Add new image flavor with Alpine + PHP-FPM + Nginx

[ngosang]

First of all, thank you for providing Docker images.
Currently I'm using the "apache" flavor because I don't have an external web server. My only complain is the image is heavy.
I think it will be easy to extend the "fpm-alpine" image to include a Nginx server. The total size will be similar to "fpm-alpine", about 1 / 3 of the size of "apache" image.

[williamdes]

Hi,
I would also love to have a nginx alpine variant

@J0WI @tianon would that be accepted on the official repository?

[tianon]

There's not a way to create such a thing without adding some kind of process supervisor, right? That brings a lot of other problems with it, unfortunately. 😞

[tianon]

See also docker-library/php#54 (and linked issues) for more discussion around this.

[williamdes]

There's not a way to create such a thing without adding some kind of process supervisor, right? That brings a lot of other problems with it, unfortunately.

I am not sure you need any supervisor, here is my working example: https://github.com/sudo-bot/gh-deployer-container/blob/main/docker/Dockerfile

For me, as I do in my Docker images: the fpm service runs in background and then nginx service runs in foreground as the last command run

[williamdes]

See also docker-library/php#54 (and linked issues) for more discussion around this.

Thanks :)
Will read this soon

[tianon]

In that example, /bin/sh is the (very poor 😬) supervisor.

[ngosang]

Yes, you need a supervisor and I recommend s6. It's really lightweight, can spawn several processes (2 in this case), can restart failing tasks (it's configurable), can redirect stdout/stderr of all processes to the docker log, etc...
Kanboard uses same technologies Php-fpm+Nginx (s6 supervisor and Mysql backend) and the image is just 20MB compressed:
https://github.com/kanboard/kanboard/blob/master/Dockerfile
s6 supervisor is really easy to configure. Just create one folder + sh script for each process (we don't need cron here):
https://github.com/kanboard/kanboard/tree/master/docker/etc/services.d

Update: I can open a PR if you are willing to consider making it official.

[williamdes]

In that example, /bin/sh is the (very poor 😬) supervisor.

Oh, I did not think it like that but now that you say that it's obvious

s6 looks very cool and does not depend on an orgy of python things

I just read the thread and am not sure about the conclusion
If it is: no second process in an official container, then we can provide a nginx alpine only container to plug with the fpm alpine container

[J0WI]

then we can provide a nginx alpine only container to plug with the fpm alpine container

There is already a nginx:alpine image available.

[williamdes]

then we can provide a nginx alpine only container to plug with the fpm alpine container

There is already a nginx:alpine image available.

That's true, best we can do is support back decompressing phpmyadmin into the www folder to make fpm/nginx setups work

[yosifkit]

Official-images should not be using a process supervisor. It should be "one process" per container; this keeps things consistent, composable, and (hopefully) scalable.

Similar, now closed issue of adding a Apache2 + php-fpm image: docker-library/php#785. Related: https://github.com/docker-library/official-images/tree/ff0ef95394f0dfe67ac66d5293c0f6b2afdce6f5#init.

[williamdes]

Thank you for all your comments, it will be easier to reply to newer questions now

We should document and example with fpm and nginx like roundcube mail does: https://github.com/roundcube/roundcubemail-docker/blob/master/examples/docker-compose-fpm-alpine.yaml

[ngosang]

I just built a tiny Docker image for phpPgAdmin. It should work for phpMyAdmin just changing the download URL in the Dockerfile and adding missing php extensions. Feel free to copy the code or whatever you want.

phppgadmin/phppgadmin#144

Official-images should not be using a process supervisor. It should be "one process" per container; this keeps things consistent, composable, and (hopefully) scalable.

That is true, but, since this is an administrative tool and hence, it is not critical in a production environment we can make an exception in favor of convenience. I guarantee you that all the software packaged in that image is solid rock. It also manages stdout/stderr of all processes, clean restarts, clean shutdowns... all of it in 12 MB of disk and 10 MB of RAM, no external dependencies. phpmyadmin:5.1.1-apache is 178 MB of disk, 60 MB of RAM and the performance is worse.

[qeepcologne]

sounds fine. Current image is fat and has many unnecessary packages, don't know why intermediate php image is not using slim variant. I also prefer fully working alpine version, web-server don't matter (nginx, apache2 or lighttpd).

[tianon]

Current image is fat and has many unnecessary packages, don't know why intermediate php image is not using slim variant.

Can you point me to which Debian-based variant of PHP isn't using the slim variant?
(I can't seem to find any -- all the ones I check are appropriately FROM debian:bullseye-slim or FROM debian:buster-slim)

[qeepcologne]

ups sorry, you are right, slim images are in use, but adding all the packages later.
I think after compilation all the make cpp gcc stuff is absolete (except for pecl, but we don't need this for pma).

[tianon]

Right, which is why gcc and friends get removed after use (in the same image layer, so they don't take up extra space): https://github.com/docker-library/php/blob/b4b4093acd612a1b489c6442585379275e9e4df6/8.1/bullseye/apache/Dockerfile#L263

[tianon]

Oops, sorry, got myself confused with Alpine where re-installing them is fast, they do get kept on Debian builds for phpize: https://github.com/docker-library/php/blob/b4b4093acd612a1b489c6442585379275e9e4df6/8.1/bullseye/apache/Dockerfile#L18-L29

[williamdes]

@tianon is providing an alpine version going to be accepted in the official repository?
I am willing to port the work I did on https://github.com/sudo-bot/gh-deployer-container

[tianon]

Unfortunately, https://github.com/sudo-bot/gh-deployer-container/blob/7f72d26f3a971cde2a5b3ee046b13c2980e97493/docker/docker-entrypoint.sh#L99-L101 is going to a be no-go. 🙈

[williamdes]

Unfortunately, https://github.com/sudo-bot/gh-deployer-container/blob/7f72d26f3a971cde2a5b3ee046b13c2980e97493/docker/docker-entrypoint.sh#L99-L101 is going to a be no-go. see_no_evil

Yeah 😄, there is probably an apache way for this ;)

[serut]

I struggle to use use the image proposed by @ngosang with the PR #144, as I'm running the container with nobody user and read-only.
I end up to use an intermediate image with NGINX + PHP. He is the Dockerfile I use :

FROM trafex/alpine-nginx-php7:1.10.0
EXPOSE 8080
USER root

RUN apk --no-cache --update add php7-mbstring php7-pgsql

ENV ARTIFACT_VERSION=REL_7-13-0/phpPgAdmin-7.13.0.tar.gz

RUN curl -L -o /phpPgAdmin.tar.gz https://github.com/phppgadmin/phppgadmin/releases/download/${ARTIFACT_VERSION} \
    && tar -xvzf /phpPgAdmin.tar.gz -C / \
    && rm /phpPgAdmin.tar.gz \
    && mv /phpPgAdmin-*/* /var/www/html

COPY config.inc.php /var/www/html/conf/

RUN chmod 0444 /var/www/html/conf/config.inc.php \
    && chmod 0777 /run /var/lib/nginx/logs/ \
    && chmod 0755 /var/lib/nginx

USER nobody

The config.inc.php changes are :

....
  // Display name for the server on the login screen
  // Use DB_NAME if defined, or DB_HOST otherwise
  if (getenv("DB_NAME")) {
    $conf['servers'][0]['desc'] = getenv("DB_NAME");
  } else {
    $conf['servers'][0]['desc'] = getenv("DB_HOST");
  }

  // Hostname or IP address for server.  Use '' for UNIX domain socket.
  // use 'localhost' for TCP/IP connection on this computer
  $conf['servers'][0]['host'] = getenv("DB_HOST");

  // Database port on server (5432 is the PostgreSQL default)
  $conf['servers'][0]['port'] = getenv("DB_PORT");

....

  // Default database
  $conf['servers'][0]['defaultdb'] = 'postgres';
....

I think s6 is too hard to use with nobody user, whereas supervisord is running fine.
If you want to use my Dockerfile, remove all chmod as you may not launch the container with nobody user.

[beeyev]

Here is custom solution: https://hub.docker.com/r/beeyev/phpmyadmin-lightweight

This project is built on top of the official phpMyAdmin fpm-alpine image, it includes Caddy webserver (instead of nginx) and extra dark themes.
The image is automatically updated, so the latest phpMyAdmin version is always supported.

Compressed size is just 61.56 MB

[williamdes]

Here is custom solution: https://hub.docker.com/r/beeyev/phpmyadmin-lightweight

This project is built on top of the official phpMyAdmin fpm-alpine image, it includes Caddy webserver (instead of nginx) and extra dark themes. The image is automatically updated, so the latest phpMyAdmin version is always supported.

Compressed size is just 61.56 MB

Thanks for this, some notes about your project

• one link on the README is broken: link to GitHub
• do not use the themes repository, please download themes from our website as zips

[qeepcologne]

i just replaced the fat image with this and runs out of the box with 1/3 of the size and even faster.
only downside is that is is amd64 only (arm64 would be great).

[williamdes]

We should probably try to do an apache2 alpine variant
It would suit users
Sad for nginx.. but anyway

[tms0]

Here's my version (nginx + php-fpm) : https://framagit.org/colibris-xyz/phpmyadmin-docker

Very simple, built on top of the official image, automatically updated.
Currently there is only linux/amd64 support but I can add other platforms if needed.

[williamdes]

I would perfer that users do not use different images that are not officially supported by phpmyadmin itself

I am glad to see images created by users, but there is quite a lot of ways to make an image that is not perfect or insecure
Maybe someone can contribute an alpine apache2 variant that we can officially support on the official docker registry?

[beeyev]

I can do that.
But why apache2 and not nginx or caddy? (Just curious)

[williamdes]

I can do that. But why apache2 and not nginx or caddy? (Just curious)

Because of this comment: #346 (comment)

Docker Official registry images can only have one process running 🤷

PS: I also prefer nginx

[ngosang]

I would perfer that users do not use different images that are not officially supported by phpmyadmin itself

You are not giving the users what they want...

Docker Official registry images can only have one process running shrug

I think you have to be pragmatic here. The advantages of having an image with Alpine + S6 + PHP-FPM + Nginx are huge even if you are breaking that rule.

• Really small Docker image ~50 MB
• PHP-FPM + Nginx uses less RAM and it's more performant (at least in my tests)
• Alpine is more secure because the attack surface is smaller
• S6 is a battle tested supervisor. I know several companies (mine too) who uses it in production with millions of requests per day. See my comment => Add new image flavor with Alpine + PHP-FPM + Nginx #346 (comment)
• Running 2 containers is costly in may ways. You have to orchestrate them, configure network communication.... Even if it's easy with docker-compose you are using more resources in the host machine

[williamdes]

Hi all,

I did have an idea to avoid the current multi process policy issue, maybe we can use https://frankenphp.dev/
It claims to be a single process to handle everything. I have not tested this, if anyone wants to build an alpine container to see if it would workout then let us know

[foremtehan]

I don't understand how Apache can be included in the image with FPM, but Nginx cannot. Isn't Apache also a separate process?

[williamdes]

I don't understand how Apache can be included in the image with FPM, but Nginx cannot. Isn't Apache also a separate process?

because Apache2 is the one and single process the container is running. And FPM+Nginx requires some 3rd tool to watch over them and start them. So they are not a single process.