ci: build .rpm and .deb packages (#1497)

* add ./create-rpm.sh file to build a "frankenphp" rpm package

* also build a deb package

* renamed to build-packages

* linter...

* add depends

* linter again?

* linter number 3

* linter number 4

* set default locations for ini file, conf files and extensions

* set unified path for modules that should be ok on all dists

* add default content into "package" folder

* make file executable

* worker is in public folder

* what on earth did I do x)

* use same FRANKENPHP_VERSION and make sure to let pr's run the rpm generation too (version 0.0.0) to see issues

* install ruby, fpm and rpm-build

* move to after changing base urls because it would fail with packages not found

* ruby 3 build needs gcc 10

* rpm-build is necessary too...

* and I forgot to link the package folder

* create directories if they don't exist

* copy out all frankenphp* files?

* lint fix

* only copy frankenphp-* files

* only copy frankenphp-* files

* the .deb file is name frankenphp_1.5.0... - create output folder instead and upload all things inside that
will simplify things when later adding xdebug.so and ffi.so

* update the last two steps to use the gh-output directory

* add post install script to set frankenphp able to bind to port 80 for non-root users

* dnf over yum, I think the yum alias was removed in RH 9.5

* newlines

* newlines

* add text what missing libcap means

* copy php.ini-production from php-src, linter, update ruby version

* move Caddyfile to /etc/frankenphp/Caddyfile

* linter

* fix a copy and paste error

* better describe fallback to 0.0.0

* linter

* copy installation scripts from official caddy packages, change user to frankenphp too

* bombombom

* make files executable

* tabs

* linter

* linter again

* use empty directory for three different destinations instead of keeping three empty local directories

* caddy says the file is incorrectly formatted without these spaces

* remove wildcard matcher from root directive

* Apply suggestions from code review

commit suggested changes to preinstall/postinstall scripts

Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>

* Update dev.Dockerfile

Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>

* remove misleading comment

* update documentation for paths

* update documentation for paths some more

* fix musl opcache-jit issue

* markdown linter

* the damn tab

* Apply suggestions from code review

Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>

* drop dev.Dockerfile php location from config.md

* add php config note to CONTRIBUTING.md

* dashes instead of asterisks in chinese docs

* fix package building

* create frankenphp user in case it doesn't exist for deb packages

* create users if they don't exist, delete them again if they didn't exist

* satisfy linter

* create the user with the same commands as the postinst/preinstall scripts

* Removes toolchain requirements.

* trigger

* Removes explicit calls to go get

* trigger

* setcap by default

* simplify example project

* bring page more in line with the caddy / apache / nginx default page

* update to html 5

* oopsies

* revert style to original

* remove https:// (caddy uses http:// on RHEL, :80 on Debian)

---------

Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>
Co-authored-by: Alliballibaba <alliballibaba@gmail.com>

Author: 3 people

.github/workflows/static.yaml

@@ -218,6 +218,7 @@ jobs:
           targets: static-builder-gnu
           set: |
             ${{ (github.event_name == 'pull_request' || matrix.platform == 'linux/arm64') && 'static-builder-gnu.args.NO_COMPRESS=1' || '' }}
+            static-builder-gnu.args.BUILD_PACKAGES=1
             *.tags=
             *.platform=${{ matrix.platform }}
             *.cache-from=type=gha,scope=${{ needs.prepare.outputs.ref || github.ref }}-static-builder-gnu
@@ -247,30 +248,36 @@ jobs:
           path: /tmp/metadata-gnu/*
           if-no-files-found: error
           retention-days: 1
-      - name: Copy binary
+      - name: Copy all frankenphp* files
         run: |
           # shellcheck disable=SC2034
           digest=$(jq -r '."static-builder-gnu"."${{ fromJson(needs.prepare.outputs.push) && 'containerimage.digest' || 'containerimage.config.digest' }}"' <<< "${METADATA}")
-          docker create --platform=${{ matrix.platform }} --name static-builder-gnu "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}"
-          docker cp "static-builder-gnu:/go/src/app/dist/${BINARY}" "${BINARY}-gnu"
+          container_id=$(docker create --platform=${{ matrix.platform }} "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}")
+          mkdir -p gh-output
+          cd gh-output
+          for file in $(docker run --rm "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" sh -c "ls /go/src/app/dist | grep '^frankenphp'"); do
+            docker cp "${container_id}:/go/src/app/dist/${file}" "./${file}"
+          done
+          docker rm "${container_id}"
+          mv "${BINARY}" "${BINARY}-gnu"
         env:
           METADATA: ${{ steps.build.outputs.metadata }}
           BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}
       - name: Upload artifact
         if: ${{ !fromJson(needs.prepare.outputs.push) }}
         uses: actions/upload-artifact@v4
         with:
-          name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu
-          path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu
+          name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu-files
+          path: gh-output/*
       - name: Upload assets
         if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
-        run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu --repo dunglas/frankenphp --clobber
+        run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" gh-output/* --repo dunglas/frankenphp --clobber
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
         uses: actions/attest-build-provenance@v2
         with:
-          subject-path: ${{ github.workspace }}/frankenphp-linux-*-gnu
+          subject-path: ${{ github.workspace }}/gh-output/frankenphp-linux-*-gnu
       - name: Run sanity checks
         run: |
           "${BINARY}" version
@@ -281,7 +288,7 @@ jobs:
           "${BINARY}" list-modules | grep http.handlers.vulcain
           "${BINARY}" php-cli -r "echo 'Sanity check passed';"
         env:
-          BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu
+          BINARY: ./gh-output/frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu
 
   # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
   push:

.gitignore

@@ -8,4 +8,5 @@
 __debug_bin
 frankenphp.test
 caddy/frankenphp/Build
+package/etc/php.ini
 *.log

CONTRIBUTING.md

@@ -11,9 +11,13 @@ docker build -t frankenphp-dev -f dev.Dockerfile .
 docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -p 8080:8080 -p 443:443 -p 443:443/udp -v $PWD:/go/src/app -it frankenphp-dev
 ```
 
-The image contains the usual development tools (Go, GDB, Valgrind, Neovim...).
+The image contains the usual development tools (Go, GDB, Valgrind, Neovim...) and uses the following php setting locations
 
-If docker version is lower than 23.0, build is failed by dockerignore [pattern issue](https://github.com/moby/moby/pull/42676). Add directories to `.dockerignore`.
+- php.ini: `/etc/frankenphp/php.ini` A php.ini file with development presets is provided by default.
+- additional configuration files: `/etc/frankenphp/php.d/*.ini`
+- php extensions: `/usr/lib/frankenphp/modules/`
+
+If your docker version is lower than 23.0, the build will fail due to dockerignore [pattern issue](https://github.com/moby/moby/pull/42676). Add directories to `.dockerignore`.
 
 ```patch
  !testdata/*.php

Dockerfile

@@ -19,17 +19,17 @@ RUN set -eux; \
 		/app/public \
 		/config/caddy \
 		/data/caddy \
-		/etc/caddy; \
+		/etc/frankenphp; \
 	sed -i 's/php/frankenphp run/g' /usr/local/bin/docker-php-entrypoint; \
 	echo '<?php phpinfo();' > /app/public/index.php
 
-COPY --link caddy/frankenphp/Caddyfile /etc/caddy/Caddyfile
+COPY --link caddy/frankenphp/Caddyfile /etc/frankenphp/Caddyfile
 RUN curl -sSLf \
 		-o /usr/local/bin/install-php-extensions \
 		https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions && \
 	chmod +x /usr/local/bin/install-php-extensions
 
-CMD ["--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
+CMD ["--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"]
 HEALTHCHECK CMD curl -f http://localhost:2019/metrics || exit 1
 
 # See https://caddyserver.com/docs/conventions#file-locations for details
@@ -113,7 +113,7 @@ RUN echo $CGO_LDFLAGS
 WORKDIR /go/src/app/caddy/frankenphp
 RUN GOBIN=/usr/local/bin go install -tags 'nobadger,nomysql,nopgx' -ldflags "-w -s -X 'github.com/caddyserver/caddy/v2.CustomVersion=FrankenPHP $FRANKENPHP_VERSION PHP $PHP_VERSION Caddy'" -buildvcs=true && \
 	setcap cap_net_bind_service=+ep /usr/local/bin/frankenphp && \
-	cp Caddyfile /etc/caddy/Caddyfile && \
+	cp Caddyfile /etc/frankenphp/Caddyfile && \
 	frankenphp version && \
  	frankenphp build-info
 

alpine.Dockerfile

@@ -18,17 +18,17 @@ RUN set -eux; \
 		/app/public \
 		/config/caddy \
 		/data/caddy \
-		/etc/caddy; \
+		/etc/frankenphp; \
 	sed -i 's/php/frankenphp run/g' /usr/local/bin/docker-php-entrypoint; \
 	echo '<?php phpinfo();' > /app/public/index.php
 
-COPY --link caddy/frankenphp/Caddyfile /etc/caddy/Caddyfile
+COPY --link caddy/frankenphp/Caddyfile /etc/frankenphp/Caddyfile
 RUN curl -sSLf \
 		-o /usr/local/bin/install-php-extensions \
 		https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions && \
 	chmod +x /usr/local/bin/install-php-extensions
 
-CMD ["--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
+CMD ["--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"]
 HEALTHCHECK CMD curl -f http://localhost:2019/metrics || exit 1
 
 # See https://caddyserver.com/docs/conventions#file-locations for details

build-packages.sh

@@ -0,0 +1,135 @@
+#!/bin/bash
+
+set -o errexit
+set -x
+
+# Ensure required tools are installed
+if ! command -v rpmbuild &>/dev/null; then
+	echo "Error: rpm-build is required to create RPM packages."
+	echo "Install it with: sudo dnf install rpm-build"
+	exit 1
+fi
+
+if ! command -v ruby &>/dev/null; then
+	echo "Error: Ruby is required by FPM."
+	echo "Install it with: sudo dnf install ruby"
+	exit 1
+fi
+
+if ! command -v fpm &>/dev/null; then
+	echo "Error: FPM (rubygem-fpm) is required to create RPM packages."
+	echo "Install it with: sudo gem install fpm"
+	exit 1
+fi
+
+arch="$(uname -m)"
+os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+bin="frankenphp-${os}-${arch}"
+
+if [ ! -f "dist/$bin" ]; then
+	echo "Error: dist/$bin not found. Run './build-static.sh' first"
+	exit 1
+fi
+
+if [ -z "${FRANKENPHP_VERSION}" ]; then
+	FRANKENPHP_VERSION="$(git rev-parse --verify HEAD)"
+	export FRANKENPHP_VERSION
+elif [ -d ".git/" ]; then
+	CURRENT_REF="$(git rev-parse --abbrev-ref HEAD)"
+	export CURRENT_REF
+
+	if echo "${FRANKENPHP_VERSION}" | grep -F -q "."; then
+		# Tag
+
+		# Trim "v" prefix if any
+		FRANKENPHP_VERSION=${FRANKENPHP_VERSION#v}
+		export FRANKENPHP_VERSION
+
+		git checkout "v${FRANKENPHP_VERSION}"
+	else
+		git checkout "${FRANKENPHP_VERSION}"
+	fi
+fi
+
+if [[ ! "${FRANKENPHP_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+	echo "Warning: FRANKENPHP_VERSION must be set to X.Y.Z (e.g. 1.5.1), got '${FRANKENPHP_VERSION}'"
+	echo "Falling back to non-release version 0.0.0"
+	FRANKENPHP_VERSION=0.0.0
+fi
+
+group_preexists=0
+user_preexists=0
+
+if getent group frankenphp >/dev/null; then
+	group_preexists=1
+else
+	groupadd --system frankenphp
+fi
+
+if getent passwd frankenphp >/dev/null; then
+	user_preexists=1
+else
+	useradd --system \
+		--gid frankenphp \
+		--create-home \
+		--home-dir /var/lib/frankenphp \
+		--shell /usr/sbin/nologin \
+		--comment "FrankenPHP web server" \
+		frankenphp
+fi
+
+mkdir -p package/empty
+mkdir -p package/etc
+[ -f ./dist/static-php-cli/source/php-src/php.ini-production ] && cp -f ./dist/static-php-cli/source/php-src/php.ini-production ./package/etc/php.ini
+
+cd dist
+iteration=1
+glibc_version=$(ldd -v "$bin" | awk '/GLIBC_/ {gsub(/[()]/, "", $2); print $2}' | grep -v GLIBC_PRIVATE | sort -V | tail -n1)
+cxxabi_version=$(strings "$bin" | grep -oP 'CXXABI_\d+\.\d+(\.\d+)?' | sort -V | tail -n1)
+
+fpm -s dir -t rpm -n frankenphp -v "${FRANKENPHP_VERSION}" \
+	--config-files /etc/frankenphp/Caddyfile \
+	--config-files /etc/frankenphp/php.ini \
+	--depends "libc.so.6(${glibc_version})(64bit)" \
+	--depends "libstdc++.so.6(${cxxabi_version})(64bit)" \
+	--before-install ../package/rhel/preinstall.sh \
+	--after-install ../package/rhel/postinstall.sh \
+	--before-remove ../package/rhel/preuninstall.sh \
+	--after-remove ../package/rhel/postuninstall.sh \
+	--iteration "${iteration}" \
+	--rpm-user frankenphp --rpm-group frankenphp \
+	"${bin}=/usr/bin/frankenphp" \
+	"../package/rhel/frankenphp.service=/usr/lib/systemd/system/frankenphp.service" \
+	"../package/Caddyfile=/etc/frankenphp/Caddyfile" \
+	"../package/content/=/usr/share/frankenphp" \
+	"../package/etc/php.ini=/etc/frankenphp/php.ini" \
+	"../package/empty/=/etc/frankenphp/php.d" \
+	"../package/empty/=/usr/lib/frankenphp/modules" \
+	"../package/empty/=/var/lib/frankenphp"
+
+glibc_version=$(ldd -v "$bin" | awk '/GLIBC_/ {gsub(/[()]/, "", $2); print $2}' | grep -v GLIBC_PRIVATE | sed 's/GLIBC_//' | sort -V | tail -n1)
+cxxabi_version=$(strings "$bin" | grep -oP 'CXXABI_\d+\.\d+(\.\d+)?' | sed 's/CXXABI_//' | sort -V | tail -n1)
+
+fpm -s dir -t deb -n frankenphp -v "${FRANKENPHP_VERSION}" \
+	--config-files /etc/frankenphp/Caddyfile \
+	--config-files /etc/frankenphp/php.ini \
+	--depends "libc6 (>= ${glibc_version})" \
+	--depends "libstdc++6 (>= ${cxxabi_version})" \
+	--after-install ../package/debian/postinst.sh \
+	--before-remove ../package/debian/prerm.sh \
+	--after-remove ../package/debian/postrm.sh \
+	--iteration "${iteration}" \
+	--deb-user frankenphp --deb-group frankenphp \
+	"${bin}=/usr/bin/frankenphp" \
+	"../package/debian/frankenphp.service=/usr/lib/systemd/system/frankenphp.service" \
+	"../package/Caddyfile=/etc/frankenphp/Caddyfile" \
+	"../package/content/=/usr/share/frankenphp" \
+	"../package/etc/php.ini=/etc/frankenphp/php.ini" \
+	"../package/empty/=/etc/frankenphp/php.d" \
+	"../package/empty/=/usr/lib/frankenphp/modules" \
+	"../package/empty/=/var/lib/frankenphp"
+
+[ "$user_preexists" -eq 0 ] && userdel frankenphp
+[ "$group_preexists" -eq 0 ] && groupdel frankenphp
+
+cd ..

build-static.sh

@@ -40,9 +40,9 @@ fi
 # init spc build additional args
 if [ -z "${SPC_OPT_BUILD_ARGS}" ]; then
 	SPC_OPT_BUILD_ARGS=""
-	if [ "${SPC_LIBC}" = "musl" ]; then
-		SPC_OPT_BUILD_ARGS="${SPC_OPT_BUILD_ARGS} --disable-opcache-jit"
-	fi
+fi
+if [ "${SPC_LIBC}" = "musl" ] && [[ "${SPC_OPT_BUILD_ARGS}" != *"--disable-opcache-jit"* ]]; then
+	SPC_OPT_BUILD_ARGS="${SPC_OPT_BUILD_ARGS} --disable-opcache-jit"
 fi
 # init spc download additional args
 if [ -z "${SPC_OPT_DOWNLOAD_ARGS}" ]; then

caddy/frankenphp/Caddyfile

@@ -1,3 +1,8 @@
+# The Caddyfile is an easy way to configure FrankenPHP and the Caddy web server.
+#
+# https://frankenphp.dev/docs/config
+# https://caddyserver.com/docs/caddyfile
+
 {
 	{$CADDY_GLOBAL_OPTIONS}
 
@@ -43,3 +48,9 @@
 
 	php_server
 }
+
+# As an alternative to editing the above site block, you can add your own site
+# block files in the Caddyfile.d directory, and they will be included as long
+# as they use the .caddyfile extension.
+
+import Caddyfile.d/*.caddyfile

dev-alpine.Dockerfile

@@ -51,18 +51,21 @@ WORKDIR /usr/local/src/php
 RUN git clone --branch=PHP-8.4 https://github.com/php/php-src.git . && \
 	# --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
 	./buildconf --force && \
-	./configure \
+	EXTENSION_DIR=/usr/lib/frankenphp/modules ./configure \
 		--enable-embed \
 		--enable-zts \
 		--disable-zend-signals \
 		--enable-zend-max-execution-timers \
+		--with-config-file-path=/etc/frankenphp/php.ini \
+		--with-config-file-scan-dir=/etc/frankenphp/php.d \
 		--enable-debug && \
 	make -j"$(nproc)" && \
 	make install && \
 	ldconfig /etc/ld.so.conf.d && \
-	cp php.ini-development /usr/local/lib/php.ini && \
-	echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
-	echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
+		mkdir -p /etc/frankenphp/php.d && \
+			cp php.ini-development /etc/frankenphp/php.ini && \
+			echo "zend_extension=opcache.so" >> /etc/frankenphp/php.ini && \
+			echo "opcache.enable=1" >> /etcfrankenphp/php.ini && \
 	php --version
 
 # Install e-dant/watcher (necessary for file watching)

dev.Dockerfile

@@ -53,18 +53,21 @@ WORKDIR /usr/local/src/php
 RUN git clone --branch=PHP-8.4 https://github.com/php/php-src.git . && \
 	# --enable-embed is only necessary to generate libphp.so, we don't use this SAPI directly
 	./buildconf --force && \
-	./configure \
+	EXTENSION_DIR=/usr/lib/frankenphp/modules ./configure \
 		--enable-embed \
 		--enable-zts \
 		--disable-zend-signals \
 		--enable-zend-max-execution-timers \
+		--with-config-file-path=/etc/frankenphp/php.ini \
+		--with-config-file-scan-dir=/etc/frankenphp/php.d \
 		--enable-debug && \
 	make -j"$(nproc)" && \
 	make install && \
 	ldconfig && \
-	cp php.ini-development /usr/local/lib/php.ini && \
-	echo "zend_extension=opcache.so" >> /usr/local/lib/php.ini && \
-	echo "opcache.enable=1" >> /usr/local/lib/php.ini && \
+		mkdir -p /etc/frankenphp/php.d && \
+			cp php.ini-development /etc/frankenphp/php.ini && \
+			echo "zend_extension=opcache.so" >> /etc/frankenphp/php.ini && \
+			echo "opcache.enable=1" >> /etcfrankenphp/php.ini && \
 	php --version
 
 # Install e-dant/watcher (necessary for file watching)