EZSCALE/website
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(docker): drop git from runtime, remove orphaned opcache.preload_user

Browse Source 
Production runtime image doesn't need git (composer install runs in a
separate stage); cuts a non-trivial CVE surface. opcache.preload_user
without opcache.preload produces a startup warning — drop it; we don't
have a preload script.

Image still builds cleanly and php-fpm boots without warnings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Murray
2026-04-26 23:07:59 -04:00
parent e264326b0b
commit 548fc5f1ee
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Dockerfile
View File

@@ -39,7 +39,7 @@ ENV COMPOSER_ALLOW_SUPERUSER=1 \
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y --no-install-recommends \ && apt-get install -y --no-install-recommends \
git unzip curl ca-certificates \ curl ca-certificates \
libzip-dev libpng-dev libjpeg-dev libfreetype6-dev libwebp-dev \ libzip-dev libpng-dev libjpeg-dev libfreetype6-dev libwebp-dev \
libicu-dev libonig-dev libxml2-dev libcurl4-openssl-dev libssl-dev \ libicu-dev libonig-dev libxml2-dev libcurl4-openssl-dev libssl-dev \
pkg-config \ pkg-config \
@@ -68,7 +68,6 @@ RUN { \
echo 'opcache.memory_consumption=256'; \ echo 'opcache.memory_consumption=256'; \
echo 'opcache.interned_strings_buffer=16'; \ echo 'opcache.interned_strings_buffer=16'; \
echo 'opcache.max_accelerated_files=20000'; \ echo 'opcache.max_accelerated_files=20000'; \
echo 'opcache.preload_user=www-data'; \
} > /usr/local/etc/php/conf.d/zz-opcache.ini } > /usr/local/etc/php/conf.d/zz-opcache.ini
# php-fpm pool — listen on 0.0.0.0:9000 (sidecar nginx connects to localhost) # php-fpm pool — listen on 0.0.0.0:9000 (sidecar nginx connects to localhost)