
Security: deinfreu/hytale-server-container

SECURITY.md

Security Policy

Security Measures in this Image

This image is built with a "Security-First" mindset to protect both the game server data and the host system.

  1. Non-Root Execution: The container runs as the container user (UID 1000) by default. Even if an attacker gains control of the Hytale process, they do not have root access to the container or the host.
  2. Zombie Process Protection: We use tini as the init system. This ensures that the Java process is managed correctly, signals (like SIGTERM) are handled gracefully, and "zombie" processes are reaped to prevent resource exhaustion.
  3. Audit Scripts: The image includes pre-flight audit scripts (security-check.sh, network-check.sh) that run on every boot to detect common misconfigurations before the server starts.
  4. Minimal Attack Surface: Based on eclipse-temurin (JRE), we exclude unnecessary build tools, compilers, and shells where possible to reduce the footprint for potential exploits.
  5. Read-Only Integrity: The server JAR is stored in /usr/local/lib/ with 444 (read-only) permissions to prevent runtime modification of the server core.

Reporting a Vulnerability

Please follow these steps to report security issues:

  • Submit a Private Advisory: Please report security issues to https://github.com/deinfreu/hytale-server-container/security/advisories/new.
  • Alert the Maintainer: Please also create an empty security issue to alert me, as GitHub Advisories do not send a notification and I will probably miss it otherwise: Submit Alert Issue.
  • No Automated Scans: Do not report upstream dependency issues or scan results from tools unless you have a Proof of Concept (PoC) proving that the upstream issue actually affects this Hytale server image. Such reports will be closed immediately without explanation.
  • Keep it Private: Do not use the public issue tracker or discuss it in public as it will cause more damage.

Best Practices for Deployment

1. Resource Limits (DoS Protection)

Always run this container with memory and CPU limits to prevent a rogue Hytale process from crashing your host.

  • Docker Compose: Use deploy.resources.limits.
  • Pterodactyl: Set the limits in the "Build Configuration" tab.

2. Network Isolation

  • Do not use --network host. Use the default bridge or a custom Docker network.
  • Only expose the necessary ports (default 5520/udp for Hytale and 5520/tcp for legacy/proxies).

3. Filesystem Security

  • Mount your local volume to /home/container.
  • Ensure the host directory is owned by UID 1000 to avoid needing sudo or root privileges within the container.
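
The three practices above combined in one Compose file, as an added example that is not part of this project's own documentation. The service name, network name, host path ./hytale-data and the limit values are assumptions to adjust for your host.

```yaml
# docker-compose.yml (added example; names, path and limit values are assumptions)
services:
  hytale:                      # hypothetical service name
    image: ghcr.io/deinfreu/hytale-server-container:latest

    # 1. Resource limits: cap what a misbehaving server process can consume.
    deploy:
      resources:
        limits:
          cpus: "2.0"          # assumed value, size to your host
          memory: 4G           # assumed value, size to your host

    # 2. Network isolation: a user-defined bridge network.
    #    Do NOT set `network_mode: host` on this service.
    networks:
      - hytale_net
    ports:
      - "5520:5520/udp"        # Hytale default
      - "5520:5520/tcp"        # legacy/proxies; remove if you do not need it

    # 3. Filesystem: bind-mount the data directory to /home/container.
    #    The image already runs as UID 1000, so make the host directory
    #    owned by that UID before the first start, for example:
    #      mkdir -p ./hytale-data && sudo chown -R 1000 ./hytale-data
    volumes:
      - ./hytale-data:/home/container

networks:
  hytale_net:                  # hypothetical network name
    driver: bridge
```

After `docker compose up -d`, `docker inspect` on the running container shows the applied limits under `HostConfig.Memory` and `HostConfig.NanoCpus`, and the network mode under `HostConfig.NetworkMode`.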

4. Keep Images Updated

We regularly rebuild this image to include the latest JRE security patches. Enable automated updates or periodically pull the latest tag:

docker pull ghcr.io/deinfreu/hytale-server-container:latest
