auvem/wordpress-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clean up & simplify structure w/ separate build workflows

Browse Source 
Independent NGINX & PHP-FPM build workflows & directory structure for
cleaner and simpler workflow logic.
This commit is contained in:
Elijah Duffy
2025-12-07 22:45:10 -08:00
parent 8c7a098129
commit 82cdc6a2ad
10 changed files with 292 additions and 360 deletions
Download Patch File Download Diff File Expand all files Collapse all files

221
.github/workflows/build.yml vendored
View File

@@ -1,221 +0,0 @@
name: build
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
workflow_call:
inputs:
REGISTRY_USER:
required: true
type: string
secrets:
REGISTRY_TOKEN:
required: true
jobs:
plan:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.compute.outputs.matrix }}
should_build: ${{ steps.compute.outputs.should_build }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: compute
shell: bash
run: |
set -euo pipefail
# Discover lanes: immediate subdirs under docker/
mapfile -t ALL_LANES < <(find docker -mindepth 1 -maxdepth 1 -type d | sort)
# Filter to only directories that contain a Dockerfile (real lanes)
FILTERED_LANES=()
SKIPPED_LANES=()
build:
needs: plan
if: needs.plan.outputs.should_build == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- name: DEBUG registry username source
run: |
echo "Selected registry username source: $SOURCE"
env:
SOURCE: ${{ inputs.REGISTRY_USER != '' && 'inputs' || secrets.REGISTRY_USER != '' && 'secrets' || vars.REGISTRY_USER != '' && 'vars' || 'actor' }}
- uses: docker/login-action@v3
with:
registry: gitea.auvem.com
username: ${{ inputs.REGISTRY_USER != '' && inputs.REGISTRY_USER || secrets.REGISTRY_USER != '' && secrets.REGISTRY_USER || vars.REGISTRY_USER != '' && vars.REGISTRY_USER || github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Show plan matrix
run: |
echo "Plan matrix: $MATRIX_JSON"
jq -C . dir <<< "$MATRIX_JSON" 2>/dev/null || true
env:
MATRIX_JSON: ${{ needs.plan.outputs.matrix }}
- name: Loop: build and push per-lane
shell: bash
env:
MATRIX_JSON: ${{ needs.plan.outputs.matrix }}
GIT_SHA_SHORT: ${GITHUB_SHA::7}
run: |
set -euo pipefail
if [[ -z "$MATRIX_JSON" ]]; then
echo "ERROR: plan matrix is empty. Aborting." >&2
exit 1
fi
# Iterate lanes
lanes=$(jq -r '.dir[]' <<< "$MATRIX_JSON")
echo "Lanes to build:"
echo "$lanes"
for lane in $lanes; do
echo "\n--- Building lane: $lane ---"
if [[ ! -f "$lane/Dockerfile" ]]; then
echo "ERROR: No Dockerfile at $lane/Dockerfile" >&2
exit 1
fi
NAME=$(basename "$lane")
if [[ "$NAME" == "nginx" ]]; then
IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
TAG="stable"
else
IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm"
if [[ "$NAME" =~ ^([0-9]+\.[0-9]+)$ ]]; then
VERSION="${BASH_REMATCH[1]}"
TAG="${VERSION}-stable"
elif [[ "$NAME" =~ ^([0-9]+)$ ]]; then
VERSION="${BASH_REMATCH[1]}"
TAG="${VERSION}-stable"
else
echo "ERROR: Cannot deterministically derive a version tag from lane name '$NAME'." >&2
exit 1
fi
fi
echo "Computed: lane='$lane' name='$NAME' image='$IMAGE' tags='$IMAGE:${TAG},$IMAGE:git-${GIT_SHA_SHORT}'"
# Buildx build and push
docker buildx build \
--push \
--platform linux/amd64 \
--tag "$IMAGE:${TAG}" \
--tag "$IMAGE:git-${GIT_SHA_SHORT}" \
--file "$lane/Dockerfile" \
.
done
echo "No lane directories changed. Skipping build."
echo "should_build=false" >> $GITHUB_OUTPUT
echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT
exit 0
fi
# Produce JSON matrix
JSON=$(jq -nc --argjson arr "$(printf '%s\n' "${TARGET_DIRS[@]}" | jq -R . | jq -s .)" '{dir: $arr}')
echo "Matrix: $JSON"
echo "should_build=true" >> $GITHUB_OUTPUT
echo "matrix=$JSON" >> $GITHUB_OUTPUT
build:
needs: plan
if: needs.plan.outputs.should_build == 'true'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.plan.outputs.matrix) }}
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- name: DEBUG registry username source
run: |
echo "Selected registry username source: $SOURCE"
# Do NOT echo the username or any secret values — only indicate which source will be used
env:
SOURCE: ${{ inputs.REGISTRY_USER != '' && 'inputs' || secrets.REGISTRY_USER != '' && 'secrets' || vars.REGISTRY_USER != '' && 'vars' || 'actor' }}
- uses: docker/login-action@v3
with:
registry: gitea.auvem.com
# Resolve username in this order: workflow input -> repo/secret -> repo var -> actor
username: ${{ inputs.REGISTRY_USER != '' && inputs.REGISTRY_USER || secrets.REGISTRY_USER != '' && secrets.REGISTRY_USER || vars.REGISTRY_USER != '' && vars.REGISTRY_USER || github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Show matrix payload received by this job
run: |
echo "Expression toJson(matrix): ${{ toJson(matrix) }}"
echo "Expression matrix.dir: '${{ matrix.dir }}'"
echo "ENV MATRIX_DIR: '${MATRIX_DIR}'"
echo "Dockerfile path expression: '${{ matrix.dir }}/Dockerfile'"
env:
MATRIX_DIR: ${{ matrix.dir }}
- name: Derive image name and tags
id: meta
shell: bash
run: |
set -euo pipefail
DIR="${{ matrix.dir }}"
# Fail fast on ambiguous/empty matrix.dir. We require a deterministic lane.
if [[ -z "${DIR}" || "${DIR}" == "." ]]; then
echo "ERROR: Ambiguous lane: matrix.dir is empty or '.'."
echo "Provide a specific lane directory under docker/ (e.g. '7.4' or 'nginx')."
exit 1
fi
NAME="$(basename "${DIR}")" # e.g. '7.4' or 'nginx'
SHA=${GITHUB_SHA::7}
# Decide repository and tag scheme. Must be deterministic.
if [[ "${NAME}" == "nginx" ]]; then
IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
TAG="stable"
else
IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm"
# Accept only lanes that encode a numeric version like '7.4' or '8'.
if [[ "${NAME}" =~ ^([0-9]+\.[0-9]+)$ ]]; then
VERSION="${BASH_REMATCH[1]}"
TAG="${VERSION}-stable"
elif [[ "${NAME}" =~ ^([0-9]+)$ ]]; then
VERSION="${BASH_REMATCH[1]}"
TAG="${VERSION}-stable"
else
echo "ERROR: Cannot deterministically derive a version tag from lane name '${NAME}'."
echo "Expected lane names like '7.4' or '8' for php-fpm lanes."
exit 1
fi
fi
# Debug output for name resolution
echo "Computed values: DIR='${DIR}', NAME='${NAME}', IMAGE='${IMAGE}', TAG='${TAG}', SHA='${SHA}'"
echo "image=$IMAGE" >> $GITHUB_OUTPUT
echo "tags=$IMAGE:${TAG},$IMAGE:git-${SHA}" >> $GITHUB_OUTPUT
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
file: ${{ matrix.dir }}/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
platforms: linux/amd64
cache-from: type=registry,ref=${{ steps.meta.outputs.image }}:cache
cache-to: type=registry,ref=${{ steps.meta.outputs.image }}:cache,mode=max

106
.github/workflows/nginx.yml vendored Normal file
View File

@@ -0,0 +1,106 @@
name: nginx-build
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
inputs:
force:
description: "Set to true to force a build even if no files changed."
required: false
default: "false"
workflow_call:
secrets:
REGISTRY_TOKEN:
required: true
description: "Token for registry authentication."
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: gitea.auvem.com
username: ${{ vars.REGISTRY_USER || github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Decide and build nginx if needed
shell: bash
env:
GIT_SHA_SHORT: ${GITHUB_SHA::7}
FORCE: ${{ github.event.inputs.force || 'false' }}
run: |
set -euo pipefail
if [[ ! -f nginx/Dockerfile ]]; then
echo "No nginx/Dockerfile present; nothing to build."
exit 0
fi
BUILD=false
# Manual trigger or explicit force -> build
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || [[ "$FORCE" == "true" ]]; then
echo "Manual/forced trigger -> building nginx"
BUILD=true
else
# detect changed files between base/head (or list all files for shallow contexts)
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
BASE_SHA="${{ github.event.pull_request.base.sha }}"
HEAD_SHA="${{ github.event.pull_request.head.sha }}"
elif [[ "${{ github.event_name }}" == "push" ]]; then
BASE_SHA="$(git rev-parse HEAD~1 2>/dev/null || true)"
HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
else
BASE_SHA=""
HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
fi
if [[ -n "$BASE_SHA" ]]; then
CHANGED=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
else
CHANGED=$(git ls-files)
fi
echo "Changed files:\n$CHANGED"
if grep -q "^.github/workflows/" <<< "$CHANGED"; then
echo "Workflow changed; building nginx"
BUILD=true
elif grep -q "^nginx/" <<< "$CHANGED"; then
echo "nginx directory changed; building nginx"
BUILD=true
else
BUILD=false
fi
fi
if [[ "$BUILD" != "true" ]]; then
echo "No relevant changes; skipping nginx build."
exit 0
fi
IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
TAG="latest"
echo "Building $IMAGE:$TAG"
docker buildx build --push --platform linux/amd64 \
--tag "${IMAGE}:${TAG}" \
--tag "${IMAGE}:git-${GIT_SHA_SHORT}" \
--file nginx/Dockerfile \
.
IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
TAG="latest"
echo "Building nginx image ${IMAGE}:${TAG}"
docker buildx build --push --platform linux/amd64 \
--tag "${IMAGE}:${TAG}" \
--tag "${IMAGE}:git-${GIT_SHA_SHORT}" \
--file "nginx/Dockerfile" .
done

161
.github/workflows/php-fpm.yml vendored Normal file
View File

@@ -0,0 +1,161 @@
name: php-fpm-build
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
inputs:
lane:
description: 'Lane to build (e.g. 7.4). Use "all" to build all lanes.'
required: false
default: ""
workflow_call:
secrets:
REGISTRY_TOKEN:
required: true
description: "Token for registry authentication."
jobs:
plan:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.compute.outputs.matrix }}
should_build: ${{ steps.compute.outputs.should_build }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: compute
shell: bash
run: |
set -euo pipefail
# discover lanes under php-fpm/* that contain a Dockerfile
mapfile -t ALL_LANES < <(find php-fpm -mindepth 1 -maxdepth 1 -type d | sort)
FILTERED=()
for d in "${ALL_LANES[@]}"; do
if [[ -f "${d}/Dockerfile" ]]; then
FILTERED+=("${d}")
fi
done
ALL_LANES=("${FILTERED[@]}")
if [[ ${#ALL_LANES[@]} -eq 0 ]]; then
echo "No php-fpm lanes found. Nothing to do."
echo "should_build=false" >> $GITHUB_OUTPUT
echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT
exit 0
fi
# allow workflow_dispatch lane selection
SELECTED=()
REQ_LANE="${{ github.event.inputs.lane || '' }}"
if [[ -n "$REQ_LANE" ]]; then
if [[ "$REQ_LANE" == "all" ]]; then
SELECTED=("${ALL_LANES[@]}")
else
candidate="php-fpm/$REQ_LANE"
if [[ -d "$candidate" && -f "$candidate/Dockerfile" ]]; then
SELECTED=("$candidate")
else
echo "ERROR: Requested lane '$REQ_LANE' not found under php-fpm/" >&2
exit 1
fi
fi
else
# Determine changed files
if [[ "${{ github.event_name }}" == "push" ]]; then
BASE_SHA="$(git rev-parse HEAD~1 2>/dev/null || true)"
HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
BASE_SHA="${{ github.event.pull_request.base.sha }}"
HEAD_SHA="${{ github.event.pull_request.head.sha }}"
else
BASE_SHA=""
HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
fi
if [[ -n "$BASE_SHA" ]]; then
CHANGED=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
else
CHANGED=$(git ls-files)
fi
# If workflow files changed, rebuild all lanes
if grep -q "^.github/workflows/" <<< "$CHANGED"; then
SELECTED=("${ALL_LANES[@]}")
else
for d in "${ALL_LANES[@]}"; do
if grep -q "^${d}/" <<< "$CHANGED"; then
SELECTED+=("${d}")
fi
done
fi
fi
# Dedupe and validate
mapfile -t SELECTED < <(printf "%s\n" "${SELECTED[@]}" | awk 'NF && !x[$0]++')
if [[ ${#SELECTED[@]} -eq 0 ]]; then
echo "No php-fpm lanes to build."
echo "should_build=false" >> $GITHUB_OUTPUT
echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT
exit 0
fi
JSON=$(jq -nc --argjson arr "$(printf '%s\n' "${SELECTED[@]}" | jq -R . | jq -s .)" '{dir: $arr}')
echo "Matrix: $JSON"
echo "should_build=true" >> $GITHUB_OUTPUT
echo "matrix=$JSON" >> $GITHUB_OUTPUT
build:
needs: plan
if: needs.plan.outputs.should_build == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: gitea.auvem.com
username: ${{ vars.REGISTRY_USER || github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Show plan matrix
run: |
echo "Plan matrix: $MATRIX_JSON"
jq -C . dir <<< "$MATRIX_JSON" 2>/dev/null || true
env:
MATRIX_JSON: ${{ needs.plan.outputs.matrix }}
- name: Build lanes
shell: bash
env:
MATRIX_JSON: ${{ needs.plan.outputs.matrix }}
GIT_SHA_SHORT: ${GITHUB_SHA::7}
run: |
set -euo pipefail
lanes=$(jq -r '.dir[]' <<< "$MATRIX_JSON")
for lane in $lanes; do
echo "Building lane: $lane"
if [[ ! -f "$lane/Dockerfile" ]]; then
echo "ERROR: missing Dockerfile for $lane" >&2
exit 1
fi
NAME=$(basename "$lane")
if [[ ! "$NAME" =~ ^([0-9]+\.?[0-9]*)$ ]]; then
echo "ERROR: php-fpm lane name '$NAME' is not a numeric version" >&2
exit 1
fi
IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm"
TAG="$NAME"
echo "Computed: image=${IMAGE}, tags=${IMAGE}:${TAG},${IMAGE}:git-${GIT_SHA_SHORT}"
docker buildx build --push --platform linux/amd64 \
--tag "${IMAGE}:${TAG}" \
--tag "${IMAGE}:git-${GIT_SHA_SHORT}" \
--file "$lane/Dockerfile" .
done

11
docker/nginx/Dockerfile
View File

@@ -1,11 +0,0 @@
FROM nginx:alpine-slim
# Add a minimal, secure nginx config that works with the php-fpm service
COPY nginx.conf /etc/nginx/conf.d/default.conf
# Create directories for logs and ensure permissions (nginx user is nginx)
RUN mkdir -p /var/www/html /var/log/nginx && chown -R nginx:nginx /var/www/html /var/log/nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

69
docker/nginx/nginx.conf
View File

@@ -1,69 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name _;
root /var/www/html;
index index.php index.html index.htm;
# Basic security headers (can be extended per-site)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Deny access to hidden files and directories
location ~ (^|/)[.] {
deny all;
access_log off;
log_not_found off;
}
# Static files: long cache, immutable where appropriate
location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ {
try_files $uri =404;
access_log off;
expires 30d;
add_header Cache-Control "public, max-age=2592000, immutable";
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; allow all; }
# Main front controller; fall back to index.php
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# PHP-FPM handling; pass to php-fpm:9000 (docker service name)
location ~ [^/]
\.php(/|$) {
# Prevent direct access to PHP files in uploads or other writable dirs if necessary
try_files $document_root$fastcgi_script_name =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Use TCP FPM backend service name. Matches the php-fpm image we built.
fastcgi_pass php-fpm:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_read_timeout 300;
}
# Block access to .ht* files
location ~* /\.(?:ht|git) {
deny all;
}
# Optional: small buffer for large headers (WordPress with many cookies/plugins)
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# Prevent clickjacking on all responses
add_header X-Frame-Options "SAMEORIGIN";
}
# Default server; allow override by mounting /etc/nginx/conf.d/default.conf

19
docker/php-fpm/entrypoint.sh
View File

@@ -1,19 +0,0 @@
#!/bin/sh
set -euo pipefail
# Entrypoint for php-fpm images.
# If CHOWN_ON_START is set to '1' or 'true', recursively chown the webroot
# to the 'app' user (UID 1000). This is optional and must be explicitly enabled
# via environment (safer for multi-tenant hosts).
: ${CHOWN_ON_START:=}
if [ "${CHOWN_ON_START}" = "1" ] || [ "${CHOWN_ON_START}" = "true" ]; then
echo "[entrypoint] CHOWN_ON_START enabled — fixing ownership of /var/www/html"
# Only run chown if the directory exists
if [ -d /var/www/html ]; then
chown -R 1000:1000 /var/www/html || true
fi
fi
# Exec the given command (php-fpm by default)
exec "$@"

10
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,10 @@
FROM nginx:alpine-slim
# Copy nginx config from repo
COPY --chown=root:root nginx/nginx.conf /etc/nginx/conf.d/default.conf
RUN mkdir -p /var/www/html /var/log/nginx && chown -R nginx:nginx /var/www/html /var/log/nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

31
docker/7.4/Dockerfile → php-fpm/7.4/Dockerfile
View File

@@ -1,10 +1,4 @@
# Multi-stage Alpine-based PHP 7.4 FPM image optimized for WordPress # Multi-stage Alpine-based PHP 7.4 FPM image optimized for WordPress
# - builds extensions in a builder stage (isolation)
# - copies only runtime bits into the final image
# - minimal runtime packages, production php.ini and opcache tuned
# - includes common WordPress extensions: pdo_mysql, mysqli, gd, zip, exif,
# intl, xml, xmlrpc (if compiled), bcmath, opcache, mbstring, curl, fileinfo
ARG BASE_TAG=7.4-fpm-alpine3.16 ARG BASE_TAG=7.4-fpm-alpine3.16
FROM php:${BASE_TAG} AS build FROM php:${BASE_TAG} AS build
@@ -27,7 +21,6 @@ RUN set -eux; \
oniguruma-dev \ oniguruma-dev \
mariadb-dev \ mariadb-dev \
; \ ; \
# Configure and build common extensions required by WordPress
docker-php-ext-configure gd --with-freetype --with-jpeg; \ docker-php-ext-configure gd --with-freetype --with-jpeg; \
docker-php-ext-install -j"$(nproc)" \ docker-php-ext-install -j"$(nproc)" \
gd \ gd \
@@ -47,15 +40,12 @@ RUN set -eux; \
; \ ; \
pecl channel-update pecl.php.net; \ pecl channel-update pecl.php.net; \
pecl install redis && docker-php-ext-enable redis; \ pecl install redis && docker-php-ext-enable redis; \
# Use production php.ini as a base
cp "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \ cp "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \
# Clean build deps (we'll copy only runtime artifacts to final image)
apk del .build-deps; \ apk del .build-deps; \
rm -rf /var/cache/apk/* /tmp/* rm -rf /var/cache/apk/* /tmp/*
FROM php:${BASE_TAG} AS runtime FROM php:${BASE_TAG} AS runtime
# Install only runtime library packages (no -dev)
RUN set -eux; \ RUN set -eux; \
apk add --no-cache \ apk add --no-cache \
freetype \ freetype \
@@ -81,7 +71,6 @@ RUN addgroup -g 1000 app || true; \
adduser -D -u 1000 -G app app || true; \ adduser -D -u 1000 -G app app || true; \
mkdir -p /var/www/html; \ mkdir -p /var/www/html; \
chown -R app:app /var/www/html; \ chown -R app:app /var/www/html; \
# Ensure php-fpm runtime directories exist and are writable by the app user
mkdir -p /var/run/php /run/php /var/log/php; \ mkdir -p /var/run/php /run/php /var/log/php; \
chown -R app:app /var/run/php /run/php /var/log/php chown -R app:app /var/run/php /run/php /var/log/php
@@ -103,33 +92,19 @@ RUN set -eux; \
echo 'error_log = /proc/self/fd/2'; \ echo 'error_log = /proc/self/fd/2'; \
} > /usr/local/etc/php/conf.d/zz-hardening.ini } > /usr/local/etc/php/conf.d/zz-hardening.ini
# Expose FPM socket port (if using TCP); keep default unix socket when preferred
EXPOSE 9000 EXPOSE 9000
# Healthcheck: ensure php-fpm master process exists
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 CMD pgrep -f "php-fpm" || exit 1 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 CMD pgrep -f "php-fpm" || exit 1
WORKDIR /var/www/html WORKDIR /var/www/html
# Copy pool configuration from build context (keep a copy in each lane to # Copy pool configuration and entrypoint from shared path in repo root
# allow building with context set to the lane directory). COPY --chown=root:root shared/php-fpm/www.conf /usr/local/etc/php-fpm.d/www.conf
COPY --chown=root:root docker/php-fpm/www.conf /usr/local/etc/php-fpm.d/www.conf COPY --chown=root:root shared/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh
# Copy a shared entrypoint that can optionally fix permissions on the mounted webroot
COPY --chown=root:root docker/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 755 /usr/local/bin/entrypoint.sh RUN chmod 755 /usr/local/bin/entrypoint.sh
# Use a small entrypoint to optionally chown mounted volumes at container start.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
# Run php-fpm master as root and have workers drop to the non-root `app` user.
# This avoids permission surprises while keeping workers unprivileged.
USER root USER root
CMD ["php-fpm"] CMD ["php-fpm"]
# Notes:
# - The build stage compiles extensions and leaves a production php.ini in place.
# - The final image copies only the runtime artifacts and installs only runtime libs
# to keep it small.
# - If you want to run PHP-FPM as a non-root user in container, you will need to
# adjust the php-fpm pool user/group configuration in /usr/local/etc/php-fpm.d/www.conf

12
shared/php-fpm/entrypoint.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/sh
set -euo pipefail
: ${CHOWN_ON_START:=}
if [ "${CHOWN_ON_START}" = "1" ] || [ "${CHOWN_ON_START}" = "true" ]; then
echo "[entrypoint] CHOWN_ON_START enabled — fixing ownership of /var/www/html"
if [ -d /var/www/html ]; then
chown -R 1000:1000 /var/www/html || true
fi
fi
exec "$@"

12
docker/php-fpm/www.conf → shared/php-fpm/www.conf
View File

@@ -1,20 +1,15 @@
; Shared php-fpm pool configuration for containers ; Shared php-fpm pool configuration for containers
; Designed to be reused across php-fpm versions in this repo
[www] [www]
; Listen on TCP to be container-friendly
listen = 0.0.0.0:9000 listen = 0.0.0.0:9000
; Run workers as the unprivileged 'app' user
user = app user = app
group = app group = app
; Ensure socket ownership/mode if a socket is used
listen.owner = app listen.owner = app
listen.group = app listen.group = app
listen.mode = 0660 listen.mode = 0660
; Process management
pm = dynamic pm = dynamic
pm.max_children = 10 pm.max_children = 10
pm.start_servers = 2 pm.start_servers = 2
@@ -22,22 +17,15 @@ pm.min_spare_servers = 1
pm.max_spare_servers = 3 pm.max_spare_servers = 3
pm.max_requests = 500 pm.max_requests = 500
; Timeouts and logging
request_terminate_timeout = 300s request_terminate_timeout = 300s
request_slowlog_timeout = 5s request_slowlog_timeout = 5s
slowlog = /var/log/php/www-slow.log slowlog = /var/log/php/www-slow.log
; Helpful logging for debugging worker crashes
catch_workers_output = yes catch_workers_output = yes
access.log = /var/log/php/www-access.log access.log = /var/log/php/www-access.log
; Keep environment variables (useful if you pass DB credentials via env)
clear_env = no clear_env = no
; Security and restart behaviour
emergency_restart_threshold = 10 emergency_restart_threshold = 10
emergency_restart_interval = 1m emergency_restart_interval = 1m
process_control_timeout = 10s process_control_timeout = 10s
; Ensure stdout/stderr are visible in container logs
; php-fpm will already write logs to paths above; ensure the directory exists in image