scripts/create-vhost-litespeed.sh

#!/usr/bin/env bash
## create-vhost-litespeed.sh — sets up OLS config for one customer site.
##
## Approach: keep the stock LiteSpeed-shipped httpd_config.conf VERBATIM
## (it has all the cgid/lscgid plumbing that lscgid needs to actually
## create its IPC socket), and just APPEND our listeners + vhTemplate.
## The custom vhost template lives at conf/templates/site.conf and points
## at /home/${user}/public_html. envsubst renders our user/domain into
## both files at container start.
##
## Expects in env: user, domain, serveralias (optional).
set -euo pipefail

TPL_DIR=${TPL_DIR:-/etc/lsws-templates}
LSWS_CONF=/usr/local/lsws/conf

## Ensure the conf dir has stock config to append to. On first boot with
## a fresh image this is a no-op (image ships with conf/ populated). With
## a future volume mount of conf/, the upstream entrypoint pattern would
## copy from .conf/* — keep parity:
if [ -z "$(ls -A -- "$LSWS_CONF/" 2>/dev/null)" ]; then
  cp -R /usr/local/lsws/.conf/* "$LSWS_CONF/"
fi

## Build the serveralias suffix for vhDomain. Empty for none, else
## ",alias1,alias2" prepended to the comma list.
vhost_map_aliases=""
if [ -n "${serveralias:-}" ]; then
  for alias in $(echo "$serveralias" | tr ',' ' '); do
    [ -z "$alias" ] && continue
    vhost_map_aliases="${vhost_map_aliases},${alias}"
  done
fi
export vhost_map_aliases user domain

## --- prep the stock httpd_config.conf before appending ours ---
## Stock ships with `listener HTTP {*:80}`, `listener HTTPS {*:443}`, and
## a `vhTemplate docker` mapped to /var/www/vhosts/$VH_NAME/html — these
## conflict with our ports and would shadow our siteVH vhost. Strip them
## and the demo `virtualHost Example`, but KEEP `listener Default` (it's
## bound to 8088 — harmless internally, removing risks unrelated breakage).
## Always restart from a stock copy so re-runs are idempotent (otherwise
## a second sed pass on already-stripped config corrupts it).
cp /usr/local/lsws/.conf/httpd_config.conf "$LSWS_CONF/httpd_config.conf"

## Strip the stock blocks we replace. Use awk: easier than sed range-deletes
## to skip a NAMED block of arbitrary length terminated by a top-level `}`.
## extProcessor lsphp is stripped because the stock one hard-codes
## PHP_LSAPI_CHILDREN=10 regardless of container size — our appended
## extProcessor scales it from detect-memory-litespeed.sh.
awk '
  BEGIN { skip = 0 }
  /^listener HTTP \{/ || /^listener HTTPS \{/ || /^vhTemplate docker \{/ || /^extProcessor lsphp\{/ || /^extProcessor lsphp \{/ { skip = 1; next }
  skip && /^\}/ { skip = 0; next }
  !skip { print }
' "$LSWS_CONF/httpd_config.conf" > "$LSWS_CONF/httpd_config.conf.new"
mv "$LSWS_CONF/httpd_config.conf.new" "$LSWS_CONF/httpd_config.conf"

## Server-level user/group → customer. Without this, OLS runs as nobody and
## either can't read customer files (no setUIDMode) or has to lscgid-spawn a
## per-uid lsphp for every httpd worker (the setUIDMode 2 pathway). With OLS
## itself running as ${user}, a single shared lsphp parent serves all httpd
## workers, LSAPI children-mode actually engages, and shmem stops fanning out.
## OLS still starts as root (PID 1 binds 80/443) then drops privs after bind.
sed -i \
  -e "s|^user[[:space:]].*|user                             ${user}|" \
  -e "s|^group[[:space:]].*|group                            ${user}|" \
  "$LSWS_CONF/httpd_config.conf"

## --- append our listeners + vhTemplate ---
SENTINEL="## ---- cac-litespeed append (do not edit below) ----"
{
  echo ""
  echo "$SENTINEL"
  envsubst '${user} ${domain} ${vhost_map_aliases} ${PHPVER} ${LSAPI_CHILDREN}' < "$TPL_DIR/httpd_config.tpl"
} >> "$LSWS_CONF/httpd_config.conf"

## --- write our vhost template to /usr/local/lsws/conf/templates/site.conf ---
envsubst '${user}' < "$TPL_DIR/site-template.tpl" \
  > "$LSWS_CONF/templates/site.conf"

## --- per-vhost config file the vhTemplate will reference ---
## OLS creates conf/vhosts/$VH_NAME/ at template-instantiation time, but
## we pre-create it to satisfy the configFile path and write a minimal
## vhconf.conf (empty body — all real config is inline in the template's
## virtualHostConfig{} block).
mkdir -p "$LSWS_CONF/vhosts/siteVH"
echo "## auto-generated; real vhost config is in templates/site.conf" \
  > "$LSWS_CONF/vhosts/siteVH/vhconf.conf"

## Permissions: OLS reads conf/ as lsadm. Don't break that.
chown -R lsadm:nogroup "$LSWS_CONF" 2>/dev/null || true
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`#!/usr/bin/env bash`
			`## create-vhost-litespeed.sh — sets up OLS config for one customer site.`
			`##`
			`## Approach: keep the stock LiteSpeed-shipped httpd_config.conf VERBATIM`
			`## (it has all the cgid/lscgid plumbing that lscgid needs to actually`
			`## create its IPC socket), and just APPEND our listeners + vhTemplate.`
			`## The custom vhost template lives at conf/templates/site.conf and points`
			`## at /home/${user}/public_html. envsubst renders our user/domain into`
			`## both files at container start.`
			`##`
			`## Expects in env: user, domain, serveralias (optional).`
			`set -euo pipefail`

			`TPL_DIR=${TPL_DIR:-/etc/lsws-templates}`
			`LSWS_CONF=/usr/local/lsws/conf`

			`## Ensure the conf dir has stock config to append to. On first boot with`
			`## a fresh image this is a no-op (image ships with conf/ populated). With`
			`## a future volume mount of conf/, the upstream entrypoint pattern would`
			`## copy from .conf/* — keep parity:`
			`if [ -z "$(ls -A -- "$LSWS_CONF/" 2>/dev/null)" ]; then`
			`cp -R /usr/local/lsws/.conf/* "$LSWS_CONF/"`
			`fi`

			`## Build the serveralias suffix for vhDomain. Empty for none, else`
			`## ",alias1,alias2" prepended to the comma list.`
			`vhost_map_aliases=""`
			`if [ -n "${serveralias:-}" ]; then`
			`for alias in $(echo "$serveralias" \| tr ',' ' '); do`
			`[ -z "$alias" ] && continue`
			`vhost_map_aliases="${vhost_map_aliases},${alias}"`
			`done`
			`fi`
			`export vhost_map_aliases user domain`

			`## --- prep the stock httpd_config.conf before appending ours ---`
			## Stock ships with `listener HTTP {:80}`, `listener HTTPS {:443}`, and
			## a `vhTemplate docker` mapped to /var/www/vhosts/$VH_NAME/html — these
			`## conflict with our ports and would shadow our siteVH vhost. Strip them`
			## and the demo `virtualHost Example`, but KEEP `listener Default` (it's
			`## bound to 8088 — harmless internally, removing risks unrelated breakage).`
			`## Always restart from a stock copy so re-runs are idempotent (otherwise`
			`## a second sed pass on already-stripped config corrupts it).`
			`cp /usr/local/lsws/.conf/httpd_config.conf "$LSWS_CONF/httpd_config.conf"`

			`## Strip the stock blocks we replace. Use awk: easier than sed range-deletes`
			## to skip a NAMED block of arbitrary length terminated by a top-level `}`.
feat(litespeed): wire up dynamic LSAPI tuning + idle reduction Two correctness fixes and a tuning improvement. CORRECTNESS: 1. Strip the stock 'extProcessor lsphp' from httpd_config.conf before appending ours. Previously the stock block (hard-coded PHP_LSAPI_CHILDREN=10 regardless of container memory) always won because our APPEND fragment didn't include an extProcessor block. detect-memory-litespeed.sh was computing LSAPI_CHILDREN but never plumbing it anywhere — silent dead code. 2. Bump LSPHP_WORKER_ESTIMATE_MB from 96 → 115 per the 2026-06-02 memory-sizing finding (vantagehealth OOM-spawn loop). Each lsphp carries ~115 MB shmem-rss accounted per worker. 115 MB matches the real per-worker baseline. TUNING (idle reduction, the original ask): - LSAPI_MAX_IDLE_CHILDREN=2 (was CHILDREN/2 = 5 default) - LSAPI_MAX_IDLE=60s (was 300s default) - PHP_LSAPI_MAX_REQUESTS=500 (recycle workers, prevents bloat) - memSoftLimit=1024M / memHardLimit=1500M per worker (RLIMIT_AS; catches runaway scripts at the worker level, cgroup still backstops the container) Effective LSAPI_CHILDREN per container: 2 GiB → ~17 (was 10 — brain-jar was saturating) 1 GiB → ~8 512 MiB → ~3 (cap-marginal per the memory note; bump container if site grows) Dropped LSAPI_MEM_SOFT/HARD computation in detect-memory: AVAILABLE/CHILDREN was conflating VSZ with RSS-budget arithmetic and would have killed legitimate workers. The 1024/1500 hard-coded values in the template comfortably fit typical Divi/WooCommerce VSZ (280-365 MB). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 16:36:25 -07:00			`## extProcessor lsphp is stripped because the stock one hard-codes`
			`## PHP_LSAPI_CHILDREN=10 regardless of container size — our appended`
			`## extProcessor scales it from detect-memory-litespeed.sh.`
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`awk '`
			`BEGIN { skip = 0 }`
feat(litespeed): wire up dynamic LSAPI tuning + idle reduction Two correctness fixes and a tuning improvement. CORRECTNESS: 1. Strip the stock 'extProcessor lsphp' from httpd_config.conf before appending ours. Previously the stock block (hard-coded PHP_LSAPI_CHILDREN=10 regardless of container memory) always won because our APPEND fragment didn't include an extProcessor block. detect-memory-litespeed.sh was computing LSAPI_CHILDREN but never plumbing it anywhere — silent dead code. 2. Bump LSPHP_WORKER_ESTIMATE_MB from 96 → 115 per the 2026-06-02 memory-sizing finding (vantagehealth OOM-spawn loop). Each lsphp carries ~115 MB shmem-rss accounted per worker. 115 MB matches the real per-worker baseline. TUNING (idle reduction, the original ask): - LSAPI_MAX_IDLE_CHILDREN=2 (was CHILDREN/2 = 5 default) - LSAPI_MAX_IDLE=60s (was 300s default) - PHP_LSAPI_MAX_REQUESTS=500 (recycle workers, prevents bloat) - memSoftLimit=1024M / memHardLimit=1500M per worker (RLIMIT_AS; catches runaway scripts at the worker level, cgroup still backstops the container) Effective LSAPI_CHILDREN per container: 2 GiB → ~17 (was 10 — brain-jar was saturating) 1 GiB → ~8 512 MiB → ~3 (cap-marginal per the memory note; bump container if site grows) Dropped LSAPI_MEM_SOFT/HARD computation in detect-memory: AVAILABLE/CHILDREN was conflating VSZ with RSS-budget arithmetic and would have killed legitimate workers. The 1024/1500 hard-coded values in the template comfortably fit typical Divi/WooCommerce VSZ (280-365 MB). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 16:36:25 -07:00			`/^listener HTTP \{/ \|\| /^listener HTTPS \{/ \|\| /^vhTemplate docker \{/ \|\| /^extProcessor lsphp\{/ \|\| /^extProcessor lsphp \{/ { skip = 1; next }`
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`skip && /^\}/ { skip = 0; next }`
			`!skip { print }`
			`' "$LSWS_CONF/httpd_config.conf" > "$LSWS_CONF/httpd_config.conf.new"`
			`mv "$LSWS_CONF/httpd_config.conf.new" "$LSWS_CONF/httpd_config.conf"`

refactor(litespeed): drop setUIDMode for shared lsphp + cut opcache 128→32M OLS runs as the customer user end-to-end (server-level user/group set by create-vhost-litespeed.sh), so lsphp inherits that uid without per-request suEXEC. Eliminates the per-httpd-worker lsphp instance fan-out — one shared lsphp parent now serves all httpd workers via the shared socket. Combined with opcache.memory_consumption 128→32M, brain-jar measured shmem dropped from ~880 MiB → 32 MiB and memory.current from ~1.1 GiB → 67 MiB at the 1.5 GiB cap. No new oom_kills since the change. Safe because cac-litespeed is one-customer-per-container — the container boundary is the privsep boundary. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 20:06:56 -07:00			`## Server-level user/group → customer. Without this, OLS runs as nobody and`
			`## either can't read customer files (no setUIDMode) or has to lscgid-spawn a`
			`## per-uid lsphp for every httpd worker (the setUIDMode 2 pathway). With OLS`
			`## itself running as ${user}, a single shared lsphp parent serves all httpd`
			`## workers, LSAPI children-mode actually engages, and shmem stops fanning out.`
			`## OLS still starts as root (PID 1 binds 80/443) then drops privs after bind.`
			`sed -i \`
			`-e "s\|^user[[:space:]].*\|user ${user}\|" \`
			`-e "s\|^group[[:space:]].*\|group ${user}\|" \`
			`"$LSWS_CONF/httpd_config.conf"`

Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`## --- append our listeners + vhTemplate ---`
			`SENTINEL="## ---- cac-litespeed append (do not edit below) ----"`
			`{`
			`echo ""`
			`echo "$SENTINEL"`
feat(litespeed): wire up dynamic LSAPI tuning + idle reduction Two correctness fixes and a tuning improvement. CORRECTNESS: 1. Strip the stock 'extProcessor lsphp' from httpd_config.conf before appending ours. Previously the stock block (hard-coded PHP_LSAPI_CHILDREN=10 regardless of container memory) always won because our APPEND fragment didn't include an extProcessor block. detect-memory-litespeed.sh was computing LSAPI_CHILDREN but never plumbing it anywhere — silent dead code. 2. Bump LSPHP_WORKER_ESTIMATE_MB from 96 → 115 per the 2026-06-02 memory-sizing finding (vantagehealth OOM-spawn loop). Each lsphp carries ~115 MB shmem-rss accounted per worker. 115 MB matches the real per-worker baseline. TUNING (idle reduction, the original ask): - LSAPI_MAX_IDLE_CHILDREN=2 (was CHILDREN/2 = 5 default) - LSAPI_MAX_IDLE=60s (was 300s default) - PHP_LSAPI_MAX_REQUESTS=500 (recycle workers, prevents bloat) - memSoftLimit=1024M / memHardLimit=1500M per worker (RLIMIT_AS; catches runaway scripts at the worker level, cgroup still backstops the container) Effective LSAPI_CHILDREN per container: 2 GiB → ~17 (was 10 — brain-jar was saturating) 1 GiB → ~8 512 MiB → ~3 (cap-marginal per the memory note; bump container if site grows) Dropped LSAPI_MEM_SOFT/HARD computation in detect-memory: AVAILABLE/CHILDREN was conflating VSZ with RSS-budget arithmetic and would have killed legitimate workers. The 1024/1500 hard-coded values in the template comfortably fit typical Divi/WooCommerce VSZ (280-365 MB). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 16:36:25 -07:00			`envsubst '${user} ${domain} ${vhost_map_aliases} ${PHPVER} ${LSAPI_CHILDREN}' < "$TPL_DIR/httpd_config.tpl"`
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI) New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-06-02 07:32:47 -07:00			`} >> "$LSWS_CONF/httpd_config.conf"`

			`## --- write our vhost template to /usr/local/lsws/conf/templates/site.conf ---`
			`envsubst '${user}' < "$TPL_DIR/site-template.tpl" \`
			`> "$LSWS_CONF/templates/site.conf"`

			`## --- per-vhost config file the vhTemplate will reference ---`
			`## OLS creates conf/vhosts/$VH_NAME/ at template-instantiation time, but`
			`## we pre-create it to satisfy the configFile path and write a minimal`
			`## vhconf.conf (empty body — all real config is inline in the template's`
			`## virtualHostConfig{} block).`
			`mkdir -p "$LSWS_CONF/vhosts/siteVH"`
			`echo "## auto-generated; real vhost config is in templates/site.conf" \`
			`> "$LSWS_CONF/vhosts/siteVH/vhconf.conf"`

			`## Permissions: OLS reads conf/ as lsadm. Don't break that.`
			`chown -R lsadm:nogroup "$LSWS_CONF" 2>/dev/null \|\| true`