## cac-litespeed — OpenLiteSpeed customer container, LSAPI-native. ## ## Built on top of the LiteSpeed-maintained prebuilt image rather than ## installed-from-RPM on AlmaLinux 10. Rationale: ## - The EL10 RPM ships an empty /usr/local/lsws/cgid/ directory (the ## lscgid suexec helper is built by the upstream tarball install.sh, ## not packaged), which makes LSAPI unusable. ## - The prebuilt image is Ubuntu 24.04-based and includes lsphp + ## everything WP/WooCommerce needs out of the box (memcached, redis, ## imagick, mbstring, mysqlnd, intl, gd, soap, bcmath, gmp, sodium, ## opcache, ...) — saves us a dozen explicit installs and avoids the ## libonig.so.105 packaging bug entirely. ## - LiteSpeed Inc maintains it; OLS upgrades become a base-image bump. ## ## Tradeoff vs the rest of the CAC family: this image is Ubuntu-based, ## not AlmaLinux. The "cac" naming is now slightly misleading (it's no ## longer Cloud *Apache* Container, it's Cloud LiteSpeed Container) but ## the panel doesn't care and the customer-facing contract is identical. ## ARG before FROM is special — it can be used in the FROM line, but the ## value goes out of scope inside the image, so we re-declare ARG PHPVER ## after FROM for any RUN steps that need it. ARG OLS_VERSION=1.8.5 ARG PHPVER=83 FROM litespeedtech/openlitespeed:${OLS_VERSION}-lsphp${PHPVER} ARG PHPVER=83 ENV PHPVER=${PHPVER} ## Tooling we layer on top of the base: ## - gettext-base: envsubst for runtime template rendering ## - sudo: install-lscache-wp.sh runs wp-cli as the customer user ## - composer: not in the base image (wp-cli is) ## - cron: customer crontab support (mirror cac:phpXX behaviour) ## - mariadb-server + memcached: DEV-mode parity with the existing CAC ## entrypoints. PROD mode never starts these. ## - lsphp83-ldap: not in base image, useful for some WP plugins ## ## All apt cache is cleaned in the same layer to keep image size down. ## lsphp${PHPVER}-ldap is the only extra ext we add (everything else WP needs ## ships in the prebuilt base). lsphp84 + lsphp85 don't ship imap or pspell ## from LiteSpeed — customers needing imap should pin to 8.3 or earlier. RUN apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ gettext-base sudo cron \ ca-certificates curl wget \ mariadb-server memcached \ lsphp${PHPVER}-ldap && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* ## Composer (matches the wp-cli pattern in the existing CAC Dockerfile — ## phar download, no `php install` pipe since lsphp's CLI mode is fine). RUN curl -fsSL -o /usr/local/bin/composer https://getcomposer.org/download/latest-stable/composer.phar && \ chmod +x /usr/local/bin/composer ## Our scripts + config templates layer in last (they change most often, ## keep them off the slow apt layer). COPY ./scripts/entrypoint-litespeed.sh \ ./scripts/create-vhost-litespeed.sh \ ./scripts/detect-memory-litespeed.sh \ ./scripts/install-lscache-wp.sh \ ./scripts/log-rotate.sh \ /scripts/ RUN chmod +x /scripts/* COPY ./configs/litespeed/ /etc/lsws-templates/ ## Apply our production lsphp ini overrides. Ask lsphp for its scan dir ## directly (varies by PHP minor version: 8.3/8.4/8.5 each have their own ## /usr/local/lsws/lsphpNN/etc/php/8.M/mods-available/). Dockerfile RUN uses ## /bin/sh so we explicitly `bash -c` for safer scripting. RUN bash -c 'set -e; \ SCAN_DIR=$(/usr/local/lsws/lsphp${PHPVER}/bin/lsphp -i 2>/dev/null | awk -F"=> " "/^Scan this dir/ {print \$2; exit}"); \ mkdir -p "$SCAN_DIR"; \ cp /etc/lsws-templates/lsphp-overrides.ini "$SCAN_DIR/99-prod-overrides.ini"; \ echo "wrote overrides to $SCAN_DIR"' ## Disable the OLS WebAdmin port for customer-facing containers. Bind admin ## listener to loopback so it's unreachable even from the docker network. RUN sed -i 's|^[[:space:]]*address[[:space:]]\+\*:| address 127.0.0.1:|' \ /usr/local/lsws/admin/conf/admin_config.conf 2>/dev/null || true ## Cron entry for log rotation (mirrors cac:phpXX). RUN echo "15 */12 * * * root /scripts/log-rotate.sh" >> /etc/crontab EXPOSE 80 443 ## Healthcheck: the entrypoint drops a static /healthz into the customer ## docroot at boot, so this passes even before any customer files exist. HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \ CMD curl -fsSk https://127.0.0.1/healthz || exit 1 ENTRYPOINT ["/scripts/entrypoint-litespeed.sh"]