spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0
4.88k stars 1.04k forks source link

Can't complete admin using the API #1846

Closed BettyNutz closed 2 years ago

BettyNutz commented 2 years ago

Playbook Configuration:

My vars.yml file looks like this:

# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: ******.*******

# The Matrix homeserver software to install.
# See `roles/matrix-base/defaults/main.yml` for valid options.
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: '******************'

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
matrix_ssl_lets_encrypt_support_email: '*******@*************.******'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: '**********'

# This is where you access Jitsi.
matrix_server_fqn_jitsi: 'jitsi.***********.******'

#This is setting the serves the base domain from the Matrix server -- the federation can find the matrix server
matrix_nginx_proxy_base_domain_serving_enabled: true

#Jetsi stuff copied form https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-jitsi.md
#matrix_jitsi_enabled: true

#Synapse's Admin API exposed to the internet
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true

Matrix Server:

Ansible: Working fine

Problem description:

Installed the server via the playbook. All good. I need to get the admin api working but its not. Tried the following commands with ' & " in various locations:

sudo curl -H "Authorization: Bearer syt_***" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo curl -H "Authorization: Bearer syt_***" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://mydominname.com:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media

Do i need to call api from inside the container?

Do i need to use iptables to route from 127.0.0.11 to the backend DNS resolver in the Docker Engine?

I even tied installing synadm. Same issue

Can someone give me an example of an api command.. im not sure if im using the correct commands and there are no real word examples in the doc.

Client (please complete the following information):

Additional context

Getting the following errors (out of synadm) and nothing out of the server with the api:

reply: 'HTTP/1.1 400 Bad Request\r\n' header: Server: nginx header: Date: Sat, 21 May 2022 03:14:40 GMT header: Content-Type: text/html header: Content-Length: 248 header: Connection: close WARNING Synapse returned status code 400 ERROR JSONDecodeError while querying Synapse: Expecting value: line 1 column 1 (char 0) Media list could not be fetched.

These are the ports i have open:

netstat -tnlp (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0: LISTEN -
tcp 0 0 0.0.0.0:3478 0.0.0.0:
LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0: LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:
LISTEN -
tcp 0 0 0.0.0.0:8448 0.0.0.0: LISTEN -
tcp 0 0 0.0.0.0:5349 0.0.0.0:
LISTEN -
tcp6 0 0 :::80 ::: LISTEN -
tcp6 0 0 :::3478 :::
LISTEN -
tcp6 0 0 :::22 ::: LISTEN -
tcp6 0 0 :::443 :::
LISTEN -
tcp6 0 0 :::8448 ::: LISTEN -
tcp6 0 0 :::5349 :::
LISTEN -

spantaleev commented 2 years ago

Using localhost to talk to Synapse may only work if matrix_nginx_proxy_enabled: false. In that case, we automatically expose the ports of some containers (like Synapse) on 127.0.0.1.

http://mydominname.com:8448 would be the federation API. It needs https too, not http. The Synapse Admin API is not available on this federation port.


You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.

Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).

BettyNutz commented 2 years ago

http://matrix-synapse:8008

So accessing the api via this method:

You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.

I have to expose the api with:

matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true in the vars.yml file before running the playbook?

JOJ0 commented 2 years ago

Hi @spantaleev sorry for hijacking this issue. I am here to improve synadm's documentation regarding the usage with matrix-docker-ansible-deploy installed Synapse instances. I tried to summarize in the README what's required: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy

I'd kindly ask if you could take a minute and confirm that this information is entirely correct :-) Thanks a ton in advance!

One question berforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse. Furthermore with the name matrix you are referring to the name of the container network and not to the hostname?

Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).

spantaleev commented 2 years ago

There is no special configuration required in vars.yaml. The default settings will do.

I think we need matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true for accessing the Synapse's Admin APIs via the public endpoint (https://matrix.DOMAIN)

If you access them from within the container network (using http://matrix-synapse:8008), you can avoid exposing the Synapse Admin APIs publicly on https://matrix.DOMAIN using matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true. For that, you need to start a container on that network (e.g. docker run -it --rm --network=matrix docker.io/alpine:3.15.2), install synadm there and use http://matrix-synapse:8008 to talk to Synapse. Alternatively, you can start a synadam container image directly, if one is available (e.g. docker run -it --rm --network=matrix docker.io/JOJ0/synadm:v0.34) and run your synadm commands there.


From what I see, there are 2 options for using synadm against a Synapse homeserver. Either in a container, on the same container network as matrix-synapse (--network=matrix), or anywhere (on the Matrix server or on some other server) with access happening via the public endpoint (https://matrix.DOMAIN). For the latter, one needs to expose Synapse's Admin APIs publicly by toggling matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled to true.


One question berforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse

Actually, containers started on the same network (--network=matrix in this case - the playbook starts all its containers there), all use the same DNS server (Docker's internal DNS server). When they say matrix-synapse or some-other-hostname, Docker's internal DNS server resolves that to the internal IP of the container (e.g. 172.18.0.4). This way, containers on the same network can reference each other by name. It's not a static reference hardcoded in /etc/hosts. It's a dynamic answer coming from Docker's internal DNS server. Containers can be restarted and change IPs, and even still Docker's internal DNS server will return the correct address each time you ask it.


Furthermore with the name matrix you are referring to the name of the container network and not to the hostname?

Yes. We create a custom Docker bridge network (docker network create --driver=bridge matrix) and we put all containers that we start in that network (dockr run --network=matrix ...). That way, they're isolated from any other containers that may run on the host, and they can all easily talk to one another by name (thanks to Docker's internal DNS, described above).

As with all other things, the network name is configurable via the matrix_docker_network playbook variable (initially defined in roles/matrix-base/defaults/main.yml).

JOJ0 commented 2 years ago

Thanks for this superdetailed answer @spantaleev. All clear to me now! will adapt the readme and probably even additionally point here directly. Why not.

And thanks for the heads up. It is about time to provide synadm as a container ;-)

JOJ0 commented 2 years ago

The synadm README is fixed and improved: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy

Thanks again @spantaleev for your help! Appreciated! And BTW thanks for maintaining matrix-docker-ansible-deploy! Great project helping admins to spread Matrix :-)