
Harden Dockerfile and integrate worker orchestration #4

Merged
jevonearth merged 2 commits into main from hardening-and-workers on Feb 26, 2026

Harden Dockerfile and integrate worker orchestration#4
jevonearth merged 2 commits intomainfrom
hardening-and-workers

Conversation

@jevonearth (Contributor)

Summary

  • Dockerfile hardening: Drop gcc/pysodium build deps (PyNaCl with bundled libsodium is already in the base image), tighten PDU size patch to exact line match with build-time guard, add --no-install-recommends
  • Worker orchestration: Integrate official Element HQ configure_workers_and_start.py (supervisord + nginx + redis, all in-container) replacing our static 4-worker config. Workers are dynamically generated from SYNAPSE_WORKER_TYPES env var
  • Entrypoint rewrite: Single mode execs Synapse directly (no synctl), worker mode execs configure_workers_and_start.py. Listener port/bind set automatically per mode
  • homeserver.yaml cleanup: Removed instance_map, redis, and replication listener blocks (generated dynamically in worker mode). Added ${SYNAPSE_HTTP_PORT} / ${SYNAPSE_HTTP_BIND} template vars
  • CI: Push images on PR and branch push (not just semver tags)

All security hardening is preserved: SSRF federation_ip_range_blacklist, crypto_auth_provider.py v0.3, beacon_monitor_module.py, logfmt logging, password_config: false.

Usage

# Single-process (default)
docker compose -f docker-compose.example.yml up --build

# Worker mode
SYNAPSE_WORKERS=true docker compose -f docker-compose.example.yml up --build

# Custom worker types
SYNAPSE_WORKERS=true SYNAPSE_WORKER_TYPES="synchrotron:4,event_persister:2,federation_inbound:2" \
  docker compose -f docker-compose.example.yml up --build

What's new in the image

Package        Purpose
nginx-light    Reverse proxy routing requests to workers
redis-server   Inter-process replication
supervisor     Process management for main + workers

Prometheus service discovery at :9469/metrics/service_discovery when SYNAPSE_ENABLE_METRICS=1.
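The "exact line match with build-time guard" for the PDU size patch, as an added example written for this page (it is not the PR's Dockerfile or entrypoint code). The sample module contents, the temp-file path and the replacement value 131072 are assumptions; the PR does not state the new size.

```shell
#!/bin/sh
# Added example, not taken from the PR: apply the MAX_PDU_SIZE patch with an
# exact line match and a build-time guard. The guard fails the build when the
# anchor line is missing or appears more than once, so a Synapse upgrade that
# moves or renames the constant cannot silently leave the patch unapplied.
set -eu

# patch_max_pdu_size FILE NEW_VALUE
# FILE and NEW_VALUE are assumptions (the PR states neither); NEW_VALUE must
# not contain sed delimiters. Returns 0 if exactly one anchor line was
# rewritten, 1 otherwise.
patch_max_pdu_size() {
    file="$1"
    new_value="$2"
    anchor='^MAX_PDU_SIZE = 65536$'

    # Guard 1: exactly one anchor line must exist before patching.
    count=$(grep -c -E "$anchor" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "guard failed: expected 1 match for '$anchor' in $file, found $count" >&2
        return 1
    fi

    sed -i -E "s/${anchor}/MAX_PDU_SIZE = ${new_value}/" "$file"

    # Guard 2: the old line is gone and the new line is present exactly once.
    if grep -q -E "$anchor" "$file" || \
       [ "$(grep -c -E "^MAX_PDU_SIZE = ${new_value}\$" "$file")" -ne 1 ]; then
        echo "guard failed: patched line not found exactly once in $file" >&2
        return 1
    fi
    return 0
}

# make_sample_file: writes a constructed stand-in for the Synapse module (not
# real Synapse source) to a temp file and prints its path. The second 65536
# line shows why a loose pattern such as s/65536/.../ would be dangerous.
make_sample_file() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample module
MAX_BUFFER = 65536
MAX_PDU_SIZE = 65536
EOF
    echo "$tmp"
}

# Stand-alone demonstration: patch the constructed file, print it, clean up.
demo=$(make_sample_file); patch_max_pdu_size "$demo" 131072 && cat "$demo"; rm -f "$demo"
```

In a Dockerfile the same function runs as a RUN step, so a failed guard fails the image build instead of shipping an image with the patch silently missing.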

- Replace pysodium with PyNaCl (already in base Synapse image), removing
  the need for gcc, libsodium-dev, and pip install entirely.
- Narrow signature verification exception catch from bare Exception to
  nacl.exceptions.BadSignatureError.
- Target sed PDU size patch at ^MAX_PDU_SIZE = 65536$ to prevent
  accidental replacement of unrelated constants.
- Fix missing execute permissions on entrypoint scripts.
- Bump crypto_auth_provider to v0.3.
@jevonearth force-pushed the hardening-and-workers branch from 06697bd to 959c4a6 on February 26, 2026 01:49
Replace static worker configs with the upstream configure_workers_and_start.py
that dynamically generates nginx, supervisord, redis, and per-worker configs
from SYNAPSE_WORKER_TYPES. Entrypoint switches between single-process mode
(direct exec) and worker mode (supervisord) based on SYNAPSE_WORKERS env var.

Adds nginx-light, redis-server, supervisor to image. Removes shared_config.yaml
and workers/ directory. Preserves all hardening from previous commit (SSRF
protection, PyNaCl, logfmt logging, Beacon modules).
@jevonearth force-pushed the hardening-and-workers branch from 959c4a6 to 0a9729a on February 26, 2026 02:04
@jevonearth merged commit 9f546a2 into main on Feb 26, 2026
1 check passed