Minecraft Geyser + Floodgate Paper Minecraft Server
This is a new Docker container to automatically set up and run a Minecraft server that both Java and Bedrock players can connect to! This allows everyone to play on your server no matter which edition of Minecraft you are using. It uses the Geyser and Floodgate plugins to accomplish this.
Since it uses the Paper Minecraft server it also supports any additional plugins that are compatible with Paper / Spigot. This gives you the ability to do many things that are currently impossible to do in Bedrock if you are hosting the official Bedrock dedicated server.
Sets up fully operational Minecraft server that allows both Java and Bedrock clients to connect
Runs the highly efficient “Paper” Minecraft server
Runs Geyser to allow Bedrock clients to connect and Floodgate to allow them to authenticate with their Bedrock credentials to a Java server
Plugin support for Paper / Spigot / Bukkit
Uses named Docker volume for safe and easy to access storage of server data files (which enables more advanced Docker features such as automatic volume backups)
Installs and configures OpenJDK 18
Automatic backups to minecraft/backups when server restarts
Full logging available in minecraft/logs folder
Updates automatically to the latest version when server is started
Runs on all Docker platforms including Raspberry Pi
Usage
First you must create a named Docker volume. This can be done with:
docker volume create yourvolumename
Now you may launch the server and open the ports necessary with one of the following Docker launch commands.
The server data is stored where Docker stores your volumes. This is typically a folder on the host OS that is shared and mounted with the container. I’ll give the usual locations here but if you’re having trouble just do some Googling for your exact platform and you should find where Docker is storing the volume files.
You can find your exact path by typing:
docker volume inspect yourvolumename
This will give you the fully qualified path to your volume like this:
You can then normally access the Docker volumes using the path you found in the first step with docker volume inspect.
Most people will want to edit server.properties. You can make the changes to the file and then restart the container to make them effective. Backups are stored in the “backups” folder Log files with timestamps are stored in the “logs” folder.
Plugin Support for Paper / Spigot / Bukkit
This is a “Paper” Minecraft server which has plugin compatibility with Paper / Spigot / Bukkit.
Installation is simple. There is a “plugins” folder on your Docker named volume.
Navigate to your server files on your host operating system (see accessing server files section if you don’t know where this is) and you will see the “plugins” folder.
You just need to drop the extracted version of the plugin (a .jar file) into this folder and restart the container. That’s it!
Some plugins have dependencies so make sure you read the installation guide first for the plugin you are looking at.
A very common problem people have with the Oracle Virtual Machine tutorials out there that typically show you how to use a free VM is that the VM is much more difficult to configure than just about any other product / offering out there.
It is because there are several steps you need to take to open the ports on the Oracle VM. You need to both:
Set the ingress ports (TCP/UDP) in the Virtual Cloud Network (VCN) security list
*and* set the ingress ports in a Network Security Group assigned to your instance
Both of these settings are typically required before you will be able to connect to your VM instance. This is purely configuration related and has nothing to do with the script or the Minecraft server itself.
I do not recommend this platform due to the configuration difficulty but the people who have gone through the pain of configuring an Oracle VM have had good experiences with it after that point. Just keep in mind it’s going to be a rough ride through the configuration for most people.
Troubleshooting Note – Hyper-V
There is a weird bug in Hyper-V that breaks UDP connections on the Minecraft server. The easy workaround for this is that you have to use a Generation 1 VM with the Legacy LAN network driver.
There is a second fix that was shared by bpsimons here. For that fix you need to install ethtool first with sudo apt install ethtool. Next in your /etc/network/interfaces file add “offload-tx off” to the bottom as the issue appears to be with TX offloading.
Here’s an example:
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
offload-tx off
This can also be done non-persistently with the following ethtool command:
ethtool -K eth0 tx off
Additional Support
The comments section right here is the best place for support. The second best place is the GitHub issues section.
I will add additional documentation based on what problems people are running into / questions people are asking because right now I’m not really sure what those will be yet. Definitely let me know if you need any of these things!
406 thoughts on “Minecraft Java + Bedrock Server Together – Geyser + Floodgate”
Mitsch
Does anybody know why geyser gives that error “[Geyser-Spigot] Your server software does not support the Java version that Geyser requires (1.19.3, 1.19.2)” when the paper server is 1.19.2? I used the docker-compose.yml from the github-repo. I added fixed names for volume and container and Version: 1.19.2 as environment var.
I honestly have no idea. It has nothing to do with the container or your settings. If you rolled back to an older version of Geyser I’m sure it would work. It always downloads the latest Geyser though when you run the server though and that one seems to not want to work with 1.19.2 anymore.
If you replaced Geyser-Spigot.jar with an older version I’m sure it would work just like it always did. It has been running on 1.19.2 with Geyser for literally months so we know that of course it works with 1.19.2 but their current version is currently broken. There’s no way to currently roll back with the container though as it will just update it when you start the container. They’ve somehow broken the new version of Geyser temporarily. I’m sure it will just fix itself whenever they correct what the problem is.
This doesn’t have anything to do with the container and is just update pains. I literally haven’t changed anything with the container nor will I need to for this to get fixed. The people who made the changes that broke it are Geyser basically (and they’re the ones that will need to fix it)! This will all happen automatically (the same way it broke without you having to update or change anything with the container or your config).
Maybe I will have to add some kind of Geyser version freeze or override but I’m guessing that this will just be fixed before too long.
Understand though that all the container is is a set of scripts that simply download the latest version of Geyser and Paper. I don’t make Paper or Geyser and they’re big projects (much bigger than just me). They’re probably the ones to ask for answers for this one! The answer for every Minecraft update that has happened while I’ve had the containers and other scripts though is to just wait. Let the Paper and Geyser projects do their thing and fix it (or if you want to ask someone about the progress those are the people to ask if that makes sense). They’ve never failed yet.
It wouldn’t hurt to plan on this for the future too. It happens every update and it always has. When vanilla version 1.19.3 comes out that is when the Paper and Geyser teams get to START on the update basically. Sure they can do some prep in the prereleases but things are always changed in the final release (sometimes substantially) and those they have no way to prepare for. Maybe just leave it up and running for a day or two when an update comes out and you can avoid all of the patching / fixes / etc.
Sometimes the teams are putting out new builds every hour or two during this time and it’s really not a good time to update until they’re ready! They don’t do their releases like Minecraft where it’s all a bunch of fixes released at once. They’re literally doing live changes on Geyser one at a time and updating them and you can see those changes on their site that I’ve linked to in many of my other posts regarding these issues.
It’s definitely frustrating (even more so for me, because every time there’s an update I get tons of GitHub issues and messages about this and the answer is you need to wait for Paper and Geyser to update and there is nothing I can do about that). That’s why I would just suggest planning on it and leaving the container alone for the most part during those times is one way you could prepare / minimize the disruption but it has always happened.
This is the unfortunate downside running a non vanilla server (which wouldn’t be able to do any of the cool stuff this does unfortunately). The Paper team is pretty good about it although for 1.19.2 they had the update out within a few hours and right now there’s still no 1.19.3 so this one is taking longer than the other recent ones already.
This could be due to there being trickier changes in 1.19.3 than in 1.19.2 (indeed the change list for 1.19.3 is a lot longer and honestly was more than I expected). It says they added new player reporting features (again) in the changelog and I suspect this may be part of the hangup. That’s more of that “secure profile” reporting stuff that is pretty controversial. Those are all considered security features and are particularly tricky for Geyser to handle.
I’ve seen it take several days before at worst. Not sure what is going on with Geyser still but if it’s not resolved before too long I guess I can just roll it back to a version from maybe a week ago and that would probably do it. It would just be silly to make that update and have them fix it a few hours later but if it goes on for too long I will go ahead and do it. Every update is a little bit different though. 1.19.2 was a breeze but 1.19.3 is not going well so far for either Paper or Geyser by the looks of it!
thank you for your detailed answer. I didn’t not want to blame your work in any way (it’s awesome and extremely convenient :)). I was just wondering whether i did something wrong or not. So i guess the error message geyser gives is just missleading, since it seems to check for 1.19.3 only and not for both 1.19.2 and 1.19.3. So i’ll see if i can get and push an older version to my container. Keep the good work up! 🙂
Maybe i’ll give that ViaVersion app a try that seems to route requests to older server versions making geyser a bit more robust regarding version changes. Well maybe at least a little bit. 😀
Meanwhile i’ll share some coffee.
Don’t sweat it at all! I hope my frustration didn’t come off as directed at you guys. It’s really not at all and has more to do with how the forked Minecraft server ecosystem works where there is this small gap in time between updates where there’s this sticking point. Many of you are frustrated with it like I am when it takes a lot longer than usual and things start breaking like this (albeit temporarily). It puts both server operators and projects like mine that are downstream in a difficult position where all we can do is wait (and I do hate waiting).
The Geyser message does seem to be misleading since it is talking about the Java version but the Java version is just OpenJDK 19 (the current release). It’s hard to say if this is related to the Minecraft Bedrock clients being too new for Geyser to handle or if they changed something for the new update that actually broke the old version.
Definitely let me know what you find if you run this experiment since I’m actually not sure what you will find. If the new Bedrock client is the problem (and Geyser just isn’t handling it correctly yet) then rolling back to an older Geyser won’t fix it. If this is a breaking change they introduced in the new Geyser it will 100% fix it. What you find may impact what I do with the container as well so if you get a chance let me know!
I modified the setup script and Dockerfiles and placed a pull request. I guess that’s the fastest way to show you what i found as solution (for me). Maybe it helps you.
No worries. Paper 1.19.3 is out and this fixes this issue. It’s simply that Geyser dropped support for older Bedrock versions not too long ago and Paper was slow to update.
Your changes are actually pretty interesting. It looks like ViaVersion is a plugin that lets you have people connect from versions newer than the server has been updated for. This is cool but it’s a lot of complexity, extra updates, etc. to add simply to let the server work for 24 hours upon a new release instead of waiting for real support to be added. Since it’s letting new versions connect that are unsupported there’s really no guarantee everything will work. It’s just going to let them connect without throwing the error. It still won’t support any of the new features this way though.
1.19.3 is considered experimental. Paper says the following:
Builds marked in red are early, experimental builds. They are only recommended for usage on test servers and should be used with caution. Backups are mandatory!
As long as you have backups this should all be ready to go as per the usual process without installing anything extra! I’m actually on 1.19.3 right now and updating the rest of the projects. Everything is back to normal and nothing needs any changes (unless you wanted to be able to run the new version instantly without there actually being any real code written to support the new version).
ViaVersion seems like the equivalent of just commenting the version check out of the code. That’s what it does if I’m understanding everything correctly and it still has no way to support new features since by definition it had to have been written before they were ever released (otherwise the new version would just be supported normally without any need for it). Just like commenting the version check out in anything this is going to have consequences. The consequences will depend on what is in the update. Most updates it will probably cause no issues whatsoever. This update has a lot of stuff that I’m guessing the server wouldn’t understand at all (like the new reporting features, etc.).
Even in the supported 1.19.3 version Paper expects it to be broken. These are red testing builds. That is why backups are so important. It’s also why running it with ViaVersion has some risks. At least the beta version of Paper 1.19.3 has *some* code finished to support 1.19.3. Running ViaVersion on 1.19.2 will have zero code to support this making it even more dangerous than the Paper 1.19.3 beta.
We’ve passed the window where it’s necessary to do anything but pull the latest version of the container and the drama is over until the next version. The Paper and Geyser teams have done their thing and 1.19.3 is out. All you need to do is update now and I really don’t recommend spending any more time fighting with it (or fighting with it the next time, you can skip all the drama by simply waiting 1 day).
You are basically fighting with it to make it support a new version when it doesn’t (and by definition no code related to 1.19.3 could be in it) and even if you succeed it can’t support the new features and might store invalid data in your database and crash it and who knows what else. You’re trying to do exactly what Paper and Geyser are doing when the update is released simultaneously and get the new version to run but they have far larger teams and more resources than you or I will ever have. We will lose that fight every single time and I’ve lost it enough times before to know not to even try. Whatever workaround we try to do other than waiting for official support will be dangerous and clunky.
It will be like this each update although hopefully the other ones won’t take closer to maybe 36 hours like this time! I’m actually very impressed by your solution regardless. If this was going to go on for another week I would have probably implemented this (with a strong caution to everyone to use backups and understand that there is some risk). Some day your solution may be necessary and people could learn from it if they are willing to undertake these risks upon new release and could absolutely add ViaVersion to the mix!
I set up a test volume to experiment with with ViaVersion and it does work for getting past that Java version error. I don’t like having extra overhead though so I may wait for a Geyser update or try the previous version.
The whole boondoggle did at least force me to learn a little more about how it all works.
James, thanks for creating this container. It has performed well on my Rpi4 (running on SSD) for me and two of my kids. The container idea is so convenient. I’m pretty new to linux, docker, and minecraft so it was a great shortcut to get my kids a server going. Now I’m backfilling the knowledge gap.
The latest Paper 1.19.3 is up and Geyser is working properly with it. They actually adjusted that old Geyser error message in one of their patches because it was misleading. The error is actually that Geyser dropped compatibility for older Java server versions. The issue was the Bedrock clients were trying to connect with 1.19.3 features and Geyser doesn’t support that with the Java Minecraft server 1.19.2 (there’s actually a version from a week ago that says when they dropped this support).
In other words by “Java version” they actually meant Java Minecraft server version and not the Java (OpenJDK) version (definitely a bad error message and why they changed it to not be so unclear). It was also not supposed to mention 1.19.2 as being compatible anymore (it’s not, if you were running 1.19.2 you would want to roll back the Geyser version to before these changes). Now that Paper 1.19.3 is out it’s working normally again.
The only way I could have prevented this that I can think of is if I had seen the changes that were being released for Geyser and froze the Geyser version until Paper 1.19.3 was out. That would have at least kept Geyser working on 1.19.2 until 1.19.3 was out.
Important (from Paper team): Builds marked in red are early, experimental builds. They are only recommended for usage on test servers and should be used with caution. Backups are mandatory!
1.19.3 is in beta basically in other words (although you should always back up before going to a new version no matter what anyone says or doesn’t say for sure, you’ll always be happier you did and wasted your time than if you didn’t and you end up needing it). It should work as-is now though since Geyser won’t complain about the 1.19.3 clients anymore since Paper is now on 1.19.3.
Definitely make sure you pull some of your backups out of the container’s “backups” folder and that you actually have them stored separately (as the container only keeps the most 10 recent backups by default). In other words pull out a set of backups and put them somewhere safe before running the beta. That way if anything weird happens (such as the server crashing and then failing to load with some kind of corruption) you won’t lose anything more than whatever was going down since you upgraded.
You can see the Paper team’s progress on the beta patches here. It’s not uncommon for them to update every few hours or so as they are pushing fixes as they find them. You’ll see the 1.19.3 progress (as well as the fact that the builds are red instead of blue meaning it’s in beta and to be careful / make extra backups).
Thank you for your kind words about the container as well, I’m so glad it’s working well. The SSD is a great choice for the setup. Hopefully that helps!
Arathi
So far, the kids and I have been having an absolute blast with this, so again, thank you so much for the work put into getting the two to work together.
With that, I was curious about mods. Server-side mods like Millenaire. Something to make villages a bit more worth exploring and interacting with. Is that possible with this?
Great question! So the mods are absolutely possible (although they are usually called plugins for Paper / Spigot / Bukkit server mods). I took a look at this specific one and it looks like this one is only meant for Minecraft 1.12 and has it’s own standalone downloadable server and client so this particular one wouldn’t work.
The server can take Spigot / Bukkit / Paper Minecraft server plugins basically. These are downloaded as .jar files into the “plugins” folder. There are already some in there such as Geyser and Floodgate you will see in there for this container.
Some good places to see all the available choices of plugins / server mods are: the Bukkit web site and the Spigot web site. All of the mods on either of those sites will work essentially (as long as they are supporting the version of Minecraft you are running).
I tried to copy files to the plugin folder, but I wasn’t able to. Even installed the desktop UI to do it with a file browser, but wasn’t allowed to open the docker folder. I usermodded the user, but dis not get access. Any thoughts on how to get a jar file in the plugin folder?
So the first thing is make sure you have closed the container first. That is most likely the problem. People have tried to modify things like server.properties and other files before when the container is open and have had similar results where nothing is “sticking”.
Once it’s closed to copy the files (without worrying about permissions issues) just do a sudo before your command to copy them.
I appear do be a more complete noob than I already thought. When typing: sudo cp Downloads/Citizens.jar /var/lib/docker/minecraft/_data/plugins I get an error reading:
can’t create the normal file ‘/var/lib/docker/minecraft/_data/plugins/’ : File or folder does not exist. I stopped the container. Status now says exited.
Also in the Desktop UI I can see the folder ‘Docker’, but opening it gives an acces denied and shows only an empty folder.
Can you check the guide’s instructions and find out where your Docker folder is? It’s not where you’re looking. Which OS is this? I should have every OS covered on how to find the location of your Docker volume.
docker volume inspect yourvolumename
This will tell you exactly where it is. Can you follow the guide and find your correct folder and give that one a try? It is the section on finding your server files.
Thank you for your patience. I took a look of this entire chat history and could not find the answer there, so I am glad you take te time to answer me.
This is the info I got from the ‘inspect’ command: "CreatedAt": "2022-12-10T11:56:02+01:00",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/minecraft/_data",
"Name": "minecraft",
"Options": {},
"Scope": "local"
I am on a Raspberry 4 and installed the GUI just to be able to find the folder. When going to this location, I get an ‘access denied’ when opening the “/var/lib/docker’ folder.
Rebooting the raspberry, stopping the container in what order whatsoever does not give me access to this folder.
Using the ‘CP’ command (from within a VNC window) gives me this error:
cp: cannot stat ‘home/minecraft/Downloads/Citizens.jar’: No such file or directory
I can see the file standing right there in that folder. I am absolutely sure I am doing something wrong, but can’t figure out what.
Running the command from the Terminal on my Mac gives the same error.
Besides from the plugin troubles I have, pulling the latest version keeps giving me the same error when using my previous container. After a reboot and I install the latest, a new world is created that works, but I (of course) want my already build world. Stopping the new container an starting the ‘old’ one gives me the same ‘not working on 19.2 error’.
When inspecting the containers, I see that the newly created one has the whole 05james line, but my older build world just the ID numbers/letters.
How can I update the container?
Again, if you ask me to first find my answers somewhere else (e.g. other linux support) just let me know. I understand.
You need to be root to touch any of it. Every command should have a sudo in front of it. You will not be able to use the GUI for this unless you know how to log in as the root user. Your Docker pull command also needs sudo unless you’ve added your user to the Docker group (extremely unlikely).
Try all of it using sudo. Your path is also missing a forward slash such as:
/home/minecraft/Downloads/Citizens.jar
instead of:
home/minecraft/Downloads/Citizens.jar
You also need to completely stop the container before trying to do any of this. If it’s running you cannot change these files.
You can straight up delete the container if you want. You have multiple containers now? Delete them. They don’t do anything. The only thing that is important is your volume. If you have multiple old versions running then remove those container instances with docker container rm xxxxx.
Make sure you have backups before you try any of this. I feel very strongly like despite me saying this you might delete the volume instead of the container. This would be such an easy mistake to make (I could have seen myself making it when I was newer to Docker) which is why I felt the need to bring this up. Do not delete the volume and please have backups before trying anything further here.
You should have 5 copies of your server before trying a single rm command or else all of the ingredients for something to go very very wrong are here. We should not even be worried about losing your server. Stop right now. Do not touch it further before having backups of everything. You should *know* you can’t lose your server. If that is not the case then do not touch it further before backing it up fully. You’re very, very close to losing everything right now.
If you have a backup of your server then you could simply delete everything and start over if everything is all weird and crazy now. That’s actually exactly what I would recommend doing. Remove all of your container instances, do a sudo docker pull of the fresh container and then run. A fresh volume would be even better but unless you’ve gone in and manually moved/modified files I’d imagine that a sudo docker pull will solve your problems.
Definitely do not overcomplicate it. Here is now you update the container:
That’s it. As long as you’ve stopped the container first that is how you update the container. As far as installing additional plugins you will use sudo cp. You will copy the downloaded file with sudo (and don’t leave the forward slash off the front of your path) and I think you’re just about there.
Basically you need to use sudo in front of all of your commands (and use the right paths). That should be all it is from what I can tell. You want to copy a file and it’s telling you that you don’t have permissions to do so. It is right. Only root or sudo can do this and if you didn’t stop the container first then root can’t do it either.
The key thing to keep in mind is that the contents of your volume (or some of the backups from the “backups” folder on your volume) are the only thing that’s “real” or important. Everything to do with Docker and the container is modular. It can be deleted and recreated on the fly no problem. Your actual data and server contents are in the Docker volume or your backups. As long as you have those you never have to worry about anything else with Docker as you can remove it and recreate it (and it’s designed for it).
The Docker volume contents (or your backups) are the real golden goose though that it’s game over if you lose them or break something without having backups first. You can’t ever get in too much trouble if you have a copy of these stored safely first no matter how ugly it gets with Docker or the configuration and we have the option to start over with the container/configuration if it’s too much of a mess (and indeed this is often the best thing to do). You can remove the old container with docker container rm and then just run a totally new instance with the same volume name as you used before and it will start as if nothing even happened.
Even if you deleted the Docker volume or moved to another machine it’s as simple as creating a new Docker volume and then extracting the compressed backup contents from your backups folder into that new empty Docker volume if that makes sense. As long as you have the compressed backup copies from the backups folder that is all you need. It’s as simple as extracting them into a new Docker volume even if the previous volume was lost/removed.
Sorry if this came across as terse (I promise it’s out of concern that before you try anything else you have backups first as the rest can all be sorted out easily but not having the backups can’t). It has been a long time since I have had anyone lose a server when trying to follow my advice (years, and the couple of times it has happened I took actual steps in code to make sure it could never happen again in the future at least in that same way) so I try be very careful about mentioning the backups (stored some place separate) so I had a bit of a mini-freakout here when I realized I hadn’t done that. As long as you have backups we can completely wipe everything clean and reconstruct it within minutes if we need to (without any data loss). Hopefully that helps!
Strixin
Realise this is a tall ask, but I’m having a tonne of issues trying to relate the docker pull/run commands to the TrueNAS docker GUI interface. Has anyone done it, or could point me to something that explains it?
I have a Rpi4 (4Gb) running the Geyser server (and also running HomeBridge). Most things I do on this device (rebooting, making new containers etc) I do from an iPhone in a terminal app (WebSSH). Works great for me. However I am going to portforward it so my children can access the minecraft world from their mothers home also. I cannot get that to work, but I have another more urgent question.
I recently used a command to add a line to the config.txt file on the RPI from terminal, so I did not have to find the file, open it and edit and save it. Is there an easy way to make a whitelist and easily add user to it from a simple command typed in the terminal? After this I want to portforward and open the world outside my LAN.
I hope I made my request clear, as this is not my native language.
Welcome! So basically there’s nothing within the container that would be able to distinguish about whether someone is connecting from the LAN or the outside basically. As long as all of the ports are open it will work.
This would include UDP forwarding for port 19132 for Bedrock. You’ll basically want to make sure you’ve port forwarded everything on the container launch line if that makes sense. If I were to guess you probably have the TCP rules set up for Java and are missing the UDP rule for 19132.
For whitelisting I would actually recommend just typing it in the server console. You can just type:
whitelist add player
This will take care of all of the files for you. Hopefully that helps!
I do not know how to access the ‘interactive terminal’. I am aware that the need for the screen package was removed some time ago, but I want to be able to access the console. If you could tell me the command to do so, that would be great.
Oh, okay. Thank you. It’s actually docker ps though, not docker ls to list the containers. Other than that, everything worked like a charm! Thank you for providing this software.
Excellent, I’m glad it’s working! Honestly you don’t need to memorize anything. Just type “docker”. It will tell you everything (including what the commands do) and that is what I do:
Commands:
attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes
You don’t need to memorize everything as that is a waste of brain space (there’s over 50+ just base commands). In other words it’s far more important to learn to find any command you want whenever you want than it is to physically memorize every single command. It will all probably be different in 5-10 years anyway (if you look at the “docker” command from 5-10 years ago half the things on that list won’t exist, and another 5 to 10 years from now the current list will look like a joke compared to the one then). I tend to work with all of my systems this way / with this mentality.
How can one memorize a dozen different programming languages? How can a tech remember everything for a thousand systems they cover? You don’t. Once you get to that point memorization won’t help you. It’s about whether you have enough of a understanding and the proper tools to solve the problems (even if nobody has ever seen them before, which will be the case much of the time).
When I’m working with professional IT techs or engineers the dividing lines tend to be along who can teach themselves to think / work this way. Some people are really good at memorizing things and can be great experienced techs/engineers. They’ve seen it all before, they know everything off the top of their head, that kind of thing. Those are never the people that make it to the top / leadership positions though. It’s the people who can learn to solve any problem (especially the ones nobody has seen before). At that level it becomes much more about your processes/techniques than the individual details. Every single problem will be different and unique and you’ll have to use some combination of all of your skills you’ve built up over your life to solve them.
I told you the command syntax wrong because I told you off the top of my head. That’s kind of my point I’m making here though. That’s not how I actually work with Docker or IT in general. The way I work is by knowing how to find the answer so that it doesn’t matter what command I need to use or someone is asking about because I know how to instantly see all the Docker commands and what they do in less than 1 second on my command line. I have the tools and process I need to work with Docker without having to memorize all these commands and their variations as those change over time and really aren’t that important since they can easily be found/referenced.
It’s actually the same with the Minecraft server commands. It’s not impressive to memorize all the server admin commands as that doesn’t have any practical value. Again, these can all instantly be seen by typing /? in-game (and they’re actually updated based on what permissions you have). I would probably give you the wrong syntax for the Minecraft admin commands too off the top of my head but this would never matter in reality because when I need a command I know how to find it and wouldn’t make flash cards or anything to try to commit these to memory (you’ll automatically memorize the ones you use enough by just pure repetition eventually, just use the reference for the rest of them and commit your brain to storing more important things that aren’t so easily referenced/found).
If I were hiring an admin I would hire the one that can find any command by using the reference rather than someone who memorized 80% of them but had no idea how to find the other 20%. The person using the reference has a process they are following and will generally be able to solve any problem. The person who works by memorizing everything and recalling it would be the one that would end up being the headache even if they are “faster” sometimes due to their memorization. Sure, you could teach that person how to look up the referenced commands but the issue will be that person has not developed that way of thinking about these types of problems and that is very hard to teach. They’re used to recalling things and the truth is in IT that is impossible above a certain level as there is simply too much to recall and you have to use processes / techniques / your foundational knowledge all together.
I guess my advice to anyone new to Docker or hosting Minecraft servers would be to challenge yourself not to try to think in terms of how to do things one at a time and try to memorize those. Learn how to find ALL of the commands whenever you want and try to think about the problems this way. This will free your brain to think about the *really* hard problems instead of trying to remember countless specific commands. It takes practice (a lifetime of practice really) but it’s very empowering and worth it.
I have a headless debian machine where this docker image is the only thing running, and after restarting it 4 days ago it seems to have used up 90% of my 1.2 TB monthly Comcast allotment (nload shows over 1 TB of transfer on this machine), despite us not actually playing on the server in that time. Is it possible there is some pathological edge case where it would download (or upload?) tons of data on a failed startup, or something? Is there anything in the logs that would indicate something going wrong like this?
(We’re in Comcast’s “you get one free month of overages” period, and my kids and really appreciate how easy it was to set this up, so please view this message as a weird technical request and not as a complaint about your free code costing us money or anything. All of my anger is directed at Comcast. 🙂 )
Welcome! That is really frustrating for sure. I’m definitely no fan of the data caps!
The Minecraft server itself would actually use 0 data. It’s a local server. That’s the advantage of self hosting for sure. Unless people are connecting from over the internet / outside the house this will use 0 data.
So basically no, there is no situation where the server could explain this. It won’t even be using your Comcast data. The only time it could possibly use data is when it’s downloading an update. These updates are only downloaded if the server version has changed. It only checks when you restart the server (which is at most once per day and most people’s will be configured to never restart unless they tell it to).
In other words it doesn’t even check if the server is running. The only time it ever checks the internet is when you restart the server / start the server. Theoretically if something like an edge case was going on you would see it looping and downloading it over and over again. The server wouldn’t work if this was happening though. The updates happen before the server starts so if the server is running it can’t be updating.
Since that is the only time it connects to the internet then if your server was running then it couldn’t have been doing this. The server would have been down and if you went and checked it then you would have found some loop of it downloading it over and over I guess theoretically? Except that if it fails it will just fail to start the server so I can’t even really square a way this could possibly happen to be honest.
The paperclip.jar file it downloads when you restart the server is only about 30MB. That means you would have to update the server approximately 35,000 times to hit the data cap (but if it fails to update it won’t start or will just load the old version and will not check again until you shut down the server and restart it).
Does your router have anything like this:
If you have a router that has these capabilities you can literally track and see where your data is going (this one is Unifi). If this continues to be a problem it may be worth getting a router that has these capabilities as it is no fun to be under Comcast data restrictions (or have to pay the bill). Having these capabilities basically gives you control of your data cap back. You can completely see where it’s going and take action before it ever gets near enough to trigger an automated warning from the system.
I only know a couple of things that can use up a data cap that fast. 4K/8K streaming video is the most common. You can’t really hit a cap like this by downloading files. Nobody is hosting 100+GB files you could click to download off a web site for example. I guess if you plugged in a really old Xbox that had 20+ games installed that all had 20-30GB updates maybe you could hit several hundred GB in game updates? My guess though just from the raw numbers was that one of the few things that could explain this is streaming (and specifically in 4K+).
Another possibility is that machine could be compromised. If you’ve tracked it to that machine it’s certainly possible it has a virus and is seeding torrents or hosting fileshares or something like that. That could definitely use up a cap like this as well. If you’re seeing 1TB of data flying from that machine I would definitely recommend reimaging it as it sounds like it’s either malfunctioning extremely badly or is outright compromised/hacked potentially.
It would really help to know what it is connecting to similar to what the router connection manager shows you. If it’s compromised it’s going to be connecting / maintaining connections to some very nasty places and I think it will be pretty obvious. You’ve traced the data flow but what exactly is it connecting to and communicating with? The router may be able to reveal that part for us.
Thanks for the reply. My router wasn’t much help, but I was able to pull the docker log and figure some things out. When the machine came up it restarted the docker image, which ran through the normal startup until the paperclip update, and then it would hit this:
Geyser is up to date
Starting Minecraft server...
Must be connected to a terminal.
Paper Minecraft Java Server Docker + Geyser/Floodgate script by James A. Chambers
Latest version always at https://github.com/TheRemote/Legendary-Java-Minecraft-Geyser-Floodgate
And then it runs though the whole thing again. If I’m parsing the log correctly, it did that about 20,000 times over four days, downloading the paperclip update over and over and over. So, the good news is there doesn’t seem to be a compromised machine, but I’m curious if there’s a way to have this container start up without a connected terminal (or to fake one?) or to have it try to start a few times and then give up instead of repeating for days on end?
I know I can always just turn off restart and do it manually whenever the machine reboots, which isn’t often, but it feels like there’s a more elegant solution out there somewhere.
That’s an interesting failure case I’m going to have to take care of here for sure. What I can do is make it exit at the beginning if the script if you are not running an interactive terminal.
The interactive terminal requirement is from the Minecraft server itself and not from me. You do have to run it the correct way with:
docker run -it
If you want to detach just press Ctrl+A then Ctrl+D. The Docker screen will detach and go into the background (can be reattached to using docker attach command). You can also just run it like this:
docker run -itd
The “d” means detached meaning you don’t have to have it up on a screen. In other words adding the d tells it to still create an interactive terminal for the Minecraft server but to minimize it to the background. You should definitely disable whatever startup line you have going now as that is broken and can’t run without an interactive terminal.
You don’t have to attach or have the server console open. An attached terminal is different from an interactive terminal (which is a Minecraft server requirement) and you can basically attach and detach whenever you want by using docker attach and Ctrl+A followed by Ctrl+D to minimize it again.
I’ll get some code added to abort when ran without a terminal (-t) or interactive mode (-i) after maybe like a 10 second delay (to prevent it from restarting hundreds of times per second). It will never get to downloading anything with this change. It will just fail immediately (as it should, and without using any bandwidth).
I should note that an easy way to set this up (a server running in the background with automatic restarts + the proper terminal configuration) is with the project’s docker-compose.yml file. This most likely resulted from running the command line startup but maybe missing one of the -i or -t flags (maybe intentionally from how you’ve described running it but hopefully some of my suggestions have gave you some other ideas on how to configure this). Hopefully that helps!
EDIT: This has been patched to not allow this to happen. You can pull the latest with:
It shouldn’t be possible for this to happen again as if the terminal isn’t configured correctly it will just fail (and then wait 10 seconds within the container script to prevent restarting spam even if Docker is configured to always restart unless stopped manually).
This also has another positive side effect which is that before this change it would have also backed up the server over and over again making your 10 rotated backups essentially useless (or it would make them essentially all the same backup, so you wouldn’t lose all your backups but you’d have effectively 1 instead of 10). After this change again a backup will not happen as the script fails immediately (it’s the first thing it checks now). Thank you so much for reporting it!
Hi, this is a really cool project. I’m using docker-compose to run an instance of this along with the stock Bedrock server. I’ve updated the ports so they don’t conflict. I can connect using Java clients, but not on a Windows Bedrock client. I can see the server under LAN Games, but when I try to connect it just says, “Unable to connect to world.” There’s nothing in the log files showing the connection attempt.
Welcome, and thanks for the kind words! Is it Hyper-V? Because it definitely sounds like Hyper-V. There are UDP bugs that are covered in the article and in the GitHub README for Hyper-V and that’s the only platform I’ve ever seen this happening on. The other common platform to have trouble with is Oracle but yours doesn’t sound like Oracle to me (as Oracle tends to be nobody can connect period).
Assuming this is Hyper-V it’s a bug with the UDP network stack and there’s a couple different fixes (the easiest of which is changing it to a Gen1 VM). This has been happening for a while now and I’m surprised it hasn’t been fixed yet (but it’s a Hyper-V specific bug and Microsoft would need to fix it). Hopefully that helps!
Thanks, that helps! So the last one of these I saw for Ubuntu specifically it ended up being a weird bug with ufw. They ended up deleting their rules and adding them again and that actually fixed it. That was about a month ago so I definitely would recommend deleting all the ufw rules and adding them back again since that was recent enough that the bug is probably still floating around out there.
In another case someone else actually had firewalld installed (an alternative to ufw) and they didn’t realize that one was on there. If this is a bare metal install you did yourself it’s a lot more likely to be ufw (while VM deployments tend to have firewalld pop up more often at least in my experience).
Ubuntu 22.04.1 is the recommended platform by Microsoft for running the dedicated server (the Bedrock one for Linux at least) and I use it on many of my systems (and the Docker container uses Ubuntu internally as well). It was my desktop OS until yesterday when the NVIDIA drivers crashed and purging them broke the entire X system so I switched to Pop OS (which has been great so far but that’s beside the point which is that you are running a known good configuration at least as far as the OS goes). The version is important too as you’ve ruled out a bunch of other things it could be here too as there are all kinds of issues that can pop up with older versions but you are on current LTS.
Given that you are running a recommended OS this must be some kind of firewall or configuration issue still. I’d be really curious if you are impacted by the same ufw bug as that other person!
It’s a configuration issue for sure. I actually see the mistake this morning with fresh eyes:
- 25565:25565
- 19133:19132
- 19133:19132/udp
Here you are opening ports 19133 twice followed by 19132. I believe this means point port 19133 to 19132 and also to point 19133/udp to 19132/udp. If you are trying to connect with UDP on port 19133 there is no UDP rule in there for that (or it’s trying to reroute it to 19132 which I’m not sure if you can do this without nasty side effects). These mappings aren’t one to one and actually look like they have some redirections (intentional I’m guessing).
I understand that you are running a native Bedrock server as well so I’m sure this has something to do with this but you are actually forwarding one port to a different port number here. What I’d recommend is that if your native Bedrock server is using the default ports then use the BedrockPort environment variable and actually change the Geyser one to something else.
I’d definitely recommend using a 1:1 mapping by both port and protocol for sure. Your config should look like this:
19132 is IPV4 and should be UDP. 19133 is IPV6 and should be UDP. I usually open the TCP counterpart as well as that is used for the “ping” port and the number of players online. These ports need to be opened directly (every single one that you use, with the correct protocol). I don’t think Geyser has an IPV6 port but for my native Bedrock container the configuration looks just like that (minus the 25565). Launching the native Bedrock one looks like this:
If these ports are going to conflict with the native Bedrock server then one or the other one should change. I don’t think forwarding it to a different port than it’s addressed to via the Docker mappings is going to work (or clearly isn’t here). UDP is a connectionless protocol and it wouldn’t surprise me if the server is actually seeing the traffic but with the wrong port (even if Docker is forwarding the traffic) so it’s dropping it or ignoring it.
In this scenario it would receive the traffic but think it’s meant for a different port because the server knows it’s configured to listen on 19132/udp and not 19133/udp. Docker will allow you to do this but they also expect that the application is aware that traffic is coming from a different port (and taking it into account on the application side when handling the data) which Minecraft definitely doesn’t support configurations like that natively unfortunately.
It’s totally fine to change the port from the Geyser side here using the environment variable if you need to in order to resolve this conflict (but make sure you open the new port with the 1:1 mappings for that new port as it’s easy to forget this). That will definitely fix it!
Hmm, ok. I need to run this instance on a different port, since I run a stock Bedrock server on port 19132. I changed ports and tried again, but I get the same error. Again, no log.
Great find and excellent work! Yes, I have seen this once before on the Purpur version. I finally found it here. That was about a month ago.
Well it appears that it’s working just fine… The problem was all the complicated, round-robin Microsoft auth procedures. We can now get to the server from any client!
(Since I just brought this server instance up for my LAMP applications, I hadn’t set up ufw yet…)
Thanks!
Apparently the procedure for Microsoft authentication is quite complicated and there’s some other internal network configuration that sometimes needs to be done for it. This is only the second time I’ve seen this so this issue didn’t immediately pop up into my mind but due to your breakthrough I’m connecting the dots here. This is an issue I will need to watch out for more (and I’d like to understand more about why it happens on certain networks, it’s never happened to me but you and the other person have proven without a doubt that this is a thing).
I half wonder if I should start shipping the container with authentication off by default (which is less secure for sure since it won’t validate accounts, it will just take the connecting client’s word for it, that’s the tricky part and why I hesitate but I don’t like that it’s causing people problems). Maybe that’s what the other person’s container is doing to avoid these issues (although maybe this is Geyser specific)?
I’m hoping there ends up being something else I can do in the config to potentially alleviate this without having to shut off online-mode altogether but realistically unless it’s a public-facing (internet) server turning off online-mode has no downside. If people on LAN are exploiting it then that is relatively easy to deal with compared to remote attacks from the internet since you’ll know exactly who they are and where to find them.
If you find out exactly what was blocking it or fix it a different way definitely let me know. Thanks so much for letting me know what it was though. That definitely does help. I hope you enjoy the container!
shampeon
As far as I can tell I’m doing everything that Geyser says I should be doing. I’m intending on using DynDNS and port forwarding from my router so my kids friends can connect, so the goal is to open this to the network with an allowlist. With online-mode=false, does that mean the whitelist is ignored?
You should be totally okay as far as the whitelisting goes. This is totally separate and online-mode only has to do with Microsoft authentication validation/verification fortunately. Your setup should be fine since you’re using whitelisting.
Theoretically someone could impersonate someone else with a hacked client but that’s not going to happen in this scenario for sure. They would have to know about the server *and* know a connecting player’s UUID that is whitelisted so unless you have reason to believe you’ll be targeted nobody is going to bother to do this as not many people can do it to begin with and the people who can and actually want to use those skills will attack more prominent targets (like if you were a popular streamer and had a private Minecraft server, that kind of thing).
Having a whitelist without online mode is kind of like having a lock on your door. Is it impenetrable? Not at all. If someone is determined enough it’s possible to break in. This is a lot of trouble and risk though. They’re going to have to somehow get the ID of one of your players (and not the email address, like the long random number string ID) which is its own whole ordeal. In the case of the house/apartment with a lock there may be something to steal that is valuable. If nobody playing the server is a public figure or it isn’t some kind of specialized server where money is involved somehow there is nothing to even be gained. None of their friends or colleagues would be impressed by this and would just say “why”? Outside of there being some legitimate reason you are being targeted this is a secure enough lock for what you are talking about.
When people join they will still have a player ID you can use for whitelisting (it just won’t be validated with Microsoft that they actually are using the correct password with that account).
If you wanted to fix online-mode one thing you could do is try turning on Geyser debug mode in plugins/Geyser-Spigot/config.yml:
debug-mode: true
This would hopefully have it give us some helpful output to figure out what is going wrong. Given your strategy is to have a whitelist though I don’t think you really need to fight with it to achieve what you’re trying to do.
Theoretically the fix in the Geyser config for this might be to change some of those addresses from “auto” to the correct IP (which I believe would be 127.0.0.1 for the plugin version) as that is mentioned in a lot of these more rare issues in the Geyser FAQ you linked to. Although maybe that’s the problem? If there’s some kind of localhost restrictions going on it could explain why that fix would have an impact if you set it to the local IP address or something like that and similar issues are also mentioned in the Geyser FAQ. That doesn’t really make sense inside the container though since everyone’s container is the same. It would be something with the network environment somehow.
It’s a tricky one to diagnose but I bet with the debug output we can probably solve this and see why it’s getting stuck at least (or where it’s getting stuck). Hopefully that helps!
shampeon
Ok, I turned debug-mode: false and tried to connect, and got some more error messages. tl;dr you need to set enforce-secure-profile=false in server.properties in order to allow Bedrock players to connect. Apparently this is a recent change. After making that change, I can turn online-mode=true and connect using a Bedrock client.
I’m still sifting through the steps to get Bedrock players whitelisted. From what I can tell, the easiest way to do this is to 1) turn the whitelist off 2) have the player connect 3) add the player to the whitelist 4) turn whitelist back on. I don’t see a way of mapping the XUIDs from Bedrock to the UUID. The Geyser docs that say to append the XUID to 00000000-0000-0000- is either wrong or I’m doing something wrong, since the UUID in Geyser is entirely different for my username, which appears as .username. Very confusing.
Fantastic, you’ve helped me for sure as that is a much safer setting for me to change the defaults on. Thanks for linking to the info on the change as well. I will get this added in. EDIT: This was already the default for new servers using the container but it’s very helpful you posted this as since it’s a recent change anyone who has been hosting a server for a while (and perhaps migrates to the container) is going to run into this!
In my commands I see a “fwhitelist” command which has a fwhitelist add player syntax. In the server console (or on the server as an operator with a / in front of the command):
fwhitelist add Tim203
This totally bypasses any need for the UUID stuff and this is the Floodgate specific whitelist (it’s a part of Geyser for authentication) but it says you can also use UUIDs (it would be the one that looks different from the Java ones as you described). I think this is why it isn’t working though is it is using a different whitelist for that. Using the fwhitelist command is the key and will take care of it for you.
It is more secure to use the UUID as spoofing a player name is easy but spoofing a UUID requires that they somehow get that nasty string so it’s definitely more secure to add it by UUID. Since you have online-mode back on though spoofing this is not going to be possible on your server any longer even if they have the UUID. Microsoft will validate they are actually signed into that account with a valid password.
The secure profile part is actually a different piece and is related to the chat reporting feature where people get in trouble for violations of the Minecraft player code of conduct and I personally have that shut off (and by default for new servers). I’d rather not have all my player’s chat messages encrypted and sent to Microsoft (to the extent that this setting allows) and you saw how much trouble the setting caused with technical issues / connecting.
There’s some debate about how much of the secure profile / chat reporting feature changing this setting disables and whether they’re still sent anyway (plus the client still undoubtedly submits/reports some of these messages on it’s own but the secure profile setting shuts off most of the dedicated server’s piece of it particularly “forcing” people to have secure profile active to even connect). It definitely disables some of it though because people will get a warning on their clients that the chat messages may be unverified (I believe when they first connect, it might even be a notification-style popup in the top of the screen if I am remembering correctly).
I’m sure you could also add people to the fwhitelist via a file somewhere similarly to the whitelist file but I personally would just use the command then you can go take a look at the files it created/changed if you wanted to be able to do this directly using the filesystem without commands as I couldn’t tell you what the file/files are it creates for fwhitelist off the top of my head (but that’s how I’d find them).
Perfect. That looks exactly right. You did exactly what I would have done configuration wise here.
I’ve actually never seen anyone do what you are doing with the volume. Are you actually using a shared OS mount with my container instead of a Docker volume? That is awesome and I wouldn’t have necessarily expected it to work and I didn’t design it that way. I don’t think this is the problem though.
You actually aren’t getting an error here. That would make things a lot easier actually. Cannot connect to world should be what you get if you just type in a random IP address and port in there that isn’t running a Minecraft server. It just basically can’t communicate with it at all (as far as we can see). We’ve done Wireshark traces in the past to figure out what is going on with these.
Your ports look okay though. 19134 shouldn’t overlap with anything and your mappings look perfect here for it. Best I can tell nothing is getting through on port 19134 though here still! You could check the Geyser configuration file and make sure it’s indeed matching your 19134 port and see if anything like that is potentially going on. Also make sure the server is closed when making these edits before launching!
shampeon
Yes, I’m using a local mount as the location. Makes it much easier than using a Docker volume, and it’s part of a ZFS volume so I get those advantages.
Awesome, I’ll have to get that added into the documentation in the next round of updates (just to let people know it’s possible for sure as there will be others that will benefit like you are). Thanks!
Does anybody know why geyser gives that error “[Geyser-Spigot] Your server software does not support the Java version that Geyser requires (1.19.3, 1.19.2)” when the paper server is 1.19.2? I used the docker-compose.yml from the github-repo. I added fixed names for volume and container and Version: 1.19.2 as environment var.
Hey Mitsch,
I honestly have no idea. It has nothing to do with the container or your settings. If you rolled back to an older version of Geyser I’m sure it would work. It always downloads the latest Geyser though when you run the server though and that one seems to not want to work with 1.19.2 anymore.
If you replaced Geyser-Spigot.jar with an older version I’m sure it would work just like it always did. It has been running on 1.19.2 with Geyser for literally months so we know that of course it works with 1.19.2 but their current version is currently broken. There’s no way to currently roll back with the container though as it will just update it when you start the container. They’ve somehow broken the new version of Geyser temporarily. I’m sure it will just fix itself whenever they correct what the problem is.
This doesn’t have anything to do with the container and is just update pains. I literally haven’t changed anything with the container nor will I need to for this to get fixed. The people who made the changes that broke it are Geyser basically (and they’re the ones that will need to fix it)! This will all happen automatically (the same way it broke without you having to update or change anything with the container or your config).
Maybe I will have to add some kind of Geyser version freeze or override but I’m guessing that this will just be fixed before too long.
Understand though that all the container is is a set of scripts that simply download the latest version of Geyser and Paper. I don’t make Paper or Geyser and they’re big projects (much bigger than just me). They’re probably the ones to ask for answers for this one! The answer for every Minecraft update that has happened while I’ve had the containers and other scripts though is to just wait. Let the Paper and Geyser projects do their thing and fix it (or if you want to ask someone about the progress those are the people to ask if that makes sense). They’ve never failed yet.
It wouldn’t hurt to plan on this for the future too. It happens every update and it always has. When vanilla version 1.19.3 comes out that is when the Paper and Geyser teams get to START on the update basically. Sure they can do some prep in the prereleases but things are always changed in the final release (sometimes substantially) and those they have no way to prepare for. Maybe just leave it up and running for a day or two when an update comes out and you can avoid all of the patching / fixes / etc.
Sometimes the teams are putting out new builds every hour or two during this time and it’s really not a good time to update until they’re ready! They don’t do their releases like Minecraft where it’s all a bunch of fixes released at once. They’re literally doing live changes on Geyser one at a time and updating them and you can see those changes on their site that I’ve linked to in many of my other posts regarding these issues.
It’s definitely frustrating (even more so for me, because every time there’s an update I get tons of GitHub issues and messages about this and the answer is you need to wait for Paper and Geyser to update and there is nothing I can do about that). That’s why I would just suggest planning on it and leaving the container alone for the most part during those times is one way you could prepare / minimize the disruption but it has always happened.
This is the unfortunate downside running a non vanilla server (which wouldn’t be able to do any of the cool stuff this does unfortunately). The Paper team is pretty good about it although for 1.19.2 they had the update out within a few hours and right now there’s still no 1.19.3 so this one is taking longer than the other recent ones already.
This could be due to there being trickier changes in 1.19.3 than in 1.19.2 (indeed the change list for 1.19.3 is a lot longer and honestly was more than I expected). It says they added new player reporting features (again) in the changelog and I suspect this may be part of the hangup. That’s more of that “secure profile” reporting stuff that is pretty controversial. Those are all considered security features and are particularly tricky for Geyser to handle.
I’ve seen it take several days before at worst. Not sure what is going on with Geyser still but if it’s not resolved before too long I guess I can just roll it back to a version from maybe a week ago and that would probably do it. It would just be silly to make that update and have them fix it a few hours later but if it goes on for too long I will go ahead and do it. Every update is a little bit different though. 1.19.2 was a breeze but 1.19.3 is not going well so far for either Paper or Geyser by the looks of it!
Hi James,
thank you for your detailed answer. I didn’t not want to blame your work in any way (it’s awesome and extremely convenient :)). I was just wondering whether i did something wrong or not. So i guess the error message geyser gives is just missleading, since it seems to check for 1.19.3 only and not for both 1.19.2 and 1.19.3. So i’ll see if i can get and push an older version to my container. Keep the good work up! 🙂
Maybe i’ll give that ViaVersion app a try that seems to route requests to older server versions making geyser a bit more robust regarding version changes. Well maybe at least a little bit. 😀
Meanwhile i’ll share some coffee.
Cheerz
Mitsch
Hey Mitsch,
Don’t sweat it at all! I hope my frustration didn’t come off as directed at you guys. It’s really not at all and has more to do with how the forked Minecraft server ecosystem works where there is this small gap in time between updates where there’s this sticking point. Many of you are frustrated with it like I am when it takes a lot longer than usual and things start breaking like this (albeit temporarily). It puts both server operators and projects like mine that are downstream in a difficult position where all we can do is wait (and I do hate waiting).
The Geyser message does seem to be misleading since it is talking about the Java version but the Java version is just OpenJDK 19 (the current release). It’s hard to say if this is related to the Minecraft Bedrock clients being too new for Geyser to handle or if they changed something for the new update that actually broke the old version.
Definitely let me know what you find if you run this experiment since I’m actually not sure what you will find. If the new Bedrock client is the problem (and Geyser just isn’t handling it correctly yet) then rolling back to an older Geyser won’t fix it. If this is a breaking change they introduced in the new Geyser it will 100% fix it. What you find may impact what I do with the container as well so if you get a chance let me know!
Hi James
I modified the setup script and Dockerfiles and placed a pull request. I guess that’s the fastest way to show you what i found as solution (for me). Maybe it helps you.
Cheerz
Mitsch
Strange. Got the exact same error. I also get it when the start of the container has finished.
Sorry. Read it better now. Not strange at all. Waiting for the update from their side.
Hey Marijn,
No worries. Paper 1.19.3 is out and this fixes this issue. It’s simply that Geyser dropped support for older Bedrock versions not too long ago and Paper was slow to update.
Your changes are actually pretty interesting. It looks like ViaVersion is a plugin that lets you have people connect from versions newer than the server has been updated for. This is cool but it’s a lot of complexity, extra updates, etc. to add simply to let the server work for 24 hours upon a new release instead of waiting for real support to be added. Since it’s letting new versions connect that are unsupported there’s really no guarantee everything will work. It’s just going to let them connect without throwing the error. It still won’t support any of the new features this way though.
1.19.3 is considered experimental. Paper says the following:
Builds marked in red are early, experimental builds. They are only recommended for usage on test servers and should be used with caution. Backups are mandatory!As long as you have backups this should all be ready to go as per the usual process without installing anything extra! I’m actually on 1.19.3 right now and updating the rest of the projects. Everything is back to normal and nothing needs any changes (unless you wanted to be able to run the new version instantly without there actually being any real code written to support the new version).
ViaVersion seems like the equivalent of just commenting the version check out of the code. That’s what it does if I’m understanding everything correctly and it still has no way to support new features since by definition it had to have been written before they were ever released (otherwise the new version would just be supported normally without any need for it). Just like commenting the version check out in anything this is going to have consequences. The consequences will depend on what is in the update. Most updates it will probably cause no issues whatsoever. This update has a lot of stuff that I’m guessing the server wouldn’t understand at all (like the new reporting features, etc.).
Even in the supported 1.19.3 version Paper expects it to be broken. These are red testing builds. That is why backups are so important. It’s also why running it with ViaVersion has some risks. At least the beta version of Paper 1.19.3 has *some* code finished to support 1.19.3. Running ViaVersion on 1.19.2 will have zero code to support this making it even more dangerous than the Paper 1.19.3 beta.
We’ve passed the window where it’s necessary to do anything but pull the latest version of the container and the drama is over until the next version. The Paper and Geyser teams have done their thing and 1.19.3 is out. All you need to do is update now and I really don’t recommend spending any more time fighting with it (or fighting with it the next time, you can skip all the drama by simply waiting 1 day).
You are basically fighting with it to make it support a new version when it doesn’t (and by definition no code related to 1.19.3 could be in it) and even if you succeed it can’t support the new features and might store invalid data in your database and crash it and who knows what else. You’re trying to do exactly what Paper and Geyser are doing when the update is released simultaneously and get the new version to run but they have far larger teams and more resources than you or I will ever have. We will lose that fight every single time and I’ve lost it enough times before to know not to even try. Whatever workaround we try to do other than waiting for official support will be dangerous and clunky.
It will be like this each update although hopefully the other ones won’t take closer to maybe 36 hours like this time! I’m actually very impressed by your solution regardless. If this was going to go on for another week I would have probably implemented this (with a strong caution to everyone to use backups and understand that there is some risk). Some day your solution may be necessary and people could learn from it if they are willing to undertake these risks upon new release and could absolutely add ViaVersion to the mix!
I set up a test volume to experiment with with ViaVersion and it does work for getting past that Java version error. I don’t like having extra overhead though so I may wait for a Geyser update or try the previous version.
The whole boondoggle did at least force me to learn a little more about how it all works.
James, thanks for creating this container. It has performed well on my Rpi4 (running on SSD) for me and two of my kids. The container idea is so convenient. I’m pretty new to linux, docker, and minecraft so it was a great shortcut to get my kids a server going. Now I’m backfilling the knowledge gap.
Thanks again!
Hey Rich,
No worries at all! So just as a heads up this is totally fixed now. Go ahead and give it a:
sudo docker pull 05jchambers/legendary-minecraft-geyser-floodgate:latestThe latest Paper 1.19.3 is up and Geyser is working properly with it. They actually adjusted that old Geyser error message in one of their patches because it was misleading. The error is actually that Geyser dropped compatibility for older Java server versions. The issue was the Bedrock clients were trying to connect with 1.19.3 features and Geyser doesn’t support that with the Java Minecraft server 1.19.2 (there’s actually a version from a week ago that says when they dropped this support).
In other words by “Java version” they actually meant Java Minecraft server version and not the Java (OpenJDK) version (definitely a bad error message and why they changed it to not be so unclear). It was also not supposed to mention 1.19.2 as being compatible anymore (it’s not, if you were running 1.19.2 you would want to roll back the Geyser version to before these changes). Now that Paper 1.19.3 is out it’s working normally again.
The only way I could have prevented this that I can think of is if I had seen the changes that were being released for Geyser and froze the Geyser version until Paper 1.19.3 was out. That would have at least kept Geyser working on 1.19.2 until 1.19.3 was out.
Important (from Paper team):
Builds marked in red are early, experimental builds. They are only recommended for usage on test servers and should be used with caution. Backups are mandatory!1.19.3 is in beta basically in other words (although you should always back up before going to a new version no matter what anyone says or doesn’t say for sure, you’ll always be happier you did and wasted your time than if you didn’t and you end up needing it). It should work as-is now though since Geyser won’t complain about the 1.19.3 clients anymore since Paper is now on 1.19.3.
Definitely make sure you pull some of your backups out of the container’s “backups” folder and that you actually have them stored separately (as the container only keeps the most 10 recent backups by default). In other words pull out a set of backups and put them somewhere safe before running the beta. That way if anything weird happens (such as the server crashing and then failing to load with some kind of corruption) you won’t lose anything more than whatever was going down since you upgraded.
You can see the Paper team’s progress on the beta patches here. It’s not uncommon for them to update every few hours or so as they are pushing fixes as they find them. You’ll see the 1.19.3 progress (as well as the fact that the builds are red instead of blue meaning it’s in beta and to be careful / make extra backups).
Thank you for your kind words about the container as well, I’m so glad it’s working well. The SSD is a great choice for the setup. Hopefully that helps!
So far, the kids and I have been having an absolute blast with this, so again, thank you so much for the work put into getting the two to work together.
With that, I was curious about mods. Server-side mods like Millenaire. Something to make villages a bit more worth exploring and interacting with. Is that possible with this?
Hey Arathi,
Great question! So the mods are absolutely possible (although they are usually called plugins for Paper / Spigot / Bukkit server mods). I took a look at this specific one and it looks like this one is only meant for Minecraft 1.12 and has it’s own standalone downloadable server and client so this particular one wouldn’t work.
The server can take Spigot / Bukkit / Paper Minecraft server plugins basically. These are downloaded as .jar files into the “plugins” folder. There are already some in there such as Geyser and Floodgate you will see in there for this container.
Some good places to see all the available choices of plugins / server mods are: the Bukkit web site and the Spigot web site. All of the mods on either of those sites will work essentially (as long as they are supporting the version of Minecraft you are running).
Hopefully that helps!
Hi,
I tried to copy files to the plugin folder, but I wasn’t able to. Even installed the desktop UI to do it with a file browser, but wasn’t allowed to open the docker folder. I usermodded the user, but dis not get access. Any thoughts on how to get a jar file in the plugin folder?
Hey Marijn,
So the first thing is make sure you have closed the container first. That is most likely the problem. People have tried to modify things like server.properties and other files before when the container is open and have had similar results where nothing is “sticking”.
Once it’s closed to copy the files (without worrying about permissions issues) just do a sudo before your command to copy them.
sudo cp Downloads/plugin.jar /var/lib/docker/yourvolumename/_data/pluginswith the server closed should do it. Can you give that a try and see if that takes care of it for you?
I appear do be a more complete noob than I already thought. When typing: sudo cp Downloads/Citizens.jar /var/lib/docker/minecraft/_data/plugins I get an error reading:
can’t create the normal file ‘/var/lib/docker/minecraft/_data/plugins/’ : File or folder does not exist. I stopped the container. Status now says exited.
Also in the Desktop UI I can see the folder ‘Docker’, but opening it gives an acces denied and shows only an empty folder.
Hey Marijn,
Can you check the guide’s instructions and find out where your Docker folder is? It’s not where you’re looking. Which OS is this? I should have every OS covered on how to find the location of your Docker volume.
docker volume inspect yourvolumenameThis will tell you exactly where it is. Can you follow the guide and find your correct folder and give that one a try? It is the section on finding your server files.
Hi James,
Thank you for your patience. I took a look of this entire chat history and could not find the answer there, so I am glad you take te time to answer me.
This is the info I got from the ‘inspect’ command:
"CreatedAt": "2022-12-10T11:56:02+01:00","Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/minecraft/_data",
"Name": "minecraft",
"Options": {},
"Scope": "local"
I am on a Raspberry 4 and installed the GUI just to be able to find the folder. When going to this location, I get an ‘access denied’ when opening the “/var/lib/docker’ folder.
Rebooting the raspberry, stopping the container in what order whatsoever does not give me access to this folder.
Using the ‘CP’ command (from within a VNC window) gives me this error:
cp: cannot stat ‘home/minecraft/Downloads/Citizens.jar’: No such file or directory
I can see the file standing right there in that folder. I am absolutely sure I am doing something wrong, but can’t figure out what.
Running the command from the Terminal on my Mac gives the same error.
Besides from the plugin troubles I have, pulling the latest version keeps giving me the same error when using my previous container. After a reboot and I install the latest, a new world is created that works, but I (of course) want my already build world. Stopping the new container an starting the ‘old’ one gives me the same ‘not working on 19.2 error’.
When inspecting the containers, I see that the newly created one has the whole 05james line, but my older build world just the ID numbers/letters.
How can I update the container?
Again, if you ask me to first find my answers somewhere else (e.g. other linux support) just let me know. I understand.
Hey Marijn,
You need to be root to touch any of it. Every command should have a sudo in front of it. You will not be able to use the GUI for this unless you know how to log in as the root user. Your Docker pull command also needs sudo unless you’ve added your user to the Docker group (extremely unlikely).
Try all of it using sudo. Your path is also missing a forward slash such as:
/home/minecraft/Downloads/Citizens.jarinstead of:
home/minecraft/Downloads/Citizens.jarYou also need to completely stop the container before trying to do any of this. If it’s running you cannot change these files.
You can straight up delete the container if you want. You have multiple containers now? Delete them. They don’t do anything. The only thing that is important is your volume. If you have multiple old versions running then remove those container instances with docker container rm xxxxx.
Make sure you have backups before you try any of this. I feel very strongly like despite me saying this you might delete the volume instead of the container. This would be such an easy mistake to make (I could have seen myself making it when I was newer to Docker) which is why I felt the need to bring this up. Do not delete the volume and please have backups before trying anything further here.
You should have 5 copies of your server before trying a single rm command or else all of the ingredients for something to go very very wrong are here. We should not even be worried about losing your server. Stop right now. Do not touch it further before having backups of everything. You should *know* you can’t lose your server. If that is not the case then do not touch it further before backing it up fully. You’re very, very close to losing everything right now.
If you have a backup of your server then you could simply delete everything and start over if everything is all weird and crazy now. That’s actually exactly what I would recommend doing. Remove all of your container instances, do a sudo docker pull of the fresh container and then run. A fresh volume would be even better but unless you’ve gone in and manually moved/modified files I’d imagine that a sudo docker pull will solve your problems.
Definitely do not overcomplicate it. Here is now you update the container:
sudo docker pull 05jchambers/legendary-minecraft-geyser-floodgate:latestThat’s it. As long as you’ve stopped the container first that is how you update the container. As far as installing additional plugins you will use sudo cp. You will copy the downloaded file with sudo (and don’t leave the forward slash off the front of your path) and I think you’re just about there.
Basically you need to use sudo in front of all of your commands (and use the right paths). That should be all it is from what I can tell. You want to copy a file and it’s telling you that you don’t have permissions to do so. It is right. Only root or sudo can do this and if you didn’t stop the container first then root can’t do it either.
The key thing to keep in mind is that the contents of your volume (or some of the backups from the “backups” folder on your volume) are the only thing that’s “real” or important. Everything to do with Docker and the container is modular. It can be deleted and recreated on the fly no problem. Your actual data and server contents are in the Docker volume or your backups. As long as you have those you never have to worry about anything else with Docker as you can remove it and recreate it (and it’s designed for it).
The Docker volume contents (or your backups) are the real golden goose though that it’s game over if you lose them or break something without having backups first. You can’t ever get in too much trouble if you have a copy of these stored safely first no matter how ugly it gets with Docker or the configuration and we have the option to start over with the container/configuration if it’s too much of a mess (and indeed this is often the best thing to do). You can remove the old container with docker container rm and then just run a totally new instance with the same volume name as you used before and it will start as if nothing even happened.
Even if you deleted the Docker volume or moved to another machine it’s as simple as creating a new Docker volume and then extracting the compressed backup contents from your backups folder into that new empty Docker volume if that makes sense. As long as you have the compressed backup copies from the backups folder that is all you need. It’s as simple as extracting them into a new Docker volume even if the previous volume was lost/removed.
Sorry if this came across as terse (I promise it’s out of concern that before you try anything else you have backups first as the rest can all be sorted out easily but not having the backups can’t). It has been a long time since I have had anyone lose a server when trying to follow my advice (years, and the couple of times it has happened I took actual steps in code to make sure it could never happen again in the future at least in that same way) so I try be very careful about mentioning the backups (stored some place separate) so I had a bit of a mini-freakout here when I realized I hadn’t done that. As long as you have backups we can completely wipe everything clean and reconstruct it within minutes if we need to (without any data loss). Hopefully that helps!
Realise this is a tall ask, but I’m having a tonne of issues trying to relate the docker pull/run commands to the TrueNAS docker GUI interface. Has anyone done it, or could point me to something that explains it?
Hi James,
I have a Rpi4 (4Gb) running the Geyser server (and also running HomeBridge). Most things I do on this device (rebooting, making new containers etc) I do from an iPhone in a terminal app (WebSSH). Works great for me. However I am going to portforward it so my children can access the minecraft world from their mothers home also. I cannot get that to work, but I have another more urgent question.
I recently used a command to add a line to the config.txt file on the RPI from terminal, so I did not have to find the file, open it and edit and save it. Is there an easy way to make a whitelist and easily add user to it from a simple command typed in the terminal? After this I want to portforward and open the world outside my LAN.
I hope I made my request clear, as this is not my native language.
Hey Marijn,
Welcome! So basically there’s nothing within the container that would be able to distinguish about whether someone is connecting from the LAN or the outside basically. As long as all of the ports are open it will work.
This would include UDP forwarding for port 19132 for Bedrock. You’ll basically want to make sure you’ve port forwarded everything on the container launch line if that makes sense. If I were to guess you probably have the TCP rules set up for Java and are missing the UDP rule for 19132.
For whitelisting I would actually recommend just typing it in the server console. You can just type:
whitelist add playerThis will take care of all of the files for you. Hopefully that helps!
Thanks James
Hi,
I do not know how to access the ‘interactive terminal’. I am aware that the need for the screen package was removed some time ago, but I want to be able to access the console. If you could tell me the command to do so, that would be great.
Thanks.
Hey Dylan,
The command is
docker attach. You can see all of your containers withdocker lsto get the id. Hopefully that helps!Oh, okay. Thank you. It’s actually docker ps though, not docker ls to list the containers. Other than that, everything worked like a charm! Thank you for providing this software.
Hey Dylan,
Excellent, I’m glad it’s working! Honestly you don’t need to memorize anything. Just type “docker”. It will tell you everything (including what the commands do) and that is what I do:
Management Commands:builder Manage builds
config Manage Docker configs
container Manage containers
context Manage contexts
image Manage images
manifest Manage Docker image manifests and manifest lists
network Manage networks
node Manage Swarm nodes
plugin Manage plugins
secret Manage Docker secrets
service Manage services
stack Manage Docker stacks
swarm Manage Swarm
system Manage Docker
trust Manage trust on Docker images
volume Manage volumes
Commands:
attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes
You don’t need to memorize everything as that is a waste of brain space (there’s over 50+ just base commands). In other words it’s far more important to learn to find any command you want whenever you want than it is to physically memorize every single command. It will all probably be different in 5-10 years anyway (if you look at the “docker” command from 5-10 years ago half the things on that list won’t exist, and another 5 to 10 years from now the current list will look like a joke compared to the one then). I tend to work with all of my systems this way / with this mentality.
How can one memorize a dozen different programming languages? How can a tech remember everything for a thousand systems they cover? You don’t. Once you get to that point memorization won’t help you. It’s about whether you have enough of a understanding and the proper tools to solve the problems (even if nobody has ever seen them before, which will be the case much of the time).
When I’m working with professional IT techs or engineers the dividing lines tend to be along who can teach themselves to think / work this way. Some people are really good at memorizing things and can be great experienced techs/engineers. They’ve seen it all before, they know everything off the top of their head, that kind of thing. Those are never the people that make it to the top / leadership positions though. It’s the people who can learn to solve any problem (especially the ones nobody has seen before). At that level it becomes much more about your processes/techniques than the individual details. Every single problem will be different and unique and you’ll have to use some combination of all of your skills you’ve built up over your life to solve them.
I told you the command syntax wrong because I told you off the top of my head. That’s kind of my point I’m making here though. That’s not how I actually work with Docker or IT in general. The way I work is by knowing how to find the answer so that it doesn’t matter what command I need to use or someone is asking about because I know how to instantly see all the Docker commands and what they do in less than 1 second on my command line. I have the tools and process I need to work with Docker without having to memorize all these commands and their variations as those change over time and really aren’t that important since they can easily be found/referenced.
It’s actually the same with the Minecraft server commands. It’s not impressive to memorize all the server admin commands as that doesn’t have any practical value. Again, these can all instantly be seen by typing /? in-game (and they’re actually updated based on what permissions you have). I would probably give you the wrong syntax for the Minecraft admin commands too off the top of my head but this would never matter in reality because when I need a command I know how to find it and wouldn’t make flash cards or anything to try to commit these to memory (you’ll automatically memorize the ones you use enough by just pure repetition eventually, just use the reference for the rest of them and commit your brain to storing more important things that aren’t so easily referenced/found).
If I were hiring an admin I would hire the one that can find any command by using the reference rather than someone who memorized 80% of them but had no idea how to find the other 20%. The person using the reference has a process they are following and will generally be able to solve any problem. The person who works by memorizing everything and recalling it would be the one that would end up being the headache even if they are “faster” sometimes due to their memorization. Sure, you could teach that person how to look up the referenced commands but the issue will be that person has not developed that way of thinking about these types of problems and that is very hard to teach. They’re used to recalling things and the truth is in IT that is impossible above a certain level as there is simply too much to recall and you have to use processes / techniques / your foundational knowledge all together.
I guess my advice to anyone new to Docker or hosting Minecraft servers would be to challenge yourself not to try to think in terms of how to do things one at a time and try to memorize those. Learn how to find ALL of the commands whenever you want and try to think about the problems this way. This will free your brain to think about the *really* hard problems instead of trying to remember countless specific commands. It takes practice (a lifetime of practice really) but it’s very empowering and worth it.
Enjoy and have fun!
I have a headless debian machine where this docker image is the only thing running, and after restarting it 4 days ago it seems to have used up 90% of my 1.2 TB monthly Comcast allotment (nload shows over 1 TB of transfer on this machine), despite us not actually playing on the server in that time. Is it possible there is some pathological edge case where it would download (or upload?) tons of data on a failed startup, or something? Is there anything in the logs that would indicate something going wrong like this?
(We’re in Comcast’s “you get one free month of overages” period, and my kids and really appreciate how easy it was to set this up, so please view this message as a weird technical request and not as a complaint about your free code costing us money or anything. All of my anger is directed at Comcast. 🙂 )
Hey Kevin,
Welcome! That is really frustrating for sure. I’m definitely no fan of the data caps!
The Minecraft server itself would actually use 0 data. It’s a local server. That’s the advantage of self hosting for sure. Unless people are connecting from over the internet / outside the house this will use 0 data.
So basically no, there is no situation where the server could explain this. It won’t even be using your Comcast data. The only time it could possibly use data is when it’s downloading an update. These updates are only downloaded if the server version has changed. It only checks when you restart the server (which is at most once per day and most people’s will be configured to never restart unless they tell it to).
In other words it doesn’t even check if the server is running. The only time it ever checks the internet is when you restart the server / start the server. Theoretically if something like an edge case was going on you would see it looping and downloading it over and over again. The server wouldn’t work if this was happening though. The updates happen before the server starts so if the server is running it can’t be updating.
Since that is the only time it connects to the internet then if your server was running then it couldn’t have been doing this. The server would have been down and if you went and checked it then you would have found some loop of it downloading it over and over I guess theoretically? Except that if it fails it will just fail to start the server so I can’t even really square a way this could possibly happen to be honest.
The paperclip.jar file it downloads when you restart the server is only about 30MB. That means you would have to update the server approximately 35,000 times to hit the data cap (but if it fails to update it won’t start or will just load the old version and will not check again until you shut down the server and restart it).
Does your router have anything like this:
If you have a router that has these capabilities you can literally track and see where your data is going (this one is Unifi). If this continues to be a problem it may be worth getting a router that has these capabilities as it is no fun to be under Comcast data restrictions (or have to pay the bill). Having these capabilities basically gives you control of your data cap back. You can completely see where it’s going and take action before it ever gets near enough to trigger an automated warning from the system.
I only know a couple of things that can use up a data cap that fast. 4K/8K streaming video is the most common. You can’t really hit a cap like this by downloading files. Nobody is hosting 100+GB files you could click to download off a web site for example. I guess if you plugged in a really old Xbox that had 20+ games installed that all had 20-30GB updates maybe you could hit several hundred GB in game updates? My guess though just from the raw numbers was that one of the few things that could explain this is streaming (and specifically in 4K+).
Another possibility is that machine could be compromised. If you’ve tracked it to that machine it’s certainly possible it has a virus and is seeding torrents or hosting fileshares or something like that. That could definitely use up a cap like this as well. If you’re seeing 1TB of data flying from that machine I would definitely recommend reimaging it as it sounds like it’s either malfunctioning extremely badly or is outright compromised/hacked potentially.
It would really help to know what it is connecting to similar to what the router connection manager shows you. If it’s compromised it’s going to be connecting / maintaining connections to some very nasty places and I think it will be pretty obvious. You’ve traced the data flow but what exactly is it connecting to and communicating with? The router may be able to reveal that part for us.
Hopefully that helps!
Thanks for the reply. My router wasn’t much help, but I was able to pull the docker log and figure some things out. When the machine came up it restarted the docker image, which ran through the normal startup until the paperclip update, and then it would hit this:
Geyser is up to dateStarting Minecraft server...
Must be connected to a terminal.
Paper Minecraft Java Server Docker + Geyser/Floodgate script by James A. Chambers
Latest version always at https://github.com/TheRemote/Legendary-Java-Minecraft-Geyser-Floodgate
And then it runs though the whole thing again. If I’m parsing the log correctly, it did that about 20,000 times over four days, downloading the paperclip update over and over and over. So, the good news is there doesn’t seem to be a compromised machine, but I’m curious if there’s a way to have this container start up without a connected terminal (or to fake one?) or to have it try to start a few times and then give up instead of repeating for days on end?
I know I can always just turn off restart and do it manually whenever the machine reboots, which isn’t often, but it feels like there’s a more elegant solution out there somewhere.
Hey Kevin,
That’s an interesting failure case I’m going to have to take care of here for sure. What I can do is make it exit at the beginning if the script if you are not running an interactive terminal.
The interactive terminal requirement is from the Minecraft server itself and not from me. You do have to run it the correct way with:
docker run -itIf you want to detach just press Ctrl+A then Ctrl+D. The Docker screen will detach and go into the background (can be reattached to using docker attach command). You can also just run it like this:
docker run -itdThe “d” means detached meaning you don’t have to have it up on a screen. In other words adding the d tells it to still create an interactive terminal for the Minecraft server but to minimize it to the background. You should definitely disable whatever startup line you have going now as that is broken and can’t run without an interactive terminal.
You don’t have to attach or have the server console open. An attached terminal is different from an interactive terminal (which is a Minecraft server requirement) and you can basically attach and detach whenever you want by using docker attach and Ctrl+A followed by Ctrl+D to minimize it again.
I’ll get some code added to abort when ran without a terminal (-t) or interactive mode (-i) after maybe like a 10 second delay (to prevent it from restarting hundreds of times per second). It will never get to downloading anything with this change. It will just fail immediately (as it should, and without using any bandwidth).
I should note that an easy way to set this up (a server running in the background with automatic restarts + the proper terminal configuration) is with the project’s docker-compose.yml file. This most likely resulted from running the command line startup but maybe missing one of the -i or -t flags (maybe intentionally from how you’ve described running it but hopefully some of my suggestions have gave you some other ideas on how to configure this). Hopefully that helps!
EDIT: This has been patched to not allow this to happen. You can pull the latest with:
docker pull 05jchambers/legendary-minecraft-geyser-floodgate:latestIt shouldn’t be possible for this to happen again as if the terminal isn’t configured correctly it will just fail (and then wait 10 seconds within the container script to prevent restarting spam even if Docker is configured to always restart unless stopped manually).
This also has another positive side effect which is that before this change it would have also backed up the server over and over again making your 10 rotated backups essentially useless (or it would make them essentially all the same backup, so you wouldn’t lose all your backups but you’d have effectively 1 instead of 10). After this change again a backup will not happen as the script fails immediately (it’s the first thing it checks now). Thank you so much for reporting it!
Hi, this is a really cool project. I’m using docker-compose to run an instance of this along with the stock Bedrock server. I’ve updated the ports so they don’t conflict. I can connect using Java clients, but not on a Windows Bedrock client. I can see the server under LAN Games, but when I try to connect it just says, “Unable to connect to world.” There’s nothing in the log files showing the connection attempt.
minecraft:image: 05jchambers/legendary-minecraft-geyser-floodgate:latest
restart: "unless-stopped"
ports:
- 25565:25565
- 19133:19132
- 19133:19132/udp
volumes:
- "/mnt/storage/minecraft/data/mc:/minecraft"
stdin_open: true # docker run -i
tty: true # docker run -t
entrypoint: [ "/bin/bash", "/scripts/start.sh" ]
# Environment variables
environment:
Port: "25565"
BedrockPort: "19132"
TZ: "America/Los_Angeles" # timezone
WHITE_LIST: true
WHITE_LIST_USERS: "..."
Hey shampeon,
Welcome, and thanks for the kind words! Is it Hyper-V? Because it definitely sounds like Hyper-V. There are UDP bugs that are covered in the article and in the GitHub README for Hyper-V and that’s the only platform I’ve ever seen this happening on. The other common platform to have trouble with is Oracle but yours doesn’t sound like Oracle to me (as Oracle tends to be nobody can connect period).
Assuming this is Hyper-V it’s a bug with the UDP network stack and there’s a couple different fixes (the easiest of which is changing it to a Gen1 VM). This has been happening for a while now and I’m surprised it hasn’t been fixed yet (but it’s a Hyper-V specific bug and Microsoft would need to fix it). Hopefully that helps!
I’m not using Hyper-V, actually. The server is Ubuntu 22.04.1 running Docker.
Hey shampeon,
Thanks, that helps! So the last one of these I saw for Ubuntu specifically it ended up being a weird bug with ufw. They ended up deleting their rules and adding them again and that actually fixed it. That was about a month ago so I definitely would recommend deleting all the ufw rules and adding them back again since that was recent enough that the bug is probably still floating around out there.
In another case someone else actually had firewalld installed (an alternative to ufw) and they didn’t realize that one was on there. If this is a bare metal install you did yourself it’s a lot more likely to be ufw (while VM deployments tend to have firewalld pop up more often at least in my experience).
Ubuntu 22.04.1 is the recommended platform by Microsoft for running the dedicated server (the Bedrock one for Linux at least) and I use it on many of my systems (and the Docker container uses Ubuntu internally as well). It was my desktop OS until yesterday when the NVIDIA drivers crashed and purging them broke the entire X system so I switched to Pop OS (which has been great so far but that’s beside the point which is that you are running a known good configuration at least as far as the OS goes). The version is important too as you’ve ruled out a bunch of other things it could be here too as there are all kinds of issues that can pop up with older versions but you are on current LTS.
Given that you are running a recommended OS this must be some kind of firewall or configuration issue still. I’d be really curious if you are impacted by the same ufw bug as that other person!
ufw is disabled, and I’m not running firewalld.
$ sudo ufw status verbose
Status: inactive
It’s just really puzzling.
Hey shampeon,
It’s a configuration issue for sure. I actually see the mistake this morning with fresh eyes:
- 25565:25565- 19133:19132
- 19133:19132/udp
Here you are opening ports 19133 twice followed by 19132. I believe this means point port 19133 to 19132 and also to point 19133/udp to 19132/udp. If you are trying to connect with UDP on port 19133 there is no UDP rule in there for that (or it’s trying to reroute it to 19132 which I’m not sure if you can do this without nasty side effects). These mappings aren’t one to one and actually look like they have some redirections (intentional I’m guessing).
I understand that you are running a native Bedrock server as well so I’m sure this has something to do with this but you are actually forwarding one port to a different port number here. What I’d recommend is that if your native Bedrock server is using the default ports then use the BedrockPort environment variable and actually change the Geyser one to something else.
I’d definitely recommend using a 1:1 mapping by both port and protocol for sure. Your config should look like this:
- 25565:25565- 19132:19132
- 19132:19132/udp
- 19133:19133
- 19133:19133/udp
19132 is IPV4 and should be UDP. 19133 is IPV6 and should be UDP. I usually open the TCP counterpart as well as that is used for the “ping” port and the number of players online. These ports need to be opened directly (every single one that you use, with the correct protocol). I don’t think Geyser has an IPV6 port but for my native Bedrock container the configuration looks just like that (minus the 25565). Launching the native Bedrock one looks like this:
docker run -it -v yourvolumename:/minecraft -p 19132:19132/udp -p 19132:19132 -p 19133:19133/udp -p 19133:19133 --restart unless-stopped 05jchambers/legendary-bedrock-container:latestIf these ports are going to conflict with the native Bedrock server then one or the other one should change. I don’t think forwarding it to a different port than it’s addressed to via the Docker mappings is going to work (or clearly isn’t here). UDP is a connectionless protocol and it wouldn’t surprise me if the server is actually seeing the traffic but with the wrong port (even if Docker is forwarding the traffic) so it’s dropping it or ignoring it.
In this scenario it would receive the traffic but think it’s meant for a different port because the server knows it’s configured to listen on 19132/udp and not 19133/udp. Docker will allow you to do this but they also expect that the application is aware that traffic is coming from a different port (and taking it into account on the application side when handling the data) which Minecraft definitely doesn’t support configurations like that natively unfortunately.
It’s totally fine to change the port from the Geyser side here using the environment variable if you need to in order to resolve this conflict (but make sure you open the new port with the 1:1 mappings for that new port as it’s easy to forget this). That will definitely fix it!
Hmm, ok. I need to run this instance on a different port, since I run a stock Bedrock server on port 19132. I changed ports and tried again, but I get the same error. Again, no log.
services:
bds:
image: itzg/minecraft-bedrock-server
environment:
TZ: "America/Los_Angeles"
EULA: "TRUE"
GAMEMODE: survival
DIFFICULTY: easy
SERVER_NAME: "The Des SMP"
ICON: "http://clipart-library.com/new_gallery/57-579791_minecraft-steve-alabama.png"
WHITE_LIST: true
WHITE_LIST_USERS: "..."
ports:
- 19132:19132/udp
volumes:
- /mnt/storage/minecraft/data/bds:/data
stdin_open: true
tty: true
restart: unless-stopped
minecraft:
image: 05jchambers/legendary-minecraft-geyser-floodgate:latest
restart: "unless-stopped"
ports:
- 25565:25565
- 19134:19134
- 19134:19134/udp
volumes:
- "/mnt/storage/minecraft/data/mc:/minecraft"
stdin_open: true # docker run -i
tty: true # docker run -t
entrypoint: [ "/bin/bash", "/scripts/start.sh" ]
# Environment variables
environment:
Port: "25565"
BedrockPort: "19134"
TZ: "America/Los_Angeles" # timezone
WHITE_LIST: true
WHITE_LIST_USERS: "..."
Ok, got it to work by setting
online-mode=false. So it looks like there’s something wrong with the Geyser authentication?Hey shampeon,
Great find and excellent work! Yes, I have seen this once before on the Purpur version. I finally found it here. That was about a month ago.
Apparently the procedure for Microsoft authentication is quite complicated and there’s some other internal network configuration that sometimes needs to be done for it. This is only the second time I’ve seen this so this issue didn’t immediately pop up into my mind but due to your breakthrough I’m connecting the dots here. This is an issue I will need to watch out for more (and I’d like to understand more about why it happens on certain networks, it’s never happened to me but you and the other person have proven without a doubt that this is a thing).
I half wonder if I should start shipping the container with authentication off by default (which is less secure for sure since it won’t validate accounts, it will just take the connecting client’s word for it, that’s the tricky part and why I hesitate but I don’t like that it’s causing people problems). Maybe that’s what the other person’s container is doing to avoid these issues (although maybe this is Geyser specific)?
I’m hoping there ends up being something else I can do in the config to potentially alleviate this without having to shut off online-mode altogether but realistically unless it’s a public-facing (internet) server turning off online-mode has no downside. If people on LAN are exploiting it then that is relatively easy to deal with compared to remote attacks from the internet since you’ll know exactly who they are and where to find them.
If you find out exactly what was blocking it or fix it a different way definitely let me know. Thanks so much for letting me know what it was though. That definitely does help. I hope you enjoy the container!
As far as I can tell I’m doing everything that Geyser says I should be doing. I’m intending on using DynDNS and port forwarding from my router so my kids friends can connect, so the goal is to open this to the network with an allowlist. With online-mode=false, does that mean the whitelist is ignored?
Hey shampeon,
You should be totally okay as far as the whitelisting goes. This is totally separate and online-mode only has to do with Microsoft authentication validation/verification fortunately. Your setup should be fine since you’re using whitelisting.
Theoretically someone could impersonate someone else with a hacked client but that’s not going to happen in this scenario for sure. They would have to know about the server *and* know a connecting player’s UUID that is whitelisted so unless you have reason to believe you’ll be targeted nobody is going to bother to do this as not many people can do it to begin with and the people who can and actually want to use those skills will attack more prominent targets (like if you were a popular streamer and had a private Minecraft server, that kind of thing).
Having a whitelist without online mode is kind of like having a lock on your door. Is it impenetrable? Not at all. If someone is determined enough it’s possible to break in. This is a lot of trouble and risk though. They’re going to have to somehow get the ID of one of your players (and not the email address, like the long random number string ID) which is its own whole ordeal. In the case of the house/apartment with a lock there may be something to steal that is valuable. If nobody playing the server is a public figure or it isn’t some kind of specialized server where money is involved somehow there is nothing to even be gained. None of their friends or colleagues would be impressed by this and would just say “why”? Outside of there being some legitimate reason you are being targeted this is a secure enough lock for what you are talking about.
When people join they will still have a player ID you can use for whitelisting (it just won’t be validated with Microsoft that they actually are using the correct password with that account).
If you wanted to fix online-mode one thing you could do is try turning on Geyser debug mode in plugins/Geyser-Spigot/config.yml:
debug-mode: trueThis would hopefully have it give us some helpful output to figure out what is going wrong. Given your strategy is to have a whitelist though I don’t think you really need to fight with it to achieve what you’re trying to do.
Theoretically the fix in the Geyser config for this might be to change some of those addresses from “auto” to the correct IP (which I believe would be 127.0.0.1 for the plugin version) as that is mentioned in a lot of these more rare issues in the Geyser FAQ you linked to. Although maybe that’s the problem? If there’s some kind of localhost restrictions going on it could explain why that fix would have an impact if you set it to the local IP address or something like that and similar issues are also mentioned in the Geyser FAQ. That doesn’t really make sense inside the container though since everyone’s container is the same. It would be something with the network environment somehow.
It’s a tricky one to diagnose but I bet with the debug output we can probably solve this and see why it’s getting stuck at least (or where it’s getting stuck). Hopefully that helps!
Ok, I turned debug-mode: false and tried to connect, and got some more error messages. tl;dr you need to set enforce-secure-profile=false in server.properties in order to allow Bedrock players to connect. Apparently this is a recent change. After making that change, I can turn online-mode=true and connect using a Bedrock client.
I’m still sifting through the steps to get Bedrock players whitelisted. From what I can tell, the easiest way to do this is to 1) turn the whitelist off 2) have the player connect 3) add the player to the whitelist 4) turn whitelist back on. I don’t see a way of mapping the XUIDs from Bedrock to the UUID. The Geyser docs that say to append the XUID to 00000000-0000-0000- is either wrong or I’m doing something wrong, since the UUID in Geyser is entirely different for my username, which appears as .username. Very confusing.
Hey shampeon,
Fantastic, you’ve helped me for sure as that is a much safer setting for me to change the defaults on. Thanks for linking to the info on the change as well. I will get this added in. EDIT: This was already the default for new servers using the container but it’s very helpful you posted this as since it’s a recent change anyone who has been hosting a server for a while (and perhaps migrates to the container) is going to run into this!
So I can definitely help with the Geyser / Floodgate part. Check out this document here.
In my commands I see a “fwhitelist” command which has a fwhitelist add player syntax. In the server console (or on the server as an operator with a / in front of the command):
fwhitelist add Tim203This totally bypasses any need for the UUID stuff and this is the Floodgate specific whitelist (it’s a part of Geyser for authentication) but it says you can also use UUIDs (it would be the one that looks different from the Java ones as you described). I think this is why it isn’t working though is it is using a different whitelist for that. Using the fwhitelist command is the key and will take care of it for you.
It is more secure to use the UUID as spoofing a player name is easy but spoofing a UUID requires that they somehow get that nasty string so it’s definitely more secure to add it by UUID. Since you have online-mode back on though spoofing this is not going to be possible on your server any longer even if they have the UUID. Microsoft will validate they are actually signed into that account with a valid password.
The secure profile part is actually a different piece and is related to the chat reporting feature where people get in trouble for violations of the Minecraft player code of conduct and I personally have that shut off (and by default for new servers). I’d rather not have all my player’s chat messages encrypted and sent to Microsoft (to the extent that this setting allows) and you saw how much trouble the setting caused with technical issues / connecting.
There’s some debate about how much of the secure profile / chat reporting feature changing this setting disables and whether they’re still sent anyway (plus the client still undoubtedly submits/reports some of these messages on it’s own but the secure profile setting shuts off most of the dedicated server’s piece of it particularly “forcing” people to have secure profile active to even connect). It definitely disables some of it though because people will get a warning on their clients that the chat messages may be unverified (I believe when they first connect, it might even be a notification-style popup in the top of the screen if I am remembering correctly).
I’m sure you could also add people to the fwhitelist via a file somewhere similarly to the whitelist file but I personally would just use the command then you can go take a look at the files it created/changed if you wanted to be able to do this directly using the filesystem without commands as I couldn’t tell you what the file/files are it creates for fwhitelist off the top of my head (but that’s how I’d find them).
Hopefully that helps!
Hey shampeon,
Perfect. That looks exactly right. You did exactly what I would have done configuration wise here.
I’ve actually never seen anyone do what you are doing with the volume. Are you actually using a shared OS mount with my container instead of a Docker volume? That is awesome and I wouldn’t have necessarily expected it to work and I didn’t design it that way. I don’t think this is the problem though.
You actually aren’t getting an error here. That would make things a lot easier actually. Cannot connect to world should be what you get if you just type in a random IP address and port in there that isn’t running a Minecraft server. It just basically can’t communicate with it at all (as far as we can see). We’ve done Wireshark traces in the past to figure out what is going on with these.
Your ports look okay though. 19134 shouldn’t overlap with anything and your mappings look perfect here for it. Best I can tell nothing is getting through on port 19134 though here still! You could check the Geyser configuration file and make sure it’s indeed matching your 19134 port and see if anything like that is potentially going on. Also make sure the server is closed when making these edits before launching!
Yes, I’m using a local mount as the location. Makes it much easier than using a Docker volume, and it’s part of a ZFS volume so I get those advantages.
Hey shampeon,
Awesome, I’ll have to get that added into the documentation in the next round of updates (just to let people know it’s possible for sure as there will be others that will benefit like you are). Thanks!