Bump latest/stable image variant to java25 (#3845)

.github/workflows/build.yml

@@ -108,7 +108,7 @@ jobs:
     env:
       IMAGE_TO_TEST: "${{ github.repository_owner }}/minecraft-server:test-${{ matrix.variant }}-${{ github.run_id }}"
       HAS_IMAGE_REPO_ACCESS: ${{ secrets.DOCKER_USER != '' && secrets.DOCKER_PASSWORD != '' }}
-      MAIN_VARIANT: java21
+      MAIN_VARIANT: java25
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout

.github/workflows/verify-pr.yml

@@ -19,14 +19,14 @@ jobs:
       fail-fast: false
       matrix:
         variant:
-          - java21
+          - java25
           - java21-alpine
           - java17
           - java8
         include:
-        # JAVA 21:
-          - variant: java21
-            baseImage: eclipse-temurin:21-jre
+        # JAVA 21/25:
+          - variant: java25
+            baseImage: eclipse-temurin:25-jre
             platforms: linux/amd64,linux/arm64
             mcVersion: latest
           - variant: java21-alpine

Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=eclipse-temurin:21-jre
+ARG BASE_IMAGE=eclipse-temurin:25-jre
 FROM ${BASE_IMAGE}
 
 # hook into docker BuildKit --platform support

docs/configuration/server-properties.md

@@ -238,15 +238,46 @@ By default an existing `server-icon.png` file will not be replaced, that can be
 
 ### RCON
 
-RCON is **enabled by default** to allow for graceful shut down the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
+RCON is **enabled by default** to allow for graceful shut down of the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
 
 !!! warning
 
     Disabling RCON will remove and limit some features, such as interactive and color console support.
 
-The default password is randomly generated on each startup; however, a specific one can be set with `RCON_PASSWORD`.
+#### RCON Password
 
-**DO NOT MAP THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password** with `RCON_PASSWORD`. 
+The default password is randomly generated on each startup. However, you can specify a password using one of the following environment variables:
+
+* Set `RCON_PASSWORD` to your desired password.
+* Set `RCON_PASSWORD_FILE` to the path of a file containing the password.
+
+Using `RCON_PASSWORD_FILE` is the recommended method for managing sensitive data, as it allows full support for [Docker Secrets](https://docs.docker.com/compose/how-tos/use-secrets/).
+
+??? example
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        image: itzg/minecraft-server:latest
+        pull_policy: daily
+        tty: true
+        stdin_open: true
+        ports:
+          - "25565:25565"
+        environment:
+          EULA: "TRUE"
+          RCON_PASSWORD_FILE: /run/secrets/rcon_pass # Points to the path where the secret is mounted
+        volumes:
+          # attach the relative directory 'data' to the container's /data path
+          - ./data:/data
+        secrets:
+          - rcon_pass
+    
+    secrets:
+      rcon_pass:
+        file: ./rcon_password # local file containing the password
+    ```
+!!! warning
+    **BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password**.
 
 !!! info 
 
@@ -444,4 +475,4 @@ When using `docker run` from a bash shell, the entries must be quoted with the `
 | STATUS_HEARTBEAT_INTERVAL               | [status-heartbeat-interval](https://minecraft.wiki/w/Server.properties#status-heartbeat-interval)                             |
 | SYNC_CHUNK_WRITES                       | [sync-chunk-writes](https://minecraft.wiki/w/Server.properties#sync-chunk-writes)                                             |
 | USE_NATIVE_TRANSPORT                    | [use-native-transport](https://minecraft.wiki/w/Server.properties#use-native-transport)                                       |
-| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
+| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |

docs/sending-commands/ssh.md

@@ -0,0 +1,70 @@
+---
+title: Over SSH
+---
+
+The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to `true`.
+The SSH server only supports password based authentication. The password is the same as the RCON password.
+
+!!! question
+    See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password.
+
+The SSH server runs on port `2222` inside the container.
+
+??? tip "Tip: Exposing the SSH port"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine.
+        
+        Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). 
+        
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`).
+      
+        If SSH access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
+
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        ports:
+          - '25565:25565'
+          - '2222:2222'
+    ```
+
+## Connecting
+
+Connecting should be as simple as running
+```bash
+ssh anyuser@127.0.0.1 -p 2222
+```
+and typing in the RCON password.
+
+## Environment variables
+
+| Environment Variable | Usage                     | Default |
+| -------------------- | ------------------------- | ------- |
+| `ENABLE_SSH`   | Enable remote SSH console | `false` |
+
+
+## Example
+
+```yaml title="compose.yaml"
+services:
+  mc:
+    image: itzg/minecraft-server:latest
+    pull_policy: daily
+    tty: true
+    stdin_open: true
+    ports:
+      - "25565:25565"
+      - "2222:2222"
+    environment:
+      EULA: "TRUE"
+      ENABLE_SSH: true
+      RCON_PASSWORD_FILE: /run/secrets/rcon_pass
+    volumes:
+      # attach the relative directory 'data' to the container's /data path
+      - ./data:/data
+    
+secrets:
+  rcon_pass:
+    file: ./rcon_password
+```

docs/sending-commands/websocket.md

@@ -1,8 +1,8 @@
 ---
-title: With websocket
+title: With WebSocket
 ---
 
-With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a websocket connection.
+With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a WebSocket connection.
 The API is available on `/console`.
 
 ## Password
@@ -21,7 +21,16 @@ The listen address and port can be set with `WEBSOCKET_ADDRESS` (defaults to `0.
 ## Log history
 When a connection is established, the last 50 (by default, configurable with `WEBSOCKET_LOG_BUFFER_SIZE`) log lines are sent with a `logHistory` type message.
 
-??? tip "Tip: Remember to forward the websocket port on the host"
+??? tip "Tip: Remember to forward the WebSocket port on the host"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine.
+        
+        Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password).
+      
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`).
+        
+        If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
 
     ```yaml title="compose.yaml"
     services:
@@ -34,12 +43,12 @@ When a connection is established, the last 50 (by default, configurable with `WE
 ## Environment variables
 | Environment Variable               | Usage                                                      | Default      |
 | ---------------------------------- | ---------------------------------------------------------- | ------------ |
-| `WEBSOCKET_CONSOLE`                | Allow remote shell over websocket                          | `false`      |
-| `WEBSOCKET_ADDRESS`                | Bind address for websocket server                          | `0.0.0.0:80` |
+| `WEBSOCKET_CONSOLE`                | Allow remote shell over WebSocket                          | `false`      |
+| `WEBSOCKET_ADDRESS`                | Bind address for WebSocket server                          | `0.0.0.0:80` |
 | `WEBSOCKET_DISABLE_ORIGIN_CHECK`   | Disable checking if origin is trusted                      | `false`      |
 | `WEBSOCKET_ALLOWED_ORIGINS`        | Comma-separated list of trusted origins                    | ` `          |
 | `WEBSOCKET_PASSWORD`               | Password will be the same as RCON_PASSWORD if unset        | ` `          |
-| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable websocket authentication                           | `false`      |
+| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable WebSocket authentication                           | `false`      |
 | `WEBSOCKET_LOG_BUFFER_SIZE`        | Number of log lines to save and send to connecting clients | `50`         |
 
 ## API Schema

docs/versions/java.md

@@ -12,8 +12,8 @@ where `<tag>` refers to the first column of this table:
 
 | Tag            | Java version | Linux  | JVM Type           | Architecture        | Note |
 |----------------|--------------|--------|--------------------|---------------------|------|
-| latest         | 21           | Ubuntu | Hotspot            | amd64, arm64        |      |
-| stable         | 21           | Ubuntu | Hotspot            | amd64, arm64        |      |
+| latest         | 25           | Ubuntu | Hotspot            | amd64, arm64        |      |
+| stable         | 25           | Ubuntu | Hotspot            | amd64, arm64        |      |
 | java25         | 25           | Ubuntu | Hotspot            | amd64, arm64        |      |
 | java25-jdk     | 25           | Ubuntu | Hotspot+JDK        | amd64, arm64        |      |
 | java25-graalvm | 25           | Oracle | Oracle GraalVM (3) | amd64, arm64        | (5)  |   

files/cf-exclude-include.json

@@ -35,6 +35,7 @@
     "controllable",
     "controlling",
     "craftpresence",
+    "crash-assistant",
     "cull-less-leaves",
     "ctm",
     "custom-main-menu",
@@ -183,7 +184,10 @@
       "forceIncludes": ["just-enough-resources-jer"]
     },
     "ftb-stoneblock-4": {
-      "forceIncludes": ["particular-reforged"]
+      "forceIncludes": [
+        "particular-reforged",
+        "ctm"
+      ]
     },
     "mc-eternal-2": {
       "forceIncludes": [

files/modrinth-exclude-include.json

@@ -32,6 +32,7 @@
     "continuity",
     "controlling",
     "craftpresence",
+    "CrashAssistant",
     "Cull Less Leaves",
     "cwb",
     "DisableCustomWorldsAdvice",

scripts/start-configuration

@@ -321,7 +321,7 @@ case "${TYPE^^}" in
       logError "Invalid TYPE: '$TYPE'"
       logError "Must be: VANILLA, FORGE, BUKKIT, SPIGOT, PAPER, FOLIA, PURPUR, FABRIC, QUILT,"
       logError "         SPONGEVANILLA, CUSTOM, MAGMA, MOHIST, GTNH, AIRPLANE, PUFFERFISH,"
-      logError "         CANYON, LIMBO, NANOLIMBO, CRUCIBLE, LEAF, YOUER, BANNER"
+      logError "         CANYON, LIMBO, NANOLIMBO, CRUCIBLE, LEAF, YOUER, BANNER, NEOFORGE"
       exit 1
   ;;
 

scripts/start-finalExec

@@ -130,8 +130,8 @@ if ${canUseRollingLogs}; then
 
   LOGFILE="${SERVER_DIR}/log4j2.xml"
 
-  # Always regenerate if file doesn't exist or REGENERATE_LOG4J2 is set
-  if [ ! -e "$LOGFILE" ] || isTrue "${REGENERATE_LOG4J2:-false}"; then
+  # Always regenerate if file doesn't exist
+  if [ ! -e "$LOGFILE" ] || isTrue "${REGENERATE_LOG4J2:-true}"; then
     log "Generating log4j2.xml from template in ${LOGFILE}"
 
     # Generate log4j2.xml using heredoc for reliable variable substitution
@@ -142,6 +142,9 @@ if ${canUseRollingLogs}; then
         <Console name="SysOut" target="SYSTEM_OUT">
             <PatternLayout pattern="${LOG_CONSOLE_FORMAT}" />
         </Console>
+        <Queue name="TerminalConsole">
+            <PatternLayout pattern="${LOG_TERMINAL_FORMAT}" />
+        </Queue>
         <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="${ROLLING_LOG_FILE_PATTERN}">
             <PatternLayout pattern="${LOG_FILE_FORMAT}" />
             <Policies>