refactor(docker, php): modernize image architecture and harden PHP configurations

Refactored the Docker image architecture and PHP configuration to fix vulnerabilities,
improve performance, and align with production best practices.

- Removed Supervisor (CVE-2023-27482) and adopted Docker’s single-process model with
  `docker-entrypoint.sh` managing Redis/PHP-FPM in background and Nginx in foreground.
- Added configurable `ALPINE_VERSION` in `.env` and build scripts for easier base image upgrades.
- Moved critical OPcache directives (INI_SYSTEM) from `www.conf` to `php.ini` to fix FPM initialization errors.
- Removed deprecated OPcache directives (`opcache.fast_shutdown`, `opcache.consistency_checks`).
- Enabled `opcache.save_comments` for framework compatibility (Symfony, Laravel).
- Fixed `session.save_path` to `tcp://redis:6379` for proper container communication.
- Adjusted `disable_functions` list to allow required functions like `curl_exec`.
- Updated Makefile: replaced `supervisorctl` with `nginx -s reload` and added `--env-file .env` to
  `docker run` for proper environment injection.

BREAKING CHANGE: Supervisor was removed. Process management is now handled by `docker-entrypoint.sh`.
Commands using `supervisorctl` will no longer work. To reload Nginx use
`docker exec <container> nginx -s reload`.

Author: walmir-silva

.env.example

@@ -7,6 +7,7 @@
 PHP_VERSION=8.4
 NGINX_VERSION=1.27.3
 REDIS_VERSION=7.2
+ALPINE_VERSION=3.21
 COMPOSER_VERSION=2.8.12
 SYMFONY_CLI_VERSION=7.3.0
 
@@ -61,7 +62,7 @@ PHP_SESSION_SAVE_PATH="tcp://redis:6379"
 
 # PHP-FPM Configuration
 PHP_FPM_PM=dynamic
-PHP_FPM_PM_MAX_CHILDREN=50
+PHP_FPM_PM_MAX_CHILDREN=60
 PHP_FPM_PM_START_SERVERS=5
 PHP_FPM_PM_MIN_SPARE_SERVERS=5
 PHP_FPM_PM_MAX_SPARE_SERVERS=10
@@ -94,9 +95,9 @@ REDIS_LOG_FILE=/var/log/redis/redis.log
 REDIS_SAVE="900 1 300 10 60 10000"
 
 # Supervisor Configuration
-SUPERVISOR_LOG_LEVEL=info
-SUPERVISOR_LOG_FILE=/var/log/supervisor/supervisord.log
-SUPERVISOR_PID_FILE=/var/run/supervisord.pid
+# SUPERVISOR_LOG_LEVEL=info
+# SUPERVISOR_LOG_FILE=/var/log/supervisor/supervisord.log
+# SUPERVISOR_PID_FILE=/var/run/supervisord.pid
 
 # Security Settings
 SECURITY_HEADERS=true

.github/workflows/publish.yml

@@ -6,6 +6,7 @@
 ARG PHP_VERSION=8.4
 ARG NGINX_VERSION=1.27.3
 ARG REDIS_VERSION=7.2
+ARG ALPINE_VERSION=3.21
 ARG VERSION=1.2.0
 
 # Stage 1: Redis binaries
@@ -15,7 +16,7 @@ FROM redis:${REDIS_VERSION}-alpine AS redis-build
 FROM nginx:${NGINX_VERSION}-alpine AS nginx-build
 
 # Stage 3: Main application
-FROM php:${PHP_VERSION}-fpm-alpine AS base
+FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} AS base
 
 # Set shell with pipefail for robust error handling
 # Reference: https://docs.docker.com/engine/reference/builder/#shell
@@ -25,6 +26,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 ARG PHP_VERSION
 ARG NGINX_VERSION
 ARG REDIS_VERSION
+ARG ALPINE_VERSION
 ARG COMPOSER_VERSION=2.8.12
 ARG SYMFONY_CLI_VERSION=7.3.0
 ARG PHP_CORE_EXTENSIONS="pdo pdo_mysql opcache intl zip bcmath gd mbstring xml"
@@ -69,7 +71,7 @@ RUN set -eux; \
     shadow \
     su-exec \
     tini \
-    supervisor \
+    # supervisor \
     git \
     curl \
     wget \
@@ -280,7 +282,7 @@ RUN set -eux; \
     /var/log/nginx \
     /var/log/php \
     /var/log/redis \
-    /var/log/supervisor \
+    # /var/log/supervisor \
     /var/log/symfony \
     /var/run \
     /var/run/php \
@@ -345,7 +347,7 @@ COPY php/php.ini /usr/local/etc/php/php.ini.template
 COPY php/php-fpm.conf /usr/local/etc/php-fpm.conf.template
 COPY php/www.conf /usr/local/etc/php-fpm.d/www.conf.template
 COPY redis/redis.conf /etc/redis/redis.conf.template
-COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf
+# COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf
 
 # Copy entrypoint script
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint
@@ -421,4 +423,5 @@ VOLUME ["/var/www/html", "/var/log", "/var/lib/redis"]
 # Use tini as init system for proper signal handling
 # Reference: https://github.com/krallin/tini
 ENTRYPOINT ["/sbin/tini", "--", "docker-entrypoint"]
-CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+# CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+CMD ["start"]

DOCKER_HUB_OVERVIEW.md

@@ -136,6 +136,7 @@ run-test: ## run test container with comprehensive health check
 	@docker run -d \
 		--name $(TEST_CONTAINER) \
 		-p 8080:80 \
+		--env-file .env \
 		-v $(PWD)/logs:/var/log \
 		$(FULL_IMAGE):test
 	@echo ""
@@ -275,6 +276,7 @@ run: ## Run local container for demo/testing
 	@docker run -d \
 		--name $(LOCAL_CONTAINER) \
 		-p 8080:80 \
+		--env-file .env \
 		-v $(PWD)/logs:/var/log \
 		$(FULL_IMAGE):latest
 	@echo "$(GREEN)✓ Container running at http://localhost:8080$(NC)"
@@ -309,6 +311,7 @@ run-with-app: ## Run local container with mounted application
 	@docker run -d \
 		--name $(LOCAL_CONTAINER) \
 		-p 8080:80 \
+		--env-file .env \
 		-v $(PWD)/app:/var/www/html \
 		-v $(PWD)/logs:/var/log \
 		$(FULL_IMAGE):latest
@@ -317,7 +320,8 @@ run-with-app: ## Run local container with mounted application
 	@echo ""
 	@echo "$(BLUE)Next steps:$(NC)"
 	@echo "  1. Create your $(CYAN)app/public/index.php$(NC)"
-	@echo "  2. Run $(CYAN)docker exec $(LOCAL_CONTAINER) supervisorctl restart nginx$(NC)"
+# 	@echo "  2. Run $(CYAN)docker exec $(LOCAL_CONTAINER) supervisorctl restart nginx$(NC)"
+	@echo "  2. Run $(CYAN)docker exec $(LOCAL_CONTAINER) nginx -s reload$(NC)"
 	@echo "  3. Visit http://localhost:8080"
 
 .PHONY: stop

Dockerfile

@@ -100,7 +100,7 @@ All configurations via `.env` file:
 PHP_MEMORY_LIMIT=256M
 PHP_OPCACHE_MEMORY=256
 PHP_OPCACHE_JIT=tracing
-PHP_FPM_PM_MAX_CHILDREN=50
+PHP_FPM_PM_MAX_CHILDREN=60
 
 # Environment
 APP_ENV=production

Makefile

@@ -1659,6 +1659,4 @@ For testing issues:
 - [IMAGE_USAGE_GUIDE.md](IMAGE_USAGE_GUIDE.md) - Learn how to use the published image
 - [README.md](README.md) - Project overview
 
----
-
-<sub>Last updated: $(date +%Y-%m-%d) | Version: $(cat VERSION)</sub>
+---

README.md

@@ -141,6 +141,7 @@ echo -e "${YELLOW}Stack Versions:${NC}"
 echo "  • PHP:         ${PHP_VERSION}"
 echo "  • Nginx:       ${NGINX_VERSION}"
 echo "  • Redis:       ${REDIS_VERSION}"
+echo "  • Alpine:      ${ALPINE_VERSION}"
 echo "  • Composer:    ${COMPOSER_VERSION}"
 echo "  • Symfony CLI: ${SYMFONY_CLI_VERSION}"
 echo ""
@@ -212,6 +213,7 @@ BUILD_CMD="$BUILD_CMD \
     --build-arg PHP_VERSION=${PHP_VERSION} \
     --build-arg NGINX_VERSION=${NGINX_VERSION} \
     --build-arg REDIS_VERSION=${REDIS_VERSION} \
+    --build-arg ALPINE_VERSION=${ALPINE_VERSION} \
     --build-arg COMPOSER_VERSION=${COMPOSER_VERSION} \
     --build-arg SYMFONY_CLI_VERSION=${SYMFONY_CLI_VERSION} \
     --build-arg PHP_CORE_EXTENSIONS=\"${PHP_CORE_EXTENSIONS}\" \

TESTING.md

@@ -119,7 +119,7 @@ fi
 log_info "Creating required directories..."
 chown -R nginx:nginx /var/log/php /var/log/nginx /var/run/php
 chown -R redis:redis /var/log/redis || true
-chown -R root:root /var/log/supervisor
+# chown -R root:root /var/log/supervisor
 chown -R nginx:nginx /var/run/nginx # Nginx run dir
 
 # Fix permissions for session directory if using files
@@ -294,12 +294,30 @@ fi
 # ==============================================================================
 # START SERVICES BASED ON COMMAND
 # ==============================================================================
-
-# Comandos específicos
+# removed:
+# supervisord|supervisor)
+#     log_info "Starting all services with Supervisor..."
+#     exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+#     ;;
+# Especifics commands 
 case "$1" in
-    supervisord|supervisor)
-        log_info "Starting all services with Supervisor..."
-        exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+    start)
+        log_info "Starting all services..."
+        
+        # Start Redis in background (daemonize)
+        log_info "  -> Starting Redis..."
+        redis-server /etc/redis/redis.conf --daemonize yes
+        
+        # Start PHP-FPM in background (daemonize)
+        log_info "  -> Starting PHP-FPM..."
+        php-fpm -D
+        
+        # Start Nginx in foreground. The `exec` command is crucial here.
+        # It replaces the script process with the Nginx process, making Nginx
+        # the main container process (PID 1). This ensures it receives
+        # Docker signals correctly (e.g., docker stop).
+        log_info "  -> Starting Nginx (foreground)..."
+        exec nginx -g 'daemon off;'
         ;;
     php-fpm)
         log_info "Starting PHP-FPM only..."
@@ -320,12 +338,12 @@ case "$1" in
         ;;
     *)
         # Default: start supervisord if no command given
-        if [ "$#" -eq 0 ]; then
-            log_info "Starting all services with Supervisor (default)..."
-            exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
-        else
+        # if [ "$#" -eq 0 ]; then
+        #     log_info "Starting all services with Supervisor (default)..."
+        #     exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+        # else
             # Pass through any command
             exec "$@"
-        fi
+        # fi
         ;;
 esac

build-from-env.sh

@@ -104,11 +104,10 @@ opcache.revalidate_freq = ${PHP_OPCACHE_REVALIDATE_FREQ}
 opcache.revalidate_path = 0
 opcache.save_comments = 1
 opcache.enable_file_override = 0
-opcache.optimization_level = 0x7FFFBFFF
+opcache.optimization_level = 0x7FFEBFFF
 opcache.dups_fix = 0
 opcache.blacklist_filename =
 opcache.max_file_size = 0
-opcache.consistency_checks = 0
 opcache.force_restart_timeout = 180
 opcache.error_log =
 opcache.log_verbosity_level = 1