Establishing PHP dev and pod environments
Still continuing my 2024-jul-13 journey. Because there is no Dev/Prod environment whatsoever… I need to create one. At the same time, I have no experience with PHP runtimes and need to learn a bit about them.
Today, I managed to create a working containerized Nginx, PHP-FPM and MariaDB workload to run PHP applications.
I used Ansible roles/playbooks and Podman Quadlets (systemd units) for the container management, as these containers certainly don't need Kubernetes.
Basically, I am using Ansible templates to create Dev and Prod manifests and to run them.
Currently considering switching from TCP sockets to Unix sockets for Nginx -> FPM communication, for security and a small speed improvement. This requires creating a shared volume so the socket can be shared between both containers.
Also, I need to create a usable Dev MariaDB database. The current plan is to use some old backup, as I don't need the latest data to play with.
My learnings
- Learned about the general layout of Nginx and PHP configuration
- Understood how Nginx passes FastCGI requests to PHP-FPM.
- Learned about UID/GID mappings for rootless volumes: the ability to run Nginx and PHP-FPM as a non-root user inside the container and to run the containers themselves as a non-root user. To be able to easily modify the source code or configs from your regular user, you need UID/GID mapping. Building images every time you change a single CSS property is not what I call "rapid development".
- Disliked the Nginx/PHP stack just because of its convoluted runtime. Looking at the Internet, I got the feeling that there is no single person who knows how to set up an idiomatic/secure environment for this stack. This tells me the problem is not the people, but the stack itself. 3,7 gazillion config options and nobody knows which does what. Yes, you can get it running. But… is it secure? Is it optimal? Is it efficient? Is it correct? Is it maintainable?
- Learned that creating a PHP image from scratch is easier than fighting with the "official images". For example, the official image is not optimized to run as a non-root user. You can't install PHP extensions. Etc. (Hmmm… probably I should look into the Quay registry?)
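As an added illustration of the Unix-socket plan and the UID/GID mapping point above (example units, not the post's own Ansible-generated manifests), the three rootless Quadlet files below share the FastCGI socket through a named volume and map the host user to uid/gid 1000 inside both containers; the image names, the `%h/src/app` source path and uid 1000 are assumptions.

```ini
# ~/.config/containers/systemd/php-sock.volume
# Named volume that only carries the FastCGI socket; nothing else lives here.
[Volume]
VolumeName=php-sock

# ~/.config/containers/systemd/php-fpm.container
[Unit]
Description=PHP-FPM, rootless, reachable over a Unix socket only

[Container]
Image=localhost/app-php-fpm:dev        # assumed: image built from scratch as described above
ContainerName=php-fpm
# No PublishPort= here: with the socket in place, port 9000 is never exposed.
Volume=php-sock.volume:/run/php
# Source tree bind-mounted from the host so a CSS change needs no rebuild.
Volume=%h/src/app:/var/www/app:Z
# keep-id maps the rootless host user to 1000:1000 inside the container and
# runs the process as that user, so files edited on the host keep one owner.
UserNS=keep-id:uid=1000,gid=1000

[Service]
Restart=always

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/nginx.container
[Unit]
Description=Nginx front for PHP-FPM
Requires=php-fpm.service
After=php-fpm.service

[Container]
Image=localhost/app-nginx:dev          # assumed: an Nginx image prepared to run unprivileged
ContainerName=nginx
PublishPort=8080:8080
# Same socket volume and same uid/gid mapping, so Nginx can open the socket
# when the FPM pool creates it with listen.mode = 0660.
Volume=php-sock.volume:/run/php
Volume=%h/src/app:/var/www/app:ro,Z
Volume=%h/conf/nginx.conf:/etc/nginx/nginx.conf:ro,Z
UserNS=keep-id:uid=1000,gid=1000

[Install]
WantedBy=default.target
```

The matching pool setting is `listen = /run/php/php-fpm.sock` with `listen.owner`, `listen.group` set to the same 1000:1000 and `listen.mode = 0660`, and Nginx points `fastcgi_pass unix:/run/php/php-fpm.sock;` at that path. After `systemctl --user daemon-reload`, `systemctl --user start nginx.service` pulls in php-fpm.service through the `Requires=` line.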
Further work
- Tidy all the configurations
- Write backup roles
- Write teardown roles
- Write host server runtime and tooling roles
- Maybe write a blog post about Podman Quadlets for this stack