Run the services in the container as non-privileged user
This commit is contained in:
parent
ba1dd42210
commit
659806c6d0
29
Dockerfile
29
Dockerfile
@ -11,18 +11,35 @@ RUN apk --no-cache add php7 php7-fpm php7-mysqli php7-json php7-openssl php7-cur
|
||||
COPY config/nginx.conf /etc/nginx/nginx.conf
|
||||
|
||||
# Configure PHP-FPM
|
||||
COPY config/fpm-pool.conf /etc/php7/php-fpm.d/zzz_custom.conf
|
||||
COPY config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf
|
||||
COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini
|
||||
|
||||
# Configure supervisord
|
||||
COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
|
||||
|
||||
# Add application
|
||||
RUN mkdir -p /var/www/html
|
||||
WORKDIR /var/www/html
|
||||
COPY src/ /var/www/html/
|
||||
# Make sure files/folders needed by the processes are accessable when they run under the nobody user
|
||||
RUN touch /run/nginx.pid && \
|
||||
touch /run/supervisord.pid && \
|
||||
chown -R nobody.nobody /run/nginx.pid && \
|
||||
chown -R nobody.nobody /run/supervisord.pid && \
|
||||
chown -R nobody.nobody /var/tmp/nginx && \
|
||||
chown -R nobody.nobody /var/lib/nginx/logs
|
||||
|
||||
EXPOSE 80
|
||||
# Setup document root
|
||||
RUN mkdir -p /var/www/html
|
||||
|
||||
# Switch to use a non-root user from here on
|
||||
USER nobody
|
||||
|
||||
# Add application
|
||||
WORKDIR /var/www/html
|
||||
COPY --chown=nobody src/ /var/www/html/
|
||||
|
||||
# Expose the port nginx is reachable on
|
||||
EXPOSE 8080
|
||||
|
||||
# Let supervisord start nginx & php-fpm
|
||||
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
|
||||
|
||||
# Configure a healthcheck to validate that everything is up&running
|
||||
HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping
|
||||
|
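Review bot: The HEALTHCHECK at the end of this hunk still probes `http://127.0.0.1/fpm-ping`, i.e. port 80, while the new side exposes 8080 and the nginx.conf hunk in this commit moves the listeners to 8080; if that line is unchanged context, the check will fail once the server moves and the container will stay permanently unhealthy. Change it to `HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:8080/fpm-ping`. Separately, the new RUN block uses `chown -R nobody.nobody`; the dot separator is a GNU legacy form, `nobody:nobody` is the portable spelling, and `-R` is unnecessary on the two pid files. `RUN mkdir -p /var/www/html` appears twice in the hunk; the lost +/- markers make it unclear whether both survive on the new side, so worth confirming only one remains.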
28
README.md
28
README.md
@ -1,15 +1,31 @@
|
||||
Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
|
||||
==============================================
|
||||
# Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
|
||||
Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/).
|
||||
The image is only +/- 35MB large.
|
||||
|
||||
|
||||
* Built on the lightweight and secure Alpine Linux distribution
|
||||
* Very small Docker image size (+/-35MB)
|
||||
* Uses PHP 7.2 for better performance, lower cpu usage & memory footprint
|
||||
* Optimized for 100 concurrent users
|
||||
* Optimized to only use resources when there's traffic (by using PHP-FPM's ondemand PM)
|
||||
* The servers Nginx, PHP-FPM and supervisord run under a non-privileged user (nobody) to make it more secure
|
||||
* The logs of all the services are redirected to the output of the Docker container (visible with `docker logs -f <container name>`)
|
||||
|
||||
|
||||
[![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/)
|
||||
|
||||
Usage
|
||||
-----
|
||||
Start the Docker containers:
|
||||
### Breaking changes (26/01/2019)
|
||||
|
||||
docker run -p 80:80 trafex/alpine-nginx-php7
|
||||
Please note that the new builds since 26/01/2019 are exposing a different port to access Nginx.
|
||||
To be able to run Nginx as a non-privileged user, the port it's running on needed
|
||||
to change to a non-privileged port (above 1024).
|
||||
|
||||
The last build of the old version that exposed port 80 was `trafex/alpine-nginx-php7:ba1dd422`
|
||||
|
||||
## Usage
|
||||
|
||||
Start the Docker container:
|
||||
|
||||
docker run -p 80:8080 trafex/alpine-nginx-php7
|
||||
|
||||
See the PHP info on http://localhost, or the static html page on http://localhost/test.html
|
||||
|
@ -3,6 +3,18 @@
|
||||
error_log = /dev/stderr
|
||||
|
||||
[www]
|
||||
; The address on which to accept FastCGI requests.
|
||||
; Valid syntaxes are:
|
||||
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
||||
; a specific port;
|
||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||
; a specific port;
|
||||
; 'port' - to listen on a TCP socket to all addresses
|
||||
; (IPv6 and IPv4-mapped) on a specific port;
|
||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||
; Note: This value is mandatory.
|
||||
listen = 127.0.0.1:9000
|
||||
|
||||
; Enable status page
|
||||
pm.status_path = /fpm-status
|
||||
|
||||
@ -18,7 +30,7 @@ pm = ondemand
|
||||
; forget to tweak pm.* to fit your needs.
|
||||
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
||||
; Note: This value is mandatory.
|
||||
pm.max_children = 50
|
||||
pm.max_children = 100
|
||||
|
||||
; The number of seconds after which an idle process will be killed.
|
||||
; Note: Used only when pm is set to 'ondemand'
|
||||
@ -29,7 +41,7 @@ pm.process_idle_timeout = 10s;
|
||||
; This can be useful to work around memory leaks in 3rd party libraries. For
|
||||
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
||||
; Default Value: 0
|
||||
pm.max_requests = 500
|
||||
pm.max_requests = 1000
|
||||
|
||||
; Make sure the FPM workers can reach the environment variables for configuration
|
||||
clear_env = no
|
||||
|
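Review bot: `pm.status_path = /fpm-status` in the first hunk enables the FPM status endpoint, but no location restricting it appears in this commit's nginx hunks; if nginx forwards it on the public listener, the page reveals pool and worker state including active request URIs. Keep it behind an `allow 127.0.0.1; deny all;` location (or equivalent) in nginx.conf and say so above the key, e.g. `; Status page for local monitoring only - access must be restricted in nginx`. The HEALTHCHECK in the Dockerfile hits `/fpm-ping`, which needs `ping.path` set in this pool; it is not visible in these hunks, so presumably it lives elsewhere in the file. The page does not show this file's header, so its identity as the fpm-pool.conf is inferred from the `[www]` section and `pm.*` keys; the later hunks only raise `pm.max_children` and `pm.max_requests`, which have memory implications worth a comment but are not defects.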
@ -1,4 +1,5 @@
|
||||
worker_processes 1;
|
||||
error_log stderr warn;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
@ -20,8 +21,8 @@ http {
|
||||
keepalive_timeout 65;
|
||||
|
||||
server {
|
||||
listen [::]:80 default_server;
|
||||
listen 80 default_server;
|
||||
listen [::]:8080 default_server;
|
||||
listen 8080 default_server;
|
||||
server_name _;
|
||||
|
||||
sendfile off;
|
||||
|
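Review bot: The move from `listen 80` to `listen 8080` in the second hunk carries no comment explaining the change, so a later edit could put it back to 80, which would fail at bind time now that nginx starts as nobody; add above the listen lines `# 8080: nginx runs as the unprivileged user nobody and cannot bind ports below 1024`. The added `pid /run/nginx.pid;` in the first hunk matches the file the Dockerfile creates and chowns, which is consistent. If nginx.conf still has a `user` directive outside these hunks, it becomes a no-op once the master process is unprivileged and nginx warns about it at startup, so it is worth removing. The `server {` block continues past the hunk.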
@ -1,5 +1,8 @@
|
||||
[supervisord]
|
||||
nodaemon=true
|
||||
logfile=/dev/null
|
||||
logfile_maxbytes=0
|
||||
pidfile=/run/supervisord.pid
|
||||
|
||||
[program:php-fpm]
|
||||
command=php-fpm7 -F
|
||||
|