diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ad9a9033..4bacc7d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,15 @@ jobs: - name: Get the version id: get_version - run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} + run: | + if [[ $GITHUB_REF == refs/tags/* ]]; then + VERSION=${GITHUB_REF#refs/tags/} + elif [[ $GITHUB_REF == refs/heads/* ]]; then + VERSION=${GITHUB_REF#refs/heads/} + else + VERSION=$GITHUB_REF + fi + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT # See https://stackoverflow.com/questions/70312490/github-actions-runner-environment-doesnt-build-for-arm-images - name: Set up QEMU to run ARM images (that were built with Depot) @@ -39,7 +47,7 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::534081306603:role/bref-layer-publisher-github-actions + role-to-assume: arn:aws:iam::873528684822:role/bref-layer-publisher-github-actions role-session-name: bref-layer-publisher-github-actions aws-region: us-east-1 @@ -86,7 +94,7 @@ jobs: owner: 'brefphp', repo: 'bref', workflow_id: 'update-layer-versions.yml', - ref: 'master', + ref: 'v3', inputs: { release_url: '${{ github.event.release.url }}', release_html_url: '${{ github.event.release.html_url }}', @@ -108,5 +116,5 @@ jobs: owner: 'brefphp', repo: 'layers.js', workflow_id: 'release.yml', - ref: 'main' + ref: 'v3' }) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3ef8d590..c1fe7923 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -25,7 +25,7 @@ jobs: script: | const matrix = { cpu: ['x86', 'arm'], - php_version: ['80', '81', '82', '83', '84'], + php_version: ['82', '83', '84'], } // If this is a third-party pull request, skip ARM builds 
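Review bot: In the new `Get the version` step, `VERSION` can now come from a branch name or, in the `else` arm, from the raw `$GITHUB_REF`, and nothing checks its shape before it is written to the step output. If later steps use it as a Docker tag or layer version (not visible in this hunk), a ref such as `feature/x` would carry a `/` into that value. I would reject anything outside the expected pattern before the final `echo`, for example `[[ $VERSION =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unexpected ref: $GITHUB_REF" >&2; exit 1; }`. The redirection target should also be quoted: `echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"`.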
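Review bot: The `role-to-assume` ARN now names a different AWS account (`873528684822`), and nothing next to the line says what that account is or why publishing moves there. Because this role is what publishes the layers, I would add a comment above it, e.g. `# Publisher account for this release line; the role's trust policy must only accept this repository`, and confirm before merging that the trust policy in the new account is scoped that way. If the role is assumed through GitHub's OIDC provider, that means a condition on the token's `sub` claim. The policy itself is not visible here, so this is a check to make rather than a defect I can point to. The `with:` block continues outside the hunk.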
@@ -73,13 +73,6 @@ jobs: - name: Test that layers can be exported run: | make layer-php-${{ matrix.php_version }} - make layer-php-${{ matrix.php_version }}-fpm - env: - CPU: ${{ matrix.cpu }} - - - name: Test that the "console" layer can be exported - run: make layer-console - if: ${{ matrix.php_version == 80 }} env: CPU: ${{ matrix.cpu }} diff --git a/Makefile b/Makefile index e0e798d7..b8fbe21e 100644 --- a/Makefile +++ b/Makefile @@ -35,21 +35,15 @@ default: docker-images layers # Build Docker images *locally* -docker-images: docker-images-php-80 docker-images-php-81 docker-images-php-82 docker-images-php-83 docker-images-php-84 +docker-images: docker-images-php-82 docker-images-php-83 docker-images-php-84 docker-images-php-%: PHP_VERSION=$* ${BAKE_COMMAND} --load # Build Lambda layers (zip files) *locally* -layers: layer-php-80 layer-php-81 layer-php-82 layer-php-83 layer-php-84 layer-php-80-fpm layer-php-81-fpm layer-php-82-fpm layer-php-83-fpm layer-php-84-fpm - # Build the console layer only once (x86 and single PHP version) - @if [ ${CPU} = "x86" ]; then \ - $(MAKE) layer-console; \ - fi -layer-console: - ./utils/docker-zip-dir.sh bref/console-zip console -# This rule matches with a wildcard, for example `layer-php-80`. -# The `$*` variable will contained the matched part, in this case `php-80`. +layers: layer-php-82 layer-php-83 layer-php-84 +# This rule matches with a wildcard, for example `layer-php-84`. +# The `$*` variable will contained the matched part, in this case `php-84`. layer-%: ./utils/docker-zip-dir.sh bref/${CPU_PREFIX}$* ${CPU_PREFIX}$* 
@@ -57,20 +51,13 @@ layer-%: # Upload the layers to AWS Lambda # Uses the current AWS_PROFILE. Most users will not want to use this option # as this will publish all layers to all regions + publish all Docker images. -upload-layers: upload-layers-php-80 upload-layers-php-81 upload-layers-php-82 upload-layers-php-83 upload-layers-php-84 - # Upload the console layer only once (x86 and single PHP version) - @if [ ${CPU} = "x86" ]; then \ - LAYER_NAME=console $(MAKE) -C ./utils/lambda-publish publish-parallel; \ - fi +upload-layers: upload-layers-php-82 upload-layers-php-83 upload-layers-php-84 upload-layers-php-%: - # Upload the function layers to AWS LAYER_NAME=${CPU_PREFIX}php-$* $(MAKE) -C ./utils/lambda-publish publish-parallel - # Upload the FPM layers to AWS - LAYER_NAME=${CPU_PREFIX}php-$*-fpm $(MAKE) -C ./utils/lambda-publish publish-parallel # Publish Docker images to Docker Hub. -upload-to-docker-hub: upload-to-docker-hub-php-80 upload-to-docker-hub-php-81 upload-to-docker-hub-php-82 upload-to-docker-hub-php-83 upload-to-docker-hub-php-84 +upload-to-docker-hub: upload-to-docker-hub-php-82 upload-to-docker-hub-php-83 upload-to-docker-hub-php-84 upload-to-docker-hub-php-%: # Make sure we have defined the docker tag (test $(DOCKER_TAG)) && echo "Tagging images with \"${DOCKER_TAG}\"" || echo "You have to define environment variable DOCKER_TAG" 
@@ -78,23 +65,21 @@ upload-to-docker-hub-php-%: set -e ; \ for image in \ - "bref/${CPU_PREFIX}php-$*" "bref/${CPU_PREFIX}php-$*-fpm" "bref/${CPU_PREFIX}php-$*-console" \ - "bref/${CPU_PREFIX}build-php-$*" "bref/${CPU_PREFIX}php-$*-fpm-dev"; \ + "bref/${CPU_PREFIX}php-$*" "bref/${CPU_PREFIX}build-php-$*" "bref/${CPU_PREFIX}php-$*-dev"; \ do \ - docker tag $$image $$image:2 ; \ + docker tag $$image $$image:3 ; \ docker tag $$image $$image:${DOCKER_TAG} ; \ - docker push $$image:2 ; \ + docker push $$image:3 ; \ docker push $$image:${DOCKER_TAG} ; \ - docker push $$image:latest ; \ done -test: test-80 test-81 test-82 test-83 test-84 +test: test-82 test-83 test-84 test-%: cd tests && $(MAKE) test-$* -clean: clean-80 clean-81 clean-82 clean-83 clean-84 +clean: clean-82 clean-83 clean-84 # Clear the build cache, else all images will be rebuilt using cached layers docker builder prune # Remove zip files @@ -104,7 +89,4 @@ clean-%: docker image rm --force bref/${CPU_PREFIX}build-php-$* \ bref/${CPU_PREFIX}php-$* \ bref/${CPU_PREFIX}php-$*-zip \ - bref/${CPU_PREFIX}php-$*-fpm \ - bref/${CPU_PREFIX}php-$*-fpm-zip \ - bref/${CPU_PREFIX}php-$*-fpm-dev \ - bref/${CPU_PREFIX}php-$*-console + bref/${CPU_PREFIX}php-$*-dev diff --git a/README.md b/README.md index f9b1a67e..6d8541d3 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ The published Lambda layers will be public (they are readonly anyway). You can f If you ever need to check out the content of a layer, you can start a `bash` terminal inside the Docker image: ```sh -docker run --rm -it --entrypoint=bash bref/php-80 +docker run --rm -it --entrypoint=bash bref/php-84 ``` > **Note:** 
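Review bot: The floating tag is now the literal `3` written twice, in `docker tag $$image $$image:3` and `docker push $$image:3`, so the next major bump has to find both. A variable near the top of the Makefile, `DOCKER_MAJOR_TAG ?= 3`, used as `$$image:$(DOCKER_MAJOR_TAG)` in both lines, would keep them in step. Since this recipe moves a public tag that consumers pull by name, it is also worth making the `DOCKER_TAG` check above the loop fail the recipe instead of only printing a message. That check is a context line in the previous hunk, and the recipe starts outside this one.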
@@ -148,10 +148,8 @@ Anything we want to make available in AWS Lambda is possible by preparing the ri bref/ # custom Bref files extensions/ # PHP extensions ... - php-fpm-runtime/ # the built-in FPM runtime etc/php/conf.d/ # automatically loaded php.ini files bref.ini - bootstrap.php # (for the function layer only) bootstrap # entrypoint of the runtime diff --git a/docker-bake.hcl b/docker-bake.hcl index 19aee00b..55660f2c 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ group "default" { - targets = ["build-php", "php", "php-fpm", "console-zip", "console", "php-fpm-dev"] + targets = ["build-php", "php", "php-dev"] } variable "CPU" { @@ -9,7 +9,7 @@ variable "CPU_PREFIX" { default = "" } variable "PHP_VERSION" { - default = "80" + default = "84" } variable "IMAGE_VERSION_SUFFIX" { default = "x86_64" @@ -23,9 +23,9 @@ variable "PHP_COMPILATION_FLAGS" { target "build-php" { dockerfile = "php-${PHP_VERSION}/Dockerfile" - target = "build-environment" - tags = ["bref/${CPU_PREFIX}build-php-${PHP_VERSION}"] - args = { + target = "build-environment" + tags = ["bref/${CPU_PREFIX}build-php-${PHP_VERSION}"] + args = { "IMAGE_VERSION_SUFFIX" = "${IMAGE_VERSION_SUFFIX}" "PHP_COMPILATION_FLAGS" = "${PHP_COMPILATION_FLAGS}" } @@ -34,9 +34,9 @@ target "build-php" { target "php" { dockerfile = "php-${PHP_VERSION}/Dockerfile" - target = "function" - tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}"] - args = { + target = "function" + tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}"] + args = { "IMAGE_VERSION_SUFFIX" = "${IMAGE_VERSION_SUFFIX}" "PHP_COMPILATION_FLAGS" = "${PHP_COMPILATION_FLAGS}" } 
@@ -46,58 +46,18 @@ target "php" { platforms = ["${DOCKER_PLATFORM}"] } -target "php-fpm" { +target "php-dev" { dockerfile = "php-${PHP_VERSION}/Dockerfile" - target = "fpm" - tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}-fpm"] - args = { + target = "dev" + tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}-dev"] + args = { "IMAGE_VERSION_SUFFIX" = "${IMAGE_VERSION_SUFFIX}" + "PHP_COMPILATION_FLAGS" = "${PHP_COMPILATION_FLAGS}" } contexts = { "bref/${CPU_PREFIX}build-php-${PHP_VERSION}" = "target:build-php" - "bref/${CPU_PREFIX}php-${PHP_VERSION}" = "target:php" - } - platforms = ["${DOCKER_PLATFORM}"] -} - -target "console-zip" { - context = "layers/console" - target = "console-zip" - tags = ["bref/console-zip"] - args = { - PHP_VERSION = "${PHP_VERSION}" - CPU_PREFIX = "${CPU_PREFIX}" - } - platforms = ["${DOCKER_PLATFORM}"] -} - -target "console" { - context = "layers/console" - target = "console" - tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}-console"] - args = { - PHP_VERSION = "${PHP_VERSION}" - CPU_PREFIX = "${CPU_PREFIX}" - } - contexts = { - "bref/${CPU_PREFIX}build-php-${PHP_VERSION}" = "target:build-php" - "bref/${CPU_PREFIX}php-${PHP_VERSION}" = "target:php" - } - platforms = ["${DOCKER_PLATFORM}"] -} - -target "php-fpm-dev" { - context = "layers/fpm-dev" - tags = ["bref/${CPU_PREFIX}php-${PHP_VERSION}-fpm-dev"] - args = { - PHP_VERSION = "${PHP_VERSION}" - CPU_PREFIX = "${CPU_PREFIX}" - } - contexts = { - "bref/${CPU_PREFIX}build-php-${PHP_VERSION}" = "target:build-php" - "bref/${CPU_PREFIX}php-${PHP_VERSION}" = "target:php" - "bref/${CPU_PREFIX}php-${PHP_VERSION}-fpm" = "target:php-fpm" - "bref/local-api-gateway" = "docker-image://bref/local-api-gateway:latest" + "bref/${CPU_PREFIX}php-${PHP_VERSION}" = "target:php" + "bref/local-api-gateway" = "docker-image://bref/local-api-gateway:latest" } platforms = ["${DOCKER_PLATFORM}"] } diff --git a/layers/console/Dockerfile b/layers/console/Dockerfile deleted file mode 100644 index cc542416..00000000 
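Review bot: The new `php-dev` target takes its `bref/local-api-gateway` context from `docker-image://bref/local-api-gateway:latest`, a mutable tag, so what ends up in each published `-dev` image depends on whatever that tag points to at build time. Pinning the context by digest, `"bref/local-api-gateway" = "docker-image://bref/local-api-gateway@sha256:<digest-placeholder>"`, makes the build reproducible and turns an upstream change into a reviewed update. What the `dev` stage copies from that context is defined in the Dockerfile, which is not part of this hunk.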
--- a/layers/console/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-# syntax = docker/dockerfile:1.4
-ARG PHP_VERSION
-ARG CPU_PREFIX
-
-
-# This image only contains what's going in the layer zip file,
-# i.e. the files specific to the console layer.
-# It's used to create the layer zip file.
-FROM alpine:3.14 as console-zip
-
-# Overwrite the "function" bootstrap
-COPY --link bootstrap.sh /opt/bootstrap
-# Copy files to /var/runtime to support deploying as a Docker image
-COPY --link bootstrap.sh /var/runtime/bootstrap
-
-
-# This image is published to Docker Hub and replicates Lambda
-FROM bref/${CPU_PREFIX}php-$PHP_VERSION as console
-
-# Copy the console layer into /opt
-COPY --link --from=console-zip /opt /opt
-COPY --link --from=console-zip /var/runtime/bootstrap /var/runtime/bootstrap
diff --git a/layers/console/README.md b/layers/console/README.md
deleted file mode 100644
index 4f9486d7..00000000
--- a/layers/console/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-The "console" layer is a layer that comes on top of the PHP runtime. It lets us execute console commands on lambda.
-
-Read more at [bref.sh/docs/runtimes/console.html](https://bref.sh/docs/runtimes/console.html).
diff --git a/layers/console/bootstrap.sh b/layers/console/bootstrap.sh
deleted file mode 100755
index d8f73ba3..00000000
--- a/layers/console/bootstrap.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Fail on error
-set -e
-
-# check if the RUNTIME_CLASS is already set
-if [ -z "${RUNTIME_CLASS}" ]; then
- export RUNTIME_CLASS="Bref\ConsoleRuntime\Main"
-fi
-
-while true
-do
- if [ -z "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" ]; then
- # Default behavior
-
- # We redirect stderr to stdout so that everything
- # written on the output ends up in Cloudwatch automatically
- php "/opt/bref/bootstrap.php" 2>&1
- else
- # A wrapper script is configured
- # See https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper
- # NOTE: EXPERIMENTAL FEATURE, DO NOT USE!!!
- # Note: If you do use it, open an issue or GitHub discussion or Slack thread
- # and let us know why it's useful to you, we might turn it into an official feature
- "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" php "/opt/bref/bootstrap.php" 2>&1
- fi
-done
diff --git a/layers/fpm-dev/Dockerfile b/layers/fpm-dev/Dockerfile
deleted file mode 100644
index 72991f53..00000000
--- a/layers/fpm-dev/Dockerfile
+++ /dev/null
@@ -1,45 +0,0 @@
-# syntax = docker/dockerfile:1.4
-ARG CPU_PREFIX
-ARG PHP_VERSION
-
-
-FROM bref/${CPU_PREFIX}build-php-$PHP_VERSION as build_extensions
-
-ARG PHP_VERSION
-
-RUN mkdir -p /opt/bref/extensions
-
-# Install xdebug
-RUN pecl install xdebug-3.4.3
-RUN cp $(php -r "echo ini_get('extension_dir');")/xdebug.so /opt/bref/extensions
-
-# Install Blackfire
-# https://blackfire.io/docs/up-and-running/installation?action=install&mode=full&version=latest&mode=full&location=server&os=manual&language=php#install-the-php-probe
-ARG BLACKFIRE_VERSION=1.87.2
-RUN if [ $PHP_VERSION != "83" ] && [ $PHP_VERSION != "84" ] && [ $CPU_PREFIX == "" ]; then curl -A "Docker" -o /opt/bref/extensions/blackfire.so -L -s "https://packages.blackfire.io/binaries/blackfire-php/$BLACKFIRE_VERSION/blackfire-php-linux_amd64-php-"$PHP_VERSION".so"; fi
-RUN if [ $PHP_VERSION != "83" ] && [ $PHP_VERSION != "84" ] && [ $CPU_PREFIX == "arm-" ]; then curl -A "Docker" -o /opt/bref/extensions/blackfire.so -L -s "https://packages.blackfire.io/binaries/blackfire-php/$BLACKFIRE_VERSION/blackfire-php-linux_arm64-php-"$PHP_VERSION".so"; fi
-
-
-FROM bref/${CPU_PREFIX}php-${PHP_VERSION}-fpm
-
-COPY --link --from=build_extensions /opt /opt
-COPY --link bref-entrypoint.sh /
-RUN chmod +x /bref-entrypoint.sh
-
-# Install node to run the JS app below
-RUN yum install https://rpm.nodesource.com/pub_16.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm -y
-RUN yum install --setopt=nodesource-nodejs.module_hotfixes=1 --setopt=skip_missing_names_on_install=False -y nodejs
-
-# Install the bref/local-api-gateway app in our container (avoids running 2 containers)
-COPY --link --from=bref/local-api-gateway /app /local-api-gateway
-EXPOSE 8000
-
-# Add `php/conf.dev.d` to the path where PHP looks for configuration files
-ENV PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d:/var/task/php/conf.d:/var/task/php/conf.dev.d"
-
-# Add composer
-COPY --link --from=composer/composer:2-bin /composer /usr/bin/composer
-
-# Originally the entrypoint is `/lambda-entrypoint.sh` and CMD contains the handler name
-# We override the entrypoint to run our own logic
-ENTRYPOINT [ "/bref-entrypoint.sh" ]
diff --git a/layers/fpm/bootstrap.sh b/layers/fpm/bootstrap.sh
deleted file mode 100644
index fd9d396a..00000000
--- a/layers/fpm/bootstrap.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Fail on error
-set -e
-
-# check if the RUNTIME_CLASS is already set
-if [ -z "${RUNTIME_CLASS}" ]; then
- export RUNTIME_CLASS="Bref\FpmRuntime\Main"
-fi
-
-while true
-do
- if [ -z "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" ]; then
- # Default behavior
-
- # We redirect stderr to stdout so that everything
- # written on the output ends up in Cloudwatch automatically
- php "/opt/bref/bootstrap.php" 2>&1
- else
- # A wrapper script is configured
- # See https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper
- # NOTE: EXPERIMENTAL FEATURE, DO NOT USE!!!
- # Note: If you do use it, open an issue or GitHub discussion or Slack thread
- # and let us know why it's useful to you, we might turn it into an official feature
- "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" php "/opt/bref/bootstrap.php" 2>&1
- fi
-done
diff --git a/layers/fpm/bref.ini b/layers/fpm/bref.ini
deleted file mode 100644
index e7f260b9..00000000
--- a/layers/fpm/bref.ini
+++ /dev/null
@@ -1,50 +0,0 @@
-; Do not display errors in production because with PHP-FPM that means
-; errors will be output in the HTTP response
-display_errors=0
-
-; Since PHP 7.4 the default value is E_ALL
-; We override it to set the recommended configuration value for production.
-; See https://github.com/php/php-src/blob/d91abf76e01a3c39424e8192ad049f473f900936/php.ini-production#L463
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-
-memory_limit=10240M
-
-opcache.enable=1
-
-; Skip this check to save a bit
-opcache.validate_permission=0
-
-; The code is readonly on lambdas so it never changes
-; This setting is now disabled: code could be written to /tmp which is read/write
-; (e.g. a compiled container) Such a performance optimization can be done by users.
-;opcache.validate_timestamps=0
-
-; Set sane values, modern PHP applications have higher needs than opcache's defaults
-; See https://tideways.com/profiler/blog/fine-tune-your-opcache-configuration-to-avoid-caching-suprises
-opcache.memory_consumption=128
-opcache.max_accelerated_files=10000
-
-; This directive determines which super global arrays are registered when PHP
-; starts up. G,P,C,E & S are abbreviations for the following respective super
-; globals: GET, POST, COOKIE, ENV and SERVER.
-; We explicitly populate all variables else ENV is not populated by default.
-; See https://github.com/brefphp/bref/pull/291
-variables_order="EGPCS"
-
-; The lambda environment is not compatible with fastcgi_finish_request
-; See https://github.com/brefphp/bref/issues/214
-disable_functions=fastcgi_finish_request
-
-; API Gateway has a timeout of 29 seconds. Setting this to 28 will give PHP some
-; time to properly finish up its resources and flush logs to CloudWatch.
-max_execution_time=28
-
-; The total upload size limit is 6Mb, we override the defaults to match this limit
-; API Gateway has a 10Mb limit, but Lambda's is 6Mb
-post_max_size=6M
-upload_max_filesize=6M
-
-extension_dir=/opt/bref/extensions
-; Extensions enabled by default
-extension=pdo_mysql.so
-zend_extension=opcache.so
diff --git a/layers/function/bootstrap.sh b/layers/function/bootstrap.sh
deleted file mode 100644
index 68ac19c4..00000000
--- a/layers/function/bootstrap.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Fail on error
-set -e
-
-# check if the RUNTIME_CLASS is already set
-if [ -z "${RUNTIME_CLASS}" ]; then
- export RUNTIME_CLASS="Bref\FunctionRuntime\Main"
-fi
-
-while true
-do
- if [ -z "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" ]; then
- # Default behavior
-
- # We redirect stderr to stdout so that everything
- # written on the output ends up in Cloudwatch automatically
- php "/opt/bref/bootstrap.php" 2>&1
- else
- # A wrapper script is configured
- # See https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper
- # NOTE: EXPERIMENTAL FEATURE, DO NOT USE!!!
- # Note: If you do use it, open an issue or GitHub discussion or Slack thread
- # and let us know why it's useful to you, we might turn it into an official feature
- "${EXPERIMENTAL_AWS_LAMBDA_EXEC_WRAPPER}" php "/opt/bref/bootstrap.php" 2>&1
- fi
-done
diff --git a/php-80/Dockerfile b/php-80/Dockerfile
deleted file mode 100644
index de4501fc..00000000
--- a/php-80/Dockerfile
+++ /dev/null
@@ -1,546 +0,0 @@ -# syntax = docker/dockerfile:1.4 - -# Can be "x86_64" or "arm64" -ARG IMAGE_VERSION_SUFFIX - -# https://www.php.net/downloads -ARG VERSION_PHP=8.0.30 - - -# Lambda uses a custom AMI named Amazon Linux 2 -# https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html -# AWS provides a Docker image that we use here: -# https://github.com/amazonlinux/container-images/tree/amzn2 -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as build-environment - - -RUN set -xe \ - # Download yum repository data to cache - && yum makecache \ - # Install default development tools (gcc, make, etc) - && yum groupinstall -y "Development Tools" --setopt=group_package_types=mandatory,default - - -# The default version of cmake is 2.8.12. We need cmake to build a few of -# our libraries, and at least one library requires a version of cmake greater than that. -# Needed to build: -# - libzip: minimum required CMAKE version 3.0. -RUN LD_LIBRARY_PATH= yum install -y cmake3 -# Override the default `cmake` -RUN ln -s /usr/bin/cmake3 /usr/bin/cmake - - -# We need a base path for all the sourcecode we will build from. -ENV BUILD_DIR="/tmp/build" - -# Target installation path for all the binaries and libraries we will compile. -# We need to use /opt because that's where AWS Lambda layers are unzipped, -# and we need binaries (e.g. /opt/bin/php) to look for libraries in /opt/lib. -# Indeed, `/opt/lib` is a path Lambda looks for libraries by default (it is in `LD_LIBRARY_PATH`) -# AND the `/opt/lib` path will be hardcoded in the compiled binaries and libraries (called "rpath"). -# -# Note: the /opt directory will be completely recreated from scratch in the final images, -# so it's ok at this stage if we "pollute" it with plenty of extra libs/build artifacts. 
-ENV INSTALL_DIR="/opt" - -# We need some default compiler variables setup -ENV PKG_CONFIG_PATH="${INSTALL_DIR}/lib64/pkgconfig:${INSTALL_DIR}/lib/pkgconfig" \ - PKG_CONFIG="/usr/bin/pkg-config" \ - PATH="${INSTALL_DIR}/bin:${PATH}" - -ENV LD_LIBRARY_PATH="${INSTALL_DIR}/lib64:${INSTALL_DIR}/lib" - -# Enable parallelism by default for make and cmake (like make -j) -# See https://stackoverflow.com/a/50883540/245552 -ENV CMAKE_BUILD_PARALLEL_LEVEL=4 -ENV MAKEFLAGS='-j4' - -# Ensure we have all the directories we require in the container. -RUN mkdir -p ${BUILD_DIR} \ - ${INSTALL_DIR}/bin \ - ${INSTALL_DIR}/doc \ - ${INSTALL_DIR}/etc/php \ - ${INSTALL_DIR}/etc/php/conf.d \ - ${INSTALL_DIR}/include \ - ${INSTALL_DIR}/lib \ - ${INSTALL_DIR}/lib64 \ - ${INSTALL_DIR}/libexec \ - ${INSTALL_DIR}/sbin \ - ${INSTALL_DIR}/share - - -############################################################################### -# ZLIB Build -# We compile a newer version because Lambda uses an old version (1.2.7) that -# has a security vulnerability (CVE-2022-37434). -# See https://github.com/brefphp/aws-lambda-layers/pull/110 -# Can be removed once Lambda updates their version. 
-# https://github.com/madler/zlib/releases -ENV VERSION_ZLIB=1.3.1 -ENV ZLIB_BUILD_DIR=${BUILD_DIR}/zlib -RUN set -xe; \ - mkdir -p ${ZLIB_BUILD_DIR}; \ - curl -Ls https://github.com/madler/zlib/releases/download/v${VERSION_ZLIB}/zlib-${VERSION_ZLIB}.tar.gz \ - | tar xzC ${ZLIB_BUILD_DIR} --strip-components=1 -WORKDIR ${ZLIB_BUILD_DIR}/ -RUN set -xe; \ - make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} -RUN set -xe; \ - make install \ - && rm ${INSTALL_DIR}/lib/libz.a - - -############################################################################### -# OPENSSL -# https://github.com/openssl/openssl/releases -# Needs: -# - zlib -# Needed by: -# - curl -# - php -ENV VERSION_OPENSSL=1.1.1w -ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl -ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem" -ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem" -RUN set -xe; \ - mkdir -p ${OPENSSL_BUILD_DIR}; \ - curl -Ls https://github.com/openssl/openssl/archive/OpenSSL_${VERSION_OPENSSL//./_}.tar.gz \ - | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 -WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./config \ - --prefix=${INSTALL_DIR} \ - --openssldir=${INSTALL_DIR}/bref/ssl \ - --release \ - enable-tls1_3 \ - no-tests \ - shared \ - zlib -# Explicitly compile make without parallelism because it fails if we use -jX (no error message) -# I'm not 100% sure why, and I already lost 4 hours on this, but I found this: -# https://github.com/openssl/openssl/issues/9931 -# https://stackoverflow.com/questions/28639207/why-cant-i-compile-openssl-with-multiple-threads-make-j3 -# Run `make install_sw install_ssldirs` instead of `make install` to skip installing man pages https://github.com/openssl/openssl/issues/8170 -RUN make -j1 install_sw 
install_ssldirs -RUN mkdir -p ${INSTALL_DIR}/bref/ssl && curl -Lk -o ${CA_BUNDLE} ${CA_BUNDLE_SOURCE} - - -############################################################################### -# LIBXML2 -# https://gitlab.gnome.org/GNOME/libxml2/-/releases -# Uses: -# - zlib -# Needed by: -# - php -# - libnghttp2 -ENV VERSION_XML2=2.11.9 -ENV XML2_BUILD_DIR=${BUILD_DIR}/xml2 -RUN set -xe; \ - mkdir -p ${XML2_BUILD_DIR}; \ - curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ - | tar xJC ${XML2_BUILD_DIR} --strip-components=1 -WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --with-sysroot=${INSTALL_DIR} \ - --enable-shared \ - --disable-static \ - --with-html \ - --with-history \ - --enable-ipv6=no \ - --with-icu \ - --with-zlib \ - --without-python -RUN make install \ - && cp xml2-config ${INSTALL_DIR}/bin/xml2-config - - -############################################################################### -# LIBSSH2 -# https://github.com/libssh2/libssh2/releases -# Needs: -# - zlib -# - OpenSSL -# Needed by: -# - curl -ENV VERSION_LIBSSH2=1.11.1 -ENV LIBSSH2_BUILD_DIR=${BUILD_DIR}/libssh2 -RUN set -xe; \ - mkdir -p ${LIBSSH2_BUILD_DIR}/bin; \ - curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ - | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - cmake .. 
\ - # Build as a shared library (.so) instead of a static one - -DBUILD_SHARED_LIBS=ON \ - # Build with OpenSSL support - -DCRYPTO_BACKEND=OpenSSL \ - # Build with zlib support - -DENABLE_ZLIB_COMPRESSION=ON \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DCMAKE_BUILD_TYPE=RELEASE -RUN cmake --build . --target install - - -############################################################################### -# LIBNGHTTP2 -# This adds support for HTTP 2 requests in curl. -# See https://github.com/brefphp/bref/issues/727 and https://github.com/brefphp/bref/pull/740 -# https://github.com/nghttp2/nghttp2/releases -# Needs: -# - zlib -# - OpenSSL -# - libxml2 -# Needed by: -# - curl -ENV VERSION_NGHTTP2=1.65.0 -ENV NGHTTP2_BUILD_DIR=${BUILD_DIR}/nghttp2 -RUN set -xe; \ - mkdir -p ${NGHTTP2_BUILD_DIR}; \ - curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ - | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 -WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --enable-lib-only \ - --prefix=${INSTALL_DIR} -RUN make install - - -############################################################################### -# LIBPSL -# This adds support for the public suffix list in curl. 
-# https://github.com/rockdaboot/libpsl/releases -# Needed by: -# - curl -ENV VERSION_LIBPSL=0.21.5 -ENV LIBPSL_BUILD_DIR=${BUILD_DIR}/libpsl -RUN set -xe; \ - mkdir -p ${LIBPSL_BUILD_DIR}; \ - curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ - | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} -RUN make -j $(nproc) && make install - - -############################################################################### -# CURL -# # https://github.com/curl/curl/releases -# # Needs: -# # - zlib -# # - OpenSSL -# # - libssh2 -# # - libnghttp2 -# # Needed by: -# # - php -ENV VERSION_CURL=8.14.1 -ENV CURL_BUILD_DIR=${BUILD_DIR}/curl -RUN set -xe; \ - mkdir -p ${CURL_BUILD_DIR}/bin; \ - curl -Ls https://github.com/curl/curl/archive/curl-${VERSION_CURL//./_}.tar.gz \ - | tar xzC ${CURL_BUILD_DIR} --strip-components=1 -WORKDIR ${CURL_BUILD_DIR}/ -RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --with-ca-bundle=${CA_BUNDLE} \ - --enable-shared \ - --disable-static \ - --enable-optimize \ - --disable-warnings \ - --disable-dependency-tracking \ - --with-zlib \ - --enable-http \ - --enable-ftp \ - --enable-file \ - --enable-proxy \ - --enable-tftp \ - --enable-ipv6 \ - --enable-openssl-auto-load-config \ - --enable-cookies \ - --with-gnu-ld \ - --with-ssl \ - --with-libssh2 \ - --with-nghttp2 -RUN make install - - -############################################################################### -# LIBZIP -# https://github.com/nih-at/libzip/releases -# Needed by: -# - php -ENV VERSION_ZIP=1.11.4 -ENV ZIP_BUILD_DIR=${BUILD_DIR}/zip -RUN set -xe; \ - mkdir -p 
${ZIP_BUILD_DIR}/bin/; \ - curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ - | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 -WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - cmake .. \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DCMAKE_BUILD_TYPE=RELEASE -RUN cmake --build . --target install - - -############################################################################### -# LIBSODIUM -# https://github.com/jedisct1/libsodium/releases -# Needed by: -# - php -ENV VERSION_LIBSODIUM=1.0.20 -ENV LIBSODIUM_BUILD_DIR=${BUILD_DIR}/libsodium -RUN set -xe; \ - mkdir -p ${LIBSODIUM_BUILD_DIR}; \ - curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ - | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./autogen.sh \ -&& ./configure --prefix=${INSTALL_DIR} -RUN make install - - -############################################################################### -# Postgres -# https://github.com/postgres/postgres/tags -# Needs: -# - OpenSSL -# Needed by: -# - php -ENV VERSION_POSTGRES=17.5 -ENV POSTGRES_BUILD_DIR=${BUILD_DIR}/postgres -RUN set -xe; \ - mkdir -p ${POSTGRES_BUILD_DIR}/bin; \ - curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ - | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 -WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline -RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install -RUN cd ${POSTGRES_BUILD_DIR}/src/bin/pg_config && 
make && make install -RUN cd ${POSTGRES_BUILD_DIR}/src/backend && make generated-headers -RUN cd ${POSTGRES_BUILD_DIR}/src/include && make install - - -############################################################################### -# Oniguruma -# This library is not packaged in PHP since PHP 7.4. -# See https://github.com/php/php-src/blob/43dc7da8e3719d3e89bd8ec15ebb13f997bbbaa9/UPGRADING#L578-L581 -# We do not install the system version because I didn't manage to make it work... -# Ideally we shouldn't compile it ourselves. -# https://github.com/kkos/oniguruma/releases -# Needed by: -# - php mbstring -ENV VERSION_ONIG=6.9.10 -ENV ONIG_BUILD_DIR=${BUILD_DIR}/oniguruma -RUN set -xe; \ - mkdir -p ${ONIG_BUILD_DIR}; \ - curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ - | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 -WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} -RUN make && make install - - -############################################################################### -# Install some dev files for using old libraries already on the system -# readline-devel : needed for the readline extension -# gettext-devel : needed for the --with-gettext flag -# libicu-devel : needed for intl -# libxslt-devel : needed for the XSL extension -# sqlite-devel : Since PHP 7.4 this must be installed (https://github.com/php/php-src/blob/99b8e67615159fc600a615e1e97f2d1cf18f14cb/UPGRADING#L616-L619) -# libffi-devel : needed for the FFI extension -RUN LD_LIBRARY_PATH= yum install -y readline-devel gettext-devel libicu-devel libxslt-devel sqlite-devel libffi-devel - -# Note: this variable is used when building extra/custom extensions, do not remove -ENV PHP_BUILD_DIR=/tmp/php - -# PHP Build -# https://github.com/php/php-src/releases -# Needs: -# - zlib -# - libxml2 -# - openssl -# - readline -# - sodium -RUN mkdir -p ${PHP_BUILD_DIR} -WORKDIR ${PHP_BUILD_DIR} - -# Download and unpack the source code -# 
--location will follow redirects -# --silent will hide the progress, but also the errors: we restore error messages with --show-error -# --fail makes sure that curl returns an error instead of fetching the 404 page -ARG VERSION_PHP -RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${VERSION_PHP}.tar.gz/from/this/mirror \ - | tar xzC . --strip-components=1 - -# Configure the build -# -fstack-protector-strong : Be paranoid about stack overflows -# -fpic : Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) -# -fpie : Support Address Space Layout Randomization (see -fpic) -# -O3 : Optimize for fastest binaries possible. -# -I : Add the path to the list of directories to be searched for header files during preprocessing. -# --enable-option-checking=fatal: make sure invalid --configure-flags are fatal errors instead of just warnings -# --enable-ftp: because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) -# --enable-mbstring: because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) -# --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 -ARG PHP_COMPILATION_FLAGS -RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --enable-option-checking=fatal \ - --enable-sockets \ - --with-config-file-path=/opt/bref/etc/php \ - --with-config-file-scan-dir=/opt/bref/etc/php/conf.d:/var/task/php/conf.d \ - --enable-fpm \ - --disable-cgi \ - --enable-cli 
\ - --disable-phpdbg \ - --with-sodium \ - --with-readline \ - --with-openssl \ - --with-zlib \ - --with-zlib-dir \ - --with-curl \ - --enable-exif \ - --enable-ftp \ - --with-gettext \ - --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ - --with-mysqli \ - --enable-pcntl \ - --with-zip \ - --enable-bcmath \ - --with-pdo-pgsql=shared,${INSTALL_DIR} \ - --enable-intl=shared \ - --enable-soap \ - --with-xsl=${INSTALL_DIR} \ - --with-ffi \ - # necessary for `pecl` to work (to install PHP extensions) - --with-pear \ - # extra compilation flags - ${PHP_COMPILATION_FLAGS} -RUN make -j $(nproc) -# Run `make install` and override PEAR's PHAR URL because pear.php.net is down -RUN set -xe; \ - make install PEAR_INSTALLER_URL='https://github.com/pear/pearweb_phars/raw/master/install-pear-nozlib.phar'; \ - { find ${INSTALL_DIR}/bin ${INSTALL_DIR}/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; }; \ - make clean; \ - cp php.ini-production ${INSTALL_DIR}/etc/php/php.ini - - -# Install extensions -# We can install extensions manually or using `pecl` -ENV VERSION_APCU=5.1.24 -RUN pecl install apcu-${VERSION_APCU} - - -# --------------------------------------------------------------- -# Now we copy everything we need for the layers into /bref-layer (which will be used for the real /opt later) -RUN mkdir -p /bref-layer/bin \ -&& mkdir -p /bref-layer/lib \ -&& mkdir -p /bref-layer/bref/extensions \ -&& mkdir -p /bref-layer/bref/ssl - -# Copy the PHP binary -RUN cp ${INSTALL_DIR}/bin/php /bref-layer/bin/php && chmod +x /bref-layer/bin/php - -# Copy all the external PHP extensions -RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ - -# Copy all the required system libraries from: -# - /lib | /lib64 (system libraries installed with `yum`) -# - /opt/bin | /opt/lib | /opt/lib64 (libraries compiled from source) -# into `/bref-layer` (the temp directory for the future Lambda layer) -COPY --link utils/lib-copy /bref/lib-copy -RUN php 
/bref/lib-copy/copy-dependencies.php /bref-layer/bin/php /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/apcu.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/intl.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/opcache.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/pdo_mysql.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/pdo_pgsql.so /bref-layer/lib - -# Copy the OpenSSL certificates file -RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem - -# Copy the OpenSSL config -RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf - - -# --------------------------------------------------------------- -# Start from a clean image to copy only the files we need -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as isolation - -# We selected the files in /bref-layer, now we copy them to /opt (the real directory for the Lambda layer) -COPY --link --from=build-environment /bref-layer /opt - -COPY --link layers/bootstrap.php /opt/bref/bootstrap.php - - -FROM isolation as function - -COPY --link layers/function/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/function/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/function/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap - - -# Up until here the entire file has been designed as a top-down reading/execution. -# Everything necessary for the `function` layer has been installed, isolated and -# packaged. Now we'll go back one step and start from the extensions so that we -# can install fpm. Then we'll start the fpm layer and quickly isolate fpm. 
- -FROM build-environment as fpm-extension - -RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib - - -FROM isolation as fpm - -COPY --link --from=fpm-extension /bref-layer /opt - -COPY --link layers/fpm/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/fpm/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/fpm/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap - -COPY --link layers/fpm/php-fpm.conf /opt/bref/etc/php-fpm.conf diff --git a/php-81/Dockerfile b/php-81/Dockerfile deleted file mode 100644 index 3c5ca0ca..00000000 --- a/php-81/Dockerfile +++ /dev/null 
@@ -1,568 +0,0 @@ -# syntax = docker/dockerfile:1.4 - -# Can be "x86_64" or "arm64" -ARG IMAGE_VERSION_SUFFIX - -# https://www.php.net/downloads -ARG VERSION_PHP=8.1.32 - - -# Lambda uses a custom AMI named Amazon Linux 2 -# https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html -# AWS provides a Docker image that we use here: -# https://github.com/amazonlinux/container-images/tree/amzn2 -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as build-environment - - -RUN set -xe \ - # Download yum repository data to cache - && yum makecache \ - # Install default development tools (gcc, make, etc) - && yum groupinstall -y "Development Tools" --setopt=group_package_types=mandatory,default - - -# The default version of cmake is 2.8.12. We need cmake to build a few of -# our libraries, and at least one library requires a version of cmake greater than that. -# Needed to build: -# - libzip: minimum required CMAKE version 3.0. -RUN LD_LIBRARY_PATH= yum install -y cmake3 -# Override the default `cmake` -RUN ln -s /usr/bin/cmake3 /usr/bin/cmake - - -# We need a base path for all the sourcecode we will build from. -ENV BUILD_DIR="/tmp/build" - -# Target installation path for all the binaries and libraries we will compile. -# We need to use /opt because that's where AWS Lambda layers are unzipped, -# and we need binaries (e.g. /opt/bin/php) to look for libraries in /opt/lib. -# Indeed, `/opt/lib` is a path Lambda looks for libraries by default (it is in `LD_LIBRARY_PATH`) -# AND the `/opt/lib` path will be hardcoded in the compiled binaries and libraries (called "rpath"). -# -# Note: the /opt directory will be completely recreated from scratch in the final images, -# so it's ok at this stage if we "pollute" it with plenty of extra libs/build artifacts. 
-ENV INSTALL_DIR="/opt" - -# We need some default compiler variables setup -ENV PKG_CONFIG_PATH="${INSTALL_DIR}/lib64/pkgconfig:${INSTALL_DIR}/lib/pkgconfig" \ - PKG_CONFIG="/usr/bin/pkg-config" \ - PATH="${INSTALL_DIR}/bin:${PATH}" - -ENV LD_LIBRARY_PATH="${INSTALL_DIR}/lib64:${INSTALL_DIR}/lib" - -# Enable parallelism by default for make and cmake (like make -j) -# See https://stackoverflow.com/a/50883540/245552 -ENV CMAKE_BUILD_PARALLEL_LEVEL=4 -ENV MAKEFLAGS='-j4' - -# Ensure we have all the directories we require in the container. -RUN mkdir -p ${BUILD_DIR} \ - ${INSTALL_DIR}/bin \ - ${INSTALL_DIR}/doc \ - ${INSTALL_DIR}/etc/php \ - ${INSTALL_DIR}/etc/php/conf.d \ - ${INSTALL_DIR}/include \ - ${INSTALL_DIR}/lib \ - ${INSTALL_DIR}/lib64 \ - ${INSTALL_DIR}/libexec \ - ${INSTALL_DIR}/sbin \ - ${INSTALL_DIR}/share - - -############################################################################### -# ZLIB Build -# We compile a newer version because Lambda uses an old version (1.2.7) that -# has a security vulnerability (CVE-2022-37434). -# See https://github.com/brefphp/aws-lambda-layers/pull/110 -# Can be removed once Lambda updates their version. 
-# https://github.com/madler/zlib/releases -ENV VERSION_ZLIB=1.3.1 -ENV ZLIB_BUILD_DIR=${BUILD_DIR}/zlib -RUN set -xe; \ - mkdir -p ${ZLIB_BUILD_DIR}; \ - curl -Ls https://github.com/madler/zlib/releases/download/v${VERSION_ZLIB}/zlib-${VERSION_ZLIB}.tar.gz \ - | tar xzC ${ZLIB_BUILD_DIR} --strip-components=1 -WORKDIR ${ZLIB_BUILD_DIR}/ -RUN set -xe; \ - make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} -RUN set -xe; \ - make install \ - && rm ${INSTALL_DIR}/lib/libz.a - - -############################################################################### -# OPENSSL -# https://github.com/openssl/openssl/releases -# Needs: -# - zlib -# Needed by: -# - curl -# - php -RUN yum install -y perl-IPC-Cmd -ENV VERSION_OPENSSL=3.3.3 -ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl -ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem" -ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem" -RUN set -xe; \ - mkdir -p ${OPENSSL_BUILD_DIR}; \ - curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ - | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 -WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./config \ - --prefix=${INSTALL_DIR} \ - --openssldir=${INSTALL_DIR}/bref/ssl \ - --release \ - enable-tls1_3 \ - no-tests \ - shared \ - zlib -# Explicitly compile make without parallelism because it fails if we use -jX (no error message) -# I'm not 100% sure why, and I already lost 4 hours on this, but I found this: -# https://github.com/openssl/openssl/issues/9931 -# https://stackoverflow.com/questions/28639207/why-cant-i-compile-openssl-with-multiple-threads-make-j3 -# Run `make install_sw install_ssldirs` instead of `make install` to skip installing man pages 
https://github.com/openssl/openssl/issues/8170 -RUN make -j1 install_sw install_ssldirs -RUN mkdir -p ${INSTALL_DIR}/bref/ssl && curl -Lk -o ${CA_BUNDLE} ${CA_BUNDLE_SOURCE} - - -############################################################################### -# LIBXML2 -# https://gitlab.gnome.org/GNOME/libxml2/-/releases -# Uses: -# - zlib -# Needed by: -# - php -# - libnghttp2 -ENV VERSION_XML2=2.12.10 -ENV XML2_BUILD_DIR=${BUILD_DIR}/xml2 -RUN set -xe; \ - mkdir -p ${XML2_BUILD_DIR}; \ - curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ - | tar xJC ${XML2_BUILD_DIR} --strip-components=1 -WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --with-sysroot=${INSTALL_DIR} \ - --enable-shared \ - --disable-static \ - --with-html \ - --with-history \ - --enable-ipv6=no \ - --with-icu \ - --with-zlib \ - --without-python -RUN make install \ - && cp xml2-config ${INSTALL_DIR}/bin/xml2-config - - -############################################################################### -# LIBSSH2 -# https://github.com/libssh2/libssh2/releases -# Needs: -# - zlib -# - OpenSSL -# Needed by: -# - curl -ENV VERSION_LIBSSH2=1.11.1 -ENV LIBSSH2_BUILD_DIR=${BUILD_DIR}/libssh2 -RUN set -xe; \ - mkdir -p ${LIBSSH2_BUILD_DIR}/bin; \ - curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ - | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - cmake .. 
\ - # Build as a shared library (.so) instead of a static one - -DBUILD_SHARED_LIBS=ON \ - # Build with OpenSSL support - -DCRYPTO_BACKEND=OpenSSL \ - # Build with zlib support - -DENABLE_ZLIB_COMPRESSION=ON \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DCMAKE_BUILD_TYPE=RELEASE -RUN cmake --build . --target install - - -############################################################################### -# LIBNGHTTP2 -# This adds support for HTTP 2 requests in curl. -# See https://github.com/brefphp/bref/issues/727 and https://github.com/brefphp/bref/pull/740 -# https://github.com/nghttp2/nghttp2/releases -# Needs: -# - zlib -# - OpenSSL -# - libxml2 -# Needed by: -# - curl -ENV VERSION_NGHTTP2=1.65.0 -ENV NGHTTP2_BUILD_DIR=${BUILD_DIR}/nghttp2 -RUN set -xe; \ - mkdir -p ${NGHTTP2_BUILD_DIR}; \ - curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ - | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 -WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --enable-lib-only \ - --prefix=${INSTALL_DIR} -RUN make install - - -############################################################################### -# LIBPSL -# This adds support for the public suffix list in curl. 
-# https://github.com/rockdaboot/libpsl/releases -# Needed by: -# - curl -ENV VERSION_LIBPSL=0.21.5 -ENV LIBPSL_BUILD_DIR=${BUILD_DIR}/libpsl -RUN set -xe; \ - mkdir -p ${LIBPSL_BUILD_DIR}; \ - curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ - | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} -RUN make -j $(nproc) && make install - - -############################################################################### -# CURL -# # https://github.com/curl/curl/releases -# # Needs: -# # - zlib -# # - OpenSSL -# # - libssh2 -# # - libnghttp2 -# # Needed by: -# # - php -ENV VERSION_CURL=8.14.1 -ENV CURL_BUILD_DIR=${BUILD_DIR}/curl -RUN set -xe; \ - mkdir -p ${CURL_BUILD_DIR}/bin; \ - curl -Ls https://github.com/curl/curl/archive/curl-${VERSION_CURL//./_}.tar.gz \ - | tar xzC ${CURL_BUILD_DIR} --strip-components=1 -WORKDIR ${CURL_BUILD_DIR}/ -RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --with-ca-bundle=${CA_BUNDLE} \ - --enable-shared \ - --disable-static \ - --enable-optimize \ - --disable-warnings \ - --disable-dependency-tracking \ - --with-zlib \ - --enable-http \ - --enable-ftp \ - --enable-file \ - --enable-proxy \ - --enable-tftp \ - --enable-ipv6 \ - --enable-openssl-auto-load-config \ - --enable-cookies \ - --with-gnu-ld \ - --with-ssl \ - --with-libssh2 \ - --with-nghttp2 -RUN make install - - -############################################################################### -# LIBZIP -# https://github.com/nih-at/libzip/releases -# Needed by: -# - php -ENV VERSION_ZIP=1.11.4 -ENV ZIP_BUILD_DIR=${BUILD_DIR}/zip -RUN set -xe; \ - mkdir -p 
${ZIP_BUILD_DIR}/bin/; \ - curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ - | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 -WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - cmake .. \ - -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ - -DCMAKE_BUILD_TYPE=RELEASE -RUN cmake --build . --target install - - -############################################################################### -# LIBSODIUM -# https://github.com/jedisct1/libsodium/releases -# Needed by: -# - php -ENV VERSION_LIBSODIUM=1.0.20 -ENV LIBSODIUM_BUILD_DIR=${BUILD_DIR}/libsodium -RUN set -xe; \ - mkdir -p ${LIBSODIUM_BUILD_DIR}; \ - curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ - | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 -WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./autogen.sh \ -&& ./configure --prefix=${INSTALL_DIR} -RUN make install - - -############################################################################### -# Postgres -# https://github.com/postgres/postgres/tags -# Needs: -# - OpenSSL -# Needed by: -# - php -ENV VERSION_POSTGRES=17.5 -ENV POSTGRES_BUILD_DIR=${BUILD_DIR}/postgres -RUN set -xe; \ - mkdir -p ${POSTGRES_BUILD_DIR}/bin; \ - curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ - | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 -WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ - ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline -RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install -RUN cd ${POSTGRES_BUILD_DIR}/src/bin/pg_config && 
make && make install -RUN cd ${POSTGRES_BUILD_DIR}/src/backend && make generated-headers -RUN cd ${POSTGRES_BUILD_DIR}/src/include && make install - - -############################################################################### -# Oniguruma -# This library is not packaged in PHP since PHP 7.4. -# See https://github.com/php/php-src/blob/43dc7da8e3719d3e89bd8ec15ebb13f997bbbaa9/UPGRADING#L578-L581 -# We do not install the system version because I didn't manage to make it work... -# Ideally we shouldn't compile it ourselves. -# https://github.com/kkos/oniguruma/releases -# Needed by: -# - php mbstring -ENV VERSION_ONIG=6.9.10 -ENV ONIG_BUILD_DIR=${BUILD_DIR}/oniguruma -RUN set -xe; \ - mkdir -p ${ONIG_BUILD_DIR}; \ - curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ - | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 -WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} -RUN make && make install - - -############################################################################### -# SQLite -# Since PHP 7.4, libsqlite must be installed (https://github.com/php/php-src/blob/99b8e67615159fc600a615e1e97f2d1cf18f14cb/UPGRADING#L616-L619) -# Laravel 11 requires SQLite 3.35.0 or higher and Drupal 10 also requires a -# newer version than the system version of 3.7.17. 
-# https://laravel.com/docs/11.x/upgrade#sqlite-minimum-version -# https://www.sqlite.org/changes.html -# Needed by: -# - php -RUN LD_LIBRARY_PATH= yum install -y tcl -ENV VERSION_SQLITE=3.50.0 -ENV SQLITE_BUILD_DIR=${BUILD_DIR}/sqlite -RUN set -xe; \ - mkdir -p ${SQLITE_BUILD_DIR}; \ - curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ - | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 -WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} -RUN make && make install - - -############################################################################### -# Install some dev files for using old libraries already on the system -# readline-devel : needed for the readline extension -# gettext-devel : needed for the --with-gettext flag -# libicu-devel : needed for intl -# libxslt-devel : needed for the XSL extension -# libffi-devel : needed for the FFI extension -RUN LD_LIBRARY_PATH= yum install -y readline-devel gettext-devel libicu-devel libxslt-devel libffi-devel - - -# Note: this variable is used when building extra/custom extensions, do not remove -ENV PHP_BUILD_DIR=/tmp/php - -# PHP Build -# https://github.com/php/php-src/releases -# Needs: -# - zlib -# - libxml2 -# - openssl -# - readline -# - sodium -RUN mkdir -p ${PHP_BUILD_DIR} -WORKDIR ${PHP_BUILD_DIR} - -# Download and unpack the source code -# --location will follow redirects -# --silent will hide the progress, but also the errors: we restore error messages with --show-error -# --fail makes sure that curl returns an error instead of fetching the 404 page -ARG VERSION_PHP -RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${VERSION_PHP}.tar.gz/from/this/mirror \ - | tar xzC . 
--strip-components=1 - -# Configure the build -# -fstack-protector-strong : Be paranoid about stack overflows -# -fpic : Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) -# -fpie : Support Address Space Layout Randomization (see -fpic) -# -O3 : Optimize for fastest binaries possible. -# -I : Add the path to the list of directories to be searched for header files during preprocessing. -# --enable-option-checking=fatal: make sure invalid --configure-flags are fatal errors instead of just warnings -# --enable-ftp: because ftp_ssl_connect() needs ftp to be compiled statically (see https://github.com/docker-library/php/issues/236) -# --enable-mbstring: because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) -# --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 -ARG PHP_COMPILATION_FLAGS -RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ - ./configure \ - --prefix=${INSTALL_DIR} \ - --enable-option-checking=fatal \ - --enable-sockets \ - --with-config-file-path=/opt/bref/etc/php \ - --with-config-file-scan-dir=/opt/bref/etc/php/conf.d:/var/task/php/conf.d \ - --enable-fpm \ - --disable-cgi \ - --enable-cli \ - --disable-phpdbg \ - --with-sodium \ - --with-readline \ - --with-openssl \ - --with-zlib \ - --with-zlib-dir \ - --with-curl \ - --enable-exif \ - --enable-ftp \ - --with-gettext \ - --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ - --with-mysqli \ - --enable-pcntl \ - --with-zip \ - --enable-bcmath \ - --with-pdo-pgsql=shared,${INSTALL_DIR} \ - 
--enable-intl=shared \ - --enable-soap \ - --with-xsl=${INSTALL_DIR} \ - --with-ffi \ - # necessary for `pecl` to work (to install PHP extensions) - --with-pear \ - # extra compilation flags - ${PHP_COMPILATION_FLAGS} -RUN make -j $(nproc) -# Run `make install` and override PEAR's PHAR URL because pear.php.net is down -RUN set -xe; \ - make install PEAR_INSTALLER_URL='https://github.com/pear/pearweb_phars/raw/master/install-pear-nozlib.phar'; \ - { find ${INSTALL_DIR}/bin ${INSTALL_DIR}/sbin -type f -perm +0111 -exec strip --strip-all '{}' + || true; }; \ - make clean; \ - cp php.ini-production ${INSTALL_DIR}/etc/php/php.ini - - -# Install extensions -# We can install extensions manually or using `pecl` -ENV VERSION_APCU=5.1.24 -RUN pecl install apcu-${VERSION_APCU} - - -# --------------------------------------------------------------- -# Now we copy everything we need for the layers into /bref-layer (which will be used for the real /opt later) -RUN mkdir -p /bref-layer/bin \ -&& mkdir -p /bref-layer/lib \ -&& mkdir -p /bref-layer/bref/extensions \ -&& mkdir -p /bref-layer/bref/ssl - -# Copy the PHP binary -RUN cp ${INSTALL_DIR}/bin/php /bref-layer/bin/php && chmod +x /bref-layer/bin/php - -# Copy all the external PHP extensions -RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ - -# Copy all the required system libraries from: -# - /lib | /lib64 (system libraries installed with `yum`) -# - /opt/bin | /opt/lib | /opt/lib64 (libraries compiled from source) -# into `/bref-layer` (the temp directory for the future Lambda layer) -COPY --link utils/lib-copy /bref/lib-copy -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/apcu.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/intl.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/opcache.so 
/bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/pdo_mysql.so /bref-layer/lib -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/pdo_pgsql.so /bref-layer/lib - -# Copy the OpenSSL certificates file -RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem - -# Copy the OpenSSL config -RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf - - -# --------------------------------------------------------------- -# Start from a clean image to copy only the files we need -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as isolation - -# We selected the files in /bref-layer, now we copy them to /opt (the real directory for the Lambda layer) -COPY --link --from=build-environment /bref-layer /opt - -COPY --link layers/bootstrap.php /opt/bref/bootstrap.php - - -FROM isolation as function - -COPY --link layers/function/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/function/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/function/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap - - -# Up until here the entire file has been designed as a top-down reading/execution. -# Everything necessary for the `function` layer has been installed, isolated and -# packaged. Now we'll go back one step and start from the extensions so that we -# can install fpm. Then we'll start the fpm layer and quickly isolate fpm. 
- -FROM build-environment as fpm-extension - -RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib - - -FROM isolation as fpm - -COPY --link --from=fpm-extension /bref-layer /opt - -COPY --link layers/fpm/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/fpm/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/fpm/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap - -COPY --link layers/fpm/php-fpm.conf /opt/bref/etc/php-fpm.conf diff --git a/php-82/Dockerfile b/php-82/Dockerfile index deb80b6f..cae132f6 100644 --- a/php-82/Dockerfile +++ b/php-82/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ 
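Review bot: The dependency builds edited here still compile without the hardening flag the PHP build gets: the zlib (@@ -85) and OpenSSL (@@ -113) hunks set only `CFLAGS="-Os"`, while the PHP `./configure` in the @@ -439 hunk carries `-fstack-protector-strong`. The libxml2, libssh2, nghttp2, libpsl, curl, libzip, PostgreSQL, Oniguruma and SQLite hunks further down follow the same pattern, and these libraries parse untrusted input inside the runtime, so since every one of these lines is being touched anyway I would write `CFLAGS="-Os -fstack-protector-strong"`. `-Os` is also repeated in `CPPFLAGS`, which is meant for preprocessor options such as `-I` and `-D`; keeping it in `CFLAGS` alone should be enough for the autoconf-style builds. Both RUN instructions continue outside their hunks.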
@@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one @@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ @@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} 
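Review bot: In the libssh2 hunk (@@ -181) the new `CFLAGS="-Os"` is probably overridden, because the build is driven by `cmake ..` and a Release build type appends CMake's own `-O3 -DNDEBUG` after the flags taken from the environment, so the last `-O` option wins. The `-DCMAKE_BUILD_TYPE` line is outside this hunk (the deleted php-81 copy of the file sets `RELEASE`), so this needs confirming against the full file. If smaller binaries are the goal, `-DCMAKE_BUILD_TYPE=MinSizeRel` states it directly; as far as I know the CMake versions in use here also do not read `CPPFLAGS`, so the `-Os` added there has no effect. The libzip hunk (@@ -301) has the same shape and ends one line before its build-type option.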
@@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ @@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} @@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install 
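Review bot: In the libsodium hunk (@@ -322) the `CFLAGS`/`CPPFLAGS`/`LDFLAGS` assignments prefix `./autogen.sh` only; `./configure` runs after `&&` as a separate command and does not inherit them (unless they are also set through `ENV` elsewhere in the file, which the hunk does not show), so the new `-Os` never reaches the libsodium build. The curl hunk (@@ -262) uses the working order, `./buildconf && CFLAGS="-Os" ... ./configure`. Either move the three assignments after the `&&` so they prefix `./configure --prefix=${INSTALL_DIR}`, or drop them and let libsodium's own configure choose its flags, which is a defensible choice for a crypto library.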
@@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -391,7 +391,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -439,8 +439,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ 
@@ -462,14 +462,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) @@ -501,6 +504,9 @@ RUN mkdir -p /bref-layer/bin \ # Copy the PHP binary RUN cp ${INSTALL_DIR}/bin/php /bref-layer/bin/php && chmod +x /bref-layer/bin/php +# Copy the PHP-FPM binary +RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm + # Copy all the external PHP extensions RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ @@ -510,6 +516,7 @@ RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ # into `/bref-layer` (the temp directory for the future Lambda layer) COPY --link utils/lib-copy /bref/lib-copy RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php /bref-layer/lib +RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/apcu.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/intl.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/opcache.so /bref-layer/lib 
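Review bot: The third added comment, `# Separate .so extension so that it is not loaded by default`, sits above `--with-xsl=${INSTALL_DIR} \`, which has no `shared` and therefore still compiles xsl into the binary, unlike `--enable-intl=shared` and `--enable-soap=shared`. Either drop that comment or, if the intent is to keep xsl out of the default load, change the line to `--with-xsl=shared,${INSTALL_DIR} \` (the form `--with-pdo-pgsql` uses a few lines up); a shared xsl.so would then presumably need its own `copy-dependencies.php` line, as intl.so has. The configure invocation starts and ends outside the hunk, and the same hunk appears in php-83/Dockerfile and php-84/Dockerfile.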
@@ -522,47 +529,59 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + -# --------------------------------------------------------------- -# Start from a clean image to copy only the files we need -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as isolation + +# ---------------------------------------------------------------------------- +# Start from a clean image to copy only the files we need for the Lambda layer +FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as function # We selected the files in /bref-layer, now we copy them to /opt (the real directory for the Lambda layer) COPY --link --from=build-environment /bref-layer /opt -COPY --link layers/bootstrap.php /opt/bref/bootstrap.php - - -FROM isolation as function +COPY --link src/php.ini /opt/bref/etc/php/conf.d/bref.ini +COPY --link src/php-fpm.conf /opt/bref/etc/php-fpm.conf -COPY --link layers/function/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/function/bootstrap.sh /opt/bootstrap +COPY --link src/bootstrap.sh /opt/bootstrap # Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/function/bootstrap.sh /var/runtime/bootstrap +COPY --link src/bootstrap.sh /var/runtime/bootstrap RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +COPY --link src/bootstrap.php /opt/bref/bootstrap.php -# Up until here the entire file has been designed as a top-down reading/execution. -# Everything necessary for the `function` layer has been installed, isolated and -# packaged. Now we'll go back one step and start from the extensions so that we -# can install fpm. Then we'll start the fpm layer and quickly isolate fpm. 
+# ---------------------------------------------------------------------------- +# Build the dev image with xdebug +FROM build-environment as build_dev -FROM build-environment as fpm-extension +RUN mkdir -p /opt/bref/extensions -RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib +# Install xdebug +RUN pecl install xdebug-3.4.2 +RUN cp $(php -r "echo ini_get('extension_dir');")/xdebug.so /opt/bref/extensions -FROM isolation as fpm +FROM function as dev -COPY --link --from=fpm-extension /bref-layer /opt +COPY --link --from=build_dev /opt /opt +COPY --link src/dev-entrypoint.sh /bref-entrypoint.sh +RUN chmod +x /bref-entrypoint.sh -COPY --link layers/fpm/bref.ini /opt/bref/etc/php/conf.d/ +# Install node to run the JS app below +RUN yum install https://rpm.nodesource.com/pub_16.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm -y +RUN yum install --setopt=nodesource-nodejs.module_hotfixes=1 --setopt=skip_missing_names_on_install=False -y nodejs -COPY --link layers/fpm/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/fpm/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +# Install the bref/local-api-gateway app in our container (avoids running 2 containers) +COPY --link --from=bref/local-api-gateway /app /local-api-gateway +EXPOSE 8000 + +# Add `php/conf.dev.d` to the path where PHP looks for configuration files +ENV PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d:/var/task/php/conf.d:/var/task/php/conf.dev.d" + +# Add composer +COPY --link --from=composer/composer:2-bin /composer /usr/bin/composer -COPY --link layers/fpm/php-fpm.conf /opt/bref/etc/php-fpm.conf +# Originally the entrypoint is `/lambda-entrypoint.sh` and CMD contains the handler name +# We override the entrypoint to run our own logic +ENTRYPOINT [ "/bref-entrypoint.sh" ] 
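Review bot: The new `dev` stage copies from `bref/local-api-gateway` with no tag or digest and from the moving tag `composer/composer:2-bin`, so the image content depends on whatever those references point to at build time. Pinning both, for example `COPY --link --from=bref/local-api-gateway:<tag>@sha256:<digest> /app /local-api-gateway` (placeholders), keeps the build reproducible and makes upstream changes visible in review. The `yum install https://rpm.nodesource.com/pub_16.x/…` line also selects the Node.js 16 repository, a release line that is past end-of-life and no longer receives security fixes, and as far as this line shows the repo RPM is installed straight from a URL; a supported major version and a signature check on that RPM are worth adding even for a dev-only image. The `-522,47` hunk in php-83/Dockerfile and the `-523,47` hunk in php-84/Dockerfile repeat these lines.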
diff --git a/php-83/Dockerfile b/php-83/Dockerfile index 8bc2ee5a..9c1334cd 100644 --- a/php-83/Dockerfile +++ b/php-83/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ @@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one 
@@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ @@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ 
@@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} @@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install @@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -391,7 +391,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install 
@@ -439,8 +439,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -462,14 +462,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) @@ -501,6 +504,9 @@ RUN mkdir -p /bref-layer/bin \ # Copy the PHP binary RUN cp ${INSTALL_DIR}/bin/php /bref-layer/bin/php && chmod +x /bref-layer/bin/php +# Copy the PHP-FPM binary +RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm + # Copy all the external PHP extensions RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ 
@@ -510,6 +516,7 @@ RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ # into `/bref-layer` (the temp directory for the future Lambda layer) COPY --link utils/lib-copy /bref/lib-copy RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php /bref-layer/lib +RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/apcu.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/intl.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/opcache.so /bref-layer/lib 
@@ -522,47 +529,59 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + -# --------------------------------------------------------------- -# Start from a clean image to copy only the files we need -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as isolation + +# ---------------------------------------------------------------------------- +# Start from a clean image to copy only the files we need for the Lambda layer +FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as function # We selected the files in /bref-layer, now we copy them to /opt (the real directory for the Lambda layer) COPY --link --from=build-environment /bref-layer /opt -COPY --link layers/bootstrap.php /opt/bref/bootstrap.php - - -FROM isolation as function +COPY --link src/php.ini /opt/bref/etc/php/conf.d/bref.ini +COPY --link src/php-fpm.conf /opt/bref/etc/php-fpm.conf -COPY --link layers/function/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/function/bootstrap.sh /opt/bootstrap +COPY --link src/bootstrap.sh /opt/bootstrap # Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/function/bootstrap.sh /var/runtime/bootstrap +COPY --link src/bootstrap.sh /var/runtime/bootstrap RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +COPY --link src/bootstrap.php /opt/bref/bootstrap.php -# Up until here the entire file has been designed as a top-down reading/execution. -# Everything necessary for the `function` layer has been installed, isolated and -# packaged. Now we'll go back one step and start from the extensions so that we -# can install fpm. Then we'll start the fpm layer and quickly isolate fpm. 
+# ---------------------------------------------------------------------------- +# Build the dev image with xdebug +FROM build-environment as build_dev -FROM build-environment as fpm-extension +RUN mkdir -p /opt/bref/extensions -RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib +# Install xdebug +RUN pecl install xdebug-3.4.2 +RUN cp $(php -r "echo ini_get('extension_dir');")/xdebug.so /opt/bref/extensions -FROM isolation as fpm +FROM function as dev -COPY --link --from=fpm-extension /bref-layer /opt +COPY --link --from=build_dev /opt /opt +COPY --link src/dev-entrypoint.sh /bref-entrypoint.sh +RUN chmod +x /bref-entrypoint.sh -COPY --link layers/fpm/bref.ini /opt/bref/etc/php/conf.d/ +# Install node to run the JS app below +RUN yum install https://rpm.nodesource.com/pub_16.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm -y +RUN yum install --setopt=nodesource-nodejs.module_hotfixes=1 --setopt=skip_missing_names_on_install=False -y nodejs -COPY --link layers/fpm/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/fpm/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +# Install the bref/local-api-gateway app in our container (avoids running 2 containers) +COPY --link --from=bref/local-api-gateway /app /local-api-gateway +EXPOSE 8000 + +# Add `php/conf.dev.d` to the path where PHP looks for configuration files +ENV PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d:/var/task/php/conf.d:/var/task/php/conf.dev.d" + +# Add composer +COPY --link --from=composer/composer:2-bin /composer /usr/bin/composer -COPY --link layers/fpm/php-fpm.conf /opt/bref/etc/php-fpm.conf +# Originally the entrypoint is `/lambda-entrypoint.sh` and CMD contains the handler name +# We override the entrypoint to run our own logic +ENTRYPOINT [ "/bref-entrypoint.sh" ] 
diff --git a/php-84/Dockerfile b/php-84/Dockerfile index 031dec20..82ce8de2 100644 --- a/php-84/Dockerfile +++ b/php-84/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ @@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one 
@@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ @@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ 
@@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} @@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install @@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -394,7 +394,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install 
@@ -441,8 +441,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --enable-mbstring: because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -463,14 +463,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) 
@@ -502,6 +505,9 @@ RUN mkdir -p /bref-layer/bin \ # Copy the PHP binary RUN cp ${INSTALL_DIR}/bin/php /bref-layer/bin/php && chmod +x /bref-layer/bin/php +# Copy the PHP-FPM binary +RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm + # Copy all the external PHP extensions RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ @@ -511,6 +517,7 @@ RUN cp $(php -r 'echo ini_get("extension_dir");')/* /bref-layer/bref/extensions/ # into `/bref-layer` (the temp directory for the future Lambda layer) COPY --link utils/lib-copy /bref/lib-copy RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php /bref-layer/lib +RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/apcu.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/intl.so /bref-layer/lib RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bref/extensions/opcache.so /bref-layer/lib 
@@ -523,47 +530,59 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + -# --------------------------------------------------------------- -# Start from a clean image to copy only the files we need -FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as isolation + +# ---------------------------------------------------------------------------- +# Start from a clean image to copy only the files we need for the Lambda layer +FROM public.ecr.aws/lambda/provided:al2-${IMAGE_VERSION_SUFFIX} as function # We selected the files in /bref-layer, now we copy them to /opt (the real directory for the Lambda layer) COPY --link --from=build-environment /bref-layer /opt -COPY --link layers/bootstrap.php /opt/bref/bootstrap.php - - -FROM isolation as function +COPY --link src/php.ini /opt/bref/etc/php/conf.d/bref.ini +COPY --link src/php-fpm.conf /opt/bref/etc/php-fpm.conf -COPY --link layers/function/bref.ini /opt/bref/etc/php/conf.d/ - -COPY --link layers/function/bootstrap.sh /opt/bootstrap +COPY --link src/bootstrap.sh /opt/bootstrap # Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/function/bootstrap.sh /var/runtime/bootstrap +COPY --link src/bootstrap.sh /var/runtime/bootstrap RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +COPY --link src/bootstrap.php /opt/bref/bootstrap.php -# Up until here the entire file has been designed as a top-down reading/execution. -# Everything necessary for the `function` layer has been installed, isolated and -# packaged. Now we'll go back one step and start from the extensions so that we -# can install fpm. Then we'll start the fpm layer and quickly isolate fpm. 
+# ---------------------------------------------------------------------------- +# Build the dev image with xdebug +FROM build-environment as build_dev -FROM build-environment as fpm-extension +RUN mkdir -p /opt/bref/extensions -RUN cp ${INSTALL_DIR}/sbin/php-fpm /bref-layer/bin/php-fpm -RUN php /bref/lib-copy/copy-dependencies.php /bref-layer/bin/php-fpm /bref-layer/lib +# Install xdebug +RUN pecl install xdebug-3.4.2 +RUN cp $(php -r "echo ini_get('extension_dir');")/xdebug.so /opt/bref/extensions -FROM isolation as fpm +FROM function as dev -COPY --link --from=fpm-extension /bref-layer /opt +COPY --link --from=build_dev /opt /opt +COPY --link src/dev-entrypoint.sh /bref-entrypoint.sh +RUN chmod +x /bref-entrypoint.sh -COPY --link layers/fpm/bref.ini /opt/bref/etc/php/conf.d/ +# Install node to run the JS app below +RUN yum install https://rpm.nodesource.com/pub_16.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm -y +RUN yum install --setopt=nodesource-nodejs.module_hotfixes=1 --setopt=skip_missing_names_on_install=False -y nodejs -COPY --link layers/fpm/bootstrap.sh /opt/bootstrap -# Copy files to /var/runtime to support deploying as a Docker image -COPY --link layers/fpm/bootstrap.sh /var/runtime/bootstrap -RUN chmod +x /opt/bootstrap && chmod +x /var/runtime/bootstrap +# Install the bref/local-api-gateway app in our container (avoids running 2 containers) +COPY --link --from=bref/local-api-gateway /app /local-api-gateway +EXPOSE 8000 + +# Add `php/conf.dev.d` to the path where PHP looks for configuration files +ENV PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d:/var/task/php/conf.d:/var/task/php/conf.dev.d" + +# Add composer +COPY --link --from=composer/composer:2-bin /composer /usr/bin/composer -COPY --link layers/fpm/php-fpm.conf /opt/bref/etc/php-fpm.conf +# Originally the entrypoint is `/lambda-entrypoint.sh` and CMD contains the handler name +# We override the entrypoint to run our own logic +ENTRYPOINT [ "/bref-entrypoint.sh" ] 
diff --git a/layers/bootstrap.php b/src/bootstrap.php similarity index 55% rename from layers/bootstrap.php rename to src/bootstrap.php index cca63f2d..03492281 100644 --- a/layers/bootstrap.php +++ b/src/bootstrap.php @@ -1,11 +1,5 @@ 'Bref\FunctionRuntime\Main', + 'fpm' => 'Bref\FpmRuntime\Main', + 'console' => 'Bref\ConsoleRuntime\Main', + default => $runtime, +}; if (! class_exists($runtimeClass)) { throw new RuntimeException("Bref is not installed in your application (could not find the class \"$runtimeClass\" in Composer dependencies). Did you run \"composer require bref/bref\"?"); diff --git a/src/bootstrap.sh b/src/bootstrap.sh new file mode 100644 index 00000000..411ce829 --- /dev/null +++ b/src/bootstrap.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +# Fail on error +set -e + +while true +do + # We redirect stderr to stdout so that everything + # written on the output ends up in Cloudwatch automatically + php "/opt/bref/bootstrap.php" 2>&1 +done diff --git a/layers/fpm-dev/bref-entrypoint.sh b/src/dev-entrypoint.sh similarity index 100% rename from layers/fpm-dev/bref-entrypoint.sh rename to src/dev-entrypoint.sh diff --git a/layers/fpm/php-fpm.conf b/src/php-fpm.conf similarity index 100% rename from layers/fpm/php-fpm.conf rename to src/php-fpm.conf diff --git a/layers/function/bref.ini b/src/php.ini similarity index 71% rename from layers/function/bref.ini rename to src/php.ini index bd23234b..ae985507 100644 --- a/layers/function/bref.ini +++ b/src/php.ini @@ -1,4 +1,5 @@ ; On the CLI we want errors to be sent to stdout -> those will end up in CloudWatch +; In FPM workers we don't want that, but that is overridden by Bref when it starts PHP-FPM display_errors=1 ; Since PHP 7.4 the default value is E_ALL 
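Review bot: The comment `# Fail on error` in the new src/bootstrap.sh does not say what `set -e` means for the `while true` loop: a non-zero exit from `php` ends the script, and only a zero exit starts the next iteration. I would spell that out, for example `# set -e: a non-zero exit from php ends this loop and the bootstrap process`, so that nobody later appends `|| true` to the `php` call and hides crashes from the logs.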
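Review bot: `display_errors=1` now ships in the single src/php.ini that PHP-FPM also reads, and the only thing keeping error output out of HTTP responses is the override that the added comment attributes to Bref when it starts PHP-FPM. That override is not visible in this diff, so an application on a bref/bref version that does not apply it would return error messages and file paths to clients. Consider stating the dependency in the comment, for example `; SECURITY: FPM must run with display_errors=0; this is set by bref/bref at start-up, not by this file`, or pinning the value in src/php-fpm.conf with `php_admin_flag[display_errors] = off`, assuming the pool section there is the right place for it.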
@@ -11,8 +12,10 @@ memory_limit=10240M opcache.enable=1 opcache.enable_cli=1 -; Store the opcodes into a file cache instead of memory -; Since PHP runs on lambdas with a new process each time the memory cache is lost +; Store the opcodes into a file cache (on top of storing in memory) +; With FPM, this is only useful if FPM restarts or if the shared memory cache is full. +; With the function runtime, this is useful when the function restarts the PHP +; process on every invocation. ; TODO store in a subdirectory (but the problem is that the subdirectory doesn't exist when PHP starts...) opcache.file_cache="/tmp" ; Disable the memory cache since it's useless @@ -38,7 +41,15 @@ opcache.max_accelerated_files=10000 ; See https://github.com/brefphp/bref/pull/291 variables_order="EGPCS" +; The lambda environment is not compatible with fastcgi_finish_request +; See https://github.com/brefphp/bref/issues/214 +disable_functions=fastcgi_finish_request + +; The total upload size limit is 6Mb, we override the defaults to match this limit +; API Gateway has a 10Mb limit, but Lambda's is 6Mb +post_max_size=6M +upload_max_filesize=6M + extension_dir=/opt/bref/extensions ; Extensions enabled by default -extension=pdo_mysql.so zend_extension=opcache.so diff --git a/tests/Makefile b/tests/Makefile index 0f0ea452..bb6a3526 100644 --- a/tests/Makefile +++ b/tests/Makefile 
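Review bot: The rewritten comment says the file cache is used "on top of storing in memory", but the last context line of this hunk still reads `; Disable the memory cache since it's useless`, so the two comments now contradict each other. The directive under that older comment is outside the hunk, so I cannot tell which statement matches the configuration; whichever one is stale should be corrected in the same change. Since this file now applies to FPM as well, the existing TODO on `opcache.file_cache="/tmp"` also deserves a decision: a dedicated subdirectory writable only by the PHP user keeps cached opcodes apart from everything else written to `/tmp`.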
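Review bot: The added `disable_functions=fastcgi_finish_request` only holds while no later ini file sets `disable_functions` again, because PHP keeps the last value it reads for a directive instead of merging lists. The scan path set elsewhere in this change includes `/var/task/php/conf.d`, so an application that ships its own `disable_functions` line would re-enable `fastcgi_finish_request` without noticing. I would add next to it `; A disable_functions line in a later ini file replaces this value, so repeat fastcgi_finish_request there`. The same hunk drops `extension=pdo_mysql.so` from the defaults without comment; if that is intentional, the `; Extensions enabled by default` line is the place to say that pdo_mysql must now be enabled by the application.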
@@ -1,17 +1,15 @@ export CPU_PREFIX ?= -test: test-80 test-81 test-82 test-83 test-84 +test: test-82 test-83 test-84 -# This rule matches with a wildcard, for example `test-80`. -# The `$*` variable will contained the matched part, in this case `80`. +# This rule matches with a wildcard, for example `test-84`. +# The `$*` variable will contained the matched part, in this case `84`. test-%: vendor docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$* test_1_binary.php $* - docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-fpm test_1_binary.php $* - docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-fpm-dev test_1_binary.php $* + docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-dev test_1_binary.php $* docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$* test_2_extensions.php - docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-fpm test_2_extensions.php - docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-fpm-dev test_2_extensions.php + docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php bref/${CPU_PREFIX}php-$*-dev test_2_extensions.php docker run --platform=${DOCKER_PLATFORM} --rm -v=$(PWD):/var/task:ro --entrypoint=php \ -e PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d/:/var/task/" bref/${CPU_PREFIX}php-$* \ 
@@ -20,30 +18,34 @@ test-%: vendor # Test function handler docker stop test-${CPU_PREFIX}php-$* 2> /dev/null || true # silence errors docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$* \ + -e BREF_RUNTIME=function \ bref/${CPU_PREFIX}php-$* test_4_function_handler.php docker exec test-${CPU_PREFIX}php-$* php test_4_function_invocation.php \ || (docker logs test-${CPU_PREFIX}php-$* && exit 1) docker stop test-${CPU_PREFIX}php-$* # Test FPM handler - docker stop test-${CPU_PREFIX}php-$*-fpm 2> /dev/null || true # silence errors - docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$*-fpm \ - bref/${CPU_PREFIX}php-$*-fpm test_5_fpm_handler.php - docker exec test-${CPU_PREFIX}php-$*-fpm php test_5_fpm_invocation.php \ - || (docker logs test-${CPU_PREFIX}php-$*-fpm && exit 1) # print logs in case of failure - docker stop test-${CPU_PREFIX}php-$*-fpm + docker stop test-${CPU_PREFIX}php-$* 2> /dev/null || true # silence errors + docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$* \ + -e BREF_RUNTIME=fpm \ + bref/${CPU_PREFIX}php-$* test_5_fpm_handler.php + docker exec test-${CPU_PREFIX}php-$* php test_5_fpm_invocation.php \ + || (docker logs test-${CPU_PREFIX}php-$* && exit 1) # print logs in case of failure + docker stop test-${CPU_PREFIX}php-$* # Test console handler - docker stop test-${CPU_PREFIX}php-$*-console 2> /dev/null || true # silence errors - docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$*-console \ - bref/${CPU_PREFIX}php-$*-console test_6_console_handler.php - docker exec test-${CPU_PREFIX}php-$*-console php test_6_console_invocation.php \ - || (docker logs test-${CPU_PREFIX}php-$*-console && exit 1) # print logs in case of failure - docker stop test-${CPU_PREFIX}php-$*-console + docker stop test-${CPU_PREFIX}php-$* 2> /dev/null 
|| true # silence errors + docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$* \ + -e BREF_RUNTIME=console \ + bref/${CPU_PREFIX}php-$* test_6_console_handler.php + docker exec test-${CPU_PREFIX}php-$* php test_6_console_invocation.php \ + || (docker logs test-${CPU_PREFIX}php-$* && exit 1) # print logs in case of failure + docker stop test-${CPU_PREFIX}php-$* # Test that we can override PHP_INI_SCAN_DIR docker stop test-${CPU_PREFIX}php-$*-test7 2> /dev/null || true # silence errors docker run --platform=${DOCKER_PLATFORM} --rm --detach -v=$(PWD):/var/task:ro --name test-${CPU_PREFIX}php-$*-test7 \ + -e BREF_RUNTIME=function \ -e PHP_INI_SCAN_DIR="/opt/bref/etc/php/conf.d/:/var/task/" \ bref/${CPU_PREFIX}php-$* test_4_function_handler.php docker exec test-${CPU_PREFIX}php-$*-test7 php test_7_custom_ini_scan_dir.php \ diff --git a/tests/composer.json b/tests/composer.json index 3b49f929..322b647b 100644 --- a/tests/composer.json +++ b/tests/composer.json @@ -1,10 +1,10 @@ { "require": { - "bref/bref": "dev-master" + "bref/bref": "v3.x-dev" }, "config": { "platform": { - "php": "8.0.7" + "php": "8.2.0" } } } diff --git a/tests/test_2_extensions.php b/tests/test_2_extensions.php index 932f55ed..a3fbda12 100644 --- a/tests/test_2_extensions.php +++ b/tests/test_2_extensions.php @@ -34,7 +34,6 @@ 'session', 'SimpleXML', 'sodium', - 'soap', 'sockets', 'SPL', 'sqlite3', @@ -119,7 +118,6 @@ 'posix' => function_exists('posix_getpgid'), 'simplexml' => class_exists(\SimpleXMLElement::class), 'sodium' => defined('PASSWORD_ARGON2I'), - 'soap' => class_exists(\SoapClient::class), 'sockets' => function_exists('socket_connect'), 'spl' => class_exists(\SplQueue::class), 'sqlite3' => class_exists(\SQLite3::class), diff --git a/tests/test_3_manual_enabling_extensions.php b/tests/test_3_manual_enabling_extensions.php index 7a49d266..780f049c 100644 --- a/tests/test_3_manual_enabling_extensions.php 
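Review bot: The function, FPM and console handler tests now all start their container under the same name, `test-${CPU_PREFIX}php-$*`, where the removed lines used `-fpm` and `-console` suffixes. Each block ends with `docker stop` and the next one immediately runs `docker run --rm --detach --name` with that name, so a removal that has not finished yet can make the next `docker run` fail on a name conflict. The `docker logs` output printed on failure also no longer shows which runtime was under test. Keeping one suffix per runtime avoids both, e.g. `--name test-${CPU_PREFIX}php-$*-fpm` with matching `docker exec` and `docker stop` lines, the way the `-test7` block already does. The `test-%` rule starts before this hunk and continues after it.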
+++ b/tests/test_3_manual_enabling_extensions.php @@ -6,6 +6,7 @@ 'intl' => class_exists(\Collator::class), 'apcu' => function_exists('apcu_add'), 'pdo_pgsql' => extension_loaded('pdo_pgsql'), + 'soap' => class_exists(\SoapClient::class), ]; $extensionDir = ini_get('extension_dir'); diff --git a/tests/test_3_manual_extensions.ini b/tests/test_3_manual_extensions.ini index 3b322d90..2c935b26 100644 --- a/tests/test_3_manual_extensions.ini +++ b/tests/test_3_manual_extensions.ini @@ -1,3 +1,4 @@ -extension=intl.so -extension=apcu.so -extension=pdo_pgsql.so +extension=intl +extension=apcu +extension=pdo_pgsql +extension=soap diff --git a/tests/test_5_fpm_handler.php b/tests/test_5_fpm_handler.php index d2c3e7af..5af8df72 100644 --- a/tests/test_5_fpm_handler.php +++ b/tests/test_5_fpm_handler.php @@ -1,3 +1,6 @@