
Commit f422269

committed
rootless php
1 parent b7674f2 commit f422269


4 files changed

+128
-4
lines changed


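--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -40,6 +40,22 @@ jobs:
 # {{major}}-base
 type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-base,value=${{ matrix.php_version }}.0
 
+- name: Docker meta (base-rootless)
+id: meta-base-rootless
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+with:
+images: |
+clevyr/php
+ghcr.io/clevyr/php
+flavor: latest=false
+tags: |
+# {{major}}.{{minor}}-composer{{major}}-base-rootless
+type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }}-base,value=${{ matrix.php_version }}.0
+# {{major}}.{{minor}}-base-rootless
+type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},suffix=-base-rootless,value=${{ matrix.php_version }}.0
+# {{major}}-base-rootless
+type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-base-rootless,value=${{ matrix.php_version }}.0
+
 - name: Docker meta (onbuild)
 id: meta-onbuild
 uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
@@ -66,6 +82,30 @@ jobs:
 # {{major}}
 type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},value=${{ matrix.php_version }}.0
 
+- name: Docker meta (onbuild-rootless)
+id: meta-onbuild-rootless
+uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+with:
+images: |
+clevyr/php
+ghcr.io/clevyr/php
+flavor: latest=false
+tags: |
+# {{major}}.{{minor}}-composer{{major}}-onbuild-rootless
+type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }}-onbuild-rootless,value=${{ matrix.php_version }}.0
+# {{major}}.{{minor}}-composer{{major}}
+type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }},value=${{ matrix.php_version }}.0
+# {{major}}.{{minor}}-onbuild-rootless
+type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},suffix=-onbuild-rootless,value=${{ matrix.php_version }}.0
+# {{major}}.{{minor}}
+type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},value=${{ matrix.php_version }}.0
+# {{major}}-composer{{major}}
+type=semver,enable=${{ (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-composer${{ matrix.composer_version }},value=${{ matrix.php_version }}.0
+# {{major}}-onbuild-rootless
+type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-onbuild-rootless,value=${{ matrix.php_version }}.0
+# {{major}}
+type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},value=${{ matrix.php_version }}.0
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
@@ -121,6 +161,22 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
+- name: Build and Push (base-rootless)
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+with:
+context: .
+pull: true
+push: ${{ github.ref_name == 'main' }}
+platforms: ${{ matrix.platforms }}
+tags: ${{ steps.meta-base-rootless.outputs.tags }}
+labels: ${{ steps.meta-base-rootless.outputs.labels }}
+build-args: |
+COMPOSER_VERSION=${{ matrix.composer_version }}
+PHP_VERSION=${{ matrix.php_version }}
+target: base-rootless
+cache-from: type=gha
+cache-to: type=gha,mode=max
+
 - name: Build and Push (onbuild)
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
@@ -135,3 +191,18 @@ jobs:
 target: onbuild
 cache-from: type=gha
 cache-to: type=gha,mode=max
+
+- name: Build and Push (onbuild-rootless)
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+with:
+context: .
+push: ${{ github.ref_name == 'main' }}
+platforms: ${{ matrix.platforms }}
+tags: ${{ steps.meta-onbuild-rootless.outputs.tags }}
+labels: ${{ steps.meta-onbuild-rootless.outputs.labels }}
+build-args: |
+COMPOSER_VERSION=${{ matrix.composer_version }}
+PHP_VERSION=${{ matrix.php_version }}
+target: onbuild-rootless
+cache-from: type=gha
+cache-to: type=gha,mode=max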
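Review bot: The first tag of the base-rootless meta (new line 53, under the comment `# {{major}}.{{minor}}-composer{{major}}-base-rootless`) uses `suffix=-composer${{ matrix.composer_version }}-base` with no `-rootless`, so the rootless base image is pushed under exactly the tag the regular base image already uses and overwrites it; it should read `type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }}-base-rootless,value=${{ matrix.php_version }}.0`. The onbuild-rootless meta has the same collision on a larger scale: its `{{major}}.{{minor}}-composer{{major}}`, `{{major}}.{{minor}}`, `{{major}}-composer{{major}}` and `{{major}}` entries (new lines 96-97, 100-101, 102-103, 106-107) are byte-identical to the plain onbuild tags, and because the onbuild-rootless push runs last in the job those unsuffixed tags will end up pointing at the rootless image. Unless rootless is intended to become the default (the commit message does not say so), those four pairs should be dropped so only the `-onbuild-rootless` tags remain. Minor: the onbuild-rootless build step omits the `pull: true` that the base-rootless step sets, so it may build on a stale cached `php:` base.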

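--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,6 @@ ARG ALPINE_VERSION
 FROM composer:$COMPOSER_VERSION AS local-composer
 
 FROM php:$PHP_VERSION-fpm-alpine$ALPINE_VERSION AS base
-WORKDIR /app
 
 COPY --from=mlocati/php-extension-installer:2.8.5 /usr/bin/install-php-extensions /usr/bin/
 
@@ -36,7 +35,7 @@ RUN <<EOT
 -e 's/^;?(expose_php).*/\1 = Off/' \
 php.ini-production
 ln -s php.ini-production php.ini
-mkdir -p /run/nginx
+mkdir -p /run/nginx /var/lib/nginx/tmp /var/log/nginx
 sed -ri -e 's/#(tcp_nopush on;)/\1/' /etc/nginx/nginx.conf
 if [ -d /etc/nginx/http.d ]; then
 mv /etc/nginx/http.d /etc/nginx/conf.d
@@ -91,6 +90,22 @@ COPY rootfs/ /
 
 CMD ["s6-svscan", "/etc/services.d"]
 
+FROM base AS base-rootless
+
+RUN <<EOT
+sed -ri \
+-e 's/^;(user) = .*/\1 = www-data/' \
+-e 's/^;(group) = .*/\1 = www-data/' \
+"$PHP_INI_DIR"/php-fpm.d/www.conf
+sed -i 's/^user .*;/user www-data;/' /etc/nginx/nginx.conf
+chown -R www-data:www-data /run/nginx /var/lib/nginx /var/log/nginx
+EOT
+
+USER www-data:www-data
+WORKDIR /app
+
+CMD ["s6-svscan-rootless", "/etc/services.d"]
+
 FROM base AS onbuild
 
 ONBUILD ARG PHP_FPM_PM_MAX_CHILDREN
@@ -141,3 +156,16 @@ ONBUILD RUN <<EOT
 clevyr-build
 fi
 EOT
+
+FROM onbuild AS onbuild-rootless
+
+ONBUILD USER root
+
+ONBUILD RUN <<EOT
+set -eux
+if [ "${SKIP_BUILD:-}" != "true" ]; then
+clevyr-build
+fi
+EOT
+
+ONBUILD USER www-data:www-data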
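Review bot: `FROM onbuild AS onbuild-rootless` builds on `onbuild`, which is `FROM base`, so the onbuild-rootless image never receives anything from the base-rootless stage — not the php-fpm/nginx `user` rewrite, not the `chown` of /run/nginx, /var/lib/nginx and /var/log/nginx, and not the `CMD ["s6-svscan-rootless", "/etc/services.d"]`; its closing `ONBUILD USER www-data:www-data` will therefore start the inherited `s6-svscan /etc/services.d` as www-data, the exact case the wrapper script exists to avoid, and nginx will have no writable pid/tmp/log directories. Unless the onbuild triggers outside this hunk redo that setup, the stage should be `FROM base-rootless AS onbuild-rootless` with the `ONBUILD ARG`/`ONBUILD RUN` triggers repeated there (their full list starts outside the hunk), since ONBUILD triggers are only inherited by direct children. Separately, `WORKDIR /app` is deleted from `base` and only re-added in base-rootless, so `base` and `onbuild` now inherit the php image's working directory unless it is set elsewhere outside these hunks — a behaviour change for the existing non-rootless images that is worth reverting or calling out. Also, `clevyr-build` runs as root in onbuild-rootless, so whatever it writes under /app is root-owned; if the application needs writable paths at runtime (presumably storage or cache directories — to be confirmed), a targeted `chown` is needed before `ONBUILD USER www-data:www-data`.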

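--- a/rootfs/etc/nginx/conf.d/default.conf.tpl
+++ b/rootfs/etc/nginx/conf.d/default.conf.tpl
@@ -1,6 +1,6 @@
 server {
-listen 80;
-listen [::]:80 default ipv6only=on;
+listen 8080;
+listen [::]:8080 default ipv6only=on;
 
 server_name _;
 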
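--- a/rootfs/usr/bin/s6-svscan-rootless
+++ b/rootfs/usr/bin/s6-svscan-rootless
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -euo pipefail
+
+# Wrapper to run s6-svscan from a writable directory
+# s6-svscan creates .s6-svscan in the service directory, so we need to copy services to /tmp
+
+# See https://skarnet.org/software/s6/scandir.html
+
+SERVICE_DIR="$1"
+
+if [ -z "$SERVICE_DIR" ]; then
+echo "Usage: $0 <service-directory>" >&2
+exit 1
+fi
+
+# Create a unique directory in /tmp for our services
+TEMP_SERVICE_DIR="/tmp/s6-services-$$"
+mkdir -p "$TEMP_SERVICE_DIR"
+
+# Copy the service directory contents to /tmp
+cp -r "$SERVICE_DIR"/* "$TEMP_SERVICE_DIR/" 2>/dev/null || cp -r "$SERVICE_DIR"/. "$TEMP_SERVICE_DIR/"
+
+# Run s6-svscan against the copied services
+exec s6-svscan "$TEMP_SERVICE_DIR"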
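Review bot: With `set -euo pipefail` on line 3, `SERVICE_DIR="$1"` on line 10 aborts with the shell's unbound-variable error whenever no argument is passed, so the usage message on lines 12-15 is unreachable; it should be `SERVICE_DIR="${1:-}"`. `pipefail` is also not POSIX — busybox ash (Alpine's `/bin/sh`) accepts it but dash does not — and the script contains no pipeline, so dropping it from the `set` line costs nothing and removes the portability trap. `/tmp/s6-services-$$` is predictable and `mkdir -p` silently reuses a pre-existing directory of that name, so `TEMP_SERVICE_DIR=$(mktemp -d /tmp/s6-services.XXXXXX)` is the safer idiom. The header comment should also warn that the copied `run` scripts execute out of /tmp, which fails if the container's /tmp is mounted `noexec`, e.g. `# NOTE: service run scripts execute from /tmp; a noexec /tmp mount will break this wrapper`.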
