From a60bccf9d17b9815513af078c46229ac3395c5e7 Mon Sep 17 00:00:00 2001 From: DMRobertson Date: Tue, 3 Oct 2023 10:53:20 +0000 Subject: deploy: 8b50a9d01da2c84bb9838287519fa3e0a4e955ce --- v1.94/manhole.html | 258 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 258 insertions(+) create mode 100644 v1.94/manhole.html (limited to 'v1.94/manhole.html') diff --git a/v1.94/manhole.html b/v1.94/manhole.html new file mode 100644 index 0000000000..60bc9432b6 --- /dev/null +++ b/v1.94/manhole.html @@ -0,0 +1,258 @@ + + + + + + Manhole - Synapse + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + +
+
+ +
+ +
+ +

Using the synapse manhole

+

The "manhole" allows server administrators to access a Python shell on a running +Synapse installation. This is a very powerful mechanism for administration and +debugging.

+

Security Warning

+

Note that this will give administrative access to synapse to all users with +shell access to the server. It should therefore not be enabled in +environments where untrusted users have shell access.

+

Configuring the manhole

+

To enable it, first add the manhole listener configuration in your +homeserver.yaml. You can find information on how to do that +in the configuration manual. +The configuration is slightly different if you're using docker.

+

Docker config

+

If you are using Docker, set bind_addresses to ['0.0.0.0'] as shown:

+
listeners:
+  - port: 9000
+    bind_addresses: ['0.0.0.0']
+    type: manhole
+
+

When using docker run to start the server, you will then need to change the command to the following to include the +manhole port forwarding. The -p 127.0.0.1:9000:9000 below is important: it +ensures that access to the manhole is only possible for local users.

+
docker run -d --name synapse \
+    --mount type=volume,src=synapse-data,dst=/data \
+    -p 8008:8008 \
+    -p 127.0.0.1:9000:9000 \
+    matrixdotorg/synapse:latest
+
+

Native config

+

If you are not using docker, set bind_addresses to ['::1', '127.0.0.1'] as shown. +The bind_addresses in the example below is important: it ensures that access to the +manhole is only possible for local users).

+
listeners:
+  - port: 9000
+    bind_addresses: ['::1', '127.0.0.1']
+    type: manhole
+
+

Security settings

+

The following config options are available:

+
    +
  • username - The username for the manhole (defaults to matrix)
    • +
  • password - The password for the manhole (defaults to rabbithole)
    • +
  • ssh_priv_key - The path to a private SSH key (defaults to a hardcoded value)
    • +
  • ssh_pub_key - The path to a public SSH key (defaults to a hardcoded value)
    • +
+

For example:

+
manhole_settings:
+  username: manhole
+  password: mypassword
+  ssh_priv_key: "/home/synapse/manhole_keys/id_rsa"
+  ssh_pub_key: "/home/synapse/manhole_keys/id_rsa.pub"
+
+

Accessing synapse manhole

+

Then restart synapse, and point an ssh client at port 9000 on localhost, using +the username and password configured in homeserver.yaml - with the default +configuration, this would be:

+
ssh -p9000 matrix@localhost
+
+

Then enter the password when prompted (the default is rabbithole).

+

This gives a Python REPL in which hs gives access to the +synapse.server.HomeServer object - which in turn gives access to many other +parts of the process.

+

Note that, prior to Synapse 1.41, any call which returns a coroutine will need to be wrapped in ensureDeferred.

+

As a simple example, retrieving an event from the database:

+
>>> from twisted.internet import defer
+>>> defer.ensureDeferred(hs.get_datastores().main.get_event('$1416420717069yeQaw:matrix.org'))
+<Deferred at 0x7ff253fc6998 current result: <FrozenEvent event_id='$1416420717069yeQaw:matrix.org', type='m.room.create', state_key=''>>
+
+ +
+ + +
+
+ + + +
+ + + + + + + + + + + + + \ No newline at end of file -- cgit 1.5.1