diff --git a/.github/workflows/verify-docs.yml b/.github/workflows/verify-docs.yml new file mode 100644 index 00000000..153e57b9 --- /dev/null +++ b/.github/workflows/verify-docs.yml @@ -0,0 +1,35 @@ +name: Verify Docs + +on: + pull_request: + paths: + - 'docs/**' + - 'zensical.toml' + - '.github/workflows/verify-docs.yml' + workflow_dispatch: + +jobs: + verify: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build docs image + uses: docker/build-push-action@v6 + with: + context: . + file: docs/Dockerfile + load: true + tags: docs-verifier:latest + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Verify rendering + run: | + docker run --rm \ + -v ${{ github.workspace }}:/docs \ + docs-verifier:latest build --strict diff --git a/build/alpine/install-packages.sh b/build/alpine/install-packages.sh index a0f2648f..127a69fd 100755 --- a/build/alpine/install-packages.sh +++ b/build/alpine/install-packages.sh @@ -33,6 +33,7 @@ apk add --no-cache -U \ libwebp \ libcap \ numactl \ + jattach \ ${EXTRA_ALPINE_PACKAGES} # Download and install patched knockd diff --git a/build/ubuntu/install-packages.sh b/build/ubuntu/install-packages.sh index b4f372bb..91827cb6 100755 --- a/build/ubuntu/install-packages.sh +++ b/build/ubuntu/install-packages.sh @@ -30,6 +30,7 @@ apt-get install -y \ libpcap0.8 \ libnuma1 \ libcap2-bin \ + jattach \ ${EXTRA_DEB_PACKAGES} # Clean up APT when done diff --git a/docs/misc/troubleshooting.md b/docs/misc/troubleshooting.md index 051d987f..e36071f1 100644 --- a/docs/misc/troubleshooting.md +++ b/docs/misc/troubleshooting.md @@ -35,4 +35,20 @@ The labels that are most interesting are: - `org.opencontainers.image.created` : the date/time the image was built - `org.opencontainers.image.revision` : which maps to -- `org.opencontainers.image.version` : image tag and variant [as described in this page](../versions/java.md) \ No newline at end of file +- `org.opencontainers.image.version` : image tag and variant [as described in this page](../versions/java.md) + +## jattach + +This image bundles the [jattach](https://github.com/jattach/jattach) utility for attaching to running Java processes. It is described as + +> The utility to send commands to a JVM process via Dynamic Attach mechanism. +> +> All-in-one jmap + jstack + jcmd + jinfo functionality in a single tiny program. + +When exec'ed interactively into the container, jattach can be invoked against the Minecraft server's java process by using commands similar to the following + +!!! example + + ```shell + jattach $(pgrep java) threaddump + ``` \ No newline at end of file diff --git a/docs/sending-commands/ssh.md b/docs/sending-commands/ssh.md index da249ecf..487cd82b 100644 --- a/docs/sending-commands/ssh.md +++ b/docs/sending-commands/ssh.md @@ -6,7 +6,7 @@ The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to The SSH server only supports password based authentication. The password is the same as the RCON password. !!! question - See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password. + See [the RCON password](../configuration/server-properties.md#rcon-password) section under configuration/server-properties for more information on how to set an RCON password. The SSH server runs on port `2222` inside the container. @@ -15,7 +15,7 @@ The SSH server runs on port `2222` inside the container. !!! warning "Security Implications" By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine. - Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). + Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md#rcon-password). If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`). diff --git a/docs/sending-commands/websocket.md b/docs/sending-commands/websocket.md index 011a0f16..d1d0e4d0 100644 --- a/docs/sending-commands/websocket.md +++ b/docs/sending-commands/websocket.md @@ -26,9 +26,9 @@ When a connection is established, the last 50 (by default, configurable with `WE !!! warning "Security Implications" By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine. - Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password). + Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md#rcon-password). - If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`). + If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`). If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).