Dockerfile.litespeed

## cac-litespeed — OpenLiteSpeed customer container, LSAPI-native.
##
## Built on top of the LiteSpeed-maintained prebuilt image rather than
## installed-from-RPM on AlmaLinux 10. Rationale:
##   - The EL10 RPM ships an empty /usr/local/lsws/cgid/ directory (the
##     lscgid suexec helper is built by the upstream tarball install.sh,
##     not packaged), which makes LSAPI unusable.
##   - The prebuilt image is Ubuntu 24.04-based and includes lsphp +
##     everything WP/WooCommerce needs out of the box (memcached, redis,
##     imagick, mbstring, mysqlnd, intl, gd, soap, bcmath, gmp, sodium,
##     opcache, ...) — saves us a dozen explicit installs and avoids the
##     libonig.so.105 packaging bug entirely.
##   - LiteSpeed Inc maintains it; OLS upgrades become a base-image bump.
##
## Tradeoff vs the rest of the CAC family: this image is Ubuntu-based,
## not AlmaLinux. The "cac" naming is now slightly misleading (it's no
## longer Cloud *Apache* Container, it's Cloud LiteSpeed Container) but
## the panel doesn't care and the customer-facing contract is identical.

## ARG before FROM is special — it can be used in the FROM line, but the
## value goes out of scope inside the image, so we re-declare ARG PHPVER
## after FROM for any RUN steps that need it.
ARG OLS_VERSION=1.8.5
ARG PHPVER=83
FROM litespeedtech/openlitespeed:${OLS_VERSION}-lsphp${PHPVER}
ARG PHPVER=83
ENV PHPVER=${PHPVER}

## Tooling we layer on top of the base:
##   - gettext-base: envsubst for runtime template rendering
##   - sudo: install-lscache-wp.sh runs wp-cli as the customer user
##   - composer: not in the base image (wp-cli is)
##   - cron: customer crontab support (mirror cac:phpXX behaviour)
##   - lsphp83-ldap: not in base image, useful for some WP plugins
##
## NOTE: mariadb-server + memcached were previously installed here for
## DEV-mode parity but bloated the PROD image by ~500MB. They are now
## installed at runtime by entrypoint-litespeed.sh ONLY when
## environment=DEV, mirroring the cac:phpNN pattern. The mysql CLI
## client (used by the DEV creds-bootstrap and by wp-cli) is already
## present in the litespeedtech/openlitespeed base via the mysql-client
## package, so no client-side install is needed at build time.
##
## All apt cache is cleaned in the same layer to keep image size down.
## lsphp${PHPVER}-ldap is the only extra ext we add (everything else WP needs
## ships in the prebuilt base). lsphp84 + lsphp85 don't ship imap or pspell
## from LiteSpeed — customers needing imap should pin to 8.3 or earlier.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        gettext-base sudo cron \
        ca-certificates curl wget \
        lsphp${PHPVER}-ldap && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*

## Composer (matches the wp-cli pattern in the existing CAC Dockerfile —
## phar download, no `php install` pipe since lsphp's CLI mode is fine).
RUN curl -fsSL -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar && \
    chmod +x /usr/local/bin/composer

## Our scripts + config templates layer in last (they change most often,
## keep them off the slow apt layer).
COPY ./scripts/entrypoint-litespeed.sh \
     ./scripts/create-vhost-litespeed.sh \
     ./scripts/detect-memory-litespeed.sh \
     ./scripts/install-lscache-wp.sh \
     ./scripts/log-rotate.sh \
     /scripts/
RUN chmod +x /scripts/*
COPY ./configs/litespeed/ /etc/lsws-templates/

## Apply our production lsphp ini overrides. Ask lsphp for its scan dir
## directly (varies by PHP minor version: 8.3/8.4/8.5 each have their own
## /usr/local/lsws/lsphpNN/etc/php/8.M/mods-available/). Dockerfile RUN uses
## /bin/sh so we explicitly `bash -c` for safer scripting.
RUN bash -c 'set -e; \
    SCAN_DIR=$(/usr/local/lsws/lsphp${PHPVER}/bin/lsphp -i 2>/dev/null | awk -F"=> " "/^Scan this dir/ {print \$2; exit}"); \
    mkdir -p "$SCAN_DIR"; \
    cp /etc/lsws-templates/lsphp-overrides.ini "$SCAN_DIR/99-prod-overrides.ini"; \
    echo "wrote overrides to $SCAN_DIR"'

## Disable the OLS WebAdmin port for customer-facing containers. Bind admin
## listener to loopback so it's unreachable even from the docker network.
RUN sed -i 's|^[[:space:]]*address[[:space:]]\+\*:|  address               127.0.0.1:|' \
        /usr/local/lsws/admin/conf/admin_config.conf 2>/dev/null || true

## Cron entry for log rotation (mirrors cac:phpXX).
RUN echo "15 */12 * * * root /scripts/log-rotate.sh" >> /etc/crontab

EXPOSE 80 443

## Healthcheck: the entrypoint drops a static /healthz into the customer
## docroot at boot, so this passes even before any customer files exist.
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
  CMD curl -fsSk https://127.0.0.1/healthz || exit 1

ENTRYPOINT ["/scripts/entrypoint-litespeed.sh"]
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`## cac-litespeed — OpenLiteSpeed customer container, LSAPI-native.`
			`##`
			`## Built on top of the LiteSpeed-maintained prebuilt image rather than`
			`## installed-from-RPM on AlmaLinux 10. Rationale:`
			`## - The EL10 RPM ships an empty /usr/local/lsws/cgid/ directory (the`
			`## lscgid suexec helper is built by the upstream tarball install.sh,`
			`## not packaged), which makes LSAPI unusable.`
			`## - The prebuilt image is Ubuntu 24.04-based and includes lsphp +`
			`## everything WP/WooCommerce needs out of the box (memcached, redis,`
			`## imagick, mbstring, mysqlnd, intl, gd, soap, bcmath, gmp, sodium,`
			`## opcache, ...) — saves us a dozen explicit installs and avoids the`
			`## libonig.so.105 packaging bug entirely.`
			`## - LiteSpeed Inc maintains it; OLS upgrades become a base-image bump.`
			`##`
			`## Tradeoff vs the rest of the CAC family: this image is Ubuntu-based,`
			`## not AlmaLinux. The "cac" naming is now slightly misleading (it's no`
			`## longer Cloud Apache Container, it's Cloud LiteSpeed Container) but`
			`## the panel doesn't care and the customer-facing contract is identical.`

			`## ARG before FROM is special — it can be used in the FROM line, but the`
			`## value goes out of scope inside the image, so we re-declare ARG PHPVER`
			`## after FROM for any RUN steps that need it.`
			`ARG OLS_VERSION=1.8.5`
			`ARG PHPVER=83`
			`FROM litespeedtech/openlitespeed:${OLS_VERSION}-lsphp${PHPVER}`
			`ARG PHPVER=83`
			`ENV PHPVER=${PHPVER}`

			`## Tooling we layer on top of the base:`
			`## - gettext-base: envsubst for runtime template rendering`
			`## - sudo: install-lscache-wp.sh runs wp-cli as the customer user`
			`## - composer: not in the base image (wp-cli is)`
			`## - cron: customer crontab support (mirror cac:phpXX behaviour)`
			`## - lsphp83-ldap: not in base image, useful for some WP plugins`
			`##`
perf(litespeed): defer mariadb-server + memcached install to DEV runtime Drops these from the build-time apt install in Dockerfile.litespeed; they now install at entrypoint time only when environment=DEV, guarded by 'command -v mysqld' so container restarts skip the apt step. Mirrors the cac:phpNN pattern. The mysql CLI client is already in the litespeedtech/openlitespeed base, so wp-cli + DEV creds-bootstrap still work without a build-time client install. Measured (php83 / OLS 1.8.4): PROD image: 1.64 GB -> 1.20 GB (~440 MB savings) PROD first-200 boot: unchanged at ~1.5s DEV first boot: ~51s (apt install cost — one-time per container) DEV second boot: ~6s (cache hit, same as PROD) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 08:26:19 -07:00			`## NOTE: mariadb-server + memcached were previously installed here for`
			`## DEV-mode parity but bloated the PROD image by ~500MB. They are now`
			`## installed at runtime by entrypoint-litespeed.sh ONLY when`
			`## environment=DEV, mirroring the cac:phpNN pattern. The mysql CLI`
			`## client (used by the DEV creds-bootstrap and by wp-cli) is already`
			`## present in the litespeedtech/openlitespeed base via the mysql-client`
			`## package, so no client-side install is needed at build time.`
			`##`
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`## All apt cache is cleaned in the same layer to keep image size down.`
			`## lsphp${PHPVER}-ldap is the only extra ext we add (everything else WP needs`
			`## ships in the prebuilt base). lsphp84 + lsphp85 don't ship imap or pspell`
			`## from LiteSpeed — customers needing imap should pin to 8.3 or earlier.`
			`RUN apt-get update && \`
			`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \`
			`gettext-base sudo cron \`
			`ca-certificates curl wget \`
			`lsphp${PHPVER}-ldap && \`
			`apt-get clean && \`
			`rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*`

			`## Composer (matches the wp-cli pattern in the existing CAC Dockerfile —`
			## phar download, no `php install` pipe since lsphp's CLI mode is fine).
			`RUN curl -fsSL -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar && \`
			`chmod +x /usr/local/bin/composer`

			`## Our scripts + config templates layer in last (they change most often,`
			`## keep them off the slow apt layer).`
			`COPY ./scripts/entrypoint-litespeed.sh \`
			`./scripts/create-vhost-litespeed.sh \`
			`./scripts/detect-memory-litespeed.sh \`
			`./scripts/install-lscache-wp.sh \`
			`./scripts/log-rotate.sh \`
			`/scripts/`
			`RUN chmod +x /scripts/*`
			`COPY ./configs/litespeed/ /etc/lsws-templates/`

			`## Apply our production lsphp ini overrides. Ask lsphp for its scan dir`
			`## directly (varies by PHP minor version: 8.3/8.4/8.5 each have their own`
			`## /usr/local/lsws/lsphpNN/etc/php/8.M/mods-available/). Dockerfile RUN uses`
			## /bin/sh so we explicitly `bash -c` for safer scripting.
			`RUN bash -c 'set -e; \`
			`SCAN_DIR=$(/usr/local/lsws/lsphp${PHPVER}/bin/lsphp -i 2>/dev/null \| awk -F"=> " "/^Scan this dir/ {print \$2; exit}"); \`
			`mkdir -p "$SCAN_DIR"; \`
			`cp /etc/lsws-templates/lsphp-overrides.ini "$SCAN_DIR/99-prod-overrides.ini"; \`
			`echo "wrote overrides to $SCAN_DIR"'`

			`## Disable the OLS WebAdmin port for customer-facing containers. Bind admin`
			`## listener to loopback so it's unreachable even from the docker network.`
			`RUN sed -i 's\|^[[:space:]]address[[:space:]]\+\:\| address 127.0.0.1:\|' \`
			`/usr/local/lsws/admin/conf/admin_config.conf 2>/dev/null \|\| true`

			`## Cron entry for log rotation (mirrors cac:phpXX).`
			`RUN echo "15 /12 * * root /scripts/log-rotate.sh" >> /etc/crontab`

			`EXPOSE 80 443`

			`## Healthcheck: the entrypoint drops a static /healthz into the customer`
			`## docroot at boot, so this passes even before any customer files exist.`
			`HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \`
			`CMD curl -fsSk https://127.0.0.1/healthz \|\| exit 1`

			`ENTRYPOINT ["/scripts/entrypoint-litespeed.sh"]`