From cb05aef605ffb30a1d8394e616ae5fad7a36dd56 Mon Sep 17 00:00:00 2001
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:23:41 -0700
Subject: [PATCH 01/23] Create utils.sh
---
.github/workflows/utils.sh | 112 +++++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
create mode 100644 .github/workflows/utils.sh
diff --git a/.github/workflows/utils.sh b/.github/workflows/utils.sh
new file mode 100644
index 0000000..eef5302
--- /dev/null
+++ b/.github/workflows/utils.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+get_variant_sha(){
+ local sha
+ docker_repo=$1 #alpine or vmnet/alpine
+ manifest_tag=$2
+ docker_image=$docker_repo:$manifest_tag
+ arch=$3
+ variant=$4
+ export DOCKER_CLI_EXPERIMENTAL=enabled
+
+ docker pull -q ${docker_image} &>/dev/null
+ docker manifest inspect ${docker_image} > "$2".txt
+
+ sha=""
+ i=0
+ while [ "$sha" == "" ] && read -r line
+ do
+ arch=$(jq .manifests[$i].platform.architecture "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ if [ "$arch" = "$3" ] && [ "$arch" != "arm" ]; then
+ sha=$(jq .manifests[$i].digest "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ echo ${sha}
+ elif [ "$arch" = "$3" ]; then
+ variant=$(jq .manifests[$i].platform.variant "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ if [ "$variant" == "$4" ]; then
+ sha=$(jq .manifests[$i].digest "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ echo ${sha}
+ fi
+ fi
+ i=$i+1
+ done < "$2".txt
+}
+
+get_manifest_sha (){
+ local repo=$1
+ local arch=$2
+ docker pull -q $1 &>/dev/null
+ docker manifest inspect $1 > "$2".txt
+ sha=""
+ i=0
+ while [ "$sha" == "" ] && read -r line
+ do
+ archecture=$(jq .manifests[$i].platform.architecture "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ if [ "$archecture" = "$2" ];then
+ sha=$(jq .manifests[$i].digest "$2".txt |sed -e 's/^"//' -e 's/"$//')
+ echo ${sha}
+ fi
+ i=$i+1
+ done < "$2".txt
+}
+
+get_tag_sha(){
+ local repo=$1
+ local tag=$2
+ docker pull "$repo:$tag" &>/dev/null
+ sha=$(docker inspect --format='{{index .RepoDigests 0}}' "$repo:$tag" 2>/dev/null | cut -d @ -f 2)
+ echo $sha
+}
+
+build_image(){
+ local repo=$1 # this is the base repo, for example treehouses/alpine
+ local arch=$2 #arm arm64 amd64
+ local tag_repo=$3 # this is the tag repo, for example treehouses/node
+ if [ $# -le 1 ]; then
+ echo "missing parameters."
+ exit 1
+ fi
+ sha=$(get_manifest_sha $@)
+ echo $sha
+ base_image="$repo@$sha"
+ echo $base_image
+ if [ -n "$sha" ]; then
+ tag=$tag_repo-tags:$arch
+ sed "s|{{base_image}}|$base_image|g" Dockerfile.template > Dockerfile.$arch
+ docker buildx build --platform linux/$arch -t $tag -f Dockerfile.$arch .
+ fi
+}
+
+deploy_image(){
+ local repo=$1
+ local arch=$2 #arm arm64 amd64
+ tag_arch=$repo-tags:$arch
+ tag_time=$(date +%Y%m%d%H%M)
+ tag_arch_time=$repo-tags:$arch-$tag_time
+ echo $tag_arch_time
+ docker tag $tag_arch $tag_arch_time
+ docker push $tag_arch_time
+ docker tag $tag_arch_time $tag_arch
+ docker push $tag_arch
+}
+
+compare_sha () {
+ if [ "$1" != "$2" ] || [ "$3" != "$4" ] || [ "$5" != "$6" ]; then
+ echo "true"
+ else
+ echo "false"
+ fi
+}
+
+create_manifests(){
+ local repo=$1
+ local tag=$2
+ local x86=$3
+ local rpi=$4
+ local arm64=$5
+ docker manifest create $repo:$tag $x86 $rpi $arm64
+ docker manifest create $repo:latest $x86 $rpi $arm64
+ docker manifest annotate $repo:latest $rpi --arch arm
+ docker manifest annotate $repo:$tag $arm64 --arch arm64
+ docker manifest annotate $repo:latest $arm64 --arch arm64
+ docker manifest annotate $repo:$tag $rpi --arch arm
+}
From 6f3c6e9b916efc9066c4390ed9c35620a61d5720 Mon Sep 17 00:00:00 2001
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:24:39 -0700
Subject: [PATCH 02/23] Create php.yml
---
.github/workflows/php.yml | 75 +++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 .github/workflows/php.yml
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
new file mode 100644
index 0000000..8739791
--- /dev/null
+++ b/.github/workflows/php.yml
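Review bot: `build_image` returns success without building anything when `get_manifest_sha` yields an empty digest, because the `if [ -n "$sha" ]` block has no `else`, and both lookup helpers send `docker pull` errors to `/dev/null`. A registry or manifest failure therefore looks like a normal run, and `deploy_image` will still try to tag and push whatever `$repo-tags:$arch` image happens to exist locally. I would fail closed by adding `else echo "no digest resolved for $repo ($arch)" >&2; return 1` to that block so the caller can stop before anything is pushed. Quoting the expansions (`"$@"`, `"$tag_arch"`, `"$tag_arch_time"`) would also keep an unexpected tag value from being split into extra `docker` arguments.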
@@ -0,0 +1,75 @@
+name: build on change
+
+on:
+ push:
+ branches:
+ - master
+ - main
+ workflow_dispatch:
+ repository_dispatch:
+ types: php
+
+jobs:
+ php:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v2
+ - name: docker login
+ run: docker login -u ${{ secrets.DOCKERUSERNAME }} -p ${{ secrets.DOCKERAPIKEY }}
+ - name: treehouses php
+ run: |
+ export DOCKER_CLI_EXPERIMENTAL=enabled
+ repo="dyeh123/php"
+ base="dyeh123/alpine"
+ source .github/workflows/utils.sh
+ echo "amd64"
+ baseamd64=$(get_variant_sha "$base" "latest" "amd64")
+ echo $baseamd64
+ repoamd64=$(get_manifest_sha "$repo:latest" "amd64")
+ echo $repoamd64
+ echo "arm"
+ basearm=$(get_tag_sha "$base" "latest")
+ echo $basearm
+ repoarm=$(get_manifest_sha "$repo:latest" "arm")
+ echo $repoarm
+ echo "arm64"
+ basearm64=$(get_variant_sha "$base" "latest" "arm64")
+ echo $basearm64
+ repoarm64=$(get_manifest_sha "$repo:latest" "arm64")
+ echo $repoarm64
+ echo "change"
+ flag=$(compare_sha "$baseamd64" "$repoamd64" "$basearm" "$repoarm" "$basearm64" "$repoarm64")
+ echo $flag
+ if [[ $flag == true ]]; then
+ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+ build_image "$base:latest" amd64 $repo
+ build_image "$base:latest" arm $repo
+ build_image "$base:latest" arm64 $repo
+ deploy_image $repo arm
+ deploy_image $repo amd64
+ deploy_image $repo arm64
+ sudo npm install -g @treehouses/cli
+ export gitter_channel="${{ secrets.CHANNEL }}"
+ echo "tags"
+ tag="$(date +%Y%m%d%H%M)"
+ echo $tag
+ docker manifest create $repo:$tag $repo-tags:amd64 $repo-tags:arm $repo-tags:arm64
+ docker manifest annotate $repo:$tag $repo-tags:amd64 --arch amd64
+ docker manifest annotate $repo:$tag $repo-tags:arm64 --arch arm64
+ docker manifest annotate $repo:$tag $repo-tags:arm --arch arm
+ docker manifest inspect $repo:$tag
+ docker manifest push $repo:$tag
+ tag2="latest"
+ echo $tag2
+ docker manifest create $repo:$tag2 $repo-tags:amd64 $repo-tags:arm $repo-tags:arm64
+ docker manifest annotate $repo:$tag2 $repo-tags:amd64 --arch amd64
+ docker manifest annotate $repo:$tag2 $repo-tags:arm64 --arch arm64
+ docker manifest annotate $repo:$tag2 $repo-tags:arm --arch arm
+ docker manifest inspect $repo:$tag2
+ docker manifest push $repo:$tag2
+ echo "https://hub.docker.com/r/treehouses/php/tags"
+ treehouses feedback "new treehouses/php check https://hub.docker.com/r/treehouses/php/tags"
+ else
+ echo "no changes"
+ fi
From 707b00e7712af85f332ef3866387a50e6a4eecb2 Mon Sep 17 00:00:00 2001
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:25:29 -0700
Subject: [PATCH 03/23] Create force.yml
---
.github/workflows/force.yml | 75 +++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 .github/workflows/force.yml
diff --git a/.github/workflows/force.yml b/.github/workflows/force.yml
new file mode 100644
index 0000000..0ed3817
--- /dev/null
+++ b/.github/workflows/force.yml
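Review bot: The `docker login` step passes the registry token with `-p` after expanding `${{ secrets.DOCKERAPIKEY }}` straight into the command line, so the token becomes part of the generated script and of the process arguments; the same step appears in force.yml. Map both secrets into the step's `env:` block and read the token from stdin instead: `echo "$DOCKER_TOKEN" | docker login -u "$DOCKER_USER" --password-stdin`, where `DOCKER_USER` and `DOCKER_TOKEN` stand for whatever names the env block defines. Separately, `repo` is set to `dyeh123/php` here while the feedback message at the end announces `treehouses/php`, which looks unintended.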
@@ -0,0 +1,75 @@
+name: build by force
+
+on:
+# push:
+# branches:
+# - master
+# - main
+ workflow_dispatch:
+# repository_dispatch:
+# types: php
+
+jobs:
+ php:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v2
+ - name: docker login
+ run: docker login -u ${{ secrets.DOCKERUSERNAME }} -p ${{ secrets.DOCKERAPIKEY }}
+ - name: treehouses php
+ run: |
+ export DOCKER_CLI_EXPERIMENTAL=enabled
+ repo="treehouses/php"
+ base="treehouses/alpine"
+ source .github/workflows/utils.sh
+ echo "amd64"
+ baseamd64=$(get_variant_sha "$base" "latest" "amd64")
+ echo $baseamd64
+ # repoamd64=$(get_manifest_sha "$repo:latest" "amd64")
+ # echo $repoamd64
+ echo "arm"
+ basearm=$(get_tag_sha "$base" "latest")
+ echo $basearm
+ # repoarm=$(get_manifest_sha "$repo:latest" "arm")
+ # echo $repoarm
+ echo "arm64"
+ basearm64=$(get_variant_sha "$base" "latest" "arm64")
+ echo $basearm64
+ # repoarm64=$(get_manifest_sha "$repo:latest" "arm64")
+ # echo $repoarm64
+ echo "change"
+ flag=true #$(compare_sha "$baseamd64" "$repoamd64" "$basearm" "$repoarm" "$basearm64" "$repoarm64")
+ echo $flag
+ if [[ $flag == true ]]; then
+ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+ build_image "$base:latest" amd64 $repo
+ build_image "$base:latest" arm $repo
+ build_image "$base:latest" arm64 $repo
+ deploy_image $repo arm
+ deploy_image $repo amd64
+ deploy_image $repo arm64
+ sudo npm install -g @treehouses/cli
+ export gitter_channel="${{ secrets.CHANNEL }}"
+ echo "tags"
+ tag="$(date +%Y%m%d%H%M)"
+ echo $tag
+ docker manifest create $repo:$tag $repo-tags:amd64 $repo-tags:arm $repo-tags:arm64
+ docker manifest annotate $repo:$tag $repo-tags:amd64 --arch amd64
+ docker manifest annotate $repo:$tag $repo-tags:arm64 --arch arm64
+ docker manifest annotate $repo:$tag $repo-tags:arm --arch arm
+ docker manifest inspect $repo:$tag
+ docker manifest push $repo:$tag
+ tag2="latest"
+ echo $tag2
+ docker manifest create $repo:$tag2 $repo-tags:amd64 $repo-tags:arm $repo-tags:arm64
+ docker manifest annotate $repo:$tag2 $repo-tags:amd64 --arch amd64
+ docker manifest annotate $repo:$tag2 $repo-tags:arm64 --arch arm64
+ docker manifest annotate $repo:$tag2 $repo-tags:arm --arch arm
+ docker manifest inspect $repo:$tag2
+ docker manifest push $repo:$tag2
+ echo "https://hub.docker.com/r/treehouses/php/tags"
+ treehouses feedback "new treehouses/php check https://hub.docker.com/r/treehouses/php/tags"
+ else
+ echo "no changes"
+ fi
From ca6e4fe7ff789d686f6022110d162c3ea6c18f56 Mon Sep 17 00:00:00 2001
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:28:17 -0700
Subject: [PATCH 04/23] Create Dockerfile.template
---
Dockerfile.template | 185 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 185 insertions(+)
create mode 100644 Dockerfile.template
diff --git a/Dockerfile.template b/Dockerfile.template
new file mode 100644
index 0000000..5ebe2da
--- /dev/null
+++ b/Dockerfile.template
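Review bot: `docker run --rm --privileged multiarch/qemu-user-static --reset -p yes` runs an untagged third-party image with full privileges on the runner, in a job that has already executed `docker login`; php.yml contains the same line. Because the reference floats, whatever is published under that name at run time executes next to the registry credentials and the images about to be pushed. Pin the image by digest, e.g. `multiarch/qemu-user-static@sha256:<digest>` (placeholder), and give `sudo npm install -g @treehouses/cli` an explicit version for the same reason. `actions/checkout@v2` could likewise be pinned to a commit SHA.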
@@ -0,0 +1,185 @@ +FROM {{base_image}} + +# dependencies required for running "phpize" +# these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) +ENV PHPIZE_DEPS \ + autoconf \ + dpkg-dev dpkg \ + file \ + g++ \ + gcc \ + libc-dev \ + make \ + pkgconf \ + re2c + +# persistent / runtime deps +RUN apk add --no-cache \ + ca-certificates \ + curl \ + tar \ + xz \ +# https://github.com/docker-library/php/issues/494 + openssl + +# ensure www-data user exists +RUN set -eux; \ + adduser -u 82 -D -S -G www-data www-data +# 82 is the standard uid/gid for "www-data" in Alpine +# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.14-stable + +ENV PHP_INI_DIR /usr/local/etc/php +RUN set -eux; \ + mkdir -p "$PHP_INI_DIR/conf.d"; \ +# allow running as an arbitrary user (https://github.com/docker-library/php/issues/743) + [ ! 
-d /var/www/html ]; \ + mkdir -p /var/www/html; \ + chown www-data:www-data /var/www/html; \ + chmod 777 /var/www/html + +# Apply stack smash protection to functions using local buffers and alloca() +# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) +# Enable optimization (-O2) +# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default) +# https://github.com/docker-library/php/issues/272 +# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php) +ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" +ENV PHP_CPPFLAGS="$PHP_CFLAGS" +ENV PHP_LDFLAGS="-Wl,-O1 -pie" + +ENV GPG_KEYS 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312 + +ENV PHP_VERSION 7.4.21 +ENV PHP_URL="https://www.php.net/distributions/php-7.4.21.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.21.tar.xz.asc" +ENV PHP_SHA256="cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90" + +RUN set -eux; \ + \ + apk add --no-cache --virtual .fetch-deps gnupg; \ + \ + mkdir -p /usr/src; \ + cd /usr/src; \ + \ + curl -fsSL -o php.tar.xz "$PHP_URL"; \ + \ + if [ -n "$PHP_SHA256" ]; then \ + echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; \ + fi; \ + \ + if [ -n "$PHP_ASC_URL" ]; then \ + curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + for key in $GPG_KEYS; do \ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + done; \ + gpg --batch --verify php.tar.xz.asc php.tar.xz; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + fi; \ + \ + apk del --no-network .fetch-deps + +COPY docker-php-source /usr/local/bin/ + +RUN set -eux; \ + apk add --no-cache --virtual .build-deps \ + $PHPIZE_DEPS \ + argon2-dev \ + coreutils \ + curl-dev \ + libedit-dev \ + libsodium-dev \ + libxml2-dev \ + 
linux-headers \ + oniguruma-dev \ + openssl-dev \ + sqlite-dev \ + ; \ + \ + export CFLAGS="$PHP_CFLAGS" \ + CPPFLAGS="$PHP_CPPFLAGS" \ + LDFLAGS="$PHP_LDFLAGS" \ + ; \ + docker-php-source extract; \ + cd /usr/src/php; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --build="$gnuArch" \ + --with-config-file-path="$PHP_INI_DIR" \ + --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \ + \ +# make sure invalid --configure-flags are fatal errors instead of just warnings + --enable-option-checking=fatal \ + \ +# https://github.com/docker-library/php/issues/439 + --with-mhash \ + \ +# https://github.com/docker-library/php/issues/822 + --with-pic \ + \ +# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) + --enable-ftp \ +# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) + --enable-mbstring \ +# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) + --enable-mysqlnd \ +# https://wiki.php.net/rfc/argon2_password_hash (7.2+) + --with-password-argon2 \ +# https://wiki.php.net/rfc/libsodium + --with-sodium=shared \ +# always build against system sqlite3 (https://github.com/php/php-src/commit/6083a387a81dbbd66d6316a3a12a63f06d5f7109) + --with-pdo-sqlite=/usr \ + --with-sqlite3=/usr \ + \ + --with-curl \ + --with-libedit \ + --with-openssl \ + --with-zlib \ + \ +# in PHP 7.4+, the pecl/pear installers are officially deprecated (requiring an explicit "--with-pear") + --with-pear \ + \ +# bundled pcre does not support JIT on s390x +# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT + $(test "$gnuArch" = 's390x-linux-musl' && echo '--without-pcre-jit') \ + \ + 
${PHP_EXTRA_CONFIGURE_ARGS:-} \ + ; \ + make -j "$(nproc)"; \ + find -type f -name '*.a' -delete; \ + make install; \ + find /usr/local/bin /usr/local/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; \ + make clean; \ + \ +# https://github.com/docker-library/php/issues/692 (copy default example "php.ini" files somewhere easily discoverable) + cp -v php.ini-* "$PHP_INI_DIR/"; \ + \ + cd /; \ + docker-php-source delete; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-cache $runDeps; \ + \ + apk del --no-network .build-deps; \ + \ +# update pecl channel definitions https://github.com/docker-library/php/issues/443 + pecl update-channels; \ + rm -rf /tmp/pear ~/.pearrc; \ + \ +# smoke test + php --version + +COPY docker-php-ext-* docker-php-entrypoint /usr/local/bin/ + +# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598) +RUN docker-php-ext-enable sodium + +ENTRYPOINT ["docker-php-entrypoint"] +CMD ["php", "-a"] From a033f21439920dbc4c38f7bb7402cb9580d9a370 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Wed, 21 Jul 2021 18:30:03 -0700 Subject: [PATCH 05/23] Create docker-php-entrypoint --- docker-php-entrypoint | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 docker-php-entrypoint diff --git a/docker-php-entrypoint b/docker-php-entrypoint new file mode 100644 index 0000000..88a016c --- /dev/null +++ b/docker-php-entrypoint @@ -0,0 +1,9 @@ +#!/bin/sh +set -e + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- php "$@" +fi + +exec "$@" From f5df54eddaab1a00c095ac3dbe00093b1b2b05cf Mon Sep 17 00:00:00 2001 
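Review bot: `chmod 777 /var/www/html` leaves the document root writable and deletable by every user in the container, and the template sets no `USER`, so `docker-php-entrypoint` and the default `php -a` start as root. If the arbitrary-UID use case from the linked issue has to stay, `chmod 1777 /var/www/html` keeps it while preventing one user from removing another user's files. Images built from this template should switch to `www-data` (or another non-root UID) once their extension installs are done; a short comment above `ENTRYPOINT` saying so would help.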
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:30:24 -0700
Subject: [PATCH 06/23] Create docker-php-ext-configure
---
docker-php-ext-configure | 69 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 docker-php-ext-configure
diff --git a/docker-php-ext-configure b/docker-php-ext-configure
new file mode 100644
index 0000000..34fc133
--- /dev/null
+++ b/docker-php-ext-configure
@@ -0,0 +1,69 @@
+#!/bin/sh
+set -e
+
+# prefer user supplied CFLAGS, but default to our PHP_CFLAGS
+: ${CFLAGS:=$PHP_CFLAGS}
+: ${CPPFLAGS:=$PHP_CPPFLAGS}
+: ${LDFLAGS:=$PHP_LDFLAGS}
+export CFLAGS CPPFLAGS LDFLAGS
+
+srcExists=
+if [ -d /usr/src/php ]; then
+ srcExists=1
+fi
+docker-php-source extract
+if [ -z "$srcExists" ]; then
+ touch /usr/src/php/.docker-delete-me
+fi
+
+cd /usr/src/php/ext
+
+usage() {
+ echo "usage: $0 ext-name [configure flags]"
+ echo " ie: $0 gd --with-jpeg-dir=/usr/local/something"
+ echo
+ echo 'Possible values for ext-name:'
+ find . \
+ -mindepth 2 \
+ -maxdepth 2 \
+ -type f \
+ -name 'config.m4' \
+ | xargs -n1 dirname \
+ | xargs -n1 basename \
+ | sort \
+ | xargs
+ echo
+ echo 'Some of the above modules are already compiled into PHP; please check'
+ echo 'the output of "php -i" to see which modules are already loaded.'
+}
+
+ext="$1"
+if [ -z "$ext" ] || [ ! -d "$ext" ]; then
+ usage >&2
+ exit 1
+fi
+shift
+
+pm='unknown'
+if [ -e /lib/apk/db/installed ]; then
+ pm='apk'
+fi
+
+if [ "$pm" = 'apk' ]; then
+ if \
+ [ -n "$PHPIZE_DEPS" ] \
+ && ! apk info --installed .phpize-deps > /dev/null \
+ && ! apk info --installed .phpize-deps-configure > /dev/null \
+ ; then
+ apk add --no-cache --virtual .phpize-deps-configure $PHPIZE_DEPS
+ fi
+fi
+
+if command -v dpkg-architecture > /dev/null; then
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"
+ set -- --build="$gnuArch" "$@"
+fi
+
+cd "$ext"
+phpize
+./configure --enable-option-checking=fatal "$@"
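Review bot: The `apk add --no-cache --virtual .phpize-deps-configure $PHPIZE_DEPS` call near the end has no matching removal in this script, so a Dockerfile that runs only `docker-php-ext-configure` keeps the compiler toolchain in its layer. Cleanup appears to be delegated to `docker-php-ext-install` (added in patch 08), which deletes that virtual package when it finds it installed. That contract is worth stating next to the `apk add`: `# intentionally left installed; docker-php-ext-install removes .phpize-deps-configure after building`. The same applies to the `.docker-delete-me` marker created after `docker-php-source extract`.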
From ced8efb70251c476f2adf2625e6fa927cba5aa89 Mon Sep 17 00:00:00 2001
From: Derek Yeh
Date: Wed, 21 Jul 2021 18:31:05 -0700
Subject: [PATCH 07/23] Create docker-php-ext-enable
---
docker-php-ext-enable | 121 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 121 insertions(+)
create mode 100644 docker-php-ext-enable
diff --git a/docker-php-ext-enable b/docker-php-ext-enable
new file mode 100644
index 0000000..41d20bb
--- /dev/null
+++ b/docker-php-ext-enable
@@ -0,0 +1,121 @@ +#!/bin/sh +set -e + +extDir="$(php -d 'display_errors=stderr' -r 'echo ini_get("extension_dir");')" +cd "$extDir" + +usage() { + echo "usage: $0 [options] module-name [module-name ...]" + echo " ie: $0 gd mysqli" + echo " $0 pdo pdo_mysql" + echo " $0 --ini-name 0-apc.ini apcu apc" + echo + echo 'Possible values for module-name:' + find -maxdepth 1 \ + -type f \ + -name '*.so' \ + -exec basename '{}' ';' \ + | sort \ + | xargs + echo + echo 'Some of the above modules are already compiled into PHP; please check' + echo 'the output of "php -i" to see which modules are already loaded.' +} + +opts="$(getopt -o 'h?' --long 'help,ini-name:' -- "$@" || { usage >&2 && false; })" +eval set -- "$opts" + +iniName= +while true; do + flag="$1" + shift + case "$flag" in + --help|-h|'-?') usage && exit 0 ;; + --ini-name) iniName="$1" && shift ;; + --) break ;; + *) + { + echo "error: unknown flag: $flag" + usage + } >&2 + exit 1 + ;; + esac +done + +modules= +for module; do + if [ -z "$module" ]; then + continue + fi + if ! [ -f "$module" ] && ! [ -f "$module.so" ]; then + echo >&2 "error: '$module' does not exist" + echo >&2 + usage >&2 + exit 1 + fi + modules="$modules $module" +done + +if [ -z "$modules" ]; then + usage >&2 + exit 1 +fi + +pm='unknown' +if [ -e /lib/apk/db/installed ]; then + pm='apk' +fi + +apkDel= +if [ "$pm" = 'apk' ]; then + if \ + [ -n "$PHPIZE_DEPS" ] \ + && ! apk info --installed .phpize-deps > /dev/null \ + && ! apk info --installed .phpize-deps-configure > /dev/null \ + ; then + apk add --no-cache --virtual '.docker-php-ext-enable-deps' binutils + apkDel='.docker-php-ext-enable-deps' + fi +fi + +for module in $modules; do + moduleFile="$module" + if [ -f "$module.so" ] && ! 
[ -f "$module" ]; then + moduleFile="$module.so" + fi + if readelf --wide --syms "$moduleFile" | grep -q ' zend_extension_entry$'; then + # https://wiki.php.net/internals/extensions#loading_zend_extensions + line="zend_extension=$module" + else + line="extension=$module" + fi + + ext="$(basename "$module")" + ext="${ext%.*}" + if php -d 'display_errors=stderr' -r 'exit(extension_loaded("'"$ext"'") ? 0 : 1);'; then + # this isn't perfect, but it's better than nothing + # (for example, 'opcache.so' presents inside PHP as 'Zend OPcache', not 'opcache') + echo >&2 + echo >&2 "warning: $ext ($module) is already loaded!" + echo >&2 + continue + fi + + case "$iniName" in + /*) + # allow an absolute path + ini="$iniName" + ;; + *) + ini="$PHP_INI_DIR/conf.d/${iniName:-"docker-php-ext-$ext.ini"}" + ;; + esac + if ! grep -qFx -e "$line" -e "$line.so" "$ini" 2>/dev/null; then + echo "$line" >> "$ini" + fi +done + +if [ "$pm" = 'apk' ] && [ -n "$apkDel" ]; then + apk del --no-network $apkDel +fi From f3e8832a644a0da79d848693f1623d3f8ac45415 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Wed, 21 Jul 2021 18:31:40 -0700 Subject: [PATCH 08/23] Create docker-php-ext-install --- docker-php-ext-install | 124 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 docker-php-ext-install diff --git a/docker-php-ext-install b/docker-php-ext-install new file mode 100644 index 0000000..f377be4 --- /dev/null +++ b/docker-php-ext-install 
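Review bot: In the `extension_loaded` check the module name is spliced into the PHP source handed to `php -r`, so a name containing a quote or backslash changes the code that runs instead of being treated as data. The name does have to match a file in the extension directory before this point, so this is hardening rather than an open hole. Passing it as an argument avoids the quoting entirely: `php -d 'display_errors=stderr' -r 'exit(extension_loaded($argv[1]) ? 0 : 1);' -- "$ext"`.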
@@ -0,0 +1,124 @@ +#!/bin/sh +set -e + +# prefer user supplied CFLAGS, but default to our PHP_CFLAGS +: ${CFLAGS:=$PHP_CFLAGS} +: ${CPPFLAGS:=$PHP_CPPFLAGS} +: ${LDFLAGS:=$PHP_LDFLAGS} +export CFLAGS CPPFLAGS LDFLAGS + +srcExists= +if [ -d /usr/src/php ]; then + srcExists=1 +fi +docker-php-source extract +if [ -z "$srcExists" ]; then + touch /usr/src/php/.docker-delete-me +fi + +cd /usr/src/php/ext + +usage() { + echo "usage: $0 [-jN] [--ini-name file.ini] ext-name [ext-name ...]" + echo " ie: $0 gd mysqli" + echo " $0 pdo pdo_mysql" + echo " $0 -j5 gd mbstring mysqli pdo pdo_mysql shmop" + echo + echo 'if custom ./configure arguments are necessary, see docker-php-ext-configure' + echo + echo 'Possible values for ext-name:' + find . \ + -mindepth 2 \ + -maxdepth 2 \ + -type f \ + -name 'config.m4' \ + | xargs -n1 dirname \ + | xargs -n1 basename \ + | sort \ + | xargs + echo + echo 'Some of the above modules are already compiled into PHP; please check' + echo 'the output of "php -i" to see which modules are already loaded.' +} + +opts="$(getopt -o 'h?j:' --long 'help,ini-name:,jobs:' -- "$@" || { usage >&2 && false; })" +eval set -- "$opts" + +j=1 +iniName= +while true; do + flag="$1" + shift + case "$flag" in + --help|-h|'-?') usage && exit 0 ;; + --ini-name) iniName="$1" && shift ;; + --jobs|-j) j="$1" && shift ;; + --) break ;; + *) + { + echo "error: unknown flag: $flag" + usage + } >&2 + exit 1 + ;; + esac +done + +exts= +for ext; do + if [ -z "$ext" ]; then + continue + fi + if [ ! -d "$ext" ]; then + echo >&2 "error: $PWD/$ext does not exist" + echo >&2 + usage >&2 + exit 1 + fi + exts="$exts $ext" +done + +if [ -z "$exts" ]; then + usage >&2 + exit 1 +fi + +pm='unknown' +if [ -e /lib/apk/db/installed ]; then + pm='apk' +fi + +apkDel= +if [ "$pm" = 'apk' ]; then + if [ -n "$PHPIZE_DEPS" ]; then + if apk info --installed .phpize-deps-configure > /dev/null; then + apkDel='.phpize-deps-configure' + elif ! 
apk info --installed .phpize-deps > /dev/null; then + apk add --no-cache --virtual .phpize-deps $PHPIZE_DEPS + apkDel='.phpize-deps' + fi + fi +fi + +popDir="$PWD" +for ext in $exts; do + cd "$ext" + [ -e Makefile ] || docker-php-ext-configure "$ext" + make -j"$j" + make -j"$j" install + find modules \ + -maxdepth 1 \ + -name '*.so' \ + -exec basename '{}' ';' \ + | xargs -r docker-php-ext-enable ${iniName:+--ini-name "$iniName"} + make -j"$j" clean + cd "$popDir" +done + +if [ "$pm" = 'apk' ] && [ -n "$apkDel" ]; then + apk del --no-network $apkDel +fi + +if [ -e /usr/src/php/.docker-delete-me ]; then + docker-php-source delete +fi From 3b57cb231063bd43715130d4b7b28df380403fb0 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Wed, 21 Jul 2021 18:32:00 -0700 Subject: [PATCH 09/23] Create docker-php-source --- docker-php-source | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docker-php-source diff --git a/docker-php-source b/docker-php-source new file mode 100644 index 0000000..9033d24 --- /dev/null +++ b/docker-php-source @@ -0,0 +1,34 @@ +#!/bin/sh +set -e + +dir=/usr/src/php + +usage() { + echo "usage: $0 COMMAND" + echo + echo "Manage php source tarball lifecycle." + echo + echo "Commands:" + echo " extract extract php source tarball into directory $dir if not already done." + echo " delete delete extracted php source located into $dir if not already done." + echo +} + +case "$1" in + extract) + mkdir -p "$dir" + if [ ! -f "$dir/.docker-extracted" ]; then + tar -Jxf /usr/src/php.tar.xz -C "$dir" --strip-components=1 + touch "$dir/.docker-extracted" + fi + ;; + + delete) + rm -rf "$dir" + ;; + + *) + usage + exit 1 + ;; +esac From cfbae00d23ab213863d78114e9add2ace1d8451d Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Wed, 21 Jul 2021 18:39:07 -0700 Subject: [PATCH 10/23] Update Dockerfile.template --- Dockerfile.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile.template b/Dockerfile.template index 5ebe2da..81bfdb7 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -1,4 +1,4 @@ -FROM {{base_image}} +FROM alpine:3.14 # dependencies required for running "phpize" # these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) From 488afb4bc3e65cdf35c2b34ee6ab47cf8a125bad Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Wed, 21 Jul 2021 19:10:05 -0700 Subject: [PATCH 11/23] Update Dockerfile.template --- Dockerfile.template | 186 +------------------------------------------- 1 file changed, 2 insertions(+), 184 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 81bfdb7..835469e 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
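Review bot: Hard-coding `FROM alpine:3.14` removes the `{{base_image}}` placeholder that `build_image` in utils.sh fills with `$repo@$sha`, so the `sed` there becomes a no-op and every architecture builds from a mutable tag instead of the digest the workflow resolved. The change detection in php.yml would also be comparing digests of a base image that is no longer the one used. If Alpine 3.14 is the intended base, keep the placeholder and change `base` in the workflow, or pin here with `FROM alpine:3.14@sha256:<digest>` (placeholder).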
@@ -1,185 +1,3 @@ -FROM alpine:3.14 +FROM {{base_image}} -# dependencies required for running "phpize" -# these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) -ENV PHPIZE_DEPS \ - autoconf \ - dpkg-dev dpkg \ - file \ - g++ \ - gcc \ - libc-dev \ - make \ - pkgconf \ - re2c - -# persistent / runtime deps -RUN apk add --no-cache \ - ca-certificates \ - curl \ - tar \ - xz \ -# https://github.com/docker-library/php/issues/494 - openssl - -# ensure www-data user exists -RUN set -eux; \ - adduser -u 82 -D -S -G www-data www-data -# 82 is the standard uid/gid for "www-data" in Alpine -# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable -# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.14-stable -# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.14-stable - -ENV PHP_INI_DIR /usr/local/etc/php -RUN set -eux; \ - mkdir -p "$PHP_INI_DIR/conf.d"; \ -# allow running as an arbitrary user (https://github.com/docker-library/php/issues/743) - [ ! 
-d /var/www/html ]; \ - mkdir -p /var/www/html; \ - chown www-data:www-data /var/www/html; \ - chmod 777 /var/www/html - -# Apply stack smash protection to functions using local buffers and alloca() -# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) -# Enable optimization (-O2) -# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default) -# https://github.com/docker-library/php/issues/272 -# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php) -ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" -ENV PHP_CPPFLAGS="$PHP_CFLAGS" -ENV PHP_LDFLAGS="-Wl,-O1 -pie" - -ENV GPG_KEYS 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312 - -ENV PHP_VERSION 7.4.21 -ENV PHP_URL="https://www.php.net/distributions/php-7.4.21.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.21.tar.xz.asc" -ENV PHP_SHA256="cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90" - -RUN set -eux; \ - \ - apk add --no-cache --virtual .fetch-deps gnupg; \ - \ - mkdir -p /usr/src; \ - cd /usr/src; \ - \ - curl -fsSL -o php.tar.xz "$PHP_URL"; \ - \ - if [ -n "$PHP_SHA256" ]; then \ - echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; \ - fi; \ - \ - if [ -n "$PHP_ASC_URL" ]; then \ - curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - gpg --batch --verify php.tar.xz.asc php.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME"; \ - fi; \ - \ - apk del --no-network .fetch-deps - -COPY docker-php-source /usr/local/bin/ - -RUN set -eux; \ - apk add --no-cache --virtual .build-deps \ - $PHPIZE_DEPS \ - argon2-dev \ - coreutils \ - curl-dev \ - libedit-dev \ - libsodium-dev \ - libxml2-dev \ - 
linux-headers \ - oniguruma-dev \ - openssl-dev \ - sqlite-dev \ - ; \ - \ - export CFLAGS="$PHP_CFLAGS" \ - CPPFLAGS="$PHP_CPPFLAGS" \ - LDFLAGS="$PHP_LDFLAGS" \ - ; \ - docker-php-source extract; \ - cd /usr/src/php; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ - ./configure \ - --build="$gnuArch" \ - --with-config-file-path="$PHP_INI_DIR" \ - --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \ - \ -# make sure invalid --configure-flags are fatal errors instead of just warnings - --enable-option-checking=fatal \ - \ -# https://github.com/docker-library/php/issues/439 - --with-mhash \ - \ -# https://github.com/docker-library/php/issues/822 - --with-pic \ - \ -# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) - --enable-ftp \ -# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) - --enable-mbstring \ -# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) - --enable-mysqlnd \ -# https://wiki.php.net/rfc/argon2_password_hash (7.2+) - --with-password-argon2 \ -# https://wiki.php.net/rfc/libsodium - --with-sodium=shared \ -# always build against system sqlite3 (https://github.com/php/php-src/commit/6083a387a81dbbd66d6316a3a12a63f06d5f7109) - --with-pdo-sqlite=/usr \ - --with-sqlite3=/usr \ - \ - --with-curl \ - --with-libedit \ - --with-openssl \ - --with-zlib \ - \ -# in PHP 7.4+, the pecl/pear installers are officially deprecated (requiring an explicit "--with-pear") - --with-pear \ - \ -# bundled pcre does not support JIT on s390x -# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT - $(test "$gnuArch" = 's390x-linux-musl' && echo '--without-pcre-jit') \ - \ - 
${PHP_EXTRA_CONFIGURE_ARGS:-} \ - ; \ - make -j "$(nproc)"; \ - find -type f -name '*.a' -delete; \ - make install; \ - find /usr/local/bin /usr/local/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; \ - make clean; \ - \ -# https://github.com/docker-library/php/issues/692 (copy default example "php.ini" files somewhere easily discoverable) - cp -v php.ini-* "$PHP_INI_DIR/"; \ - \ - cd /; \ - docker-php-source delete; \ - \ - runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - )"; \ - apk add --no-cache $runDeps; \ - \ - apk del --no-network .build-deps; \ - \ -# update pecl channel definitions https://github.com/docker-library/php/issues/443 - pecl update-channels; \ - rm -rf /tmp/pear ~/.pearrc; \ - \ -# smoke test - php --version - -COPY docker-php-ext-* docker-php-entrypoint /usr/local/bin/ - -# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598) -RUN docker-php-ext-enable sodium - -ENTRYPOINT ["docker-php-entrypoint"] -CMD ["php", "-a"] +RUN apk add --no-cache php7 From a3a87e54ba14423ff323733023b8de90fdd0e4e3 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Thu, 22 Jul 2021 22:58:45 -0700 Subject: [PATCH 12/23] Update Dockerfile.template --- Dockerfile.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile.template b/Dockerfile.template index 835469e..76939d8 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -1,3 +1,5 @@ FROM {{base_image}} RUN apk add --no-cache php7 + +COPY docker-php-* /usr/local/bin/ From a97bd469e6481e311125216aa416d4837fc257cd Mon Sep 17 00:00:00 2001 
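Review bot: `RUN apk add --no-cache php7` takes whichever `php7` build the Alpine repository serves at build time, whereas the lines it replaces fixed `PHP_VERSION` and checked the tarball's SHA-256 and signature. Rebuilds from the same base digest can therefore produce different PHP versions without any change in this repository. Pin the package, e.g. `RUN apk add --no-cache php7=<version>` (placeholder for the release you validated). Note also that `ENTRYPOINT` and `CMD` are gone, so the container now starts with whatever the base image defines.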
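Review bot: `COPY docker-php-* /usr/local/bin/` installs helper scripts whose preconditions no longer exist in this template: `docker-php-source` unpacks `/usr/src/php.tar.xz`, and `docker-php-ext-enable` writes under `$PHP_INI_DIR/conf.d`, but after the previous commit the template neither downloads the tarball nor sets `PHP_INI_DIR` or `PHPIZE_DEPS`. Unless the base image provides them, the ini path collapses to `/conf.d/...` and the `[ -n "$PHPIZE_DEPS" ]` guards skip installing the build tools. `docker-php-entrypoint` is copied as well, but nothing sets it as `ENTRYPOINT`. Either drop the `COPY`, or restore the `ENV` lines and `ENTRYPOINT ["docker-php-entrypoint"]` that the scripts expect.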
From: Derek Yeh
Date: Thu, 22 Jul 2021 23:19:11 -0700
Subject: [PATCH 13/23] Update and rename Dockerfile.template to Dockerfile
---
Dockerfile | 185 ++++++++++++++++++++++++++++++++++++++++++++
Dockerfile.template | 5 --
2 files changed, 185 insertions(+), 5 deletions(-)
create mode 100644 Dockerfile
delete mode 100644 Dockerfile.template
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..81bfdb7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,185 @@ +FROM alpine:3.14 + +# dependencies required for running "phpize" +# these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) +ENV PHPIZE_DEPS \ + autoconf \ + dpkg-dev dpkg \ + file \ + g++ \ + gcc \ + libc-dev \ + make \ + pkgconf \ + re2c + +# persistent / runtime deps +RUN apk add --no-cache \ + ca-certificates \ + curl \ + tar \ + xz \ +# https://github.com/docker-library/php/issues/494 + openssl + +# ensure www-data user exists +RUN set -eux; \ + adduser -u 82 -D -S -G www-data www-data +# 82 is the standard uid/gid for "www-data" in Alpine +# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.14-stable + +ENV PHP_INI_DIR /usr/local/etc/php +RUN set -eux; \ + mkdir -p "$PHP_INI_DIR/conf.d"; \ +# allow running as an arbitrary user (https://github.com/docker-library/php/issues/743) + [ ! 
-d /var/www/html ]; \ + mkdir -p /var/www/html; \ + chown www-data:www-data /var/www/html; \ + chmod 777 /var/www/html + +# Apply stack smash protection to functions using local buffers and alloca() +# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) +# Enable optimization (-O2) +# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default) +# https://github.com/docker-library/php/issues/272 +# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php) +ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" +ENV PHP_CPPFLAGS="$PHP_CFLAGS" +ENV PHP_LDFLAGS="-Wl,-O1 -pie" + +ENV GPG_KEYS 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312 + +ENV PHP_VERSION 7.4.21 +ENV PHP_URL="https://www.php.net/distributions/php-7.4.21.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.21.tar.xz.asc" +ENV PHP_SHA256="cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90" + +RUN set -eux; \ + \ + apk add --no-cache --virtual .fetch-deps gnupg; \ + \ + mkdir -p /usr/src; \ + cd /usr/src; \ + \ + curl -fsSL -o php.tar.xz "$PHP_URL"; \ + \ + if [ -n "$PHP_SHA256" ]; then \ + echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; \ + fi; \ + \ + if [ -n "$PHP_ASC_URL" ]; then \ + curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + for key in $GPG_KEYS; do \ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + done; \ + gpg --batch --verify php.tar.xz.asc php.tar.xz; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + fi; \ + \ + apk del --no-network .fetch-deps + +COPY docker-php-source /usr/local/bin/ + +RUN set -eux; \ + apk add --no-cache --virtual .build-deps \ + $PHPIZE_DEPS \ + argon2-dev \ + coreutils \ + curl-dev \ + libedit-dev \ + libsodium-dev \ + libxml2-dev \ + 
linux-headers \ + oniguruma-dev \ + openssl-dev \ + sqlite-dev \ + ; \ + \ + export CFLAGS="$PHP_CFLAGS" \ + CPPFLAGS="$PHP_CPPFLAGS" \ + LDFLAGS="$PHP_LDFLAGS" \ + ; \ + docker-php-source extract; \ + cd /usr/src/php; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --build="$gnuArch" \ + --with-config-file-path="$PHP_INI_DIR" \ + --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \ + \ +# make sure invalid --configure-flags are fatal errors instead of just warnings + --enable-option-checking=fatal \ + \ +# https://github.com/docker-library/php/issues/439 + --with-mhash \ + \ +# https://github.com/docker-library/php/issues/822 + --with-pic \ + \ +# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) + --enable-ftp \ +# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) + --enable-mbstring \ +# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) + --enable-mysqlnd \ +# https://wiki.php.net/rfc/argon2_password_hash (7.2+) + --with-password-argon2 \ +# https://wiki.php.net/rfc/libsodium + --with-sodium=shared \ +# always build against system sqlite3 (https://github.com/php/php-src/commit/6083a387a81dbbd66d6316a3a12a63f06d5f7109) + --with-pdo-sqlite=/usr \ + --with-sqlite3=/usr \ + \ + --with-curl \ + --with-libedit \ + --with-openssl \ + --with-zlib \ + \ +# in PHP 7.4+, the pecl/pear installers are officially deprecated (requiring an explicit "--with-pear") + --with-pear \ + \ +# bundled pcre does not support JIT on s390x +# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT + $(test "$gnuArch" = 's390x-linux-musl' && echo '--without-pcre-jit') \ + \ + 
${PHP_EXTRA_CONFIGURE_ARGS:-} \ + ; \ + make -j "$(nproc)"; \ + find -type f -name '*.a' -delete; \ + make install; \ + find /usr/local/bin /usr/local/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; \ + make clean; \ + \ +# https://github.com/docker-library/php/issues/692 (copy default example "php.ini" files somewhere easily discoverable) + cp -v php.ini-* "$PHP_INI_DIR/"; \ + \ + cd /; \ + docker-php-source delete; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-cache $runDeps; \ + \ + apk del --no-network .build-deps; \ + \ +# update pecl channel definitions https://github.com/docker-library/php/issues/443 + pecl update-channels; \ + rm -rf /tmp/pear ~/.pearrc; \ + \ +# smoke test + php --version + +COPY docker-php-ext-* docker-php-entrypoint /usr/local/bin/ + +# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598) +RUN docker-php-ext-enable sodium + +ENTRYPOINT ["docker-php-entrypoint"] +CMD ["php", "-a"] diff --git a/Dockerfile.template b/Dockerfile.template deleted file mode 100644 index 76939d8..0000000 --- a/Dockerfile.template +++ /dev/null @@ -1,5 +0,0 @@ -FROM {{base_image}} - -RUN apk add --no-cache php7 - -COPY docker-php-* /usr/local/bin/ From fa692dbbc520beadb62b23ff72150a62f3457a59 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Thu, 22 Jul 2021 23:27:09 -0700 Subject: [PATCH 14/23] Rename Dockerfile to Dockerfile.template --- Dockerfile => Dockerfile.template | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Dockerfile => Dockerfile.template (100%) diff --git a/Dockerfile b/Dockerfile.template similarity index 100% rename from Dockerfile rename to Dockerfile.template From 22e157475337201ebac1a5024108b66f85fa4afe Mon Sep 17 00:00:00 2001 
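Review bot: `chmod 777 /var/www/html` in the RUN step after `ENV PHP_INI_DIR` leaves the document root world-writable without the sticky bit, so any uid in the container can delete or rename files that another uid created there. The comment above it says the goal is to allow running as an arbitrary user, which `chmod 1777 /var/www/html` still achieves while limiting removal to the file's owner. Separately, the file creates `www-data` (uid 82) but has no `USER` instruction, so `docker-php-entrypoint` and the default `php -a` run as root unless the caller overrides the user. If that is intentional, a comment next to `ENTRYPOINT` should say so. The same lines return in the Dockerfile.template hunk of PATCH 17/23.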
From: Derek Yeh Date: Fri, 23 Jul 2021 15:48:29 -0700 Subject: [PATCH 15/23] Update Dockerfile.template --- Dockerfile.template | 186 +------------------------------------------- 1 file changed, 3 insertions(+), 183 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 81bfdb7..76939d8 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -1,185 +1,5 @@ -FROM alpine:3.14 +FROM {{base_image}} -# dependencies required for running "phpize" -# these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) -ENV PHPIZE_DEPS \ - autoconf \ - dpkg-dev dpkg \ - file \ - g++ \ - gcc \ - libc-dev \ - make \ - pkgconf \ - re2c +RUN apk add --no-cache php7 -# persistent / runtime deps -RUN apk add --no-cache \ - ca-certificates \ - curl \ - tar \ - xz \ -# https://github.com/docker-library/php/issues/494 - openssl - -# ensure www-data user exists -RUN set -eux; \ - adduser -u 82 -D -S -G www-data www-data -# 82 is the standard uid/gid for "www-data" in Alpine -# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable -# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.14-stable -# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.14-stable - -ENV PHP_INI_DIR /usr/local/etc/php -RUN set -eux; \ - mkdir -p "$PHP_INI_DIR/conf.d"; \ -# allow running as an arbitrary user (https://github.com/docker-library/php/issues/743) - [ ! 
-d /var/www/html ]; \ - mkdir -p /var/www/html; \ - chown www-data:www-data /var/www/html; \ - chmod 777 /var/www/html - -# Apply stack smash protection to functions using local buffers and alloca() -# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) -# Enable optimization (-O2) -# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default) -# https://github.com/docker-library/php/issues/272 -# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php) -ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" -ENV PHP_CPPFLAGS="$PHP_CFLAGS" -ENV PHP_LDFLAGS="-Wl,-O1 -pie" - -ENV GPG_KEYS 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312 - -ENV PHP_VERSION 7.4.21 -ENV PHP_URL="https://www.php.net/distributions/php-7.4.21.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.21.tar.xz.asc" -ENV PHP_SHA256="cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90" - -RUN set -eux; \ - \ - apk add --no-cache --virtual .fetch-deps gnupg; \ - \ - mkdir -p /usr/src; \ - cd /usr/src; \ - \ - curl -fsSL -o php.tar.xz "$PHP_URL"; \ - \ - if [ -n "$PHP_SHA256" ]; then \ - echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; \ - fi; \ - \ - if [ -n "$PHP_ASC_URL" ]; then \ - curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - gpg --batch --verify php.tar.xz.asc php.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME"; \ - fi; \ - \ - apk del --no-network .fetch-deps - -COPY docker-php-source /usr/local/bin/ - -RUN set -eux; \ - apk add --no-cache --virtual .build-deps \ - $PHPIZE_DEPS \ - argon2-dev \ - coreutils \ - curl-dev \ - libedit-dev \ - libsodium-dev \ - libxml2-dev \ - 
linux-headers \ - oniguruma-dev \ - openssl-dev \ - sqlite-dev \ - ; \ - \ - export CFLAGS="$PHP_CFLAGS" \ - CPPFLAGS="$PHP_CPPFLAGS" \ - LDFLAGS="$PHP_LDFLAGS" \ - ; \ - docker-php-source extract; \ - cd /usr/src/php; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ - ./configure \ - --build="$gnuArch" \ - --with-config-file-path="$PHP_INI_DIR" \ - --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \ - \ -# make sure invalid --configure-flags are fatal errors instead of just warnings - --enable-option-checking=fatal \ - \ -# https://github.com/docker-library/php/issues/439 - --with-mhash \ - \ -# https://github.com/docker-library/php/issues/822 - --with-pic \ - \ -# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) - --enable-ftp \ -# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) - --enable-mbstring \ -# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) - --enable-mysqlnd \ -# https://wiki.php.net/rfc/argon2_password_hash (7.2+) - --with-password-argon2 \ -# https://wiki.php.net/rfc/libsodium - --with-sodium=shared \ -# always build against system sqlite3 (https://github.com/php/php-src/commit/6083a387a81dbbd66d6316a3a12a63f06d5f7109) - --with-pdo-sqlite=/usr \ - --with-sqlite3=/usr \ - \ - --with-curl \ - --with-libedit \ - --with-openssl \ - --with-zlib \ - \ -# in PHP 7.4+, the pecl/pear installers are officially deprecated (requiring an explicit "--with-pear") - --with-pear \ - \ -# bundled pcre does not support JIT on s390x -# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT - $(test "$gnuArch" = 's390x-linux-musl' && echo '--without-pcre-jit') \ - \ - 
${PHP_EXTRA_CONFIGURE_ARGS:-} \ - ; \ - make -j "$(nproc)"; \ - find -type f -name '*.a' -delete; \ - make install; \ - find /usr/local/bin /usr/local/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; \ - make clean; \ - \ -# https://github.com/docker-library/php/issues/692 (copy default example "php.ini" files somewhere easily discoverable) - cp -v php.ini-* "$PHP_INI_DIR/"; \ - \ - cd /; \ - docker-php-source delete; \ - \ - runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - )"; \ - apk add --no-cache $runDeps; \ - \ - apk del --no-network .build-deps; \ - \ -# update pecl channel definitions https://github.com/docker-library/php/issues/443 - pecl update-channels; \ - rm -rf /tmp/pear ~/.pearrc; \ - \ -# smoke test - php --version - -COPY docker-php-ext-* docker-php-entrypoint /usr/local/bin/ - -# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598) -RUN docker-php-ext-enable sodium - -ENTRYPOINT ["docker-php-entrypoint"] -CMD ["php", "-a"] +COPY docker-php-* /usr/local/bin/ From 83b2d258fe315c227ec55ed0bec9c16e62716290 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Fri, 23 Jul 2021 15:52:00 -0700 Subject: [PATCH 16/23] add x permission --- docker-php-entrypoint | 0 docker-php-ext-configure | 0 docker-php-ext-enable | 0 docker-php-ext-install | 0 docker-php-source | 0 5 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 docker-php-entrypoint mode change 100644 => 100755 docker-php-ext-configure mode change 100644 => 100755 docker-php-ext-enable mode change 100644 => 100755 docker-php-ext-install mode change 100644 => 100755 docker-php-source diff --git a/docker-php-entrypoint b/docker-php-entrypoint old mode 100644 new mode 100755 
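Review bot: The new side of the PATCH 15/23 hunk installs PHP with `RUN apk add --no-cache php7` and no version constraint, where the removed lines built 7.4.21 from a tarball checked against a fixed SHA-256 and a signature. The PHP version in the image now follows whatever the repositories configured in `{{base_image}}` serve at build time. Pinning the package, `RUN apk add --no-cache "php7=<pinned-version>"`, keeps rebuilds reproducible and makes a PHP upgrade a reviewed change. The hunk also drops `ENTRYPOINT` and `CMD` while still copying `docker-php-entrypoint`, so the container starts with the base image's default command. If that is not intended, keep `ENTRYPOINT ["docker-php-entrypoint"]`.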
diff --git a/docker-php-ext-configure b/docker-php-ext-configure old mode 100644 new mode 100755 diff --git a/docker-php-ext-enable b/docker-php-ext-enable old mode 100644 new mode 100755 diff --git a/docker-php-ext-install b/docker-php-ext-install old mode 100644 new mode 100755 diff --git a/docker-php-source b/docker-php-source old mode 100644 new mode 100755 From c155d261a2d26b15936e4bc35683c5928e644a96 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Fri, 23 Jul 2021 20:40:56 -0700 Subject: [PATCH 17/23] Update Dockerfile.template --- Dockerfile.template | 190 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 188 insertions(+), 2 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 76939d8..3c837cb 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -1,5 +1,191 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + FROM {{base_image}} -RUN apk add --no-cache php7 +# dependencies required for running "phpize" +# these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) +ENV PHPIZE_DEPS \ + autoconf \ + dpkg-dev dpkg \ + file \ + g++ \ + gcc \ + libc-dev \ + make \ + pkgconf \ + re2c + +# persistent / runtime deps +RUN apk add --no-cache \ + ca-certificates \ + curl \ + tar \ + xz \ +# https://github.com/docker-library/php/issues/494 + openssl + +# ensure www-data user exists +RUN set -eux; \ + adduser -u 82 -D -S -G www-data www-data +# 82 is the standard uid/gid for "www-data" in Alpine +# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.14-stable +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.14-stable + +ENV PHP_INI_DIR /usr/local/etc/php +RUN set -eux; \ + mkdir -p "$PHP_INI_DIR/conf.d"; \ +# allow running as an arbitrary user (https://github.com/docker-library/php/issues/743) + [ ! 
-d /var/www/html ]; \ + mkdir -p /var/www/html; \ + chown www-data:www-data /var/www/html; \ + chmod 777 /var/www/html + +# Apply stack smash protection to functions using local buffers and alloca() +# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) +# Enable optimization (-O2) +# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default) +# https://github.com/docker-library/php/issues/272 +# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php) +ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" +ENV PHP_CPPFLAGS="$PHP_CFLAGS" +ENV PHP_LDFLAGS="-Wl,-O1 -pie" + +ENV GPG_KEYS 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312 + +ENV PHP_VERSION 7.4.21 +ENV PHP_URL="https://www.php.net/distributions/php-7.4.21.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.21.tar.xz.asc" +ENV PHP_SHA256="cf43384a7806241bc2ff22022619baa4abb9710f12ec1656d0173de992e32a90" + +RUN set -eux; \ + \ + apk add --no-cache --virtual .fetch-deps gnupg; \ + \ + mkdir -p /usr/src; \ + cd /usr/src; \ + \ + curl -fsSL -o php.tar.xz "$PHP_URL"; \ + \ + if [ -n "$PHP_SHA256" ]; then \ + echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; \ + fi; \ + \ + if [ -n "$PHP_ASC_URL" ]; then \ + curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + for key in $GPG_KEYS; do \ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + done; \ + gpg --batch --verify php.tar.xz.asc php.tar.xz; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + fi; \ + \ + apk del --no-network .fetch-deps + +COPY docker-php-source /usr/local/bin/ + +RUN set -eux; \ + apk add --no-cache --virtual .build-deps \ + $PHPIZE_DEPS \ + argon2-dev \ + coreutils \ + curl-dev \ + libedit-dev \ + libsodium-dev \ + libxml2-dev \ + 
linux-headers \ + oniguruma-dev \ + openssl-dev \ + sqlite-dev \ + ; \ + \ + export CFLAGS="$PHP_CFLAGS" \ + CPPFLAGS="$PHP_CPPFLAGS" \ + LDFLAGS="$PHP_LDFLAGS" \ + ; \ + docker-php-source extract; \ + cd /usr/src/php; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --build="$gnuArch" \ + --with-config-file-path="$PHP_INI_DIR" \ + --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" \ + \ +# make sure invalid --configure-flags are fatal errors instead of just warnings + --enable-option-checking=fatal \ + \ +# https://github.com/docker-library/php/issues/439 + --with-mhash \ + \ +# https://github.com/docker-library/php/issues/822 + --with-pic \ + \ +# --enable-ftp is included here because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) + --enable-ftp \ +# --enable-mbstring is included here because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) + --enable-mbstring \ +# --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) + --enable-mysqlnd \ +# https://wiki.php.net/rfc/argon2_password_hash (7.2+) + --with-password-argon2 \ +# https://wiki.php.net/rfc/libsodium + --with-sodium=shared \ +# always build against system sqlite3 (https://github.com/php/php-src/commit/6083a387a81dbbd66d6316a3a12a63f06d5f7109) + --with-pdo-sqlite=/usr \ + --with-sqlite3=/usr \ + \ + --with-curl \ + --with-libedit \ + --with-openssl \ + --with-zlib \ + \ +# in PHP 7.4+, the pecl/pear installers are officially deprecated (requiring an explicit "--with-pear") + --with-pear \ + \ +# bundled pcre does not support JIT on s390x +# https://manpages.debian.org/stretch/libpcre3-dev/pcrejit.3.en.html#AVAILABILITY_OF_JIT_SUPPORT + $(test "$gnuArch" = 's390x-linux-musl' && echo '--without-pcre-jit') \ + \ + 
${PHP_EXTRA_CONFIGURE_ARGS:-} \ + ; \ + make -j "$(nproc)"; \ + find -type f -name '*.a' -delete; \ + make install; \ + find /usr/local/bin /usr/local/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; \ + make clean; \ + \ +# https://github.com/docker-library/php/issues/692 (copy default example "php.ini" files somewhere easily discoverable) + cp -v php.ini-* "$PHP_INI_DIR/"; \ + \ + cd /; \ + docker-php-source delete; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-cache $runDeps; \ + \ + apk del --no-network .build-deps; \ + \ +# update pecl channel definitions https://github.com/docker-library/php/issues/443 + pecl update-channels; \ + rm -rf /tmp/pear ~/.pearrc; \ + \ +# smoke test + php --version + +COPY docker-php-ext-* docker-php-entrypoint /usr/local/bin/ + +# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598) +RUN docker-php-ext-enable sodium -COPY docker-php-* /usr/local/bin/ +ENTRYPOINT ["docker-php-entrypoint"] +CMD ["php", "-a"] From 2fc460000812377c6ea067cf797007f96d505b00 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Fri, 23 Jul 2021 20:47:05 -0700 Subject: [PATCH 18/23] Update Dockerfile.template --- Dockerfile.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.template b/Dockerfile.template index 3c837cb..5aef232 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -4,7 +4,7 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM {{base_image}} +FROM alpine:3.14 # dependencies required for running "phpize" # these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) From b848f09e3fd2f0493a56924ab3b9ea89e78d3f96 Mon Sep 17 00:00:00 2001 
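Review bot: In the download step, the checksum and signature checks run only inside `if [ -n "$PHP_SHA256" ]` and `if [ -n "$PHP_ASC_URL" ]`, so an edit that leaves either value empty builds PHP from an unverified tarball without any error. Since the template hard-codes both values, make the step fail closed by adding `: "${PHP_SHA256:?must be set}" "${PHP_ASC_URL:?must be set}"; \` before the `curl` call, or by removing the two `if` wrappers so both checks always run. The identical step is in the Dockerfile added by PATCH 13/23.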
From: Derek Yeh Date: Fri, 23 Jul 2021 20:56:09 -0700 Subject: [PATCH 19/23] Update Dockerfile.template --- Dockerfile.template | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile.template b/Dockerfile.template index 5aef232..dea84c2 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -30,6 +30,7 @@ RUN apk add --no-cache \ # ensure www-data user exists RUN set -eux; \ + addgroup -g 82 -S www-data; \ adduser -u 82 -D -S -G www-data www-data # 82 is the standard uid/gid for "www-data" in Alpine # https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.14-stable From cddde46448e1fc2b13177056a2942dcf84859839 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Fri, 23 Jul 2021 20:56:21 -0700 Subject: [PATCH 20/23] Update Dockerfile.template --- Dockerfile.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.template b/Dockerfile.template index dea84c2..f9c8df2 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -4,7 +4,7 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.14 +FROM {{base_image}} # dependencies required for running "phpize" # these get automatically installed and removed by "docker-php-ext-*" (unless they're already installed) From 3767e48b914fd0e138c62a30f10e7339fec796b4 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Sun, 25 Jul 2021 18:21:14 -0700 Subject: [PATCH 21/23] Update Dockerfile.template --- Dockerfile.template | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index f9c8df2..4d80bd1 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -1,9 +1,3 @@ -# -# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" -# -# PLEASE DO NOT EDIT IT DIRECTLY. -# - FROM {{base_image}} # dependencies required for running "phpize" From 548d002c0acfe81c0ce8a8a17cd2cf48bbf8574b Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Sun, 25 Jul 2021 18:22:08 -0700 Subject: [PATCH 22/23] Update Dockerfile.template 
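Review bot: The added `addgroup -g 82 -S www-data; \` in PATCH 19/23 runs under `set -eux`, so the build stops at this line whenever the base image already defines a `www-data` group. Whether it does is not visible in this patch, and the `FROM` line switches between `alpine:3.14` and `{{base_image}}` in the neighbouring commits. Guarding the call keeps the step working on both kinds of base: `grep -q '^www-data:' /etc/group || addgroup -g 82 -S www-data; \`. The comment under the RUN step should also say that the group is created only when missing.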
From 784d91a6d93d869b408bca4eabd4db8d47be1678 Mon Sep 17 00:00:00 2001 From: Derek Yeh Date: Sun, 25 Jul 2021 18:23:37 -0700 Subject: [PATCH 23/23] Update php.yml --- .github/workflows/php.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 8739791..c9ac089 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -20,8 +20,8 @@ jobs: - name: treehouses php run: | export DOCKER_CLI_EXPERIMENTAL=enabled - repo="dyeh123/php" - base="dyeh123/alpine" + repo="treehouses/php" + base="treehouses/alpine" source .github/workflows/utils.sh echo "amd64" baseamd64=$(get_variant_sha "$base" "latest" "amd64")