Unverified Commit 1cf4a681 authored by Christopher May-Townsend, committed by GitHub

Add note to manhole.md about bind_address when using with docker (#8526)

parent 9e66f376
Added note about docker in manhole.md regarding which ip address to bind to. Contributed by @Maquis196.
...@@ -5,22 +5,54 @@ The "manhole" allows server administrators to access a Python shell on a running ...@@ -5,22 +5,54 @@ The "manhole" allows server administrators to access a Python shell on a running
Synapse installation. This is a very powerful mechanism for administration and Synapse installation. This is a very powerful mechanism for administration and
debugging. debugging.
**_Security Warning_**
Note that this will give administrative access to synapse to **all users** with
shell access to the server. It should therefore **not** be enabled in
environments where untrusted users have shell access.
***
To enable it, first uncomment the `manhole` listener configuration in To enable it, first uncomment the `manhole` listener configuration in
`homeserver.yaml`: `homeserver.yaml`. The configuration is slightly different if you're using docker.
#### Docker config
If you are using Docker, set `bind_addresses` to `['0.0.0.0']` as shown:
```yaml ```yaml
listeners: listeners:
- port: 9000 - port: 9000
bind_addresses: ['::1', '127.0.0.1'] bind_addresses: ['0.0.0.0']
type: manhole type: manhole
``` ```
(`bind_addresses` in the above is important: it ensures that access to the When using `docker run` to start the server, you will then need to change the command to the following to include the
manhole is only possible for local users). `manhole` port forwarding. The `-p 127.0.0.1:9000:9000` below is important: it
ensures that access to the `manhole` is only possible for local users.
Note that this will give administrative access to synapse to **all users** with ```bash
shell access to the server. It should therefore **not** be enabled in docker run -d --name synapse \
environments where untrusted users have shell access. --mount type=volume,src=synapse-data,dst=/data \
-p 8008:8008 \
-p 127.0.0.1:9000:9000 \
matrixdotorg/synapse:latest
```
#### Native config
If you are not using docker, set `bind_addresses` to `['::1', '127.0.0.1']` as shown.
The `bind_addresses` in the example below is important: it ensures that access to the
`manhole` is only possible for local users).
```yaml
listeners:
- port: 9000
bind_addresses: ['::1', '127.0.0.1']
type: manhole
```
#### Accessing synapse manhole
Then restart synapse, and point an ssh client at port 9000 on localhost, using Then restart synapse, and point an ssh client at port 9000 on localhost, using
the username `matrix`: the username `matrix`:
......
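Review bot: In the new "Docker config" section, `bind_addresses: ['0.0.0.0']` makes the manhole's isolation depend entirely on the `-p 127.0.0.1:9000:9000` publish flag, yet the text only says the flag "is important" and appears after the YAML block, so a reader who copies just the config never sees the constraint. Suggest stating directly beside the YAML that the port must only ever be published with the `127.0.0.1:` prefix, that `-p 9000:9000` would publish the manhole on every host interface, and that the same restriction applies to any other way of starting the container, since only `docker run` is covered. Two smaller points: in "Native config" the line "`manhole` is only possible for local users)." keeps a closing parenthesis whose opening one was dropped when the sentence was reworded, and the added text mixes "Docker" and "docker", which should be made consistent.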