From fd4070a85dc4ece77f2427b586c18bb1f4a04197 Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Tue, 11 Dec 2018 04:14:34 +1100 Subject: import from package-debian-synapse --- debian/homeserver.yaml | 621 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 621 insertions(+) create mode 100644 debian/homeserver.yaml (limited to 'debian/homeserver.yaml')
diff --git a/debian/homeserver.yaml b/debian/homeserver.yaml
new file mode 100644
index 0000000000..04ece25d49
--- /dev/null
+++ b/debian/homeserver.yaml
@@ -0,0 +1,621 @@
+# vim:ft=yaml
+# PEM encoded X509 certificate for TLS.
+# You can replace the self-signed certificate that synapse
+# autogenerates on launch with your own SSL certificate + key pair
+# if you like. Any required intermediary certificates can be
+# appended after the primary certificate in hierarchical order.
+tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
+
+# PEM encoded private key for TLS
+tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
+
+# PEM dh parameters for ephemeral keys
+tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
+
+# Don't bind to the https port
+no_tls: False
+
+# List of allowed TLS fingerprints for this server to publish along
+# with the signing keys for this server. Other matrix servers that
+# make HTTPS requests to this server will check that the TLS
+# certificates returned by this server match one of the fingerprints.
+#
+# Synapse automatically adds the fingerprint of its own certificate
+# to the list. So if federation traffic is handled directly by synapse
+# then no modification to the list is required.
+#
+# If synapse is run behind a load balancer that handles the TLS then it
+# will be necessary to add the fingerprints of the certificates used by
+# the loadbalancers to this list if they are different to the one
+# synapse is using.
+#
+# Homeservers are permitted to cache the list of TLS fingerprints
+# returned in the key responses up to the "valid_until_ts" returned in
+# key. It may be necessary to publish the fingerprints of a new
+# certificate and wait until the "valid_until_ts" of the previous key
+# responses have passed before deploying it.
+#
+# You can calculate a fingerprint from a given TLS listener via:
+# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
+# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
+# or by checking matrix.org/federationtester/api/report?server_name=$host
+#
+tls_fingerprints: []
+# tls_fingerprints: [{"sha256": ""}]
+
+
+## Server ##
+
+# When running as a daemon, the file to store the pid in
+pid_file: "/var/run/matrix-synapse.pid"
+
+# CPU affinity mask. Setting this restricts the CPUs on which the
+# process will be scheduled. It is represented as a bitmask, with the
+# lowest order bit corresponding to the first logical CPU and the
+# highest order bit corresponding to the last logical CPU. Not all CPUs
+# may exist on a given system but a mask may specify more CPUs than are
+# present.
+#
+# For example:
+# 0x00000001 is processor #0,
+# 0x00000003 is processors #0 and #1,
+# 0xFFFFFFFF is all processors (#0 through #31).
+#
+# Pinning a Python process to a single CPU is desirable, because Python
+# is inherently single-threaded due to the GIL, and can suffer a
+# 30-40% slowdown due to cache blow-out and thread context switching
+# if the scheduler happens to schedule the underlying threads across
+# different cores. See
+# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
+#
+# cpu_affinity: 0xFFFFFFFF
+
+# Whether to serve a web client from the HTTP/HTTPS root resource.
+web_client: False
+
+# The root directory to server for the above web client.
+# If left undefined, synapse will serve the matrix-angular-sdk web client.
+# Make sure matrix-angular-sdk is installed with pip if web_client is True
+# and web_client_location is undefined
+# web_client_location: "/path/to/web/root"
+
+# The public-facing base URL for the client API (not including _matrix/...)
+# public_baseurl: https://example.com:8448/
+
+# Set the soft limit on the number of file descriptors synapse can use
+# Zero is used to indicate synapse should set the soft limit to the
+# hard limit.
+soft_file_limit: 0
+
+# The GC threshold parameters to pass to `gc.set_threshold`, if defined
+# gc_thresholds: [700, 10, 10]
+
+# Set the limit on the returned events in the timeline in the get
+# and sync operations. The default value is -1, means no upper limit.
+# filter_timeline_limit: 5000
+
+# Whether room invites to users on this server should be blocked
+# (except those sent by local server admins). The default is False.
+# block_non_admin_invites: True
+
+# Restrict federation to the following whitelist of domains.
+# N.B. we recommend also firewalling your federation listener to limit
+# inbound federation traffic as early as possible, rather than relying
+# purely on this application-layer restriction. If not specified, the
+# default is to whitelist everything.
+#
+# federation_domain_whitelist:
+# - lon.example.com
+# - nyc.example.com
+# - syd.example.com
+
+# List of ports that Synapse should listen on, their purpose and their
+# configuration.
+listeners:
+ # Main HTTPS listener
+ # For when matrix traffic is sent directly to synapse.
+ -
+ # The port to listen for HTTPS requests on.
+ port: 8448
+
+ # Local addresses to listen on.
+ # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
+ # addresses by default. For most other OSes, this will only listen
+ # on IPv6.
+ bind_addresses:
+ - '::'
+ - '0.0.0.0'
+
+ # This is a 'http' listener, allows us to specify 'resources'.
+ type: http
+
+ tls: true
+
+ # Use the X-Forwarded-For (XFF) header as the client IP and not the
+ # actual client IP.
+ x_forwarded: false
+
+ # List of HTTP resources to serve on this listener.
+ resources:
+ -
+ # List of resources to host on this listener.
+ names:
+ - client # The client-server APIs, both v1 and v2
+ - webclient # The bundled webclient.
+
+ # Should synapse compress HTTP responses to clients that support it?
+ # This should be disabled if running synapse behind a load balancer
+ # that can do automatic compression.
+ compress: true
+
+ - names: [federation] # Federation APIs
+ compress: false
+
+ # optional list of additional endpoints which can be loaded via
+ # dynamic modules
+ # additional_resources:
+ # "/_matrix/my/custom/endpoint":
+ # module: my_module.CustomRequestHandler
+ # config: {}
+
+ # Unsecure HTTP listener,
+ # For when matrix traffic passes through loadbalancer that unwraps TLS.
+ - port: 8008
+ tls: false
+ bind_addresses: ['::', '0.0.0.0']
+ type: http
+
+ x_forwarded: false
+
+ resources:
+ - names: [client, webclient]
+ compress: true
+ - names: [federation]
+ compress: false
+
+ # Turn on the twisted ssh manhole service on localhost on the given
+ # port.
+ # - port: 9000
+ # bind_addresses: ['::1', '127.0.0.1']
+ # type: manhole
+
+
+# Database configuration
+database:
+ # The database engine name
+ name: "sqlite3"
+ # Arguments to pass to the engine
+ args:
+ # Path to the database
+ database: "/var/lib/matrix-synapse/homeserver.db"
+
+# Number of events to cache in memory.
+event_cache_size: "10K"
+
+
+# A yaml python logging config file
+log_config: "/etc/matrix-synapse/log.yaml"
+
+
+
+## Ratelimiting ##
+
+# Number of messages a client can send per second
+rc_messages_per_second: 0.2
+
+# Number of message a client can send before being throttled
+rc_message_burst_count: 10.0
+
+# The federation window size in milliseconds
+federation_rc_window_size: 1000
+
+# The number of federation requests from a single server in a window
+# before the server will delay processing the request.
+federation_rc_sleep_limit: 10
+
+# The duration in milliseconds to delay processing events from
+# remote servers by if they go over the sleep limit.
+federation_rc_sleep_delay: 500
+
+# The maximum number of concurrent federation requests allowed
+# from a single server
+federation_rc_reject_limit: 50
+
+# The number of federation requests to concurrently process from a
+# single server
+federation_rc_concurrent: 3
+
+
+
+# Directory where uploaded images and attachments are stored.
+media_store_path: "/var/lib/matrix-synapse/media"
+
+# Media storage providers allow media to be stored in different
+# locations.
+# media_storage_providers:
+# - module: file_system
+# # Whether to write new local files.
+# store_local: false
+# # Whether to write new remote media
+# store_remote: false
+# # Whether to block upload requests waiting for write to this
+# # provider to complete
+# store_synchronous: false
+# config:
+# directory: /mnt/some/other/directory
+
+# Directory where in-progress uploads are stored.
+uploads_path: "/var/lib/matrix-synapse/uploads"
+
+# The largest allowed upload size in bytes
+max_upload_size: "10M"
+
+# Maximum number of pixels that will be thumbnailed
+max_image_pixels: "32M"
+
+# Whether to generate new thumbnails on the fly to precisely match
+# the resolution requested by the client. If true then whenever
+# a new resolution is requested by the client the server will
+# generate a new thumbnail. If false the server will pick a thumbnail
+# from a precalculated list.
+dynamic_thumbnails: false
+
+# List of thumbnail to precalculate when an image is uploaded.
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+# Is the preview URL API enabled? If enabled, you *must* specify
+# an explicit url_preview_ip_range_blacklist of IPs that the spider is
+# denied from accessing.
+url_preview_enabled: False
+
+# List of IP address CIDR ranges that the URL preview spider is denied
+# from accessing. There are no defaults: you must explicitly
+# specify a list for URL previewing to work. You should specify any
+# internal services in your network that you do not want synapse to try
+# to connect to, otherwise anyone in any Matrix room could cause your
+# synapse to issue arbitrary GET requests to your internal services,
+# causing serious security issues.
+#
+# url_preview_ip_range_blacklist:
+# - '127.0.0.0/8'
+# - '10.0.0.0/8'
+# - '172.16.0.0/12'
+# - '192.168.0.0/16'
+# - '100.64.0.0/10'
+# - '169.254.0.0/16'
+#
+# List of IP address CIDR ranges that the URL preview spider is allowed
+# to access even if they are specified in url_preview_ip_range_blacklist.
+# This is useful for specifying exceptions to wide-ranging blacklisted
+# target IP ranges - e.g. for enabling URL previews for a specific private
+# website only visible in your network.
+#
+# url_preview_ip_range_whitelist:
+# - '192.168.1.1'
+
+# Optional list of URL matches that the URL preview spider is
+# denied from accessing. You should use url_preview_ip_range_blacklist
+# in preference to this, otherwise someone could define a public DNS
+# entry that points to a private IP address and circumvent the blacklist.
+# This is more useful if you know there is an entire shape of URL that
+# you know that will never want synapse to try to spider.
+#
+# Each list entry is a dictionary of url component attributes as returned
+# by urlparse.urlsplit as applied to the absolute form of the URL. See
+# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
+# The values of the dictionary are treated as an filename match pattern
+# applied to that component of URLs, unless they start with a ^ in which
+# case they are treated as a regular expression match. If all the
+# specified component matches for a given list item succeed, the URL is
+# blacklisted.
+#
+# url_preview_url_blacklist:
+# # blacklist any URL with a username in its URI
+# - username: '*'
+#
+# # blacklist all *.google.com URLs
+# - netloc: 'google.com'
+# - netloc: '*.google.com'
+#
+# # blacklist all plain HTTP URLs
+# - scheme: 'http'
+#
+# # blacklist http(s)://www.acme.com/foo
+# - netloc: 'www.acme.com'
+# path: '/foo'
+#
+# # blacklist any URL with a literal IPv4 address
+# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+
+# The largest allowed URL preview spidering size in bytes
+max_spider_size: "10M"
+
+
+
+
+## Captcha ##
+# See docs/CAPTCHA_SETUP for full details of configuring this.
+
+# This Home Server's ReCAPTCHA public key.
+recaptcha_public_key: "YOUR_PUBLIC_KEY"
+
+# This Home Server's ReCAPTCHA private key.
+recaptcha_private_key: "YOUR_PRIVATE_KEY"
+
+# Enables ReCaptcha checks when registering, preventing signup
+# unless a captcha is answered. Requires a valid ReCaptcha
+# public/private key.
+enable_registration_captcha: False
+
+# A secret key used to bypass the captcha test entirely.
+#captcha_bypass_secret: "YOUR_SECRET_HERE"
+
+# The API endpoint to use for verifying m.login.recaptcha responses.
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+
+
+## Turn ##
+
+# The public URIs of the TURN server to give to clients
+turn_uris: []
+
+# The shared secret used to compute passwords for the TURN server
+turn_shared_secret: "YOUR_SHARED_SECRET"
+
+# The Username and password if the TURN server needs them and
+# does not use a token
+#turn_username: "TURNSERVER_USERNAME"
+#turn_password: "TURNSERVER_PASSWORD"
+
+# How long generated TURN credentials last
+turn_user_lifetime: "1h"
+
+# Whether guests should be allowed to use the TURN server.
+# This defaults to True, otherwise VoIP will be unreliable for guests.
+# However, it does introduce a slight security risk as it allows users to
+# connect to arbitrary endpoints without having first signed up for a
+# valid account (e.g. by passing a CAPTCHA).
+turn_allow_guests: False
+
+
+## Registration ##
+
+# Enable registration for new users.
+enable_registration: False
+
+# The user must provide all of the below types of 3PID when registering.
+#
+# registrations_require_3pid:
+# - email
+# - msisdn
+
+# Mandate that users are only allowed to associate certain formats of
+# 3PIDs with accounts on this server.
+#
+# allowed_local_3pids:
+# - medium: email
+# pattern: ".*@matrix\.org"
+# - medium: email
+# pattern: ".*@vector\.im"
+# - medium: msisdn
+# pattern: "\+44"
+
+# If set, allows registration by anyone who also has the shared
+# secret, even if registration is otherwise disabled.
+# registration_shared_secret:
+
+# Set the number of bcrypt rounds used to generate password hash.
+# Larger numbers increase the work factor needed to generate the hash.
+# The default number is 12 (which equates to 2^12 rounds).
+# N.B. that increasing this will exponentially increase the time required
+# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
+bcrypt_rounds: 12
+
+# Allows users to register as guests without a password/email/etc, and
+# participate in rooms hosted on this server which have been made
+# accessible to anonymous users.
+allow_guest_access: False
+
+# The list of identity servers trusted to verify third party
+# identifiers by this server.
+trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+ - riot.im
+
+# Users who register on this homeserver will automatically be joined
+# to these rooms
+#auto_join_rooms:
+# - "#example:example.com"
+
+
+## Metrics ###
+
+# Enable collection and rendering of performance metrics
+enable_metrics: False
+
+## API Configuration ##
+
+# A list of event types that will be included in the room_invite_state
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+
+
+# A list of application service config file to use
+app_service_config_files: []
+
+
+# macaroon_secret_key:
+
+# Used to enable access token expiration.
+expire_access_token: False
+
+## Signing Keys ##
+
+# Path to the signing key to sign messages with
+signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
+
+# The keys that the server used to sign messages with but won't use
+# to sign new messages. E.g. it has lost its private key
+old_signing_keys: {}
+# "ed25519:auto":
+# # Base64 encoded public key
+# key: "The public part of your old signing key."
+# # Millisecond POSIX timestamp when the key expired.
+# expired_ts: 123456789123
+
+# How long key response published by this server is valid for.
+# Used to set the valid_until_ts in /key/v2 APIs.
+# Determines how quickly servers will query to check which keys
+# are still valid.
+key_refresh_interval: "1d" # 1 Day.
+
+# The trusted servers to download signing keys from.
+perspectives:
+ servers:
+ "matrix.org":
+ verify_keys:
+ "ed25519:auto":
+ key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+
+
+# Enable SAML2 for registration and login. Uses pysaml2
+# config_path: Path to the sp_conf.py configuration file
+# idp_redirect_url: Identity provider URL which will redirect
+# the user back to /login/saml2 with proper info.
+# See pysaml2 docs for format of config.
+#saml2_config:
+# enabled: true
+# config_path: "/home/erikj/git/synapse/sp_conf.py"
+# idp_redirect_url: "http://test/idp"
+
+
+
+# Enable CAS for registration and login.
+#cas_config:
+# enabled: true
+# server_url: "https://cas-server.com"
+# service_url: "https://homeserver.domain.com:8448"
+# #required_attributes:
+# # name: value
+
+
+# The JWT needs to contain a globally unique "sub" (subject) claim.
+#
+# jwt_config:
+# enabled: true
+# secret: "a secret"
+# algorithm: "HS256"
+
+
+
+# Enable password for login.
+password_config:
+ enabled: true
+ # Uncomment and change to a secret random string for extra security.
+ # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+ #pepper: ""
+
+
+
+# Enable sending emails for notification events
+# Defining a custom URL for Riot is only needed if email notifications
+# should contain links to a self-hosted installation of Riot; when set
+# the "app_name" setting is ignored.
+#
+# If your SMTP server requires authentication, the optional smtp_user &
+# smtp_pass variables should be used
+#
+#email:
+# enable_notifs: false
+# smtp_host: "localhost"
+# smtp_port: 25
+# smtp_user: "exampleusername"
+# smtp_pass: "examplepassword"
+# require_transport_security: False
+# notif_from: "Your Friendly %(app)s Home Server "
+# app_name: Matrix
+# template_dir: res/templates
+# notif_template_html: notif_mail.html
+# notif_template_text: notif_mail.txt
+# notif_for_new_users: True
+# riot_base_url: "http://localhost/riot"
+
+
+# password_providers:
+# - module: "ldap_auth_provider.LdapAuthProvider"
+# config:
+# enabled: true
+# uri: "ldap://ldap.example.com:389"
+# start_tls: true
+# base: "ou=users,dc=example,dc=com"
+# attributes:
+# uid: "cn"
+# mail: "email"
+# name: "givenName"
+# #bind_dn:
+# #bind_password:
+# #filter: "(objectClass=posixAccount)"
+
+
+
+# Clients requesting push notifications can either have the body of
+# the message sent in the notification poke along with other details
+# like the sender, or just the event ID and room ID (`event_id_only`).
+# If clients choose the former, this option controls whether the
+# notification request includes the content of the event (other details
+# like the sender are still included). For `event_id_only` push, it
+# has no effect.
+
+# For modern android devices the notification content will still appear
+# because it is loaded by the app. iPhone, however will send a
+# notification saying only that a message arrived and who it came from.
+#
+#push:
+# include_content: true
+
+
+# spam_checker:
+# module: "my_custom_project.SuperSpamChecker"
+# config:
+# example_option: 'things'
+
+
+# Whether to allow non server admins to create groups on this server
+enable_group_creation: false
+
+# If enabled, non server admins can only create groups with local parts
+# starting with this prefix
+# group_creation_prefix: "unofficial/"
+
+
+
+# User Directory configuration
+#
+# 'search_all_users' defines whether to search all users visible to your HS
+# when searching the user directory, rather than limiting to users visible
+# in public rooms. Defaults to false. If you set it True, you'll have to run
+# UPDATE user_directory_stream_pos SET stream_id = NULL;
+# on your database to tell it to rebuild the user_directory search indexes.
+#
+#user_directory:
+# search_all_users: false
-- cgit 1.4.1
From 1a6d5bfa08b4ba618dcab68e4ed524c4db07da2b Mon Sep 17 00:00:00 2001
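Review bot: The second listener (`port: 8008`, `tls: false`) binds to `['::', '0.0.0.0']`, so the plaintext client and federation APIs are reachable on every interface, although its own comment says it exists for traffic arriving from a load balancer that unwraps TLS. For a packaged default I would bind it to loopback, `bind_addresses: ['::1', '127.0.0.1']`, as the commented manhole example in the same list already does, and add a comment beside `x_forwarded: false` that it has to become `true` once a proxy sits in front, since the XFF comment on the 8448 listener implies the logged client IP is otherwise the proxy's. Separately, `recaptcha_private_key` and `turn_shared_secret` ship as live placeholder strings, unlike `registration_shared_secret` and `macaroon_secret_key`, which are left commented out; commenting the placeholders out would keep a publicly known value from staying in an active config.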
From: Richard van der Hoff Date: Thu, 20 Dec 2018 11:33:29 +0000 Subject: Debian packaging via dh_virtualenv (#4285) --- .dockerignore | 2 + .gitignore | 8 +- MANIFEST.in | 1 + changelog.d/4212.misc | 1 + debian/.gitignore | 7 + debian/NEWS | 22 +++ debian/build_virtualenv | 48 ++++++ debian/changelog | 11 ++ debian/control | 92 +++-------- debian/copyright | 2 +- debian/gbp.conf | 5 - debian/homeserver.yaml | 10 +- debian/matrix-synapse-py3.links | 4 + debian/matrix-synapse-py3.postinst | 39 +++++ debian/matrix-synapse-py3.preinst | 31 ++++ debian/matrix-synapse-py3.triggers | 9 + debian/matrix-synapse.init | 184 --------------------- debian/matrix-synapse.service | 4 +- debian/patches/0001-tox.patch | 19 --- debian/patches/0002-change_instructions.patch | 34 ---- debian/patches/0004-webclient-instructions.patch | 27 --- ...n-t-require-strict-nacl-0.3.0-requirement.patch | 21 --- debian/patches/bcrypt.patch | 30 ---- debian/patches/no_install_with_pip | 43 ----- debian/patches/remove-webclient.patch | 31 ---- debian/patches/series | 7 - debian/postinst | 39 ----- debian/pydist-overrides | 5 - debian/rules | 28 ++-- debian/source/format | 2 +- debian/watch | 11 -- docker/Dockerfile-dhvirtualenv | 35 ++++ docker/build_debian.sh | 41 +++++ docker/build_debian_packages.sh | 39 +++++ synapse/python_dependencies.py | 2 +- synapse/storage/e2e_room_keys.py | 2 +- tox.ini | 1 + 37 files changed, 349 insertions(+), 548 deletions(-) create mode 100644 changelog.d/4212.misc create mode 100644 debian/.gitignore create mode 100644 debian/NEWS create mode 100755 debian/build_virtualenv delete mode 100644 debian/gbp.conf create mode 100644 debian/matrix-synapse-py3.links create mode 100644 debian/matrix-synapse-py3.postinst create mode 100644 debian/matrix-synapse-py3.preinst create mode 100644 debian/matrix-synapse-py3.triggers delete mode 100755 debian/matrix-synapse.init delete mode 100644 debian/patches/0001-tox.patch delete mode 100644 
debian/patches/0002-change_instructions.patch delete mode 100644 debian/patches/0004-webclient-instructions.patch delete mode 100644 debian/patches/0006-Don-t-require-strict-nacl-0.3.0-requirement.patch delete mode 100644 debian/patches/bcrypt.patch delete mode 100644 debian/patches/no_install_with_pip delete mode 100644 debian/patches/remove-webclient.patch delete mode 100644 debian/patches/series delete mode 100755 debian/postinst delete mode 100644 debian/pydist-overrides delete mode 100644 debian/watch create mode 100644 docker/Dockerfile-dhvirtualenv create mode 100644 docker/build_debian.sh create mode 100755 docker/build_debian_packages.sh (limited to 'debian/homeserver.yaml') diff --git a/.dockerignore b/.dockerignore index 0180602e56..3c3996eb4c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -5,3 +5,5 @@ demo/etc tox.ini .git/* .tox/* +debian/matrix-synapse/ +debian/matrix-synapse-*/ diff --git a/.gitignore b/.gitignore index 3b2252ad8a..1b632646bb 100644 --- a/.gitignore +++ b/.gitignore @@ -18,7 +18,7 @@ homeserver*.db homeserver*.log homeserver*.log.* homeserver*.pid -homeserver*.yaml +/homeserver*.yaml *.signing.key *.tls.crt @@ -26,6 +26,8 @@ homeserver*.yaml *.tls.key .coverage +.coverage.* +!.coverage.rc htmlcov demo/*/*.db @@ -57,3 +59,7 @@ env/ .vscode/ .ropeproject/ + +*.deb + +/debs diff --git a/MANIFEST.in b/MANIFEST.in index ec18819bc9..29303cc8b5 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -36,6 +36,7 @@ prune demo/etc prune docker prune .circleci prune .coveragerc +prune debian exclude jenkins* recursive-exclude jenkins *.sh diff --git a/changelog.d/4212.misc b/changelog.d/4212.misc new file mode 100644 index 0000000000..42f2546cf9 --- /dev/null +++ b/changelog.d/4212.misc @@ -0,0 +1 @@ +Debian packages utilising a virtualenv with bundled dependencies can now be built. diff --git a/debian/.gitignore b/debian/.gitignore new file mode 100644 index 0000000000..f027374ae2 --- /dev/null +++ b/debian/.gitignore 
@@ -0,0 +1,7 @@
+/matrix-synapse-py3.*.debhelper
+/matrix-synapse-py3.debhelper.log
+/matrix-synapse-py3.substvars
+/matrix-synapse-*/
+/files
+/debhelper-build-stamp
+/.debhelper
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000000..367e08f851
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,22 @@
+matrix-synapse-py3 (0.34.0) stable; urgency=medium
+
+ matrix-synapse-py3 is intended as a drop-in replacement for the existing
+ matrix-synapse package. The replacement should be relatively seamless,
+ however, please note the following important differences to matrix-synapse:
+
+ * Most importantly, the matrix-synapse service now runs under Python 3 rather
+ than Python 2.7.
+
+ * Synapse is installed into its own virtualenv (in /opt/venvs/matrix-synapse)
+ instead of using the system python libraries. (This may mean that you can
+ remove a number of old dependencies with `apt-get autoremove`).
+
+ matrix-synapse-py3 will take over responsibility for the existing
+ configuration files, including the matrix-synapse systemd service.
+
+ Beware, however, that `apt-get purge matrix-synapse` will *disable* the
+ matrix-synapse service (so that it will not be started on reboot), even
+ though that service is no longer being provided by the matrix-synapse
+ package. It can be re-enabled with `systemctl enable matrix-synapse`.
+
+ -- Richard van der Hoff Wed, 19 Dec 2018 14:00:00 +0000
diff --git a/debian/build_virtualenv b/debian/build_virtualenv
new file mode 100755
index 0000000000..61ffb13192
--- /dev/null
+++ b/debian/build_virtualenv
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# runs dh_virtualenv to build the virtualenv in the build directory,
+# and then runs the trial tests against the installed synapse.
+
+set -e
+
+export DH_VIRTUALENV_INSTALL_ROOT=/opt/venvs
+SNAKE=/usr/bin/python3
+
+# try to set the CFLAGS so any compiled C extensions are compiled with the most
+# generic as possible x64 instructions, so that compiling it on a new Intel chip
+# doesn't enable features not available on older ones or AMD.
+#
+# TODO: add similar things for non-amd64, or figure out a more generic way to
+# do this.
+
+case `dpkg-architecture -q DEB_HOST_ARCH` in
+ amd64)
+ export CFLAGS=-march=x86-64
+ ;;
+esac
+
+# Use --builtin-venv to use the better `venv` module from CPython 3.4+ rather
+# than the 2/3 compatible `virtualenv`.
+
+dh_virtualenv \
+ --install-suffix "matrix-synapse" \
+ --builtin-venv \
+ --setuptools \
+ --python "$SNAKE" \
+ --upgrade-pip \
+ --preinstall="lxml" \
+ --preinstall="mock" \
+ --extra-pip-arg="--no-cache-dir" \
+ --extra-pip-arg="--compile"
+
+# we copy the tests to a temporary directory so that we can put them on the
+# PYTHONPATH without putting the uninstalled synapse on the pythonpath.
+tmpdir=`mktemp -d`
+trap "rm -r $tmpdir" EXIT
+
+cp -r tests "$tmpdir"
+cd debian/matrix-synapse-py3
+
+PYTHONPATH="$tmpdir" \
+ ./opt/venvs/matrix-synapse/bin/python \
+ -B -m twisted.trial --reporter=text -j2 tests
diff --git a/debian/changelog b/debian/changelog
index 20167978cf..040c8e7cd3 100644
--- a/debian/changelog
+++ b/debian/changelog
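Review bot: The `dh_virtualenv` call pulls its packages at build time with no version pins or hashes visible in this script (`--upgrade-pip`, `--preinstall="lxml"`, `--preinstall="mock"`), so two builds of the same source tree can bundle different code and nothing checks what was downloaded. Installing from a fully pinned requirements file with pip's `--require-hashes` (passed through `--extra-pip-arg`) would make the contents of the .deb reproducible and reviewable; if that is deferred, a comment above the call should say the dependency set is whatever the index serves on build day. A smaller point on the cleanup line: `trap "rm -r $tmpdir" EXIT` expands `$tmpdir` unquoted at the moment the trap is installed, and `trap 'rm -rf -- "$tmpdir"' EXIT` is the safer form.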
@@ -1,3 +1,14 @@ +matrix-synapse-py3 (0.34.0) stable; urgency=medium + + * New synapse release 0.34.0. + * Synapse is now installed into a Python 3 virtual environment with + up-to-date dependencies. + * The matrix-synapse service will now be restarted when the package is + upgraded. + (Fixes https://github.com/matrix-org/package-synapse-debian/issues/18) + + -- Synapse packaging team Wed, 19 Dec 2018 14:00:00 +0000 + matrix-synapse (0.33.9-1matrix1) stretch; urgency=medium [ Erik Johnston ] diff --git a/debian/control b/debian/control index 854d9688f3..552a81dcb0 100644 --- a/debian/control +++ b/debian/control 
@@ -1,77 +1,37 @@ -Source: matrix-synapse -Maintainer: Erik Johnston -Section: python -Priority: optional +Source: matrix-synapse-py3 +Section: contrib/python +Priority: extra +Maintainer: Synapse Packaging team Build-Depends: debhelper (>= 9), - dh-python, - dh-systemd (>= 1.5), - po-debconf, - python (>= 2.6.6-3), - python-bcrypt, - python-blist, - python-canonicaljson (>=1.1.3), - python-daemonize, - python-frozendict (>= 0.4), - python-lxml, - python-mock, - python-msgpack (>=0.3.0), - python-nacl (>= 0.3.0), - python-netaddr, - python-openssl (>= 0.14), - python-pil, - python-psutil, - python-pyasn1, - python-pydenticon, - python-pymacaroons-pynacl, - python-pysaml2, - python-service-identity (>= 1.0.0), - python-setuptools (>= 0.6b3), - python-signedjson (>= 1.0.0), - python-sortedcontainers, - python-syutil (>= 0.0.7), - python-treq (>= 15.1.0), - python-twisted (>= 17.1.0), - python-unpaddedbase64 (>= 1.0.1), - python-yaml, - python-phonenumbers (>= 8.2.0), - python-jsonschema (>=2.5.1), - python-prometheus-client, - python-attr -Standards-Version: 3.9.8 -X-Python-Version: >= 2.7 + dh-systemd, + dh-virtualenv (>= 1.0), + lsb-release, + python3-dev, + python3, + python3-setuptools, + python3-pip, + python3-venv, + tar, +Standards-Version: 3.9.5 +Homepage: https://github.com/matrix-org/synapse -Package: matrix-synapse -Architecture: all +Package: matrix-synapse-py3 +Architecture: amd64 +Conflicts: matrix-synapse +Pre-Depends: dpkg (>= 1.16.1) Depends: - ${misc:Depends}, - ${python:Depends}, adduser, debconf, - lsb-base (>= 3.0-6), - python-attr (>= 16.0.0), - python-twisted (>= 17.1.0), - python-canonicaljson (>=1.1.3), - python-prometheus-client (>=0.0.14), + python3-distutils|libpython3-stdlib (<< 3.6), + python3, + ${misc:Depends}, +# some of our scripts use perl, but none of them are important, +# so we put perl:Depends in Suggests rather than Depends. 
Suggests: - python-bleach (>= 1.4.2), - python-jinja2 (>= 2.8), -Recommends: - python-psycopg2, - python-lxml, + sqlite3, + ${perl:Depends}, Description: Open federated Instant Messaging and VoIP server Matrix is an ambitious new ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference Matrix server implementation. - . - Everything in Matrix happens in a room. Rooms are distributed and do - not exist on any single server. Rooms can be located using - convenience aliases like #matrix:matrix.org or #test:localhost:8448. - . - Matrix user IDs look like @matthew:matrix.org (although in the future - you will normally refer to yourself and others using a 3PID: email - address, phone number, etc rather than manipulating Matrix user IDs) - . - The overall architecture is: - client <------> homeserver <=============> homeserver <------> client - https://a.org/_matrix https://b.net/_matrix diff --git a/debian/copyright b/debian/copyright index 35597e0804..95c21ea12a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Name: synapse Source: https://github.com/matrix-org/synapse Files: * -Copyright: 2014-2017, OpenMarket Ltd +Copyright: 2014-2017, OpenMarket Ltd, 2017-2018 New Vector Ltd License: Apache-2.0 Files: synapse/config/saml2.py diff --git a/debian/gbp.conf b/debian/gbp.conf deleted file mode 100644 index 0432accfa0..0000000000 --- a/debian/gbp.conf +++ /dev/null @@ -1,5 +0,0 @@ -[DEFAULT] -debian-branch = debian - -[dch] -distribution = stable diff --git a/debian/homeserver.yaml b/debian/homeserver.yaml index 04ece25d49..188a2d5483 100644 --- a/debian/homeserver.yaml +++ b/debian/homeserver.yaml 
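Review bot: With the `python-*` entries and `${python:Depends}` removed from `Depends` in debian/control, every Python library now ships inside the virtualenv, so distribution security updates for those libraries no longer reach an installed homeserver and a fix arrives only with a rebuilt matrix-synapse-py3 package. That trade-off should be written down where packagers will see it, for example a comment above `Depends:` such as `# Python dependencies are bundled in the virtualenv; security fixes to them require a new package build.` The switch from `Architecture: all` to `Architecture: amd64` looks intentional given the compiled extensions, but debian/NEWS in this commit does not mention it.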
@@ -70,13 +70,9 @@ pid_file: "/var/run/matrix-synapse.pid" # # cpu_affinity: 0xFFFFFFFF -# Whether to serve a web client from the HTTP/HTTPS root resource. -web_client: False - -# The root directory to server for the above web client. -# If left undefined, synapse will serve the matrix-angular-sdk web client. -# Make sure matrix-angular-sdk is installed with pip if web_client is True -# and web_client_location is undefined +# The path to the web client which will be served at /_matrix/client/ +# if 'webclient' is configured under the 'listeners' configuration. +# # web_client_location: "/path/to/web/root" # The public-facing base URL for the client API (not including _matrix/...) diff --git a/debian/matrix-synapse-py3.links b/debian/matrix-synapse-py3.links new file mode 100644 index 0000000000..bf19efa562 --- /dev/null +++ b/debian/matrix-synapse-py3.links @@ -0,0 +1,4 @@ +opt/venvs/matrix-synapse/bin/hash_password usr/bin/hash_password +opt/venvs/matrix-synapse/bin/register_new_matrix_user usr/bin/register_new_matrix_user +opt/venvs/matrix-synapse/bin/synapse_port_db usr/bin/synapse_port_db +opt/venvs/matrix-synapse/bin/synctl usr/bin/synctl diff --git a/debian/matrix-synapse-py3.postinst b/debian/matrix-synapse-py3.postinst new file mode 100644 index 0000000000..0509acd0a4 --- /dev/null +++ b/debian/matrix-synapse-py3.postinst 
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+CONFIGFILE_SERVERNAME="/etc/matrix-synapse/conf.d/server_name.yaml"
+CONFIGFILE_REPORTSTATS="/etc/matrix-synapse/conf.d/report_stats.yaml"
+USER="matrix-synapse"
+
+case "$1" in
+ configure|reconfigure)
+ # Set server name in config file
+ mkdir -p "/etc/matrix-synapse/conf.d/"
+ db_get matrix-synapse/server-name
+
+ if [ "$RET" ]; then
+ echo "server_name: $RET" > $CONFIGFILE_SERVERNAME
+ fi
+
+ db_get matrix-synapse/report-stats
+ if [ "$RET" ]; then
+ echo "report_stats: $RET" > $CONFIGFILE_REPORTSTATS
+ fi
+
+ if ! getent passwd $USER >/dev/null; then
+ adduser --quiet --system --no-create-home --home /var/lib/matrix-synapse $USER
+ fi
+
+ for DIR in /var/lib/matrix-synapse /var/log/matrix-synapse /etc/matrix-synapse; do
+ if ! dpkg-statoverride --list --quiet $DIR >/dev/null; then
+ dpkg-statoverride --force --quiet --update --add $USER nogroup 0755 $DIR
+ fi
+ done
+
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/matrix-synapse-py3.preinst b/debian/matrix-synapse-py3.preinst
new file mode 100644
index 0000000000..4b5612f050
--- /dev/null
+++ b/debian/matrix-synapse-py3.preinst
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Attempt to undo some of the braindamage caused by
+# https://github.com/matrix-org/package-synapse-debian/issues/18.
+#
+# Due to reasons [1], the old python2 matrix-synapse package will not stop the
+# service when the package is uninstalled. Our maintainer scripts will do the
+# right thing in terms of ensuring the service is enabled and unmasked, but
+# then do a `systemctl start matrix-synapse`, which of course does nothing -
+# leaving the old (py2) service running.
+#
+# There should normally be no reason for the service to be running during our
+# preinst, so we assume that if it *is* running, it's due to that situation,
+# and stop it.
+#
+# [1] dh_systemd_start doesn't do anything because it sees that there is an
+# init.d script with the same name, so leaves it to dh_installinit.
+#
+# dh_installinit doesn't do anything because somebody gave it a --no-start
+# for unknown reasons.
+
+if [ -x /bin/systemctl ]; then
+ if /bin/systemctl --quiet is-active -- matrix-synapse; then
+ echo >&2 "stopping existing matrix-synapse service"
+ /bin/systemctl stop matrix-synapse || true
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/matrix-synapse-py3.triggers b/debian/matrix-synapse-py3.triggers
new file mode 100644
index 0000000000..f8c1fdb021
--- /dev/null
+++ b/debian/matrix-synapse-py3.triggers
@@ -0,0 +1,9 @@
+# Register interest in Python interpreter changes and
+# don't make the Python package dependent on the virtualenv package
+# processing (noawait)
+interest-noawait /usr/bin/python3.5
+interest-noawait /usr/bin/python3.6
+interest-noawait /usr/bin/python3.7
+
+# Also provide a symbolic trigger for all dh-virtualenv packages
+interest dh-virtualenv-interpreter-update
diff --git a/debian/matrix-synapse.init b/debian/matrix-synapse.init
deleted file mode 100755
index 7a9e8b3296..0000000000
--- a/debian/matrix-synapse.init
+++ /dev/null
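Review bot: The stop block in the new preinst runs on every invocation because `$1` is never inspected, so it also fires for `abort-upgrade`, which is not the situation the header comment describes. Wrapping it in `case "$1" in install|upgrade) ... ;; esac` would limit it to the case the comment explains. The `|| true` after `systemctl stop` also hides a failed stop; since the purpose is to avoid leaving the old py2 process running, I'd at least report it, e.g. `/bin/systemctl stop matrix-synapse || echo >&2 "failed to stop matrix-synapse"`.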
@@ -1,184 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: matrix-synapse -# Required-Start: $local_fs $network $remote_fs $syslog -# Required-Stop: $local_fs $network $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: -# Description: -# <...> -# <...> -### END INIT INFO - -# Author: Paul "LeoNerd" Evans - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="matrix-synapse" -NAME=matrix-synapse -SCRIPTNAME=/etc/init.d/$NAME - -PYTHON="/usr/bin/python" -CONFIGS="--config-path /etc/matrix-synapse/homeserver.yaml --config-path /etc/matrix-synapse/conf.d/" -USER="matrix-synapse" -SHAREDIR=/var/lib/$NAME - -# Exit if the package is not installed -[ -f "/etc/matrix-synapse/homeserver.yaml" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -get_config_key() -{ - python -m synapse.config read "$1" $CONFIGS || return 2 -} - -# -# Function that starts the daemon/service -# -do_start() -{ - # Running --generate-config to create keys if any are absent. - # Doesn't matter if not - $PYTHON -m "synapse.app.homeserver" $CONFIGS --generate-keys || return 2 - - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - PIDFILE=`get_config_key "pid_file"` - RETVAL=$? 
- if [ "$RETVAL" != 0 ]; then - return $RETVAL - fi - if [ -r "$PIDFILE" ]; then - kill -0 `cat $PIDFILE` && return 1 - fi - - export PYTHONPATH - - # Create the PID file so that synapse can write to it as nonroot - touch $PIDFILE - chown $USER:nogroup $PIDFILE - chown $USER:nogroup $SHAREDIR/media/ - chown $USER:nogroup $SHAREDIR/uploads/ - - start-stop-daemon --start --pidfile $PIDFILE --chuid $USER \ - --exec $PYTHON -- -m "synapse.app.homeserver" $CONFIGS --daemonize || return 2 - - return 0 -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - PIDFILE=`get_config_key "pid_file"` - RETVAL=$? - if [ "$RETVAL" != 0 ]; then - return $RETVAL - fi - - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --user $USER --exec $PYTHON - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - return 1 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - PIDFILE=`get_config_key "pid_file"` - RETVAL=$? - if [ "$RETVAL" != 0 ]; then - return $RETVAL - fi - status_of_proc -p "$PIDFILE" "$PYTHON" "$NAME" && exit 0 || exit $? 
- ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index ab94e073a6..2e9cd83b5f 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service @@ -6,8 +6,8 @@ Type=simple User=matrix-synapse WorkingDirectory=/var/lib/matrix-synapse EnvironmentFile=/etc/default/matrix-synapse -ExecStartPre=/usr/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys -ExecStart=/usr/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ +ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys +ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ Restart=always RestartSec=3 diff --git a/debian/patches/0001-tox.patch b/debian/patches/0001-tox.patch deleted file mode 100644 index 2cf3ec0fe8..0000000000 
--- a/debian/patches/0001-tox.patch +++ /dev/null @@ -1,19 +0,0 @@ -From: Erik Johnston -Date: Fri, 10 Jun 2016 10:57:07 +0100 -Subject: tox - ---- - tox.ini | 1 + - 1 file changed, 1 insertion(+) - -Index: package-synapse-debian/tox.ini -=================================================================== ---- package-synapse-debian.orig/tox.ini -+++ package-synapse-debian/tox.ini -@@ -1,5 +1,6 @@ - [tox] - envlist = packaging, py27, py36, pep8, check_isort -+sitepackages = True - - [base] - deps = diff --git a/debian/patches/0002-change_instructions.patch b/debian/patches/0002-change_instructions.patch deleted file mode 100644 index 933de3ab94..0000000000 --- a/debian/patches/0002-change_instructions.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Erik Johnston -Date: Fri, 10 Jun 2016 10:57:07 +0100 -Subject: change_instructions - ---- - synapse/config/_base.py | 10 ++++++++++ - 1 file changed, 10 insertions(+) - ---- a/synapse/config/_base.py -+++ b/synapse/config/_base.py -@@ -31,6 +31,11 @@ - MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS = """\ - Please opt in or out of reporting anonymized homeserver usage statistics, by - setting the `report_stats` key in your config file to either True or False. -+ -+To set it run: -+ -+ dpkg-reconfigure matrix-synapse -+ - """ - - MISSING_REPORT_STATS_SPIEL = """\ -@@ -45,6 +50,11 @@ - - MISSING_SERVER_NAME = """\ - Missing mandatory `server_name` config option. -+ -+To set it run: -+ -+ dpkg-reconfigure matrix-synapse -+ - """ - - diff --git a/debian/patches/0004-webclient-instructions.patch b/debian/patches/0004-webclient-instructions.patch deleted file mode 100644 index e2e61a8446..0000000000 --- a/debian/patches/0004-webclient-instructions.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From: Erik Johnston -Date: Fri, 10 Jun 2016 10:57:07 +0100 -Subject: webclient-instructions - ---- - synapse/app/homeserver.py | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -Index: package-synapse-debian/synapse/app/homeserver.py -=================================================================== ---- package-synapse-debian.orig/synapse/app/homeserver.py -+++ package-synapse-debian/synapse/app/homeserver.py -@@ -86,12 +86,11 @@ def build_resource_for_web_client(hs): - "Please either install the matrix-angular-sdk or configure\n" - "the location of the source to serve via the configuration\n" - "option `web_client_location`\n\n" -- "To install the `matrix-angular-sdk` via pip, run:\n\n" -- " pip install '%(dep)s'\n" -+ "To install the `matrix-angular-sdk` via apt-get, run:\n\n" -+ " apt-get install matrix-synapse-angular-client\n" - "\n" - "You can also disable hosting of the webclient via the\n" - "configuration option `web_client`\n" -- % {"dep": CONDITIONAL_REQUIREMENTS["web_client"].keys()[0]} - ) - syweb_path = os.path.dirname(syweb.__file__) - webclient_path = os.path.join(syweb_path, "webclient") diff --git a/debian/patches/0006-Don-t-require-strict-nacl-0.3.0-requirement.patch b/debian/patches/0006-Don-t-require-strict-nacl-0.3.0-requirement.patch deleted file mode 100644 index 8370c96166..0000000000 --- a/debian/patches/0006-Don-t-require-strict-nacl-0.3.0-requirement.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -From: Erik Johnston -Date: Mon, 20 Jun 2016 13:20:37 +0100 -Subject: Don't require strict nacl==0.3.0 requirement - ---- - synapse/python_dependencies.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: package-synapse-debian/synapse/python_dependencies.py -=================================================================== ---- package-synapse-debian.orig/synapse/python_dependencies.py -+++ package-synapse-debian/synapse/python_dependencies.py -@@ -37,7 +37,7 @@ REQUIREMENTS = { - "unpaddedbase64>=1.1.0": ["unpaddedbase64>=1.1.0"], - "canonicaljson>=1.1.3": ["canonicaljson>=1.1.3"], - "signedjson>=1.0.0": ["signedjson>=1.0.0"], -- "pynacl>=1.2.1": ["nacl>=1.2.1", "nacl.bindings"], -+ "pynacl>=0.3.0": ["nacl>=0.3.0", "nacl.bindings"], - "service_identity>=16.0.0": ["service_identity>=16.0.0"], - "Twisted>=17.1.0": ["twisted>=17.1.0"], - "treq>=15.1": ["treq>=15.1"], diff --git a/debian/patches/bcrypt.patch b/debian/patches/bcrypt.patch deleted file mode 100644 index a962949920..0000000000 --- a/debian/patches/bcrypt.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: package-synapse-debian/synapse/handlers/auth.py -=================================================================== ---- package-synapse-debian.orig/synapse/handlers/auth.py -+++ package-synapse-debian/synapse/handlers/auth.py -@@ -921,10 +921,10 @@ class AuthHandler(BaseHandler): - # Normalise the Unicode in the password - pw = unicodedata.normalize("NFKC", password) - -- return bcrypt.checkpw( -+ return bcrypt.hashpw( - pw.encode('utf8') + self.hs.config.password_pepper.encode("utf8"), - stored_hash -- ) -+ ) == stored_hash - - if stored_hash: - if not isinstance(stored_hash, bytes): -Index: package-synapse-debian/synapse/python_dependencies.py -=================================================================== ---- package-synapse-debian.orig/synapse/python_dependencies.py -+++ package-synapse-debian/synapse/python_dependencies.py -@@ -49,7 +49,7 @@ REQUIREMENTS = { - "pyasn1>=0.1.9": ["pyasn1"], - "pyasn1-modules>=0.0.7": ["pyasn1_modules"], - "daemonize>=2.3.1": ["daemonize"], -- "bcrypt>=3.1.0": ["bcrypt>=3.1.0"], -+ "bcrypt": ["bcrypt"], - "pillow>=3.1.2": ["PIL"], - "sortedcontainers>=1.4.4": ["sortedcontainers"], - "psutil>=2.0.0": ["psutil>=2.0.0"], diff --git a/debian/patches/no_install_with_pip b/debian/patches/no_install_with_pip deleted file mode 100644 index 654656f596..0000000000 --- a/debian/patches/no_install_with_pip +++ /dev/null 
@@ -1,43 +0,0 @@ -Index: package-synapse-debian/synapse/app/__init__.py -=================================================================== ---- package-synapse-debian.orig/synapse/app/__init__.py -+++ package-synapse-debian/synapse/app/__init__.py -@@ -25,8 +25,8 @@ try: - except python_dependencies.MissingRequirementError as e: - message = "\n".join([ - "Missing Requirement: %s" % (str(e),), -- "To install run:", -- " pip install --upgrade --force \"%s\"" % (e.dependency,), -+ "To install, try:", -+ " sudo apt-get install python-%s" % (e.dependency,), - "", - ]) - sys.stderr.writelines(message) -Index: package-synapse-debian/synapse/config/jwt_config.py -=================================================================== ---- package-synapse-debian.orig/synapse/config/jwt_config.py -+++ package-synapse-debian/synapse/config/jwt_config.py -@@ -19,7 +19,7 @@ MISSING_JWT = ( - """Missing jwt library. This is required for jwt login. - - Install by running: -- pip install pyjwt -+ sudo apt-get install python-jwt - """ - ) - -Index: package-synapse-debian/synapse/config/repository.py -=================================================================== ---- package-synapse-debian.orig/synapse/config/repository.py -+++ package-synapse-debian/synapse/config/repository.py -@@ -27,9 +27,7 @@ MISSING_LXML = ( - """Missing lxml library. This is required for URL preview API. - - Install by running: -- pip install lxml -- -- Requires libxslt1-dev system package. -+ sudo apt-get install python-lxml - """ - ) - diff --git a/debian/patches/remove-webclient.patch b/debian/patches/remove-webclient.patch deleted file mode 100644 index bfd2fce576..0000000000 --- a/debian/patches/remove-webclient.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Index: package-synapse-debian/synapse/app/homeserver.py -=================================================================== ---- package-synapse-debian.orig/synapse/app/homeserver.py -+++ package-synapse-debian/synapse/app/homeserver.py -@@ -124,7 +124,7 @@ class SynapseHomeServer(HomeServer): - for res in listener_config["resources"]: - for name in res["names"]: - resources.update(self._configure_named_resource( -- name, res.get("compress", False), -+ config, name, res.get("compress", False), - )) - - additional_resources = listener_config.get("additional_resources", {}) -@@ -171,7 +171,7 @@ class SynapseHomeServer(HomeServer): - ) - logger.info("Synapse now listening on port %d", port) - -- def _configure_named_resource(self, name, compress=False): -+ def _configure_named_resource(self, config, name, compress=False): - """Build a resource map for a named resource - - Args: -@@ -235,7 +235,7 @@ class SynapseHomeServer(HomeServer): - if name in ["keys", "federation"]: - resources[SERVER_KEY_V2_PREFIX] = KeyApiV2Resource(self) - -- if name == "webclient": -+ if name == "webclient" and config.web_client: - resources[WEB_CLIENT_PREFIX] = build_resource_for_web_client(self) - - if name == "metrics" and self.get_config().enable_metrics: diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index ae46209e92..0000000000 --- a/debian/patches/series +++ /dev/null @@ -1,7 +0,0 @@ -0001-tox.patch -0002-change_instructions.patch -0004-webclient-instructions.patch -0006-Don-t-require-strict-nacl-0.3.0-requirement.patch -remove-webclient.patch -bcrypt.patch -no_install_with_pip diff --git a/debian/postinst b/debian/postinst deleted file mode 100755 index 0509acd0a4..0000000000 --- a/debian/postinst +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh -e - -. /usr/share/debconf/confmodule - -CONFIGFILE_SERVERNAME="/etc/matrix-synapse/conf.d/server_name.yaml" -CONFIGFILE_REPORTSTATS="/etc/matrix-synapse/conf.d/report_stats.yaml" -USER="matrix-synapse" - -case "$1" in - configure|reconfigure) - # Set server name in config file - mkdir -p "/etc/matrix-synapse/conf.d/" - db_get matrix-synapse/server-name - - if [ "$RET" ]; then - echo "server_name: $RET" > $CONFIGFILE_SERVERNAME - fi - - db_get matrix-synapse/report-stats - if [ "$RET" ]; then - echo "report_stats: $RET" > $CONFIGFILE_REPORTSTATS - fi - - if ! getent passwd $USER >/dev/null; then - adduser --quiet --system --no-create-home --home /var/lib/matrix-synapse $USER - fi - - for DIR in /var/lib/matrix-synapse /var/log/matrix-synapse /etc/matrix-synapse; do - if ! dpkg-statoverride --list --quiet $DIR >/dev/null; then - dpkg-statoverride --force --quiet --update --add $USER nogroup 0755 $DIR - fi - done - - ;; -esac - -#DEBHELPER# - -exit 0 diff --git a/debian/pydist-overrides b/debian/pydist-overrides deleted file mode 100644 index e2e34b7d30..0000000000 --- a/debian/pydist-overrides +++ /dev/null @@ -1,5 +0,0 @@ -matrix-angular-sdk -jinja2 -bleach -ldap3 -matrix-synapse-ldap3 diff --git a/debian/rules b/debian/rules index ad0e95c83d..05cbbdde08 100755 --- a/debian/rules +++ b/debian/rules 
@@ -1,18 +1,22 @@ #!/usr/bin/make -f +# +# Build Debian package using https://github.com/spotify/dh-virtualenv +# -# This file was automatically generated by stdeb 0.8.2 at -# Fri, 12 Jun 2015 14:32:03 +0100 -export PYBUILD_NAME=matrix-synapse -%: - dh $@ --with python2 --with systemd --buildsystem=pybuild --no-guessing-deps +override_dh_systemd_enable: + dh_systemd_enable --name=matrix-synapse -override_dh_auto_install: - python setup.py install --root=debian/matrix-synapse --install-layout=deb +override_dh_installinit: + dh_installinit --name=matrix-synapse -override_dh_auto_build: +override_dh_strip: -override_dh_installinit: - dh_installinit --no-start +override_dh_shlibdeps: -override_dh_auto_test: - PYTHONPATH=. trial tests +override_dh_virtualenv: + ./debian/build_virtualenv + +# We are restricted to compat level 9 (because xenial), so have to +# enable the systemd bits manually. +%: + dh $@ --with python-virtualenv --with systemd diff --git a/debian/source/format b/debian/source/format index 163aaf8d82..89ae9db8f8 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1 +1 @@ -3.0 (quilt) +3.0 (native) diff --git a/debian/watch b/debian/watch deleted file mode 100644 index b1b10d4cd0..0000000000 --- a/debian/watch +++ /dev/null @@ -1,11 +0,0 @@ -# Example watch control file for uscan -# Rename this file to "watch" and then you can run the "uscan" command -# to check for upstream updates and more. -# See uscan(1) for format - -# Compulsory line, this is a version 3 file -version=3 - - -opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/matrix-synapse-$1\.tar\.gz/,uversionmangle=s/-?rc/~rc/ \ - https://github.com/matrix-org/synapse/tags .*/v?(\d[^\s\-]*)\.tar\.gz debian uupdate diff --git a/docker/Dockerfile-dhvirtualenv b/docker/Dockerfile-dhvirtualenv new file mode 100644 index 0000000000..ea6b650af2 --- /dev/null +++ b/docker/Dockerfile-dhvirtualenv 
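Review bot: `override_dh_strip:` and `override_dh_shlibdeps:` in debian/rules are left empty with no comment, so a later maintainer cannot tell whether disabling them is deliberate. With `dh_shlibdeps` skipped, the package presumably will not declare the shared libraries that compiled modules inside the virtualenv link against, which matters when installing on a minimal system. Please add a one-line reason above each, along the lines of `# <why stripping is skipped for the bundled virtualenv>` and `# <why shlibdeps is skipped, and which Depends cover the native libraries instead>`.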
@@ -0,0 +1,35 @@
+# A dockerfile which builds a docker image for building a debian package for
+# synapse. The distro to build for is passed as a docker build var.
+#
+# The default entrypoint expects the synapse source to be mounted as a
+# (read-only) volume at /synapse/source, and an output directory at /debs.
+#
+# A pair of environment variables (TARGET_USERID and TARGET_GROUPID) can be
+# passed to the docker container; if these are set, the build script will chown
+# the build products accordingly, to avoid ending up with things owned by root
+# in the host filesystem.
+
+# Get the distro we want to pull from as a dynamic build variable
+ARG distro=""
+FROM ${distro}
+
+# Install the build dependencies
+RUN apt-get update -qq -o Acquire::Languages=none \
+ && env DEBIAN_FRONTEND=noninteractive apt-get install \
+ -yqq --no-install-recommends -o Dpkg::Options::=--force-unsafe-io \
+ build-essential \
+ debhelper \
+ devscripts \
+ dh-systemd \
+ dh-virtualenv \
+ equivs \
+ lsb-release \
+ python3-dev \
+ python3-pip \
+ python3-setuptools \
+ python3-venv \
+ sqlite3 \
+ wget
+
+WORKDIR /synapse/source
+ENTRYPOINT ["bash","/synapse/source/docker/build_debian.sh"]
diff --git a/docker/build_debian.sh b/docker/build_debian.sh
new file mode 100644
index 0000000000..cea5067fe9
--- /dev/null
+++ b/docker/build_debian.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# The script to build the Debian package, as ran inside the Docker image.
+
+set -ex
+
+DIST=`lsb_release -c -s`
+
+# We need to build a newer dh_virtualenv on older OSes like Xenial.
+if [ "$DIST" = 'xenial' ]; then
+ mkdir -p /tmp/dhvenv
+ cd /tmp/dhvenv
+ wget https://github.com/spotify/dh-virtualenv/archive/1.1.tar.gz
+ tar xvf 1.1.tar.gz
+ cd dh-virtualenv-1.1/
+ env DEBIAN_FRONTEND=noninteractive mk-build-deps -ri -t "apt-get -yqq --no-install-recommends -o Dpkg::Options::=--force-unsafe-io"
+ dpkg-buildpackage -us -uc -b
+ cd /tmp/dhvenv
+ apt-get install -yqq ./dh-virtualenv_1.1-1_all.deb
+fi
+
+
+# we get a read-only copy of the source: make a writeable copy
+cp -aT /synapse/source /synapse/build
+cd /synapse/build
+
+# add an entry to the changelog for this distribution
+dch -M -l "+$DIST" "build for $DIST"
+dch -M -r "" --force-distribution --distribution "$DIST"
+
+dpkg-buildpackage -us -uc
+
+ls -l ..
+
+# copy the build results out, setting perms if necessary
+shopt -s nullglob
+for i in ../*.deb ../*.dsc ../*.tar.xz ../*.changes ../*.buildinfo; do
+ [ -z "$TARGET_USERID" ] || chown "$TARGET_USERID" "$i"
+ [ -z "$TARGET_GROUPID" ] || chgrp "$TARGET_GROUPID" "$i"
+ mv "$i" /debs
+done
diff --git a/docker/build_debian_packages.sh b/docker/build_debian_packages.sh
new file mode 100755
index 0000000000..eafed4ac41
--- /dev/null
+++ b/docker/build_debian_packages.sh
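Review bot: The xenial branch fetches `1.1.tar.gz` with `wget` and goes straight to `tar`, `dpkg-buildpackage` and `apt-get install` with no integrity check on the archive. The container presumably runs this as root, since the Dockerfile sets no `USER`. The installed tool then builds the package that gets shipped, so a changed or tampered archive would flow into every xenial build unnoticed. I'd pin the digest of the reviewed archive and verify it right after the `wget` line: `echo "<EXPECTED_SHA256>  1.1.tar.gz" | sha256sum -c -` (placeholder, to be filled in). With `set -e` already in effect a mismatch aborts the build.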
@@ -0,0 +1,39 @@ +#!/bin/bash + +# Build the Debian packages using Docker images. +# +# This script builds the Docker images and then executes them sequentially, each +# one building a Debian package for the targeted operating system. It is +# designed to be a "single command" to produce all the images. +# +# By default, builds for all known distributions, but a list of distributions +# can be passed on the commandline for debugging. + +set -ex + +cd `dirname $0` + +if [ $# -lt 1 ]; then + DISTS=(debian:stretch debian:sid ubuntu:xenial ubuntu:bionic ubuntu:cosmic) +else + DISTS=("$@") +fi + +# Make the dir where the debs will live. +# +# Note that we deliberately put this outside the source tree, otherwise we tend +# to get source packages which are full of debs. (We could hack around that +# with more magic in the build_debian.sh script, but that doesn't solve the +# problem for natively-run dpkg-buildpakage). + +mkdir -p ../../debs + +# Build each OS image; +for i in "${DISTS[@]}"; do + TAG=$(echo ${i} | cut -d ":" -f 2) + docker build --tag dh-venv-builder:${TAG} --build-arg distro=${i} -f Dockerfile-dhvirtualenv . + docker run -it --rm --volume=$(pwd)/../\:/synapse/source:ro --volume=$(pwd)/../../debs:/debs \ + -e TARGET_USERID=$(id -u) \ + -e TARGET_GROUPID=$(id -g) \ + dh-venv-builder:${TAG} +done diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py index 92422c6ffc..96cd154234 100644 --- a/synapse/python_dependencies.py +++ b/synapse/python_dependencies.py @@ -78,7 +78,7 @@ CONDITIONAL_REQUIREMENTS = { }, "postgres": { "psycopg2>=2.6": ["psycopg2"] - } + }, } diff --git a/synapse/storage/e2e_room_keys.py b/synapse/storage/e2e_room_keys.py index 16b7f005aa..45cebe61d1 100644 --- a/synapse/storage/e2e_room_keys.py +++ b/synapse/storage/e2e_room_keys.py 
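Review bot: In build_debian_packages.sh, `cd `dirname $0`` and the `$(pwd)` inside both `--volume` arguments are unquoted, so a checkout path containing a space is split into separate words and `docker run` either fails or mounts something other than the source tree. Quoting fixes it: `cd "$(dirname "$0")"` and `--volume="$(pwd)/..:/synapse/source:ro" --volume="$(pwd)/../../debs:/debs"`. Separately, `-it` makes `docker run` error out when stdin is not a TTY, which is the usual case in CI; dropping `-t` (or both flags) keeps the script usable there.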
@@ -182,7 +182,7 @@ class EndToEndRoomKeyStore(SQLBaseStore): keyvalues = { "user_id": user_id, - "version": version, + "version": int(version), } if room_id: keyvalues['room_id'] = room_id diff --git a/tox.ini b/tox.ini index 731094b5da..44371f211f 100644 --- a/tox.ini +++ b/tox.ini @@ -119,6 +119,7 @@ setenv = [testenv:packaging] +skip_install=True deps = check-manifest commands = -- cgit 1.4.1
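Review bot: `int(version)` in the `keyvalues` dict raises `ValueError` for a non-numeric string and `TypeError` for `None`, and nothing in the hunk catches either. The enclosing method starts outside the hunk, so I can't tell where `version` comes from; if it can arrive from a client request, a malformed value would surface as an unhandled exception rather than a clean not-found response. I'd convert once before building `keyvalues` and map the failure to the error this store already raises for a missing row, e.g. `try: version = int(version)` followed by `except (TypeError, ValueError): raise <the store's existing not-found error>`. Other lookups in this store that key on `version` may need the same conversion.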