Add note to manhole.md about bind_address when using with docker (#8526)

Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk>
Christopher May-Townsend 2020-10-14 15:28:59 +01:00 committed by GitHub
parent 9e66f3761c
commit 1cf4a68108
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 7 deletions

changelog.d/8526.doc Normal file

@ -0,0 +1 @@
Added note about docker in manhole.md regarding which ip address to bind to. Contributed by @Maquis196.
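Review bot: The changelog entry writes "docker" and "ip" in lower case and leaves the file name unformatted. Suggest "Docker", "IP address" and a backticked `manhole.md` so the entry reads cleanly in the release notes.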


@ -5,8 +5,45 @@ The "manhole" allows server administrators to access a Python shell on a running
Synapse installation. This is a very powerful mechanism for administration and Synapse installation. This is a very powerful mechanism for administration and
debugging. debugging.
**_Security Warning_**
Note that this will give administrative access to synapse to **all users** with
shell access to the server. It should therefore **not** be enabled in
environments where untrusted users have shell access.
***
To enable it, first uncomment the `manhole` listener configuration in To enable it, first uncomment the `manhole` listener configuration in
`homeserver.yaml`: `homeserver.yaml`. The configuration is slightly different if you're using docker.
#### Docker config
If you are using Docker, set `bind_addresses` to `['0.0.0.0']` as shown:
```yaml
listeners:
- port: 9000
bind_addresses: ['0.0.0.0']
type: manhole
```
When using `docker run` to start the server, you will then need to change the command to the following to include the
`manhole` port forwarding. The `-p 127.0.0.1:9000:9000` below is important: it
ensures that access to the `manhole` is only possible for local users.
```bash
docker run -d --name synapse \
--mount type=volume,src=synapse-data,dst=/data \
-p 8008:8008 \
-p 127.0.0.1:9000:9000 \
matrixdotorg/synapse:latest
```
#### Native config
If you are not using docker, set `bind_addresses` to `['::1', '127.0.0.1']` as shown.
The `bind_addresses` in the example below is important: it ensures that access to the
`manhole` is only possible for local users).
```yaml ```yaml
listeners: listeners:
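Review bot: In the Docker config section, `bind_addresses: ['0.0.0.0']` is only safe because of the `-p 127.0.0.1:9000:9000` publish described a paragraph later, and the text does not say so at the point where the reader copies the listener block. Suggest stating next to the YAML that the restriction to local users now comes entirely from the loopback publish, and that a bare `-p 9000:9000` or host networking would make the manhole reachable from other hosts. The Native config paragraph also ends with a stray `)` in "only possible for local users)." left over from the parenthesised sentence it replaces.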
@ -15,12 +52,7 @@ listeners:
type: manhole type: manhole
``` ```
(`bind_addresses` in the above is important: it ensures that access to the #### Accessing synapse manhole
manhole is only possible for local users).
Note that this will give administrative access to synapse to **all users** with
shell access to the server. It should therefore **not** be enabled in
environments where untrusted users have shell access.
Then restart synapse, and point an ssh client at port 9000 on localhost, using Then restart synapse, and point an ssh client at port 9000 on localhost, using
the username `matrix`: the username `matrix`:
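Review bot: Under the new "Accessing synapse manhole" heading, the unchanged step "Then restart synapse" is not sufficient for the Docker case: a published port cannot be added to an existing container, so the container has to be removed and recreated with the `docker run` command from the Docker config section. Suggest saying so here, and capitalising the heading as "Accessing the Synapse manhole" to match "Synapse installation" in the introduction.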