From 2a48d0838b46963b134b4351d4da0dd352cbd8bf Mon Sep 17 00:00:00 2001 From: erikjohnston Date: Tue, 26 Sep 2023 16:01:35 +0000 Subject: deploy: 88ba67eb91215a708f321e16559fe3c2c0d0a407 --- latest/print.html | 135 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 94 insertions(+), 41 deletions(-) (limited to 'latest/print.html') diff --git a/latest/print.html b/latest/print.html index a767926a34..d5b2cc977e 100644 --- a/latest/print.html +++ b/latest/print.html @@ -257,7 +257,7 @@ on hub.docker.com.

Dockerfile to automate a synapse server in a single Docker image, at https://hub.docker.com/r/avhost/docker-matrix/tags/

Slavi Pantaleev has created an Ansible playbook, -which installs the offical Docker image of Matrix Synapse +which installs the official Docker image of Matrix Synapse along with many other Matrix-related services (Postgres database, Element, coturn, ma1sd, SSL support, etc.). For more details, see @@ -296,7 +296,7 @@ the Debian repositories. For bookworm and sid, it can be installed simply with:

sudo apt install matrix-synapse
 
-

Synapse is also avaliable in bullseye-backports. Please +

Synapse is also available in bullseye-backports. Please see the Debian documentation for information on how to use backports.

matrix-synapse is no longer maintained for buster and older.

@@ -333,6 +333,10 @@ installing under virtualenv):

sudo pip uninstall py-bcrypt
 sudo pip install py-bcrypt
 
+

Alpine Linux

+

6543 maintains Synapse packages for Alpine Linux in the community repository. Install with:

+
sudo apk add synapse
+

Void Linux

Synapse can be found in the void repositories as 'synapse':

@@ -850,7 +854,7 @@ of COLLATE and CTYPE unless the config flag allo database section of the config, is set to true. Using different locales can cause issues if the locale library is updated from underneath the database, or if a different version of the locale is used on any replicas.

-

If you have a databse with an unsafe locale, the safest way to fix the issue is to dump the database and recreate it with +

If you have a database with an unsafe locale, the safest way to fix the issue is to dump the database and recreate it with the correct locale parameter (as shown above). It is also possible to change the parameters on a live database and run a REINDEX on the entire database, however extreme care must be taken to avoid database corruption.

@@ -1175,7 +1179,7 @@ TURN server.

Requirements

For TURN relaying to work, the TURN service must be hosted on a server/endpoint with a public IP.

-

Hosting TURN behind NAT requires port forwaring and for the NAT gateway to have a public IP. +

Hosting TURN behind NAT requires port forwarding and for the NAT gateway to have a public IP. However, even with appropriate configuration, NAT is known to cause issues and to often not work.

Afterwards, the homeserver needs some further configuration.

Synapse setup

@@ -1779,6 +1783,11 @@ dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
+

Upgrading to v1.93.0

+

Minimum supported Rust version

+

The minimum supported Rust version has been increased from v1.60.0 to v1.61.0. +Users building from source will need to ensure their rustc version is up to +date.

Upgrading to v1.90.0

App service query parameter authorization is now a configuration option

Synapse v1.81.0 deprecated application service authorization via query parameters as this is @@ -1815,7 +1824,7 @@ are being removed in this release of Synapse:

administrators of single-process (monolith) installations don't need to do anything.

For an illustrative example, please see Upgrading to v1.84.0 below.

Upgrading to v1.86.0

-

Minimum supported Rust version

+

Minimum supported Rust version

The minimum supported Rust version has been increased from v1.58.1 to v1.60.0. Users building from source will need to ensure their rustc version is up to date.

@@ -2668,7 +2677,7 @@ Instructions for doing so are provided

In line with our deprecation policy, we've dropped support for Python 3.5 and PostgreSQL 9.5, as they are no longer supported upstream.

-

This release of Synapse requires Python 3.6+ and PostgresSQL 9.6+ or +

This release of Synapse requires Python 3.6+ and PostgreSQL 9.6+ or SQLite 3.22+.

Removal of old List Accounts Admin API

The deprecated v1 "list accounts" admin API @@ -3449,7 +3458,7 @@ in the config and update your dependencies dependencies. See README.rst for details.

Upgrading to v0.11.0

This release includes the option to send anonymous usage stats to -matrix.org, and requires that administrators explictly opt in or out by +matrix.org, and requires that administrators explicitly opt in or out by setting the report_stats option to either true or false.

We would really appreciate it if you could help our project out by reporting anonymized usage statistics from your homeserver. Only very @@ -3529,7 +3538,7 @@ latest module, please run:

$ pip uninstall syweb
 

Upgrading to v0.5.0

-

The webclient has been split out into a seperate repository/pacakage in +

The webclient has been split out into a separate repository/package in this release. Before you restart your homeserver you will need to pull in the webclient package by running:

python setup.py develop --user
@@ -3706,8 +3715,10 @@ followed by a letter. Letters have the following meanings:

messages from the database after 5 minutes, rather than 5 months.

In addition, configuration options referring to size use the following suffixes:

    -
  • M = MiB, or 1,048,576 bytes
  • K = KiB, or 1024 bytes
  • +
  • M = MiB, or 1,048,576 bytes
  • +
  • G = GiB, or 1,073,741,824 bytes
  • +
  • T = TiB, or 1,099,511,627,776 bytes

For example, setting max_avatar_size: 10M means that Synapse will not accept files larger than 10,485,760 bytes for a user avatar.

@@ -4129,7 +4140,7 @@ for workers and containers

Example configuration #2:

listeners:
-  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
+  # Insecure HTTP listener: for when matrix traffic passes through a reverse proxy
   # that unwraps TLS.
   #
   # If you plan to use a reverse proxy, please see
@@ -4500,6 +4511,13 @@ still take up to 5 minutes to purge redacted events from the database.

redaction_retention_period: 28d
 

+

forgotten_room_retention_period

+

How long to keep locally forgotten rooms before purging them from the DB.

+

Defaults to null, meaning it's disabled.

+

Example configuration:

+
forgotten_room_retention_period: 28d
+
+

user_ips_max_age

How long to track users' last seen time and IPs in the database.

Defaults to 28d. Set to null to disable clearing out of old rows.

@@ -4650,12 +4668,12 @@ any intermediate certificates (for instance, if using certbot, use

federation_client_minimum_tls_version

The minimum TLS version that will be used for outbound federation requests.

-

Defaults to 1. Configurable to 1, 1.1, 1.2, or 1.3. Note -that setting this value higher than 1.2 will prevent federation to most -of the public Matrix network: only configure it to 1.3 if you have an +

Defaults to "1". Configurable to "1", "1.1", "1.2", or "1.3". Note +that setting this value higher than "1.2" will prevent federation to most +of the public Matrix network: only configure it to "1.3" if you have an entirely private federation setup and you can ensure TLS 1.3 support.

Example configuration:

-
federation_client_minimum_tls_version: 1.2
+
federation_client_minimum_tls_version: "1.2"
 

federation_certificate_verification_whitelist

@@ -6109,7 +6127,7 @@ are still valid. Defaults to 1d.

Normally, the connection to the key server is validated via TLS certificates. Additional security can be provided by configuring a verify key, which will make synapse check that the response is signed by that key.

-

This setting supercedes an older setting named perspectives. The old format +

This setting supersedes an older setting named perspectives. The old format is still supported for backwards-compatibility, but it is deprecated.

trusted_key_servers defaults to matrix.org, but using it will generate a warning on start-up. To suppress this warning, set @@ -6595,27 +6613,50 @@ claim MUST contain "admin".

Enable Central Authentication Service (CAS) for registration and login. Has the following sub-options:

    -
  • enabled: Set this to true to enable authorization against a CAS server. -Defaults to false.
  • -
  • idp_name: A user-facing name for this identity provider, which is used to -offer the user a choice of login mechanisms.
  • -
  • idp_icon: An optional icon for this identity provider, which is presented +
  • +

    enabled: Set this to true to enable authorization against a CAS server. +Defaults to false.

    +
  • +
  • +

    idp_name: A user-facing name for this identity provider, which is used to +offer the user a choice of login mechanisms.

    +
  • +
  • +

    idp_icon: An optional icon for this identity provider, which is presented by clients and Synapse's own IdP picker page. If given, must be an MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI is to upload an image to an (unencrypted) room -and then copy the "url" from the source of the event.)

  • -
  • idp_brand: An optional brand for this identity provider, allowing clients +and then copy the "url" from the source of the event.)

    +
  • +
  • +

    idp_brand: An optional brand for this identity provider, allowing clients to style the login flow according to the identity provider in question. -See the spec for possible options here.

  • -
  • server_url: The URL of the CAS authorization endpoint.
  • -
  • protocol_version: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
  • -
  • displayname_attribute: The attribute of the CAS response to use as the display name. -If no name is given here, no displayname will be set.
  • -
  • required_attributes: It is possible to configure Synapse to only allow logins if CAS attributes +See the spec for possible options here.

    +
  • +
  • +

    server_url: The URL of the CAS authorization endpoint.

    +
  • +
  • +

    protocol_version: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").

    +
  • +
  • +

    displayname_attribute: The attribute of the CAS response to use as the display name. +If no name is given here, no displayname will be set.

    +
  • +
  • +

    required_attributes: It is possible to configure Synapse to only allow logins if CAS attributes match particular values. All of the keys given below must exist and the values must match the given value. Alternately if the given value is None then any value is allowed (the attribute just must exist). -All of the listed attributes must match for the login to be permitted.

  • +All of the listed attributes must match for the login to be permitted.

    + +
  • +

    enable_registration: set to 'false' to disable automatic registration of new +users. This allows the CAS SSO flow to be limited to sign in only, rather than +automatically registering users that have a valid SSO login but do not have +a pre-registered account. Defaults to true.

    +

    Added in Synapse 1.93.0.

    +

Example configuration:

cas_config:
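Review bot: the new `enable_registration` sub-option description quotes the value as `'false'` while the neighbouring `enabled` entry says "Set this to true" unquoted and the example that follows writes `enable_registration: true` as a bare YAML boolean; use the unquoted `false` in the description so readers do not copy a quoted string into their config. Since the example only shows the default (`true`), consider showing or mentioning the sign-in-only case the option exists for.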
@@ -6626,6 +6667,7 @@ All of the listed attributes must match for the login to be permitted.
   required_attributes:
     userGroup: "staff"
     department: None
+  enable_registration: true
 

sso

@@ -9254,9 +9296,9 @@ terms and conditions set by the administrator of a server - and blocking access to the server until they have.

There are several parts to this functionality; each requires some specific configuration in homeserver.yaml to be enabled.

-

Note that various parts of the configuation and this document refer to the +

Note that various parts of the configuration and this document refer to the "privacy policy": agreement with a privacy policy is one particular use of this -feature, but of course adminstrators can specify other terms and conditions +feature, but of course administrators can specify other terms and conditions unrelated to "privacy" per se.

Collecting policy agreement from a user

Synapse can be configured to serve the user a simple policy form with an @@ -11122,6 +11164,7 @@ information.

^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ ^/_matrix/client/(r0|v3|unstable)/capabilities$ +^/_matrix/client/(r0|v3|unstable)/notifications$ # Encryption requests ^/_matrix/client/(r0|v3|unstable)/keys/query$ @@ -13837,7 +13880,8 @@ for a server admin: see A "external_id": "<user_id_provider_2>" } ], - "user_type": null + "user_type": null, + "locked": false }

URL parameters:

@@ -13878,7 +13922,8 @@ specific user_id.

], "admin": false, "deactivated": false, - "user_type": null + "user_type": null, + "locked": false }

Returns HTTP status code:

@@ -13977,7 +14022,8 @@ By default, the response is ordered by ascending user ID.

"shadow_banned": 0, "displayname": "<User One>", "avatar_url": null, - "creation_ts": 1560432668000 + "creation_ts": 1560432668000, + "locked": false }, { "name": "<user_id2>", "is_guest": 0, @@ -13988,7 +14034,8 @@ By default, the response is ordered by ascending user ID.

"shadow_banned": 0, "displayname": "<User Two>", "avatar_url": "<avatar_url>", - "creation_ts": 1561550621000 + "creation_ts": 1561550621000, + "locked": false } ], "next_token": "100", @@ -14058,6 +14105,10 @@ Setting this value to b will reverse the above sort order. Defaults Can be provided multiple times. Possible values are bot, support or "empty string". "empty string" here means to exclude users without a type.

+
  • +

    locked - string representing a bool - Is optional and if true will include locked users. +Defaults to false to exclude locked users. Note: Introduced in v1.93.

    +
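Review bot: the new `locked` query parameter is described as a "string representing a bool" without saying which strings are accepted (presumably `true`/`false`); the description should name them, and the version note "Note: Introduced in v1.93." differs from the "Added in Synapse 1.93.0." wording used for the CAS sub-option elsewhere in this same patch, so pick one form.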
  • Caution. The database only has indexes on the columns name and creation_ts. This means that if a different sort order is used (is_guest, admin, @@ -14082,6 +14133,7 @@ This allows user type specific behaviour. There are also types supportavatar_url - string - The user's avatar URL if they have set one.

  • creation_ts - integer - The user's creation timestamp in ms.
  • last_seen_ts - integer - The user's last activity timestamp in ms.
  • +
  • locked - bool - Status if that user has been marked as locked. Note: Introduced in v1.93.
  • @@ -14091,6 +14143,7 @@ This allows user type specific behaviour. There are also types supporttotal - integer - Total number of media.

  • +

    Added in Synapse 1.93: the locked query parameter and response field.

    Query current sessions for a user

    This API returns information about the active sessions for a specific user.

    The endpoints are:

    @@ -14981,7 +15034,7 @@ Destination objects contain the following fields: remote server, in ms. This is 0 if the last attempt to communicate with the remote server was successful.
  • retry_interval - integer - How long since the last time Synapse tried to reach -the remote server before trying again, in ms. This is 0 if no further retrying occuring.
  • +the remote server before trying again, in ms. This is 0 if no further retrying occurring.
  • failure_ts - nullable integer - The first time Synapse tried and failed to reach the remote server, in ms. This is null if communication with the remote server has never failed.
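Review bot: the hunk fixes "occuring" but the sentence is still ungrammatical: "This is 0 if no further retrying occurring." needs a verb, so it should read "This is 0 if no further retrying is occurring." (or "if no further retries are scheduled").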
  • last_successful_stream_ordering - nullable integer - The stream ordering of the most @@ -16223,7 +16276,7 @@ useful to reproduce this locally.

    Using Docker

    The easiest way to do so is to run Postgres via a docker container. In one terminal:

    -
    docker run --rm -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_USER=postgres -e POSTGRES_DB=postgress -p 5432:5432 postgres:14
    +
    docker run --rm -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_USER=postgres -e POSTGRES_DB=postgres -p 5432:5432 postgres:14
     

    If you see an error like

    docker: Error response from daemon: driver failed programming external connectivity on endpoint nice_ride (b57bbe2e251b70015518d00c9981e8cb8346b5c785250341a6c53e3c899875f1): Error starting userland proxy: listen tcp4 0.0.0.0:5432: bind: address already in use.
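Review bot: beyond the `postgress` -> `postgres` fix, the `docker run` line publishes the test database with `-p 5432:5432`, which binds on all interfaces (the quoted error message itself shows `listen tcp4 0.0.0.0:5432`), while the container uses the well-known `mysecretpassword`; suggest `-p 127.0.0.1:5432:5432` so a developer's throwaway Postgres is not reachable from the local network.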
    @@ -17732,7 +17785,7 @@ blocking operation, and returns an awaitable:

    So we have stopped processing the request (and will probably go on to start processing the next), without clearing the logcontext.

    To circumvent this problem, synapse code assumes that, wherever you have -an awaitable, you will want to await it. To that end, whereever +an awaitable, you will want to await it. To that end, wherever functions return awaitables, we adopt the following conventions:

    Rules for functions returning awaitables:

    @@ -18147,7 +18200,7 @@ noted when manually using the protocol:

    been disabled on the main process.
  • The server will only time connections out that have sent a PING command. If a ping is sent then the connection will be closed if no -further commands are receieved within 15s. Both the client and +further commands are received within 15s. Both the client and server protocol implementations will send an initial PING on connection and ensure at least one command every 5s is sent (not necessarily PING).
  • @@ -18218,7 +18271,7 @@ received for each stream so that on reconnection it can start streaming from the correct place. Note: not all RDATA have valid tokens due to batching. See RdataCommand for more details.

    Example

    -

    An example iteraction is shown below. Each line is prefixed with '>' +

    An example interaction is shown below. Each line is prefixed with '>' or '<' to indicate which side is sending, these are not included on the wire:

    * connection established *
    @@ -18546,7 +18599,7 @@ But don't want to send out sensitive data in other HS's events in this way.

    Suppose we discover after resync that we shouldn't have sent out one our events (not a prev_event) to a target HS. Not much we can do. What about if we didn't send them an event but shouldn't've? E.g. what if someone joined from a new HS shortly after you did? We wouldn't talk to them. -Could imagine sending out the "Missed" events after the resync but... painful to work out what they shuld have seen if they joined/left. +Could imagine sending out the "Missed" events after the resync but... painful to work out what they should have seen if they joined/left. Instead, just send them the latest event (if they're still in the room after resync) and let them backfill.(?)

    • Don't do this currently.
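Review bot: the hunk corrects "shuld" but leaves another slip two lines earlier in the same paragraph: "we shouldn't have sent out one our events" is missing "of" ("one of our events"); worth fixing in the same pass.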