Add note to manhole.md about bind_address when using with docker (#8526)
Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk>
parent 9e66f3761c
commit 1cf4a68108
2 changed files with 40 additions and 7 deletions
1
changelog.d/8526.doc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Added note about docker in manhole.md regarding which ip address to bind to. Contributed by @Maquis196.
|
|
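Review bot: The changelog entry writes "docker" and "ip address" in lower case, while the documentation text added by the same commit writes "Docker" in "If you are using Docker". Suggest "Docker" and "IP address" here so the rendered changelog reads consistently with the docs.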
@ -5,8 +5,45 @@ The "manhole" allows server administrators to access a Python shell on a running
|
||||||
Synapse installation. This is a very powerful mechanism for administration and
|
Synapse installation. This is a very powerful mechanism for administration and
|
||||||
debugging.
|
debugging.
|
||||||
|
|
||||||
|
**_Security Warning_**
|
||||||
|
|
||||||
|
Note that this will give administrative access to synapse to **all users** with
|
||||||
|
shell access to the server. It should therefore **not** be enabled in
|
||||||
|
environments where untrusted users have shell access.
|
||||||
|
|
||||||
|
***
|
||||||
|
|
||||||
To enable it, first uncomment the `manhole` listener configuration in
|
To enable it, first uncomment the `manhole` listener configuration in
|
||||||
`homeserver.yaml`:
|
`homeserver.yaml`. The configuration is slightly different if you're using docker.
|
||||||
|
|
||||||
|
#### Docker config
|
||||||
|
|
||||||
|
If you are using Docker, set `bind_addresses` to `['0.0.0.0']` as shown:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
listeners:
|
||||||
|
- port: 9000
|
||||||
|
bind_addresses: ['0.0.0.0']
|
||||||
|
type: manhole
|
||||||
|
```
|
||||||
|
|
||||||
|
When using `docker run` to start the server, you will then need to change the command to the following to include the
|
||||||
|
`manhole` port forwarding. The `-p 127.0.0.1:9000:9000` below is important: it
|
||||||
|
ensures that access to the `manhole` is only possible for local users.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker run -d --name synapse \
|
||||||
|
--mount type=volume,src=synapse-data,dst=/data \
|
||||||
|
-p 8008:8008 \
|
||||||
|
-p 127.0.0.1:9000:9000 \
|
||||||
|
matrixdotorg/synapse:latest
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Native config
|
||||||
|
|
||||||
|
If you are not using docker, set `bind_addresses` to `['::1', '127.0.0.1']` as shown.
|
||||||
|
The `bind_addresses` in the example below is important: it ensures that access to the
|
||||||
|
`manhole` is only possible for local users).
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
listeners:
|
listeners:
|
||||||
|
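Review bot: In the Docker config section, `-p 127.0.0.1:9000:9000` is the only thing keeping the manhole private once `bind_addresses` is `['0.0.0.0']`, and the text does not say what happens if that prefix is left off. Suggest stating explicitly that `-p 9000:9000` would publish the manhole on every host interface, and that with `0.0.0.0` inside the container the port is also reachable from other containers on the same Docker network, so "only possible for local users" should be qualified and tied back to the security warning at the top. Separately, in the Native config paragraph the added line "`manhole` is only possible for local users)." carries over a closing parenthesis from the old parenthetical without an opening one; drop it.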
@ -15,12 +52,7 @@ listeners:
|
||||||
type: manhole
|
type: manhole
|
||||||
```
|
```
|
||||||
|
|
||||||
(`bind_addresses` in the above is important: it ensures that access to the
|
#### Accessing synapse manhole
|
||||||
manhole is only possible for local users).
|
|
||||||
|
|
||||||
Note that this will give administrative access to synapse to **all users** with
|
|
||||||
shell access to the server. It should therefore **not** be enabled in
|
|
||||||
environments where untrusted users have shell access.
|
|
||||||
|
|
||||||
Then restart synapse, and point an ssh client at port 9000 on localhost, using
|
Then restart synapse, and point an ssh client at port 9000 on localhost, using
|
||||||
the username `matrix`:
|
the username `matrix`:
|
||||||
|
|
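Review bot: The new heading "#### Accessing synapse manhole" sits directly before "Then restart synapse, and point an ssh client at port 9000 on localhost", so the section now opens with "Then" and no preceding step under that heading. Suggest rewording the first sentence so it stands alone, for example "Restart synapse, then point an ssh client at port 9000 on localhost", and saying for the Docker case that the restart means recreating the container with the `docker run` command shown in the Docker config section.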