>.service.d/, iirc, that location is meant for end-users.

Indeed. /lib/systemd/system/<unit>.d exists for packagers.

@savyajha
Contributor Author

I've made the changes as requested. Does this work? If it's acceptable, hopefully someone can put the file from contrib as desired into the Debian package.

@anoadragon453 anoadragon453 self-requested a review April 19, 2021 18:35
@richvdh richvdh requested a review from a team May 6, 2021 09:32
Member

@anoadragon453 anoadragon453 left a comment


Apologies for the delay in getting back to this. I've got a few suggestions below, but overall think this looks pretty solid!

Review comments (resolved) on docs/systemd-with-workers/README.md and changelog.d/9802.doc.
savyajha and others added 3 commits May 18, 2021 16:10
Mostly a few grammatical changes to better fit the language expected

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
@savyajha
Contributor Author

My turn to apologise for the delay: the situation with covid is frankly somewhat alarming in my city. I've made the requisite changes and I hope it looks good. :)

Member

@anoadragon453 anoadragon453 left a comment


No worries - people's safety should always come first. I do wish you and your family well in that regard 🙂

These changes look good to me, thank you so much!

Review comments (resolved) on docs/systemd-with-workers/README.md.
@anoadragon453 anoadragon453 dismissed richvdh’s stale review May 18, 2021 16:40

files now live in contrib

@anoadragon453 anoadragon453 merged commit 5bba1b4 into matrix-org:develop May 19, 2021
@schildbach

I wonder how this sandboxing solution compares to running Synapse in Docker?

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jun 5, 2021
Synapse 1.35.1 (2021-06-03)
===========================

Bugfixes
--------

- Fix a bug introduced in v1.35.0 where invite-only rooms would be shown to all users in a space, regardless of if the user had access to it. ([\#10109](matrix-org/synapse#10109))


Synapse 1.35.0 (2021-06-01)
===========================

Note that [the tag](https://github.com/matrix-org/synapse/releases/tag/v1.35.0rc3) and [docker images](https://hub.docker.com/layers/matrixdotorg/synapse/v1.35.0rc3/images/sha256-34ccc87bd99a17e2cbc0902e678b5937d16bdc1991ead097eee6096481ecf2c4?context=explore) for `v1.35.0rc3` were incorrectly built. If you are experiencing issues with either, it is recommended to upgrade to the equivalent tag or docker image for the `v1.35.0` release.

Deprecations and Removals
-------------------------

- The core Synapse development team plan to drop support for the [unstable API of MSC2858](https://github.com/matrix-org/matrix-doc/blob/master/proposals/2858-Multiple-SSO-Identity-Providers.md#unstable-prefix), including the undocumented `experimental.msc2858_enabled` config option, in August 2021. Client authors should ensure that their clients are updated to use the stable API (which has been supported since Synapse 1.30) well before that time, to give their users time to upgrade. ([\#10101](matrix-org/synapse#10101))

Bugfixes
--------

- Fixed a bug causing replication requests to fail when receiving a lot of events via federation. Introduced in v1.33.0. ([\#10082](matrix-org/synapse#10082))
- Fix HTTP response size limit to allow joining very large rooms over federation. Introduced in v1.33.0. ([\#10093](matrix-org/synapse#10093))


Internal Changes
----------------

- Log method and path when dropping request due to size limit. ([\#10091](matrix-org/synapse#10091))


Synapse 1.35.0rc2 (2021-05-27)
==============================

Bugfixes
--------

- Fix a bug introduced in v1.35.0rc1 when calling the spaces summary API via a GET request. ([\#10079](matrix-org/synapse#10079))


Synapse 1.35.0rc1 (2021-05-25)
==============================

Features
--------

- Add experimental support to allow a user who could join a restricted room to view it in the spaces summary. ([\#9922](matrix-org/synapse#9922), [\#10007](matrix-org/synapse#10007), [\#10038](matrix-org/synapse#10038))
- Reduce memory usage when joining very large rooms over federation. ([\#9958](matrix-org/synapse#9958))
- Add a configuration option which allows enabling opentracing by user id. ([\#9978](matrix-org/synapse#9978))
- Enable experimental support for [MSC2946](matrix-org/matrix-spec-proposals#2946) (spaces summary API) and [MSC3083](matrix-org/matrix-spec-proposals#3083) (restricted join rules) by default. ([\#10011](matrix-org/synapse#10011))


Bugfixes
--------

- Fix a bug introduced in v1.26.0 which meant that `synapse_port_db` would not correctly initialise some postgres sequences, requiring manual updates afterwards. ([\#9991](matrix-org/synapse#9991))
- Fix `synctl`'s `--no-daemonize` parameter to work correctly with worker processes. ([\#9995](matrix-org/synapse#9995))
- Fix a validation bug introduced in v1.34.0 in the ordering of spaces in the space summary API. ([\#10002](matrix-org/synapse#10002))
- Fixed deletion of new presence stream states from database. ([\#10014](matrix-org/synapse#10014), [\#10033](matrix-org/synapse#10033))
- Fixed a bug with very high resolution image uploads throwing internal server errors. ([\#10029](matrix-org/synapse#10029))


Updates to the Docker image
---------------------------

- Fix bug introduced in Synapse 1.33.0 which caused a `Permission denied: '/homeserver.log'` error when starting Synapse with the generated log configuration. Contributed by Sergio Miguéns Iglesias. ([\#10045](matrix-org/synapse#10045))


Improved Documentation
----------------------

- Add hardened systemd files as proposed in [#9760](matrix-org/synapse#9760) and added them to `contrib/`. Change the docs to reflect the presence of these files. ([\#9803](matrix-org/synapse#9803))
- Clarify documentation around SSO mapping providers generating unique IDs and localparts. ([\#9980](matrix-org/synapse#9980))
- Updates to the PostgreSQL documentation (`postgres.md`). ([\#9988](matrix-org/synapse#9988), [\#9989](matrix-org/synapse#9989))
- Fix broken link in user directory documentation. Contributed by @junquera. ([\#10016](matrix-org/synapse#10016))
- Add missing room state entry to the table of contents of room admin API. ([\#10043](matrix-org/synapse#10043))


Deprecations and Removals
-------------------------

- Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus. ([\#9280](matrix-org/synapse#9280))


Internal Changes
----------------

- Allow sending full presence to users via workers other than the one that called `ModuleApi.send_local_online_presence_to`. ([\#9823](matrix-org/synapse#9823))
- Update comments in the space summary handler. ([\#9974](matrix-org/synapse#9974))
- Minor enhancements to the `@cachedList` descriptor. ([\#9975](matrix-org/synapse#9975))
- Split multipart email sending into a dedicated handler. ([\#9977](matrix-org/synapse#9977))
- Run `black` on files in the `scripts` directory. ([\#9981](matrix-org/synapse#9981))
- Add missing type hints to `synapse.util` module. ([\#9982](matrix-org/synapse#9982))
- Simplify a few helper functions. ([\#9984](matrix-org/synapse#9984), [\#9985](matrix-org/synapse#9985), [\#9986](matrix-org/synapse#9986))
- Remove unnecessary property from SQLBaseStore. ([\#9987](matrix-org/synapse#9987))
- Remove `keylen` param on `LruCache`. ([\#9993](matrix-org/synapse#9993))
- Update the Grafana dashboard in `contrib/`. ([\#10001](matrix-org/synapse#10001))
- Add a batching queue implementation. ([\#10017](matrix-org/synapse#10017))
- Reduce memory usage when verifying signatures on large numbers of events at once. ([\#10018](matrix-org/synapse#10018))
- Properly invalidate caches for destination retry timings every (instead of expiring entries every 5 minutes). ([\#10036](matrix-org/synapse#10036))
- Fix running complement tests with Synapse workers. ([\#10039](matrix-org/synapse#10039))
- Fix typo in `get_state_ids_for_event` docstring where the return type was incorrect. ([\#10050](matrix-org/synapse#10050))
babolivier added a commit to matrix-org/synapse-dinsic that referenced this pull request Sep 1, 2021
@ruscur

ruscur commented Oct 12, 2021

FYI the synapse package in Arch Linux is now enabling this by default in /usr/lib/systemd/system/synapse.service.d/override-hardened.conf as of matrix-synapse 1.44.0-2.
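The thread settles on the packager shipping hardening as a drop-in under /lib (or /usr/lib) and leaving /etc/systemd/system/<unit>.d/ to the local admin, and ruscur's comment above shows Arch doing exactly that with override-hardened.conf. What neither side spells out is how systemd orders those layers, and that ordering is where a hardening drop-in silently stops applying. The script below is an added example for this thread, not the contrib file the PR merged and not Synapse's or Arch's packaging. It models systemd's loading rules against a scratch $ROOT instead of the real filesystem so it runs without systemd; the unit contents, the ExecStart path, the directive values and the file names are constructed for the demo, and only scalar directives are resolved (list-typed ones such as ReadWritePaths accumulate instead).

```sh
#!/bin/sh
# Added example for this thread; not the contrib file the PR merged and not
# Synapse's own packaging. It models how systemd layers a unit file with its
# drop-in directories, using a scratch $ROOT in place of / so it runs without
# systemd. Rules modelled (see systemd.unit(5)):
#   - main unit file: first match wins, searching /etc, /run, /usr/lib
#   - drop-ins: every <unit>.d/*.conf in all three dirs, loaded in file-name
#     order; a same-named file in a higher-priority dir shadows the others
#   - for a scalar directive, the last assignment loaded wins
# All unit contents and paths under $ROOT are constructed for the demo.
set -u
ROOT=${ROOT:-$(mktemp -d)}

search_path() {
    printf '%s\n' "$ROOT/etc/systemd/system" \
                  "$ROOT/run/systemd/system" \
                  "$ROOT/usr/lib/systemd/system"
}

# Print, in load order, the files systemd would read for unit $1.
load_order() {
    unit=$1
    for d in $(search_path); do
        if [ -f "$d/$unit" ]; then echo "$d/$unit"; break; fi
    done
    for d in $(search_path); do
        for f in "$d/$unit.d"/*.conf; do
            if [ -f "$f" ]; then basename "$f"; fi
        done
    done | LC_ALL=C sort -u | while read -r name; do
        for d in $(search_path); do
            if [ -f "$d/$unit.d/$name" ]; then echo "$d/$unit.d/$name"; break; fi
        done
    done
}

# effective_setting <unit> <Directive>: the value `systemctl show` would
# report for a scalar directive (last assignment across the load order).
effective_setting() {
    load_order "$1" | xargs cat | sed -n "s/^$2=//p" | tail -n 1
}

write_file() {  # write_file <path>  (content on stdin)
    mkdir -p "$(dirname "$1")" && cat > "$1"
}

build_demo_tree() {
    rm -rf "$ROOT/etc" "$ROOT/run" "$ROOT/usr"
    # The plain unit the thread wants shipped: short, readable, no sandboxing.
    write_file "$ROOT/usr/lib/systemd/system/matrix-synapse.service" <<'EOF'
[Unit]
Description=Synapse Matrix homeserver (constructed demo unit)

[Service]
User=matrix-synapse
ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
    # Packager-level hardening in the /usr/lib drop-in dir (the Arch layout),
    # never in /etc. Directive values are illustrative, not the PR's file.
    write_file "$ROOT/usr/lib/systemd/system/matrix-synapse.service.d/override-hardened.conf" <<'EOF'
[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/matrix-synapse
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
ProtectKernelTunables=true
EOF
}

# add_admin_dropin <file-name>: a local admin override in /etc that relaxes
# ProtectHome. The file NAME, not the directory, decides its load position.
add_admin_dropin() {
    write_file "$ROOT/etc/systemd/system/matrix-synapse.service.d/$1" <<'EOF'
[Service]
ProtectHome=read-only
EOF
}

demo() {
    build_demo_tree
    echo "packager drop-in:       ProtectSystem=$(effective_setting matrix-synapse.service ProtectSystem)"
    add_admin_dropin 10-local.conf           # sorts BEFORE override-hardened.conf: loses
    echo "10-local.conf in /etc:  ProtectHome=$(effective_setting matrix-synapse.service ProtectHome)"
    add_admin_dropin override.conf           # sorts after it (what systemctl edit creates): wins
    echo "override.conf in /etc:  ProtectHome=$(effective_setting matrix-synapse.service ProtectHome)"
    add_admin_dropin override-hardened.conf  # same name shadows the packager's whole file
    echo "same name in /etc:      ProtectSystem=$(effective_setting matrix-synapse.service ProtectSystem)"
}

demo
```

The last two steps are the pitfalls a packager and an admin need to agree on: a local drop-in only takes precedence if its name sorts after the packager's, and a file in /etc with the same name as the packager's replaces that file outright, so ProtectSystem falls back to the plain unit's value and the hardening is gone without any error. On a real host the same load order is what `systemctl cat matrix-synapse.service` prints, `systemd-delta` lists the shadowed and extended files, and `systemd-analyze security matrix-synapse.service` scores the sandbox that actually results, which is the check worth running after installing either layer.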

6 participants