What this guide covers
Once the server is running, the next questions are usually operational:
- How do I
opmyself? - How do I add a player to the whitelist?
- How do I stop the server cleanly?
- Where is the actual server console in Docker?
For itzg/minecraft-server, the clean answer is usually RCON first, interactive console second.
Quick answer
For one-shot commands, use:
docker exec mc rcon-cli stop
docker exec mc rcon-cli op YourPlayerName
docker exec mc rcon-cli whitelist add YourPlayerName
For interactive RCON:
docker exec -i mc rcon-cli
The -i flag matters for interactive use.
Why RCON is the default path
The image enables RCON by default and uses it for safe server control. That matters for two reasons:
- clean shutdowns use the same admin path
- backup tooling can coordinate save state over RCON
In other words, you are not working around the image when you use RCON. You are using the admin path it already expects.
Step 1: Set a deliberate RCON password
If you have never set one, do it now.
The recommended production-friendly option is RCON_PASSWORD_FILE.
services:
mc:
image: itzg/minecraft-server:latest
tty: true
stdin_open: true
environment:
EULA: "TRUE"
RCON_PASSWORD_FILE: /run/secrets/rcon_pass
secrets:
- rcon_pass
secrets:
rcon_pass:
file: ./rcon_password
This keeps the secret out of the Compose file itself.
Step 2: Use rcon-cli for normal admin tasks
Common commands:
docker exec mc rcon-cli list
docker exec mc rcon-cli save-all
docker exec mc rcon-cli op YourPlayerName
docker exec mc rcon-cli whitelist on
docker exec mc rcon-cli whitelist add YourPlayerName
For ongoing administration, an interactive shell is more comfortable:
docker exec -i mc rcon-cli
Then type normal Minecraft console commands one by one.
Step 3: Enable interactive console only if you actually need it
Some admins want the full console for log reading and tab-completion.
For that, keep stdin_open and tty enabled:
services:
mc:
tty: true
stdin_open: true
Then attach:
docker compose attach mc
Or, if you run plain Docker:
docker attach mc
To detach without stopping the container, use:
Ctrl-P Ctrl-Q
Step 4: Keep RCON off the public internet
This is the important safety rule. In most setups you should not publish the RCON port externally at all.
Avoid this unless you have a very specific reason:
ports:
- "25575:25575"
The normal player-facing port is the game port. RCON is an admin interface and should stay private.
Step 5: Validate your setup
Run a safe command:
docker exec mc rcon-cli list
If you get a normal response from the server, your admin path works. If not, check:
- whether the container is healthy
- whether the password is set correctly
- whether you accidentally disabled RCON
Common mistakes
| Symptom | Likely cause | Fix |
|---|---|---|
rcon-cli fails | Wrong password or RCON disabled | Set a deliberate password and keep ENABLE_RCON enabled |
docker attach is useless | tty and stdin_open are missing | Enable both in Compose |
You exposed 25575 publicly | Admin interface published unnecessarily | Remove the public mapping |
| Backups behave strangely after disabling RCON | Image features lost admin path | Keep RCON enabled unless you have a clear alternative |
FAQ
Can I manage ops and whitelist without interactive console?
Yes. That is exactly what rcon-cli is good at.
When should I use docker attach?
Use it when you want a live interactive console and you already enabled tty and stdin_open.
Next steps
- If commands fail because files are not writable, read Fix Permission Denied in itzg/minecraft-server with UID/GID and Bind Mounts.
- Before you automate restarts or updates, set up automatic backups with docker-mc-backup.
- Still dealing with network issues? Check how to open port 25565 correctly.