php-fpm: refactor with deterministic config files & improved debug

php-fpm/7.4/Dockerfile

@@ -79,30 +79,16 @@ RUN addgroup -g 1000 app && \
 	mkdir -p /var/run/php /run/php /var/log/php && \
 	chown -R app:app /var/run/php /run/php /var/log/php
 
-# Minimal security / production tuning for opcache and PHP
-RUN set -eux; \
-	{ \
-	echo 'opcache.enable=1'; \
-	echo 'opcache.memory_consumption=128'; \
-	echo 'opcache.interned_strings_buffer=8'; \
-	echo 'opcache.max_accelerated_files=10000'; \
-	echo 'opcache.revalidate_freq=2'; \
-	echo 'opcache.fast_shutdown=1'; \
-	echo 'opcache.enable_file_override=0'; \
-	} > /usr/local/etc/php/conf.d/zz-opcache.ini; \
-	{ \
-	echo 'expose_php = Off'; \
-	echo 'display_errors = On'; \
-	echo 'log_errors = On'; \
-	echo 'error_log = /proc/self/fd/2'; \
-	} > /usr/local/etc/php/conf.d/zz-hardening.ini
+# Ship opinionated PHP configuration snippets from source control
+COPY php-fpm/conf.d/ /usr/local/etc/php/conf.d/
 
-# Copy the force-debug script and enable it
+# Copy the force-debug script (enablement is handled via conf.d/99-force-debug.ini)
 COPY --chown=app:app shared/php-fpm/force-debug.php /usr/local/etc/php/force-debug.php
-RUN echo 'auto_prepend_file = /usr/local/etc/php/force-debug.php' > /usr/local/etc/php/conf.d/zz-force-debug.ini
 
 # Copy pool configuration from this directory
 COPY --chown=app:app php-fpm/${BASE_VERSION}/www.conf /usr/local/etc/php-fpm.d/www.conf
+# Copy the global php-fpm configuration so logging defaults are predictable
+COPY php-fpm/${BASE_VERSION}/php-fpm.conf /usr/local/etc/php-fpm.conf
 
 # Copy entrypoint from shared path in repo root
 COPY --chown=root:root shared/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh

php-fpm/7.4/php-fpm.conf

@@ -0,0 +1,8 @@
+[global]
+pid = /var/run/php/php-fpm.pid
+error_log = /proc/self/fd/2
+log_limit = 8192
+log_buffering = no
+daemonize = no
+
+include = /usr/local/etc/php-fpm.d/*.conf

php-fpm/7.4/www.conf

@@ -41,6 +41,10 @@ request_terminate_timeout = 300s
 request_slowlog_timeout = 5s
 slowlog = /var/log/php/www-slow.log
 
+; Force all PHP errors into the container log stream so kubernetes/docker can collect them.
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = /proc/self/fd/2
+
 ; Redirect worker stdout and stderr to the main error log.
 ; This ensures that any `echo` or `var_dump` calls from workers are captured in the container logs.
 catch_workers_output = yes

php-fpm/conf.d/40-opcache.ini

@@ -0,0 +1,7 @@
+opcache.enable=1
+opcache.memory_consumption=128
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.revalidate_freq=2
+opcache.fast_shutdown=1
+opcache.enable_file_override=0

php-fpm/conf.d/90-runtime.ini

@@ -0,0 +1,5 @@
+expose_php=Off
+log_errors=On
+error_log=/proc/self/fd/2
+display_errors=Off
+display_startup_errors=Off

php-fpm/conf.d/99-force-debug.ini

@@ -0,0 +1 @@
+auto_prepend_file=/usr/local/etc/php/force-debug.php