Win $20,000. Help build the future of education. Answer the Call for Code. Learn more

Run a Minecraft server on IBM Cloud Hyper Protect Virtual Servers

In this tutorial, you will learn how to protect your application by leveraging the Bring your own Image (BYOI) feature of the IBM Cloud® Hyper Protect Virtual Servers service using the example of a Minecraft server. I show you how to build your own Minecraft server image and create a new Hyper Protect Virtual Server with it. By deploying the application on this service, you can run it on IBM LinuxONE on the secured software stack of the IBM Secure Service Container technology which provides protection from internal and outsider threats. To achieve even more confidentiality for the Minecraft server, the image that will be built will only include the Minecraft application and the necessary runtime. There will be no interactive shell available to interact with the server to protect it from attacks. After you have completed this tutorial, you will be able to play Minecraft on your Hyper Protect Minecraft server.

Learning objectives

When you’ve completed this tutorial, you will understand how to:

  • Build an OCI image for a Minecraft server
  • Deploy a Hyper Protect Virtual Server using your own Image
  • Connect to the Hyper Protect Virtual Server instance

Prerequisites

To complete this tutorial, you’ll need:

Estimated time

It should take you about 1 – 2 hours to complete this tutorial.

Steps

The following steps will show you how to:

  1. Create an Ubuntu Hyper Protect Virtual Server with the name Minecraft Build Server that you will use for the preparation of the image
  2. Use the Minecraft Build Server to build the Minecraft Server into an OCI image which can be consumed by Hyper Protect Virtual Servers
  3. Push this image to IBM Cloud Container Registry and sign it
  4. Create the registration definition file that is required for the deployment
  5. Deploy a new Hyper Protect Virtual Server using your Minecraft OCI image, and then connect to the deployed Minecraft Server using your Minecraft Launcher

Tutorial components overview

1

Create the Minecraft Build Server

In this step, I show you how to install the Hyper Protect Virtual Servers plugin for the IBM Cloud CLI, and how to use it to order a free Virtual Server.

Go to the terminal where you can run ibmcloud commands and login:

ibmcloud login

Install the Hyper Protect Virtual Servers plugin for the IBM Cloud CLI:

ibmcloud plugin install hpvs

Run the following command to create the Minecraft Build Server instance. Possible values for the <location> are: dal10, dal12, dal13, fra02, fra04, fra05, syd01, syd04, syd05, wdc04, wdc06, and wdc07.

ibmcloud hpvs instance-create "Minecraft Build Server" free <location> --ssh-path <path-to-ssh-public-key>

Check the provisioning status regularly with the command you get as a response and wait until the instance becomes available.

2

Build the image

In this section, I show you how to build the Minecraft Server image, so that it can be consumed by Hyper Protect Virtual Servers. This service runs on IBM LinuxONE hardware, therefore the image needs to be built for the s390x architecture. You will use the Minecraft Build Server instance for that.

Login to your Minecraft Build Server via SSH:

ssh root@<minecraft_build_server_public_ip>

Then install the necessary tools to build and push the image:

apt update && apt install -y docker.io gpg

Create a Dockerfile with the following content. This build script will install the needed tools, download the minecraft_server.1.17.jar, and configure the start command for the image.

FROM ubuntu
RUN apt-get update && apt-get upgrade -y && apt-get install -y default-jdk curl
RUN mkdir minecraft
RUN curl https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar --output minecraft/minecraft_server.jar
RUN echo "eula=true" > eula.txt
CMD java -Xms1024m -Xmx1024m -jar minecraft/minecraft_server.jar --nogui

Replace the region and the icr_namespace in the following command with the details from your IBM Cloud Container Registry instance and run it to build the image:

docker build -t <region>.icr.io/<icr_namespace>/minecraft:latest .
3

Push the image to IBM Cloud Container Registry

Now you need to push the built image from the Minecraft Build Server to the IBM Cloud Container Registry instance you prepared earlier. Because the Hyper Protect infrastructure needs to verify that it pulled the correct image before running it, you’ll need to sign the image using Docker Content Trust in this step.

Login on the IBM Cloud Container registry using your API Key:

echo  "<API_Key>" | docker login -u "iamapikey" --password-stdin <registry_region>.icr.io

Push the image to your IBM Cloud Container registry instance and sign it using Docker Content Trust:

export DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=https://<registry_region>.icr.io:4443
docker push <region>.icr.io/<icr_namespace>/minecraft:latest

The Docker engine will ask for passwords to protect the keys that are generated to sign the images after the push.

4

Create the registration definition file

In this step, I show you how to create the registration definition file which is used as a manifest file for the deployment. The following instructions explain how to do so using the hpvs CLI plugin. The file contains information for the HPVS infrastructure which is required to pull the image you created and pushed in the previous phases. In addition, it includes the public part of the key that was used to sign the image in step 3. This information is used during the deployment to verify that the correct image is started and that it was not tampered during transmission. The data in the registration definition file can contain secrets that you don’t want to expose to anyone. Therefore, the file will be encrypted using a keypair, where the private half is only available in the protected IBM Hyper Protect infrastructure leveraging the IBM Secure Service Container technology so that no person can access it. In addition, the file will be signed by a keypair that you create and should keep safe.

Switch back to your environment where you can run ibmcloud and gpg commands.

Run the following command and provide a password in the prompt to create a new signing key:

ibmcloud hpvs registration-key-create minecraft

Insert the correct values for your image and run the following command to create the registration definition file. You will be prompted to provide your IBM Cloud API key and to provide allowed environment variables or linux capabilites. For this tutorial it is not needed to provide any environment variables or linux capabilities in this step:

ibmcloud hpvs registration-create --registration-key-public-path minecraft.public --registration-key-private-path minecraft.private --repository-name <region>.icr.io/<icr_namespace>/minecraft

This will generate the registration.json.asc file which contains the encrypted and signed content.

5

Provision the Virtual Servers using the built image

Select a location and provision a new free Virtual Server using your own Minecraft OCI image. Possible values for the <location> are: dal10, dal12, dal13, fra02, fra04, fra05, syd01, syd04, syd05, wdc04, wdc06, and wdc07.

Then run:

ibmcloud hpvs instance-create "Minecraft Server" free <location> --rd-path registration.json.asc -i latest

Check the provisioning status regularly with the command you get as a response and wait until the instance becomes available. Now you can connect to it with your Minecraft launcher using the public IP address.

Summary

In this tutorial, you have learned how you can run a protected application using Bring Your Own Image (BYOI) from the Hyper Protect Virtual Servers service on the example of a Minecraft Server. This server now runs on IBM LinuxONE hardware leveraging the confidentiality capabilities of the Secure Service Container technology. You can now use what you’ve learned to build and run any other application in the same way. Try it out with the application from the disaster donations code pattern.