tulilirockz/papermache

Some actually pretty good PaperMC OCI images.

These images are built with Chainguard's apko/melange tooling, based on Wolfi. We provide SBOMs, proper signing, and a very minimal container so your runtime isn't cluttered by vulnerabilities. The scope is also deliberately tight: we don't want to manage your Minecraft server installation at all, just deliver you a secure container.

Just know that, sadly, these builds are very much non-deterministic due to Paper's nature of patching official JARs straight from Mojang.

Motivation

I mostly just thought this would be a cool project to make. After watching Chainguard's video on Minecraft Servers, I just got curious to see if I could do this with PaperMC; then I saw there wasn't anything similar to this in the wild, so I made this project!

TODO

  • Templating for multiple PaperMC versions
  • Official MC server package
  • Use Renovate for everything

Usage

podman run --rm -it -v minecraft:/data:Z -p 25565:25565 ghcr.io/tulilirockz/paper:latest

You can also use this in a Compose file:

services:
  paper:
    image: ghcr.io/tulilirockz/paper:1.24.1
    ports:
      - 25565:25565
    volumes:
      - minecraft:/data:Z
volumes:
  minecraft:

Building locally

just build (package)
# This will also import the image to your storage if you want
just build-container (package) # (import or not w/ 1/0)

Verifying authenticity

Our claims about security don't make sense at all if you can't verify them. Here are a few methods:

Cosign Key

This way you can actually know whether I made this image or not, and whether the image has been tampered with.

cosign verify \
  --key https://raw.githubusercontent.com/tulilirockz/papermache/refs/heads/main/cosign.pub \
  "ghcr.io/tulilirockz/paper:latest"

Fetch SBOM

This returns the Software Bill of Materials (SBOM) for these images: a list of pretty much everything in them.

cosign verify-attestation \
  --key https://raw.githubusercontent.com/tulilirockz/papermache/refs/heads/main/cosign.pub \
  --type https://spdx.dev/Document \
  "ghcr.io/tulilirockz/paper:latest" | jq -r .payload | base64 -d | jq .predicate > ./paper-sbom.yaml
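The `jq -r .payload | base64 -d | jq .predicate` pipeline above unwraps a signed envelope. The following Python example, added here and not part of this project, does the same unwrapping on one output line, checks the predicate type and the subject digest, and lists the SBOM's packages. The envelope, digest and package names are constructed sample data, and `sbom_packages` and `constructed_envelope` are hypothetical names.

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"  # same value as --type in the command above


def sbom_packages(envelope_line, expected_digest=None):
    """Unwrap one line of `cosign verify-attestation` output.

    Returns (subject sha256 digests, sorted [(name, version)]) from the SPDX predicate.
    """
    envelope = json.loads(envelope_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    digests = [s["digest"]["sha256"] for s in statement.get("subject", [])]
    if expected_digest is not None and expected_digest not in digests:
        raise ValueError("attestation subject does not match the expected image digest")
    predicate = statement["predicate"]
    if isinstance(predicate, str):  # assumption: tolerate a predicate stored as a JSON string
        predicate = json.loads(predicate)
    pkgs = sorted((p["name"], p.get("versionInfo", "")) for p in predicate.get("packages", []))
    return digests, pkgs


def constructed_envelope():
    # Constructed sample, not real output for this image: names, versions and digest are made up.
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE,
        "subject": [{"name": "ghcr.io/tulilirockz/paper", "digest": {"sha256": "ab" * 32}}],
        "predicate": {
            "spdxVersion": "SPDX-2.3",
            "packages": [
                {"name": "example-jre", "versionInfo": "0.0.0-r0"},
                {"name": "example-baselayout", "versionInfo": "0.0.0-r0"},
            ],
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []})


if __name__ == "__main__":
    digests, pkgs = sbom_packages(constructed_envelope(), expected_digest="ab" * 32)
    print("subject digests:", digests)
    for name, version in pkgs:
        print(f"{name} {version}")
```

Feed it only lines produced by `cosign verify-attestation`: the script parses the payload and does not itself verify the signature.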

Scanning for Vulnerabilities and Verifying contents

Grype and Dive are great tools for verifying that what you got is safe.

# This will analyze the image and check for vulnerabilities
# Any vulnerability here is a combination of Wolfi's, OpenJDK's, and PaperMC's vulnerabilities
grype ghcr.io/tulilirockz/paper:latest

# This lets you see what is actually in the image before executing it
dive ghcr.io/tulilirockz/paper:latest

NOTE

This project is not affiliated with Mojang, Microsoft, Chainguard, or Oracle, and is redistributed under the Apache 2.0 license with no warranty or liability.

The cute birb on the logo is made by EfthimiaPapierMache on Etsy! Check them out!
