spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0
4.76k stars 1.03k forks

Configure DNS should make some notes re: /etc/hosts #829

Open skepticalwaves opened 3 years ago

skepticalwaves commented 3 years ago

https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-dns.md

I ran into an issue with the matrix_appservice_discord bot, because the bot was resolving matrix.example.com to 127.0.1.1, which is how the default Ubuntu /etc/hosts config resolves it.

I had to fix up /etc/hosts so the FQDN would resolve to the external IP.

spantaleev commented 3 years ago

My testing showed that /etc/hosts entries only seem to make it into the container's /etc/hosts if you launch the container with --net=host:

127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      4dcf9047f2f8

I also have matrix.DOMAIN pointed to 127.0.0.1 in my own /etc/hosts file, but it hasn't affected services negatively (yet).

I don't think we run containers with --net=host though, so I wonder how you came to run into this issue. Perhaps some other way? Or some different Docker version does things differently?

skepticalwaves commented 3 years ago

This was deployed on a pristine Ubuntu 20.04.1 using only the ansible script, with ansible installed via pip3.

The only component I had issues with was the matrix_appservice_discord bot:

Jan 25 03:43:08 matrix systemd[1]: Started Matrix Appservice Discord bridge.
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.011 [DiscordStore] info: Starting DB Init
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.017 [DiscordStore] info: connString present in config, using postgres
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.019 [Postgres] info: Opening @matrix-postgres:5432/matrix_appservice_discord
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.120 [DiscordStore] info: Database schema version is 11, latest version is 11
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.121 [DiscordStore] info: Updated database to the latest schema
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.138 [bot-sdkMatrixLiteClient (REQ-1)] info: [ 'POST https://matrix.<redacted>.com/_matrix/client/r0/register' ]
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.181 [bot-sdkMatrixLiteClient (REQ-1)] error: [
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   Error: connect ECONNREFUSED 127.0.1.1:443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:       at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1146:16) {
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     errno: -111,
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     code: 'ECONNREFUSED',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     syscall: 'connect',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     address: '127.0.1.1',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     port: 443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   }
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: ]
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.184 [bot-sdkAppservice] error: [ 'Encountered error registering user: ' ]
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.185 [bot-sdkAppservice] error: [
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   Error: connect ECONNREFUSED 127.0.1.1:443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:       at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1146:16) {
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     errno: -111,
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     code: 'ECONNREFUSED',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     syscall: 'connect',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     address: '127.0.1.1',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     port: 443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   }
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: ]
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.190 [DiscordAS] error: A fatal error occurred during startup: Error: connect ECONNREFUSED 127.0.1.1:443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1146:16) {
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   errno: -111,
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   code: 'ECONNREFUSED',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   syscall: 'connect',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   address: '127.0.1.1',
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   port: 443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: }
Jan 25 03:43:14 matrix systemd[1]: matrix-appservice-discord.service: Main process exited, code=exited, status=1/FAILURE
Jan 25 03:43:14 matrix systemd[1]: matrix-appservice-discord.service: Failed with result 'exit-code'.

After adjusting /etc/hosts and restarting the bot, things started working.
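The script below is an added example written for this thread; it is not code from the playbook or from either commenter. It does the two checks a practitioner would want after reading the comments above: audit an /etc/hosts file for dotted (public-looking) names pinned to a loopback address, which is the Debian/Ubuntu `127.0.1.1 hostname.domain hostname` convention the reporter hit, and scan journal-style log lines for ECONNREFUSED errors whose target is a loopback address, as in the bridge log above. The hosts content and log lines are constructed samples modelled on this issue; matrix.example.com is a placeholder name.

```python
import ipaddress
import re

# Constructed sample: the shape the Debian/Ubuntu installer commonly writes.
# "matrix" is the host's short name; the FQDN is an illustrative placeholder.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       matrix.example.com matrix

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# Constructed sample log lines modelled on the journal output in this issue.
SAMPLE_LOG = """\
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.138 [bot-sdkMatrixLiteClient (REQ-1)] info: [ 'POST https://matrix.example.com/_matrix/client/r0/register' ]
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]:   Error: connect ECONNREFUSED 127.0.1.1:443
Jan 25 03:43:14 matrix matrix-appservice-discord[250626]: Jan-25 03:43:14.190 [DiscordAS] error: A fatal error occurred during startup: Error: connect ECONNREFUSED 127.0.1.1:443
"""


def parse_hosts(text):
    """Yield (ip_address, [names]) for each non-comment entry of an /etc/hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than guess
        yield addr, fields[1:]


def loopback_fqdn_entries(text):
    """Return [(name, ip)] for every dotted name that /etc/hosts pins to a loopback address.

    A dotted name is treated as a public FQDN that other services (bridges, bots,
    the homeserver itself) may try to reach; bare names such as 'localhost' or the
    short hostname are ignored. 127.0.0.0/8 and ::1 both count as loopback.
    """
    hits = []
    for addr, names in parse_hosts(text):
        if not addr.is_loopback:
            continue
        for name in names:
            if "." in name:
                hits.append((name, str(addr)))
    return hits


# Matches the Node.js error text seen in the bridge log: "connect ECONNREFUSED <ip>:<port>"
ECONNREFUSED = re.compile(r"connect ECONNREFUSED (\S+):(\d+)")


def refused_loopback_connections(log_text):
    """Return sorted unique (ip, port) targets that logged ECONNREFUSED against a loopback address."""
    found = set()
    for line in log_text.splitlines():
        m = ECONNREFUSED.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            if ipaddress.ip_address(ip).is_loopback:
                found.add((ip, port))
        except ValueError:
            pass  # not an IP literal; ignore
    return sorted(found)


if __name__ == "__main__":
    for name, ip in loopback_fqdn_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: loopback; services on this host will not reach the reverse proxy via this name")
    for ip, port in refused_loopback_connections(SAMPLE_LOG):
        print(f"ECONNREFUSED against loopback target {ip}:{port}")
```

Run it against the real file with `loopback_fqdn_entries(open("/etc/hosts").read())` on the host, and against a `journalctl -u matrix-appservice-discord` dump for the log check. A hit from the first function is the condition the reporter fixed by pointing the FQDN at the external IP; a hit from the second is the symptom it produces when a service on the same machine tries to reach the homeserver through that name.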

spantaleev commented 3 years ago

Interesting! What's your vars.yml file like (hiding secrets, of course)?

skepticalwaves commented 3 years ago

# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: <redacted>

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
matrix_ssl_lets_encrypt_support_email: '<redacted>'

# A shared secret (between Coturn and Synapse) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: '<redacted>'

# A secret used to protect access keys issued by the server.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_synapse_macaroon_secret_key: '<redacted>'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: '<redacted>'

# Additional Custom Setup Stuff added by SkepticalWaves

# Disable the identity server for now, no need for people to be id'd via email/phone
matrix_ma1sd_enabled: false

##ENABLE JITSI
matrix_jitsi_enabled: true
# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
# or define your own strong passwords manually.
matrix_jitsi_jicofo_component_secret: <redacted>
matrix_jitsi_jicofo_auth_password: <redacted>
matrix_jitsi_jvb_auth_password: <redacted>
matrix_jitsi_jibri_recorder_password: <redacted>
matrix_jitsi_jibri_xmpp_password: <redacted>
#matrix_jitsi_enable_auth: true
#matrix_jitsi_enable_guests: true
matrix_jitsi_web_custom_config_extension: |
  config.enableLayerSuspension = true;

  config.disableAudioLevels = true;

  // Limit the number of video feeds forwarded to each client
  config.channelLastN = 4;

matrix_jitsi_web_config_resolution_width_ideal_and_max: 480
matrix_jitsi_web_config_resolution_height_ideal_and_max: 240

##ENABLE WEB ADMIN
matrix_synapse_admin_enabled: true

#Synapse
matrix_synapse_enable_registration: true
matrix_synapse_enable_registration_captcha: true
matrix_synapse_recaptcha_public_key: '<redacted>'
matrix_synapse_recaptcha_private_key: '<redacted>'
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_configuration_extension_yaml: |
  limit_remote_rooms:
    enabled: true
    complexity: 1.0

##Synapse Federation
matrix_synapse_allow_public_rooms_over_federation: true

##ELEMENT DEFAULTS
matrix_client_element_themes_enabled: true
matrix_client_element_default_theme: 'dark'

##Anti Spam Config
#matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: true
#You need to specify domains to block
#matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers:
#- example.com
#- another.com

##Reminder bot
matrix_bot_matrix_reminder_bot_enabled: true

# Adjust this to whatever password you chose when registering the bot user
matrix_bot_matrix_reminder_bot_matrix_user_password: <redacted>

# Adjust this to your timezone
matrix_bot_matrix_reminder_bot_reminders_timezone: Europe/London

## Email configuration
matrix_mailer_sender_address: "matrix@<redacted>"
matrix_mailer_relay_use: true
matrix_mailer_relay_host_name: "mail.<redacted>"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: true
matrix_mailer_relay_auth_username: "matrix@<redacted>"
matrix_mailer_relay_auth_password: "<redacted>"

## Dimension Configuration
matrix_dimension_enabled: true
matrix_dimension_admins:
  - "<redacted>:{{ matrix_domain }}"
  - "<redacted>:{{ matrix_domain }}"
  - "<redacted>:{{ matrix_domain }}"

matrix_dimension_access_token: "<redacted>"

#Telegram Bridging
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_api_id: <redacted>
matrix_mautrix_telegram_api_hash: <redacted>

#Password provide
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: <redacted>

#Discord bridging
matrix_mx_puppet_discord_enabled: false
#matrix_mx_puppet_discord_client_id: ""
#matrix_mx_puppet_discord_client_secret: ""

matrix_appservice_discord_enabled: true
matrix_appservice_discord_client_id: '<redacted>'
matrix_appservice_discord_bot_token: '<redacted>'
matrix_appservice_discord_bridge_enableSelfServiceBridging: true

matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_api_secret: '<redacted>'

spantaleev commented 3 years ago

I don't see anything out of the ordinary that should trigger this.

Which Docker version are you on? docker version.

skepticalwaves commented 3 years ago

root@matrix:~# docker version
Client: Docker Engine - Community
 Version:           20.10.2
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        2291f61
 Built:             Mon Dec 28 16:17:43 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.2
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8891c58
  Built:            Mon Dec 28 16:15:19 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

spantaleev commented 3 years ago

Not sure why this happens.

I've tested on Ubuntu 20.04.1 LTS

With Docker 19.03.13, I can't reproduce it. docker run --network=some-custom-network .. also leads to the same (no /etc/hosts sharing). It's only with --net=host that the container's /etc/hosts file contains the entries from the host.

I have even upgraded that system to Docker 20.10.2, so it should be the same as yours. It's still the same result - custom /etc/hosts entries are only transferred when --net=host is used (which the playbook doesn't normally use).