v4.0.0-beta

[jaydrogers]

🌎 Latest Documentation

Use the link below to reference the latest documentation (it will automatically update as we keep improving the docs).

View the latest documentation →

🐳 How to find the beta images

Anything tagged with beta will reference the latest beta release and should be tested.

serversideup/php:beta-*

View Beta Images on Dockerhub →

⚡️ What's new

🧟‍♂️ FrankenPHP variations now added

The highly anticipated release of FrankenPHP is now available. These images come with many enhancements compared to the official FrankenPHP images.

Images are unprivileged by default

For best security practices, we're running things as www-data. This dramatically reduces your security footprint when running PHP in production. Because of this, we're listening on 8080 (HTTP) and 8443 (HTTPS). This follows the same design pattern as our other images.

Native health checks

Health checks are critical for ensureing zero-downtime deployments. Our images come "batteries included" with intelligent health check endpoints that can easily be customized with $HEALTHCHECK_PATH. By default, our images ensure /healthcheck is alive with Caddy, but you can change this variable to HEALTHCHECK_PATH=/up and it will use the built-in Laravel health check endpoint to ensure Laravel is actually ready to accept requests.

Extremely flexible and production-grade Caddyfile by default

The default FrankenPHP Caddyfile gives you enough to get started, but we spent a ton of time making sure that we're shipping production-grade and secure configurations by default. This includes:

1. Native CloudFlare support with trusted IP addresses
2. Performance and caching rules made available by default
3. Security headers included by default
4. Flexible and powerful logging defaults
5. Simple and intelligent self-signed certificate generation (but still allowing you to use Let's Encrypt if you wanted)

Designed for mass-scale production deployments

It's almost unbelievable and amazing how well FrankenPHP works with Caddy as a proxy. This tight integration allows you to do magical things like deploy trusted SSLs with Let's Encrypt. The only problem is, you probably have something else serving SSL termination and you most likely would not use that feature in a single container.

Our approach is "orchestrator first", meaning the image is designed for mass-scale in mind.

This means we're shipping the image assuming that you're doing TLS termination elsewhere. This makes it easier for you to scale and perform zero-downtime deployments:

flowchart TD
    A["Reverse Proxy 
    (Not FrankenPHP)"] -->C{Container Service}
    C -->|STOP| D[MyApp:v1]
    C -->|START| E[MyApp:v2]

Loading

Flexible environment configuration

Just like the experience with our other PHP variations, we also have things like SSL_MODE, LOG_OUTPUT_LEVEL, changing PHP INI settings with environment variables, all our helper scripts for changing permissions, etc. that make it a breeze for you to customize how the PHP image behaves.

More operating system variations

We are able to compile FrankenPHP by source, which allows us to open up support for many operating systems.

How tagging works
There's more to it, but in general the primary principle is:

{php-minor-version}-{variation}-{os-version}

This means we're offering FrankenPHP with the following operating systems:

1. trixie: Debian Trixie (13)
2. bookworm: Debian Bookworm (12)
3. alpine3.22: Alpine 3.22
4. alpine3.21: Alpine 3.21

🌎 New Environment Variables

The following environment variables are now available:

Environment Variable	Default	Authored By
AUTORUN_DEBUG	false	@jaydrogers
AUTORUN_LARAVEL_OPTIMIZE	true	@aSeriousDeveloper
AUTORUN_LARAVEL_MIGRATION_FORCE	true	@jaydrogers
AUTORUN_LARAVEL_MIGRATION_MODE	default	@jaydrogers
AUTORUN_LARAVEL_MIGRATION_SEED	false	@jaydrogers
AUTORUN_LARAVEL_MIGRATION_SKIP_DB_CHECK	false	@jaydrogers
NGINX_ACCESS_LOG	/dev/stdout	@robsontenorio
NGINX_CLIENT_MAX_BODY_SIZE	100M	@dlundgren
NGINX_ERROR_LOG	/dev/stderr	@robsontenorio
NGINX_LISTEN_IP_PROTOCOL	all	@yuuzukatsu, @jaydrogers
PHP_FPM_PM_MAX_REQUESTS	0	@ifaridjalilov, @thueske
PHP_FPM_PM_STATUS_PATH	/status	@jaydrogers
PHP_MAX_INPUT_VARS	1000	@RadeJR
PHP_OPCACHE_ENABLE_FILE_OVERRIDE	0	@jaydrogers
PHP_OPCACHE_FORCE_RESTART_TIMEOUT	180	@aSeriousDeveloper, @jaydrogers
PHP_OPCACHE_JIT	off	@aSeriousDeveloper, @jaydrogers
PHP_OPCACHE_JIT_BUFFER_SIZE	0	@aSeriousDeveloper, @jaydrogers
PHP_OPCACHE_SAVE_COMMENTS	1	@aSeriousDeveloper, @jaydrogers
PHP_OPCACHE_VALIDATE_TIMESTAMPS	1	@aSeriousDeveloper, @jaydrogers
PHP_REALPATH_CACHE_TTL	120	@jaydrogers
PHP_ZEND_DETECT_UNICODE	null	@jaydrogers
PHP_ZEND_MULTIBYTE	Off	@jaydrogers

🤩 New Features

Laravel Automations Script Improvements

The Laravel Automations script has been completely refactored to make it easier to support advanced Laravel features. Tons of new features are now available:

"php artisan optmize" now run by default

Instead of setting AUTORUN_LARAVEL_ROUTE_CACHE, AUTORUN_LARAVEL_VIEW_CACHE etc, we use AUTORUN_LARAVEL_OPTIMIZE by default, which calls php artisan optimize. Readjusting our logic to this new structure not only simplifies our approach to follow Laravel's best practices, it allows you to hook into the optimize command if you need to use it for your own application.

If you don't want to use php artisan optimize or if you're running an older version of Laravel, no sweat! Our refactored approach is backwards compatible and you can enable/disable certain functions by just setting your desired values to AUTORUN_LARAVEL_ROUTE_CACHE, AUTORUN_LARAVEL_VIEW_CACHE etc.

Added support for "migration modes"

We now support different migration modes of refresh or fresh by Laravel. This is super helpful if you need to seed a preview environment.

Migration Mode	Description
default (our default behavior)	Runs php artisan migrate - standard forward migrations
fresh	Runs php artisan migrate:fresh - drops all tables and re-runs migrations
refresh	Runs php artisan migrate:refresh - rolls back and re-runs migrations

Specify which database connections to run migrations with

If you run multiple databases with a multi-tenant Laravel application, you may need to specify your exact database connection that you'd like to use. We created AUTORUN_LARAVEL_MIGRATION_DATABASE so you can set the configuration name of the database connection you'd like to run migrations on (ie. mysql). Supports running against multiple databases too (ie. mysql,pgsql).

Added "--seed" option to migrations

Laravel has a helpful flag of --seed that you can run with php artisan migrate that will indicate if the seed task should be re-run. If you need this, just set AUTORUN_LARAVEL_MIGRATION_SEED to true.

Easier debugging

If you're running into issues with automations, set AUTORUN_DEBUG to true and you'll get helpful output to help you figure out why you're running into issues.

Control NGINX IP listening protocols with NGINX_LISTEN_IP_PROTOCOL

Are you running an IPv6 only cluster with fpm-nginx? Now you can set NGINX_LISTEN_IP_PROTOCOL: ipv6 and NGINX will listen on IPv6 stacks only. Same thing works if you set it to ipv4, then IPv6 will be disabled.

Great for Kubernetes clusters! 🤓

Default behavior is to keep a non-breaking change of all which will listen on IPv4 and IPv6.

🧘‍♂️ Quality Of Life Improvements

Improved health checks

A brilliant PR by @aSeriousDeveloper was merged which dramatically improves our "definition of healthy", especially on container start up. This approach utilizes start-period and start-interval which will give us more accurate readings and flexibility for container start up.

Option	Description	Old Value	New Value
start-period	start period provides initialization time for containers that need time to bootstrap. Probe failure during that period will not be counted towards the maximum number of retries. However, if a health check succeeds during the start period, the container is considered started and all consecutive failures will be counted towards the maximum number of retries.	-	60s
start-interval	start interval is the time between health checks during the start period.	-	3s
timeout	If a single run of the check takes longer than timeout seconds then the check is considered to have failed.	3s	3s
retries	It takes retries consecutive failures of the health check for the container to be considered unhealthy.	3	3
interval	The health check will first run interval seconds after the container is started, and then again interval seconds after each previous check completes.	5s	10s

Startup and Entrypoint Scripts

• Changed approach to executing entrypoint.d scripts so we can gracefully handle exit 0 in a entrypoint script
• Re-designed container start up info script

Changing file permissions (docker-php-serversideup-set-file-permissions)

• Added automated service detection (--service is now optional)
• Added --dir parameter for specifying extra directories (you can specify multiple --dir flags for multiple directories)

Quiet health check access logs

• Improved fpm-nginx and fpm-apache logs to never show access log output for any request$HEALTHCHECK_PATH. Things are much quieter now 😃

🐛 Bug Fixes

All images

• Fixed deprecation notices for session.sid_bits_per_character and session.sid_length (using PHP defaults now) (session.sid_bits_per_character INI setting is deprecated & session.sid_length INI setting is deprecated #560)

S6-based images (fpm-nginx and fpm-apache)

• Re-added docker-serversideup-php-s6-init back for advanced S6 dependency use cases (Custom s6 services dependencies no longer works #479)

fpm-nginx

• Added absolute_redirect off; to have redirects return relative redirects (helpful for proxies like Traefik) (Add absolute_redirect off; to prevent broken redirects in containerized environments #567)
• Fixed a bug with svgz with Symphony's asset mapper with FPM-NGINX (Move SVG handling to media assets block for Symfony's Asset Mapper compatibility #530)
• Fixed notice of /package/admin/s6-overlay/libexec/preinit: info: /run belongs to uid X instead of Y when using the docker-php-serversideup-set-file-permisisons script on FPM-NGINX Alpine instances

fpm-apache

• Added "Referer" and "User Agent" in Apache access logs (Apache: Unable to get user agent in access logs #540)

⏫ Dependency updates

• Updates install-php-extensions script to v2.9.11

What's Changed

• Add PHP_FPM_PM_MAX_REQUESTS as ENV by @twiesing in Add PHP_FPM_PM_MAX_REQUESTS as ENV #513
• Add environment variable: PHP_MAX_INPUT_VARS by @RadeJR in Add environment variable: PHP_MAX_INPUT_VARS #500
• Add additional OPCache environment variables by @aSeriousDeveloper in Add additional OPCache environment variables #510
• Refactor Laravel Autorun Script, adjust entrypoint behavior, contianer info improvements by @aSeriousDeveloper in Refactor Laravel Autorun Script, adjust entrypoint behavior, contianer info improvements #511
• Adding Cache-Control header to assets and media files by @guillaumebriday in Adding Cache-Control header to assets and media files #487
• Add opt-int database seeding support by @DarkGhostHunter in Add opt-int database seeding support #404
• Add default Caddyfile for FrankenPHP that mimics the FPM-NGINX experience by @hookenz in Add default Caddyfile for FrankenPHP that mimics the FPM-NGINX experience #527
• Add NGINX_ACCESS_LOG and NGINX_ERROR_LOG by @robsontenorio in Add NGINX_ACCESS_LOG and NGINX_ERROR_LOG #534
• FEAT: add NGINX_IP_LISTENING_PROTOCOL by @yuuzukatsu in FEAT: add NGINX_IP_LISTENING_PROTOCOL #539
• feat: allow nginx client_max_body_size to be configurable by @dlundgren in feat: allow nginx client_max_body_size to be configurable #558
• Move SVG handling to media assets block for Symfony's Asset Mapper compatibility by @ricardomm85 in Move SVG handling to media assets block for Symfony's Asset Mapper compatibility #530
• introduce start-period and start-interval parameters to HEALTHCHECK by @aSeriousDeveloper in introduce start-period and start-interval parameters to HEALTHCHECK #547

New Contributors

• @twiesing made their first contribution in Add PHP_FPM_PM_MAX_REQUESTS as ENV #513
• @aSeriousDeveloper made their first contribution in Add additional OPCache environment variables #510
• @guillaumebriday made their first contribution in Adding Cache-Control header to assets and media files #487
• @DarkGhostHunter made their first contribution in Add opt-int database seeding support #404
• @hookenz made their first contribution in Add default Caddyfile for FrankenPHP that mimics the FPM-NGINX experience #527
• @robsontenorio made their first contribution in Add NGINX_ACCESS_LOG and NGINX_ERROR_LOG #534
• @yuuzukatsu made their first contribution in FEAT: add NGINX_IP_LISTENING_PROTOCOL #539
• @dlundgren made their first contribution in feat: allow nginx client_max_body_size to be configurable #558
• @ricardomm85 made their first contribution in Move SVG handling to media assets block for Symfony's Asset Mapper compatibility #530

Full Changelog: v3.6.1...v4.0.0-beta1

---

This discussion was created from the release v4.0.0-beta1.

[DarkGhostHunter]

Yay! Time to test!

Is there a local development version for this, with the idea of having 1:1 reproduction on production?

[jaydrogers]

You mean replicating production to development?

For sure! Check out Spin: https://serversideup.net/open-source/spin/

When you run spin new laravel, just change the image in the Dockerfile 🥳

[nick-potts]

Is it possible to have http health checks for workers?

[jaydrogers]

That's a great question!

Now the beta is out, my focus is getting the docs ready for the 4.0 release. I'll likely have to default the health check to php artisan octane:status, but I will definitely get more docs around how to set this up.

Stay tuned!

[nick-potts]

I only ask because I use railway to deploy these images, and they only support http healthchecks. Meaning that only my web worker has health checks at the moment.

[jaydrogers]

I'll have to play around with this and experiment!

Since we're loading the worker, it should still support HTTP responses, so things like /up should respond in Laravel.

I have to play around with it more though. I've been so busy building, I haven't had a chance to play around with Octane yet 🤪

I'll definitely circle back to this conversation and make sure these questions are answered in the docs. Thanks for sharing!

[nick-potts]

Ahh I didn't mean octane specifically. I more mean queue and scheduler images.

[jaydrogers]

With those, there is not an HTTP endpoint unfortunately. It's only exit code of 0 or 1, and it unfortunately makes sense to keep it that way since a queue does NOT run a web server.

It sounds like a limitation that you might need to push up the chain @ Railway if you want the health to be accurate.

More how it works here: https://280-create-a-frankenphp-vari.serversideup-php.pages.dev/docs/laravel/laravel-queue

[akulmehta]

@jaydrogers this is a stupid question but are there docs on how to run this, i.e. the Franken php version vs the normal version?

[akulmehta]

@jaydrogers tried it on my phone but the link doesn't seem to be working for me.

[jaydrogers]

Whoops, try here instead: https://280-create-a-frankenphp-vari.serversideup-php.pages.dev/

[DarkGhostHunter]

404 still

[jaydrogers]

Tracking this issue here 🙃🔥

#599

[jaydrogers]

Friggen CloudFlare pages. It was a cache issue 🙃

Go here: https://280-create-a-frankenphp-vari.serversideup-php.pages.dev/open-source/docker-php/docs/getting-started

[tsterker]

Q: Enable OPcache by default?

@jaydrogers

At a recent PHP conference, I had a chat with somebody from tideways about your base image and the fact that you disable OPcache by default, to "to keep developers sane".

He was curious about why this was considered the safe bet, given that OPcache can apparently be configured in a way to be rather safe for development. If this would generally be the case, I wonder if enabling OPcache by default would be a sane way forward.

☝️😲 NOTE: I'm not sure if it's worth opening such a discussion close to the v4 release and I don't expect any changes.
Is am still curious to understand the motivation behind disabling OPcache by default and if there could be an argument made to enable it in future versions.

If we could find sane defaults that allow it to be enabled, it would bring some performance benefits out of the box and anybody who's interested could still tune the sane defaults to get more peformance.

For any unpredictable, esoteric cases, there could still be a clear warning (recommendation?) that OPcache could be disabled for development.

I have not done extensive research, but at a glance, it looks indeed as if OPcache can be configured in a way that is safe for development.

With the help of ChatGPT and the PHP docs, here's an example config that seems sensible:

; Enable opcache
opcache.enable=1
opcache.enable_cli=1

; Always see code changes immediately
opcache.validate_timestamps=1
opcache.revalidate_freq=0           ; check mtime every request
opcache.revalidate_path=1           ; follow realpath changes

; Avoid “just edited but not seen” delays
opcache.file_update_protection=0    ; no grace period after file writes

; Disable persistence that can survive process restarts
opcache.file_cache_only=0
opcache.file_cache=

; Keep attributes available for frameworks/annotations
opcache.save_comments=1

[jaydrogers]

This is interesting! I am sure there are ways to run it in development with defaults, but I left it disabled for simplicity reasons (and to make sure there was a 0% chance in development people were getting cache issues when they are trying to get something to work 🤪).

My biggest question is:

👉 Why would everyone want OPCache enabled by default?

I get the point we market them as "production-ready", but in this case I left it disabled because everyone starts by pulling the image to development before putting them in production.

My approach was to disable it by default, but show notifications there is potential improvement if they wanted (especially with the experience of setting a single variable to get the improvements).

I am open to hearing more thoughts and learning more 😃

[tsterker]

@jaydrogers

My biggest question is:

👉 Why would everyone want OPCache enabled by default?

That's a fair question. My consideration was that it might be a guaranteed benefit for production, with no downside for development. So, to flip your question once more (🙃), I was thinking:

👉 If there were absolutely no pitfalls, why would we want to require an explicit opt-in?

Granted, that would assume that one could gain enough confidence that there is an opcache configuration that makes it absolutely safe for development and still somewhat beneficial for production.
And from your perspective, I totally understand that it's probably not worth taking the risk, given that the performance-aware people could simply go ahead and tune things to their liking.

So, at the end of the day, I would probably also go with the disabled-by-default approach, given the current lack of detailed understanding on my part.

But I would also be curious to learn more about the risks (or lack of?) to having opcache enabled in development.

---

Aside: I will probably start enabling opcache by default also for my development environments. Why? Because that's the simplest way to get a production-ready image with opcache without the need to do multi-target (i.e. development & production) image builds from the start. And I fully acknowledge that this is just a topic I haven't spent enough time on as well :)

[DarkGhostHunter]

I believe Opcache options should have three switches: Completely On (for production), Partially On (for staging or previews), Off (for local development).