-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider removing COMPLEMENT_CA and having it always on #65
Comments
It adds complexity to have it on which is why I wanted it to be opt-in originally. For now, my position remains the same. |
does it really though? Looks like it will just work; it'll just use the complement CA instead of its own. in any case, +1. I feel like there should be one way to do this. |
how so? (@anoadragon453: what is the benefit of this approach over using a static CA cert as the monolith image does?) |
Complement needs to generate the cert and add a volume to every docker container it runs. There's some magic to determine where to look/query depending on if Complement itself is running in docker https://github.com/matrix-org/complement/blob/master/internal/docker/builder.go#L350 The alternative is no volumes, and skipping TLS checks. |
well, we've talked previously about how the magic I'm still failing to grasp why setting up a CA is an optional feature. Either it's required to run complement's tests, so should be enabled by default; or it's not required, in which case we can just get rid of it? |
Well, I was hoping it would allow us to set complement/dockerfiles/synapse/workers-shared.yaml Lines 8 to 11 in 40d2a8d
|
Well the above is likely the case because I didn't follow the instructions on using the certificate correctly. Regardless, the intention behind enabling it for Synapse runs is so that we can test certificate validation in the homeserver. It's a small thing, but nice to give homeservers the option to decide whether they want to do testing with certificate validation enabled or disabled.
Complement doesn't attempt to verify certificates upon connecting to a homeserver: complement/internal/docker/deployer.go Lines 144 to 150 in 665c1dd
So there's not really much point in using a separate certificate for Synapse versus creating one derived from the provided Complement CA cert. The only benefit that |
I've got Synapse verifying Complement's certificates after some fixes to Complement 🎉 I'd like to get a conclusion on this issue now though. Unless performance is a concern, my personal preference is just to go for it being always on. |
Sure, let's go with it always being on then. I'll need to tweak the Dendrite image to make certs from |
So my fears about magic stuff were well-founded given anoa's recent woes running Complement with a local buildkite runner:
I don't want to enable this by default until we figure out the root cause here. |
I think we identified the problem in docker not populating the cpuset correctly. We were not able to reproduce this problem. I am not sure if @anoadragon453 was able to follow up in this though. |
At the moment I still don't know what causes cpuset to not be populated - all I know is that it's not on my Arch Linux machines, but does work on my Ubuntu machine. So this might either be:
I haven't done a proper investigation yet, but I just confirmed that it's still an issue with the latest docker version on Arch Linux (20.10.6, build 370c28948e). |
I'm biting the bullet here and turning this on by default for the following reasons:
|
Before too many more homeserver dockerfiles are written, what do people think about removing the
COMPLEMENT_CA
environment variable, and making its behaviour the default?/ca
will just be mounted in all docker containers, and homeserverd dockerfiles can choose to use the certificate and key in/ca
or not.Existing dockerfiles, such as the Synapse Monolith one will need to be updated, but I've been planning to adjust that one to use Complement's CA anyhow.
The text was updated successfully, but these errors were encountered: