MatrixSynapse/docs/manhole.md

Using the synapse manhole
=========================

The "manhole" allows server administrators to access a Python shell on a running
Synapse installation. This is a very powerful mechanism for administration and
debugging.

**_Security Warning_**

Note that this will give administrative access to synapse to **all users** with
shell access to the server. It should therefore **not** be enabled in
environments where untrusted users have shell access.

## Configuring the manhole

To enable it, first add the `manhole` listener configuration in your
`homeserver.yaml`. You can find information on how to do that 
in the [configuration manual](usage/configuration/config_documentation.md#manhole_settings).
The configuration is slightly different if you're using docker.

#### Docker config

If you are using Docker, set `bind_addresses` to `['0.0.0.0']` as shown:

```yaml
listeners:
  - port: 9000
    bind_addresses: ['0.0.0.0']
    type: manhole
```

When using `docker run` to start the server, you will then need to change the command to the following to include the
`manhole` port forwarding. The `-p 127.0.0.1:9000:9000` below is important: it 
ensures that access to the `manhole` is only possible for local users.

```bash
docker run -d --name synapse \
    --mount type=volume,src=synapse-data,dst=/data \
    -p 8008:8008 \
    -p 127.0.0.1:9000:9000 \
    matrixdotorg/synapse:latest
```

#### Native config

If you are not using docker, set `bind_addresses` to `['::1', '127.0.0.1']` as shown.
The `bind_addresses` in the example below is important: it ensures that access to the
`manhole` is only possible for local users).

```yaml
listeners:
  - port: 9000
    bind_addresses: ['::1', '127.0.0.1']
    type: manhole
```

### Security settings

The following config options are available:

- `username` - The username for the manhole (defaults to `matrix`)
- `password` - The password for the manhole (defaults to `rabbithole`)
- `ssh_priv_key` - The path to a private SSH key (defaults to a hardcoded value)
- `ssh_pub_key` - The path to a public SSH key (defaults to a hardcoded value)

For example:

```yaml
manhole_settings:
  username: manhole
  password: mypassword
  ssh_priv_key: "/home/synapse/manhole_keys/id_rsa"
  ssh_pub_key: "/home/synapse/manhole_keys/id_rsa.pub"
```


## Accessing synapse manhole

Then restart synapse, and point an ssh client at port 9000 on localhost, using
the username and password configured in `homeserver.yaml` - with the default 
configuration, this would be:

```bash
ssh -p9000 matrix@localhost
```

Then enter the password when prompted (the default is `rabbithole`).

This gives a Python REPL in which `hs` gives access to the
`synapse.server.HomeServer` object - which in turn gives access to many other
parts of the process.

Note that, prior to Synapse 1.41, any call which returns a coroutine will need to be wrapped in `ensureDeferred`.

As a simple example, retrieving an event from the database:

```pycon
>>> from twisted.internet import defer
>>> defer.ensureDeferred(hs.get_datastores().main.get_event('$1416420717069yeQaw:matrix.org'))
<Deferred at 0x7ff253fc6998 current result: <FrozenEvent event_id='$1416420717069yeQaw:matrix.org', type='m.room.create', state_key=''>>
```
Notes on the manhole 2018-05-23 14:45:17 +02:00			`Using the synapse manhole`
			`=========================`

			`The "manhole" allows server administrators to access a Python shell on a running`
			`Synapse installation. This is a very powerful mechanism for administration and`
			`debugging.`

Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00			`_Security Warning_`

			`Note that this will give administrative access to synapse to all users with`
			`shell access to the server. It should therefore not be enabled in`
			`environments where untrusted users have shell access.`

Add config option to use non-default manhole password and keys (#10643) 2021-09-06 17:08:03 +02:00			`## Configuring the manhole`
Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00
Cleanup references to sample config in the docs and redirect users to configuration manual (#13077) 2022-06-30 18:21:39 +02:00			To enable it, first add the `manhole` listener configuration in your
			`homeserver.yaml`. You can find information on how to do that
			`in the [configuration manual](usage/configuration/config_documentation.md#manhole_settings).`
			`The configuration is slightly different if you're using docker.`
Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00
			`#### Docker config`

			If you are using Docker, set `bind_addresses` to `['0.0.0.0']` as shown:
Notes on the manhole 2018-05-23 14:45:17 +02:00
			```yaml
			`listeners:`
			`- port: 9000`
Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00			`bind_addresses: ['0.0.0.0']`
Notes on the manhole 2018-05-23 14:45:17 +02:00			`type: manhole`
			```

Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00			When using `docker run` to start the server, you will then need to change the command to the following to include the
			`manhole` port forwarding. The `-p 127.0.0.1:9000:9000` below is important: it
			ensures that access to the `manhole` is only possible for local users.
Notes on the manhole 2018-05-23 14:45:17 +02:00
Add note to manhole.md about bind_address when using with docker (#8526) Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk> 2020-10-14 16:28:59 +02:00			```bash
			`docker run -d --name synapse \`
			`--mount type=volume,src=synapse-data,dst=/data \`
			`-p 8008:8008 \`
			`-p 127.0.0.1:9000:9000 \`
			`matrixdotorg/synapse:latest`
			```

			`#### Native config`

			If you are not using docker, set `bind_addresses` to `['::1', '127.0.0.1']` as shown.
			The `bind_addresses` in the example below is important: it ensures that access to the
			`manhole` is only possible for local users).

			```yaml
			`listeners:`
			`- port: 9000`
			`bind_addresses: ['::1', '127.0.0.1']`
			`type: manhole`
			```

Add config option to use non-default manhole password and keys (#10643) 2021-09-06 17:08:03 +02:00			`### Security settings`

			`The following config options are available:`

			- `username` - The username for the manhole (defaults to `matrix`)
			- `password` - The password for the manhole (defaults to `rabbithole`)
			- `ssh_priv_key` - The path to a private SSH key (defaults to a hardcoded value)
			- `ssh_pub_key` - The path to a public SSH key (defaults to a hardcoded value)

			`For example:`

			```yaml
			`manhole_settings:`
			`username: manhole`
			`password: mypassword`
			`ssh_priv_key: "/home/synapse/manhole_keys/id_rsa"`
			`ssh_pub_key: "/home/synapse/manhole_keys/id_rsa.pub"`
			```


			`## Accessing synapse manhole`
Notes on the manhole 2018-05-23 14:45:17 +02:00
			`Then restart synapse, and point an ssh client at port 9000 on localhost, using`
Add config option to use non-default manhole password and keys (#10643) 2021-09-06 17:08:03 +02:00			the username and password configured in `homeserver.yaml` - with the default
			`configuration, this would be:`
Notes on the manhole 2018-05-23 14:45:17 +02:00
			```bash
			`ssh -p9000 matrix@localhost`
			```

Add config option to use non-default manhole password and keys (#10643) 2021-09-06 17:08:03 +02:00			Then enter the password when prompted (the default is `rabbithole`).
Notes on the manhole 2018-05-23 14:45:17 +02:00
			This gives a Python REPL in which `hs` gives access to the
			`synapse.server.HomeServer` object - which in turn gives access to many other
			`parts of the process.`

Manhole: wrap coroutines in `defer.ensureDeferred` automatically (#10602) 2021-08-16 19:11:48 +02:00			Note that, prior to Synapse 1.41, any call which returns a coroutine will need to be wrapped in `ensureDeferred`.
Update manhole documentation for async/await. (#8462) 2020-10-05 15:40:19 +02:00
Notes on the manhole 2018-05-23 14:45:17 +02:00			`As a simple example, retrieving an event from the database:`

Update manhole documentation for async/await. (#8462) 2020-10-05 15:40:19 +02:00			```pycon
			`>>> from twisted.internet import defer`
Remove `HomeServer.get_datastore()` (#12031) The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733 2022-02-23 12:04:02 +01:00			`>>> defer.ensureDeferred(hs.get_datastores().main.get_event('$1416420717069yeQaw:matrix.org'))`
Notes on the manhole 2018-05-23 14:45:17 +02:00			`<Deferred at 0x7ff253fc6998 current result: <FrozenEvent event_id='$1416420717069yeQaw:matrix.org', type='m.room.create', state_key=''>>`
			```