From 9308e72dbd4f571329952267c3cea0981557fcde Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:42:50 +0000
Subject: [PATCH 1/3] feat(php-lol): run nginx and php-fpm as non-root user

- Remove 'user www-data' directive from nginx.conf (not needed for rootless)
- Move PID files to /tmp for nginx, php-fpm, and supervisord
- Change nginx listen port from 80 to 8080 (non-root can't bind < 1024)
- Remove 'user = root' from supervisord.conf and app.conf
- Set php-fpm pool user/group to nobody:nogroup
- Change /var/cache/nginx and /var/lib/php/session ownership to 65534:65534
- Add USER 65534:65534 directive in all 4 Dockerfiles
- Update EXPOSE from 80/443 to 8080
- Update test checksums for modified config files

Agent-Logs-Url: https://github.com/bdossantos/dockerfiles/sessions/4a2f865b-f62a-4d89-92d7-df6224b6e8c6
Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
---
 dockerfiles/php-lol/Dockerfile.8.1 | 8 +++++---
 dockerfiles/php-lol/Dockerfile.8.2 | 8 +++++---
 dockerfiles/php-lol/Dockerfile.8.3 | 8 +++++---
 dockerfiles/php-lol/Dockerfile.8.4 | 8 +++++---
 dockerfiles/php-lol/app.conf | 2 --
 dockerfiles/php-lol/nginx.conf | 8 ++++----
 dockerfiles/php-lol/supervisord.conf | 7 +++----
 dockerfiles/php-lol/zzz-php-fpm-tuning.conf | 4 +++-
 tests/php-lol.yaml | 8 ++++----
 9 files changed, 34 insertions(+), 27 deletions(-)

diff --git a/dockerfiles/php-lol/Dockerfile.8.1 b/dockerfiles/php-lol/Dockerfile.8.1
index 8edd3475..9a95a7b6 100644
--- a/dockerfiles/php-lol/Dockerfile.8.1
+++ b/dockerfiles/php-lol/Dockerfile.8.1
@@ -65,7 +65,7 @@ RUN set -eux \ && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \ && chmod +x /usr/local/bin/pickle \ && mkdir -p /var/lib/php/session \ - && chown -R www-data.www-data /var/lib/php/session \ + && chown -R 65534:65534 /var/lib/php/session \ && pickle install amqp@2.2.0 \ && pickle install --no-interaction apcu@5.1.28 \ && pickle install igbinary@3.2.16 \ @@ -181,7 +181,7 @@ RUN set -eux \ && make \ && make install \ && mkdir -p /var/cache/nginx \ - && chown -R www-data.www-data /var/cache/nginx \ + && chown -R 65534:65534 /var/cache/nginx \ && chsh -s /usr/sbin/nologin www-data \ && apt-get purge -y $BUILD_DEPENDENCIES \ && docker-php-source delete \ @@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \ WORKDIR /usr/src/app -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp + +USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] diff --git a/dockerfiles/php-lol/Dockerfile.8.2 b/dockerfiles/php-lol/Dockerfile.8.2 index 96a7aff0..51cad9ae 100644 --- a/dockerfiles/php-lol/Dockerfile.8.2 +++ b/dockerfiles/php-lol/Dockerfile.8.2 @@ -65,7 +65,7 @@ RUN set -eux \ && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \ && chmod +x /usr/local/bin/pickle \ && mkdir -p /var/lib/php/session \ - && chown -R www-data.www-data /var/lib/php/session \ + && chown -R 65534:65534 /var/lib/php/session \ && pickle install amqp@2.2.0 \ && pickle install --no-interaction apcu@5.1.28 \ && pickle install igbinary@3.2.16 \ @@ -181,7 +181,7 @@ RUN set -eux \ && make \ && make install \ && mkdir -p /var/cache/nginx \ - && chown -R www-data.www-data /var/cache/nginx \ + && chown -R 65534:65534 /var/cache/nginx \ && chsh -s /usr/sbin/nologin www-data \ && apt-get purge -y $BUILD_DEPENDENCIES \ && docker-php-source delete \ 
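Review bot: The image now runs everything as 65534 (`nobody:nogroup`), a well-known shared UID that other daemons and NFS root-squash also map to; a dedicated system account created in the same RUN step (for example, as a constructed sample, `useradd -r -u 10001 -s /usr/sbin/nologin app`, with the cache and session directories chowned to it) gives the container an identity shared with nothing else on the host or in the pod, and the same point applies to the identical hunks in Dockerfile.8.2, 8.3 and 8.4. The `chsh -s /usr/sbin/nologin www-data` line kept in the @@ -181 hunk refers to an account nothing in this image uses any more once ownership moves to 65534, so it should go or be retargeted at the new account. `/entrypoint.sh` is not in the diff, but it now runs after `USER 65534:65534`, so anything in it that needed root (chown, writes under /etc or /var) will start failing and should be checked. A short comment above the new directive would help the next reader, e.g. `# Unprivileged from here on: uid must match the php-fpm pool and the supervisord socket owner; ports below 1024 are unavailable`.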
@@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \ WORKDIR /usr/src/app -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp + +USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] diff --git a/dockerfiles/php-lol/Dockerfile.8.3 b/dockerfiles/php-lol/Dockerfile.8.3 index 56b5e075..ebbdf5cf 100644 --- a/dockerfiles/php-lol/Dockerfile.8.3 +++ b/dockerfiles/php-lol/Dockerfile.8.3 @@ -65,7 +65,7 @@ RUN set -eux \ && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \ && chmod +x /usr/local/bin/pickle \ && mkdir -p /var/lib/php/session \ - && chown -R www-data.www-data /var/lib/php/session \ + && chown -R 65534:65534 /var/lib/php/session \ && pickle install amqp@2.2.0 \ && pickle install --no-interaction apcu@5.1.28 \ && pickle install igbinary@3.2.16 \ @@ -181,7 +181,7 @@ RUN set -eux \ && make \ && make install \ && mkdir -p /var/cache/nginx \ - && chown -R www-data.www-data /var/cache/nginx \ + && chown -R 65534:65534 /var/cache/nginx \ && chsh -s /usr/sbin/nologin www-data \ && apt-get purge -y $BUILD_DEPENDENCIES \ && docker-php-source delete \ @@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \ WORKDIR /usr/src/app -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp + +USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] diff --git a/dockerfiles/php-lol/Dockerfile.8.4 b/dockerfiles/php-lol/Dockerfile.8.4 index b9517283..b69df6df 100644 --- a/dockerfiles/php-lol/Dockerfile.8.4 +++ b/dockerfiles/php-lol/Dockerfile.8.4 
@@ -65,7 +65,7 @@ RUN set -eux \ && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \ && chmod +x /usr/local/bin/pickle \ && mkdir -p /var/lib/php/session \ - && chown -R www-data.www-data /var/lib/php/session \ + && chown -R 65534:65534 /var/lib/php/session \ && pickle install amqp@2.2.0 \ && pickle install --no-interaction apcu@5.1.28 \ && pickle install igbinary@3.2.16 \ @@ -179,7 +179,7 @@ RUN set -eux \ && make \ && make install \ && mkdir -p /var/cache/nginx \ - && chown -R www-data.www-data /var/cache/nginx \ + && chown -R 65534:65534 /var/cache/nginx \ && chsh -s /usr/sbin/nologin www-data \ && apt-get purge -y $BUILD_DEPENDENCIES \ && docker-php-source delete \ @@ -245,7 +245,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \ WORKDIR /usr/src/app -EXPOSE 80/tcp 443/tcp +EXPOSE 8080/tcp + +USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] diff --git a/dockerfiles/php-lol/app.conf b/dockerfiles/php-lol/app.conf index 0e136dd2..8de82670 100644 --- a/dockerfiles/php-lol/app.conf +++ b/dockerfiles/php-lol/app.conf @@ -3,7 +3,6 @@ command = /usr/local/sbin/php-fpm -F -y /usr/local/etc/php-fpm.conf stdout_logfile = /dev/stdout stdout_logfile_maxbytes = 0 redirect_stderr = true -user = root autostart = true autorestart = true priority = 5 @@ -13,7 +12,6 @@ command = /usr/sbin/nginx -g "daemon off;" stdout_logfile = /dev/stdout stdout_logfile_maxbytes = 0 redirect_stderr = true -user = root autostart = true autorestart = true priority = 10 diff --git a/dockerfiles/php-lol/nginx.conf b/dockerfiles/php-lol/nginx.conf index ba196c43..37c53d81 100644 --- a/dockerfiles/php-lol/nginx.conf +++ b/dockerfiles/php-lol/nginx.conf @@ -1,6 +1,6 @@ -user www-data www-data; +# Run as non-root (no user directive needed) -pid /dev/shm/nginx.pid; +pid /tmp/nginx.pid; worker_processes auto; worker_rlimit_nofile 8192; 
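Review bot: The new comment `# Run as non-root (no user directive needed)` states the outcome but not the reason, and the reason is what a future maintainer needs when tempted to put `user` back: nginx only honours the `user` directive when its master process runs as root, and otherwise logs a warning that it is ignored. I would make that explicit, e.g. `# No 'user' directive: the master runs unprivileged (USER 65534:65534 in the Dockerfile), so nginx would only warn that 'user' is ignored.` With the master unprivileged, every path nginx writes at startup has to be writable by uid 65534 — the pid file here and the temp paths under /var/cache/nginx chowned in the Dockerfiles are covered, while the error_log location is outside this hunk and worth confirming.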
@@ -76,8 +76,8 @@ http { open_file_cache_errors on; server { - listen [::]:80 default_server; - listen 80 default_server; + listen [::]:8080 default_server; + listen 8080 default_server; # PHP fpm status location ~ ^/(php-fpm-status|php-fpm-ping)$ { diff --git a/dockerfiles/php-lol/supervisord.conf b/dockerfiles/php-lol/supervisord.conf index c72ea901..56e0c38b 100644 --- a/dockerfiles/php-lol/supervisord.conf +++ b/dockerfiles/php-lol/supervisord.conf @@ -1,18 +1,17 @@ [unix_http_server] chmod = 0700 chown = nobody:nogroup -file = /dev/shm/supervisord.sock +file = /tmp/supervisord.sock [supervisord] logfile = /dev/stdout logfile_maxbytes = 0 loglevel = error nodaemon = true -pidfile = /dev/shm/supervisord.pid -user = root +pidfile = /tmp/supervisord.pid [supervisorctl] -serverurl=unix:///dev/shm/supervisord.sock +serverurl=unix:///tmp/supervisord.sock [rpcinterface:supervisor] supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface diff --git a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf index a79eb83f..2f9a68ad 100644 --- a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf +++ b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf @@ -1,9 +1,11 @@ [global] error_log = /proc/self/fd/2 log_level = warning -pid = /dev/shm/php-fpm.pid +pid = /tmp/php-fpm.pid [www] +user = nobody +group = nogroup access.log = /dev/null catch_workers_output = yes clear_env = no diff --git a/tests/php-lol.yaml b/tests/php-lol.yaml index b4062ccd..6e901350 100644 --- a/tests/php-lol.yaml +++ b/tests/php-lol.yaml @@ -112,7 +112,7 @@ commandTests: command: 'sha256sum' args: ['/usr/local/etc/php-fpm.d/zzz-php-fpm-tuning.conf'] expectedOutput: - - 'e3772ca736903a1a4c27a715adae6c2ef35059119b527cefb30bac50af94ffef' + - '3df0e2db044284e0492309bbafe18ddd3ddfe899b544c843c5900b5dfeb77270' - name: 'php hardening config checksum' command: 'sha256sum' 
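Review bot: Dropping `user = root` from `[supervisord]` changes who can reach the control socket: `[unix_http_server]` keeps `chown = nobody:nogroup` with `chmod = 0700` and no username/password, and after this series the php-fpm workers run as that same uid 65534 (see `user = nobody` in the zzz-php-fpm-tuning.conf hunk and `USER 65534:65534` in the Dockerfiles), so any code executed inside a PHP worker can open supervisord's RPC interface and stop or restart nginx and php-fpm. Before the change the pool presumably ran as www-data (the session directory was chowned to it), which the 0700 socket owned by nobody kept out; the non-root model cannot restore that separation, because php-fpm only switches uid when started as root. If `supervisorctl` is not needed at runtime, remove the `[unix_http_server]`, `[supervisorctl]` and `[rpcinterface:supervisor]` sections so that no socket exists at all; otherwise record the shared uid next to the `chown` line, e.g. `; php-fpm workers run as this same uid and can reach this socket`.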
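Review bot: The added `user = nobody` / `group = nogroup` in `[www]` do not take effect in this image: php-fpm only calls setuid/setgid for a pool when its master runs as root, and with `USER 65534:65534` in the Dockerfiles it instead reports that the pool `user`/`group` directives are ignored (as far as I recall at notice level, so invisible under `log_level = warning`). The lines are not wrong — they match the Dockerfile uid — but they read as if php-fpm were dropping privileges itself, which it is not; annotate them, e.g. `; informational: FPM runs unprivileged (Dockerfile USER 65534:65534) and ignores pool user/group`. Keeping them is still the safer choice, since they are what would keep the workers off uid 0 if the image were ever started as root again.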
@@ -124,7 +124,7 @@ commandTests: command: 'sha256sum' args: ['/etc/nginx/nginx.conf'] expectedOutput: - - '0c21ca2a7522fee98b6d5a0f28e0f6b1840d3df4d23b0b182b5c45c9d8b5ff8f' + - 'b1861c352bc1e15f265dcd36a1e1753ee1cb5ee686ccb7664feb4f81226e86a9' - name: 'nginx mime.types checksum' command: 'sha256sum' @@ -136,13 +136,13 @@ commandTests: command: 'sha256sum' args: ['/etc/supervisor/supervisord.conf'] expectedOutput: - - 'cbf3f7370b1fd9f24360c20cc9e909f3298635d456fa76d97f531af0136a390c' + - '4b1fdfb861af749e6024c35d7bc1bb40e18811be4f55ec4e27eef698584b5555' - name: 'supervisor app.conf checksum' command: 'sha256sum' args: ['/etc/supervisor/conf.d/app.conf'] expectedOutput: - - 'bbdd21d87a9b30770de6b434673caf6594eb67bc4ff5c124f8c0ccb453c62d6b' + - 'ffaca82839725c81b62f59a5da6fc941f2643eee5e649654725e01c80b28b1b4' - name: 'php-fpm config test' command: '/usr/local/sbin/php-fpm' From 7fd32596a13a562720a46e18cb5380186bef4113 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 30 Mar 2026 09:46:55 +0000 Subject: [PATCH 2/3] fix(php-lol): keep /dev/shm paths for read-only container compatibility Agent-Logs-Url: https://github.com/bdossantos/dockerfiles/sessions/4a2f865b-f62a-4d89-92d7-df6224b6e8c6 Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com> --- dockerfiles/php-lol/nginx.conf | 2 +- dockerfiles/php-lol/supervisord.conf | 6 +++--- dockerfiles/php-lol/zzz-php-fpm-tuning.conf | 2 +- tests/php-lol.yaml | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/dockerfiles/php-lol/nginx.conf b/dockerfiles/php-lol/nginx.conf index 37c53d81..2c66bd2c 100644 --- a/dockerfiles/php-lol/nginx.conf +++ b/dockerfiles/php-lol/nginx.conf @@ -1,6 +1,6 @@ # Run as non-root (no user directive needed) -pid /tmp/nginx.pid; +pid /dev/shm/nginx.pid; worker_processes auto; worker_rlimit_nofile 8192; 
diff --git a/dockerfiles/php-lol/supervisord.conf b/dockerfiles/php-lol/supervisord.conf index 56e0c38b..cb08ece2 100644 --- a/dockerfiles/php-lol/supervisord.conf +++ b/dockerfiles/php-lol/supervisord.conf @@ -1,17 +1,17 @@ [unix_http_server] chmod = 0700 chown = nobody:nogroup -file = /tmp/supervisord.sock +file = /dev/shm/supervisord.sock [supervisord] logfile = /dev/stdout logfile_maxbytes = 0 loglevel = error nodaemon = true -pidfile = /tmp/supervisord.pid +pidfile = /dev/shm/supervisord.pid [supervisorctl] -serverurl=unix:///tmp/supervisord.sock +serverurl=unix:///dev/shm/supervisord.sock [rpcinterface:supervisor] supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface diff --git a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf index 2f9a68ad..a926111c 100644 --- a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf +++ b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf @@ -1,7 +1,7 @@ [global] error_log = /proc/self/fd/2 log_level = warning -pid = /tmp/php-fpm.pid +pid = /dev/shm/php-fpm.pid [www] user = nobody diff --git a/tests/php-lol.yaml b/tests/php-lol.yaml index 6e901350..e00657eb 100644 --- a/tests/php-lol.yaml +++ b/tests/php-lol.yaml @@ -112,7 +112,7 @@ commandTests: command: 'sha256sum' args: ['/usr/local/etc/php-fpm.d/zzz-php-fpm-tuning.conf'] expectedOutput: - - '3df0e2db044284e0492309bbafe18ddd3ddfe899b544c843c5900b5dfeb77270' + - '0d66730a9658f8c8553e73878b214a5c96084248a406660f593299f8dc8940ab' - name: 'php hardening config checksum' command: 'sha256sum' @@ -124,7 +124,7 @@ commandTests: command: 'sha256sum' args: ['/etc/nginx/nginx.conf'] expectedOutput: - - 'b1861c352bc1e15f265dcd36a1e1753ee1cb5ee686ccb7664feb4f81226e86a9' + - 'bc8b1c9ca19a7e588b19bf9677c29b25a9112a103bc7be786756a2f05cde76d2' - name: 'nginx mime.types checksum' command: 'sha256sum' 
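Review bot: Moving the control socket and pid file back under `/dev/shm` (likewise the nginx and php-fpm pid paths in the other two hunks of this commit) keeps the read-only-rootfs case working, but `/dev/shm` is the container's IPC shm mount, and with `--ipc=host` or `--ipc=container:<name>` it is shared with other processes — the 0700 socket is then reachable by any uid-65534 process in the sharing namespace, and the world-writable directory lets another uid pre-create `supervisord.pid`. That is no worse than before this series, since the paths were already there, but the reason for preferring it over `/tmp` should live in the file, e.g. `; /dev/shm rather than /tmp: stays writable when the container runs with --read-only`. A dedicated `--tmpfs /run` mount at deploy time would give the same writability without the IPC-sharing caveat.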
@@ -136,7 +136,7 @@ commandTests: command: 'sha256sum' args: ['/etc/supervisor/supervisord.conf'] expectedOutput: - - '4b1fdfb861af749e6024c35d7bc1bb40e18811be4f55ec4e27eef698584b5555' + - '7c1b6af616372d69f9beb279834b4b9bab0deb31ed454a21193b563817bf9304' - name: 'supervisor app.conf checksum' command: 'sha256sum' From 545410249b43daaf3d41bc3802d5919a2b404f8f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 12 May 2026 09:14:57 +0000 Subject: [PATCH 3/3] feat(php-lol): add -rootless image tag suffix via .rootless marker Agent-Logs-Url: https://github.com/bdossantos/dockerfiles/sessions/9c4fbd26-a8d4-4ed3-8303-d67c3c4da409 Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com> --- .github/actions/docker/action.yml | 3 +++ dockerfiles/php-lol/.rootless | 0 2 files changed, 3 insertions(+) create mode 100644 dockerfiles/php-lol/.rootless diff --git a/.github/actions/docker/action.yml b/.github/actions/docker/action.yml index 57009752..a8ad8093 100644 --- a/.github/actions/docker/action.yml +++ b/.github/actions/docker/action.yml @@ -32,6 +32,9 @@ runs: vcs_ref=$(git rev-parse --short HEAD) image_name=$(cd $(dirname ${{ inputs.dockerfile }}) && echo "${PWD##*/}") tags=bdossantos/${image_name}:latest,bdossantos/${image_name}:${version},bdossantos/${image_name}:${version}-${vcs_ref},bdossantos/${image_name}:${version%.*} + if [[ -f "$(dirname ${{ inputs.dockerfile }})/.rootless" ]]; then + tags=${tags},bdossantos/${image_name}:latest-rootless,bdossantos/${image_name}:${version}-rootless,bdossantos/${image_name}:${version%.*}-rootless + fi cache_image=bdossantos/${image_name}:buildcache echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT echo "cache_image=${cache_image}" >> $GITHUB_OUTPUT diff --git a/dockerfiles/php-lol/.rootless b/dockerfiles/php-lol/.rootless new file mode 100644 index 00000000..e69de29b
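Review bot: `${{ inputs.dockerfile }}` is interpolated into the shell script by the runner before bash sees it, on the new `if [[ -f "$(dirname ${{ inputs.dockerfile }})/.rootless" ]]; then` line just as on the existing `image_name=` line above it; if that input can ever be derived from untrusted data it is a script-injection point, and even when it cannot, the unquoted `dirname` argument breaks on paths with spaces. The safer shape is to expose the input as an environment variable on the step (`env: DOCKERFILE: ${{ inputs.dockerfile }}`, outside this hunk) and write `if [[ -f "$(dirname "$DOCKERFILE")/.rootless" ]]; then`. Separately, the base tag set includes `${version}-${vcs_ref}` but the rootless set does not add `${version}-${vcs_ref}-rootless`, which may be intended but deserves a one-line comment either way. The enclosing `run:` block starts before this hunk.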