[5.x] Request container should be initiated as root

src/php/base-php.dockerfile

@@ -22,9 +22,7 @@ ARG  BUILDKIT_SBOM_SCAN_STAGE=true
 
 # set PHP variables
 ARG PHP_VERSION=${PHP_VERSION:-8.4}
-ARG PHP_VARIANT=${PHP_VARIANT:-fpm}
 ENV PHP_VERSION=${PHP_VERSION//-rc/}
-ENV PHP_VARIANT=$PHP_VARIANT
 
 ################################################################################
 

src/php/common/docker-php-entrypoint

@@ -6,6 +6,7 @@
 # Author:  SHIN Company <[email protected]>
 # License: https://code.shin.company/php/blob/main/LICENSE
 ################################################################################
+if [ "$(id -u)" != "0" ]; then debug-echo -e "!!! Please run this container as the root user !!!" >&2; exit 1; fi
 
 APP_PATH="$(app-path)"
 
@@ -32,7 +33,10 @@ $ENV_CHECK
 " >> ~/.bashrc; fi
 
 # export all env variables for PHP
-if is-true $ALLOW_RUNTIME_PHP_ENVVARS && has-cmd php-envvars; then php-envvars export_envvars 2>&1; fi
+if is-true $ALLOW_RUNTIME_PHP_ENVVARS && has-cmd php && has-cmd php-envvars; then
+    debug-echo "Export all env variables for PHP"
+    php-envvars export_envvars 2>&1
+fi
 
 # change working directory
 if [ -d "$APP_PATH" ]; then cd "$APP_PATH"; fi
@@ -42,6 +46,7 @@ if [ ! -z "$SUPERVISOR_PHP_COMMAND" ]; then
     hook bootstrap
 
     # run custom command defined in $SUPERVISOR_PHP_COMMAND
+    debug-echo "Start container with the command: $SUPERVISOR_PHP_COMMAND $@"
     exec with-env $SUPERVISOR_PHP_COMMAND "$@"
 else
     # run bootstrap hook to initialize the container
@@ -54,7 +59,6 @@ else
     if [ $# -eq 0 ]; then set -- /bin/sh; fi
 
     # start container with command
-    debug-echo "Start container with command $@"
+    debug-echo "Start container with the command: $@"
     exec with-env "$@"
 fi
-

src/php/common/os-base.dockerfile

@@ -47,20 +47,12 @@ RUN <<'EOF'
 echo 'Configure OS middlewares'
 set -e
 
-# setuid bit
-chmod 4755 $(which autorun) /usr/local/sbin/web-*
-
 # install common packages
-APK_PACKAGES='run-parts shadow su-exec tar tzdata unzip xz' \
+APK_PACKAGES='run-parts shadow tar tzdata unzip xz' \
 APT_PACKAGES='procps xz-utils' \
 pkg-add bash ca-certificates coreutils curl htop less openssl
 pkg-add upgrade
 
-# patch su-exec
-if has-cmd su-exec; then
-    chmod u+s $(command -v su-exec)
-fi
-
 # patch sh binary if bash exists
 if has-cmd bash; then
     if has-cmd sh; then
@@ -75,16 +67,30 @@ if [ ! -e /sbin/nologin ] && has-cmd nologin; then
     ln -nsf "$(command -v nologin)" /sbin/nologin
 fi
 
-# Check if the group exists
+# check if the group exists
 if ! getent group $APP_GROUP >/dev/null 2>&1; then
     addgroup --system $APP_GROUP
 fi
 
-# Check if the user exists
+# check if the user exists
 if ! getent passwd $APP_USER >/dev/null 2>&1; then
     adduser --system --no-create-home --ingroup $APP_GROUP $APP_USER
 fi
 
+# install su-exec
+SU_EXEC_PATH=/sbin/su-exec
+SU_EXEC_URL=https://github.com/songdongsheng/su-exec/releases/download/1.3/su-exec-musl-static
+curl -o "$SU_EXEC_PATH" --retry 3 --retry-delay 5 -kLRJ "$SU_EXEC_URL"
+chmod 4755 "$SU_EXEC_PATH"
+
+if ! has-cmd su-exec || [ "$(su-exec $APP_USER:$APP_GROUP whoami)" != "$APP_USER" ]; then
+    echo 'Failed to install su-exec'
+    exit 1
+fi
+
+# setuid bit
+chmod 4755 $(which autorun) /usr/local/sbin/web-*
+
 EOF
 
 ################################################################################

src/php/common/rootfs/etc/hooks/bootstrap/50-crontabs

@@ -50,7 +50,7 @@ fi)
 CRONTAB
 
 chmod 0600 $CRONTAB
-debug-echo -i "Cron is running as $APP_USER.\n\n### Config:\n$(crontab -u $APP_USER -l 2>/dev/null)"
+debug-echo -i "\nCron is running as $APP_USER.\n\n### Config:\n$(crontab -u $APP_USER -l 2>/dev/null)\n"
 
 if ! has-s6 && has-cmd crond; then
     export APP_PATH="$(app-path)"

src/php/common/rootfs/usr/local/bin/debug-echo

@@ -1,27 +1,32 @@
 #!/usr/bin/env sh
-# colors
-NC='\033[0m' # no color
+
+NC='\033[0m'
 case "$1" in
-    -e|--error)   CL='\033[0;31m'; shift ;;
-    -s|--success) CL='\033[0;32m'; shift ;;
-    -w|--warn)    CL='\033[0;33m'; shift ;;
-    -i|--info)    CL='\033[0;34m'; shift ;;
-    -l|--log)     CL='\033[0;90m'; shift ;;
-    *) if ! is-debug; then exit 0; else CL='\033[0;90m'; fi ;;
+    -c|--critical)  CL='\033[0;31m'; shift ;;
+    -e|--error)     CL='\033[0;31m'; shift ;;
+    -s|--success)   CL='\033[0;32m'; shift ;;
+    -w|--warn)      CL='\033[0;33m'; shift ;;
+    -i|--info)      CL='\033[0;34m'; shift ;;
+    -l|--log)       CL='\033[0;90m'; shift ;;
+    *)              CL='\033[0;90m'; if ! is-debug; then exit 0; fi ;;
 esac
 
+if [ ! -t 1 ]; then NC=; CL=; fi
+
 colorize() {
-    if [ -t 1 ] && [ ! -z "$CL" ]; then
-        echo -e "${CL}$@${NC}"
-    else
-        echo -e "$@"
+    if [ -n "$@" ]; then
+        if [ -z "$CL" ]; then
+            echo "$@"
+        else
+            echo -e "${CL}$@${NC}"
+        fi
     fi
 }
 
-if [ -t 0 ]; then
-    colorize "$@" >&2
-else
-    while read line; do
+colorize "$@"
+
+if [ ! -t 0 ]; then
+    while IFS= read -r line; do
         colorize "$line"
     done
 fi