Containerisation (Docker for PHP)
Also Known As
Docker
containers
container runtime
TL;DR
Packaging PHP applications and their dependencies into Docker containers for consistent, reproducible environments from dev to production.
Explanation
Docker containers bundle PHP, its extensions, the nginx/FPM configuration and the application code into an immutable image. Benefits: environment parity (one image runs in dev, staging and production, which ends "works on my machine"), fast deployment, horizontal scaling, and process isolation built from kernel namespaces and cgroups. A production PHP Dockerfile typically starts from a pinned official image such as php:8.3-fpm-alpine, installs the required extensions with docker-php-ext-install, installs Composer dependencies (the official php image ships no Composer binary, so the build copies it in from the composer image), copies the application with a .dockerignore that excludes .git, .env and node_modules, and switches to a non-root user with USER. Multi-stage builds keep Composer and compiler toolchains in a build stage and out of the runtime stage, so the production image is smaller and exposes less attack surface. Docker Compose wires up local development (PHP-FPM, nginx, MySQL and Redis containers); in production the same images run on Kubernetes, ECS or a similar orchestrator.
Diagram
flowchart TD
subgraph Host OS
KERN[Linux Kernel]
subgraph Container A
PHPFPM[PHP-FPM]
APP[App Code]
end
subgraph Container B
NGINX[nginx]
end
subgraph Container C
MYSQL[MySQL]
end
end
NGINX -->|FastCGI| PHPFPM
PHPFPM --> MYSQL
KERN -.->|namespaces + cgroups| PHPFPM & NGINX & MYSQL
style KERN fill:#6e40c9,color:#fff
style PHPFPM fill:#238636,color:#fff
style NGINX fill:#1f6feb,color:#fff
style MYSQL fill:#d29922,color:#fff
Common Misconception
✗ Containers provide the same isolation as virtual machines. Containers share the host OS kernel: a kernel vulnerability, or a misconfiguration such as --privileged, shared host namespaces or a mounted Docker socket, breaks container isolation entirely. VMs virtualise hardware and run their own kernel. Containers offer process isolation assembled from namespaces, cgroups, capabilities and seccomp; VMs offer a stronger security boundary at higher resource cost.
Why It Matters
Containers make one image run the same way on every host with a compatible kernel: development, staging and production all deploy the same artefact, so "it works on my machine" becomes "it works in the container", and the container runs wherever the image does.
Common Mistakes
- Running as root inside the container: unless user namespaces are enabled, UID 0 in the container is UID 0 on the host, so any container escape hands the attacker root on the host. Set USER in the Dockerfile and drop capabilities at run time.
- Storing persistent data in the container's writable layer: it disappears when the container is recreated. Use a volume.
- Using the latest tag in production: you lose control of which version is deployed, and two hosts can pull different images under the same tag. Pin a version tag or, better, an image digest.
- Baking secrets into the image (ENV, ARG or a copied .env): they are visible to anyone who can pull the image, and deleting the file in a later layer does not remove it from the earlier layer or from docker history. Inject secrets at run time instead.
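All four mistakes, plus the single-stage build the page's detection hints describe, are visible in the Dockerfile text, so they can be caught before an image is ever built. The script below is an added example, not code from the original page: it parses a Dockerfile (joining backslash-continued lines), tracks build stages, and reports the anti-patterns. The rule names, the Finding type and both sample Dockerfiles are constructed for this demonstration.

```python
"""Added example, not from the original page: a static check for the
Dockerfile mistakes listed above. Both Dockerfiles at the bottom are
constructed for the demonstration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the offending instruction, 0 = whole file
    rule: str
    message: str


SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
BUILD_TOOLS = re.compile(r"build-base|build-essential|\bgcc\b|\bmake\b|\$PHPIZE_DEPS|composer install")


def instructions(text):
    """Return [(lineno, INSTRUCTION, args)]: comments and blank lines dropped,
    backslash-continued lines joined onto the line where they start."""
    out, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        head, _, rest = " ".join(buf).partition(" ")
        out.append((start, head.upper(), rest.strip()))
        buf, start = [], None
    return out


def lint_dockerfile(text, dockerignore=""):
    """Return a list of Finding; an empty list means none of the anti-patterns was seen."""
    findings = []
    ignored = {e.strip() for e in dockerignore.splitlines() if e.strip() and not e.startswith("#")}
    stage_names, from_count, last_user, build_tool_line = set(), 0, None, None
    for no, ins, args in instructions(text):
        words = args.split()
        if ins == "FROM":
            from_count += 1
            last_user = None                      # every stage starts as root again
            image = words[0]
            if image not in stage_names and image != "scratch" and not DIGEST.search(image):
                name = image.rsplit("/", 1)[-1]   # strip registry/namespace before looking for :tag
                tag = name.split(":", 1)[1] if ":" in name else ""
                if tag in ("", "latest"):
                    findings.append(Finding(no, "unpinned-base", f"base image {image} has no version tag or digest"))
            if len(words) >= 3 and words[1].upper() == "AS":
                stage_names.add(words[2])
        elif ins == "USER":
            last_user = words[0]
        elif ins in ("ENV", "ARG"):
            # KEY=value form and the legacy "ENV KEY value" / bare "ARG KEY" forms
            keys = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=", args) or words[:1]
            for key in keys:
                if SECRET_NAME.search(key):
                    findings.append(Finding(no, "secret-in-image", f"{ins} {key} stays in the image layers and history"))
        elif ins in ("COPY", "ADD") and not any(w.startswith("--from") for w in words):
            operands = [w for w in words if not w.startswith("--")]
            if any(src in (".", "./") for src in operands[:-1]):
                missing = [p for p in (".env", ".git") if p not in ignored]
                if missing:
                    findings.append(Finding(no, "context-leak", f"{ins} of the whole build context with no .dockerignore entry for {', '.join(missing)}"))
        elif ins == "RUN" and build_tool_line is None and BUILD_TOOLS.search(args):
            build_tool_line = no
    if from_count == 1 and build_tool_line is not None:
        findings.append(Finding(build_tool_line, "single-stage-build-tools", "build tools installed in a single-stage image ship to production"))
    if last_user is None or last_user in ("root", "0"):
        findings.append(Finding(0, "runs-as-root", "final stage has no non-root USER"))
    return findings


# Constructed samples: the first collects every anti-pattern, the second is the
# multi-stage layout the page recommends.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y php build-essential
ENV DB_PASSWORD=hunter2
COPY . /app
RUN cd /app && composer install
USER root
"""
GOOD_DOCKERFILE = """\
FROM php:8.3-fpm-alpine AS base
WORKDIR /app
RUN docker-php-ext-install pdo_mysql opcache
FROM base AS vendor
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY composer.json composer.lock ./
RUN composer install --no-dev --prefer-dist
FROM base AS production
COPY --from=vendor /app/vendor ./vendor
COPY --chown=www-data:www-data . .
USER www-data
"""
GOOD_DOCKERIGNORE = ".git\n.env\nnode_modules\n"
```

On a real project call lint_dockerfile with the contents of Dockerfile and .dockerignore and treat a non-empty list as a failed check; for BAD_DOCKERFILE it reports all five rules, and GOOD_DOCKERFILE is clean only when the .dockerignore is supplied. This is a pre-build gate, not a replacement for hadolint or trivy: it knows nothing about shell syntax inside RUN, and the secret check is name-based, so a credential smuggled under an innocuous variable name passes.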
Code Examples
✗ Vulnerable
# Dockerfile anti-patterns:
FROM ubuntu:latest                  # Unpinned: a new release changes what you ship
RUN apt-get install -y php          # No version pin (and no apt-get update, so this fails on a fresh layer)
COPY . /app                         # Copies .git, node_modules and .env into the image
RUN composer install                # Dev dependencies included
USER root                           # Running as root: security risk

# Better (the official php image ships no Composer, so copy the binary in;
# still needs a .dockerignore so COPY . skips .git, .env and node_modules):
FROM php:8.3-fpm-alpine
WORKDIR /app
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY --chown=www-data:www-data . /app
RUN composer install --no-dev --optimize-autoloader
USER www-data
✓ Fixed
# Dockerfile: production PHP-FPM image, multi-stage
FROM php:8.3-fpm-alpine AS base
WORKDIR /app
RUN docker-php-ext-install pdo_mysql opcache
COPY php.ini /usr/local/etc/php/conf.d/app.ini

# Dependency stage: Composer exists only here, never in the runtime image
FROM base AS vendor
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY composer.json composer.lock ./
RUN composer install --no-dev --no-scripts --prefer-dist --optimize-autoloader

# Runtime stage: application code plus vendor/, no build tools
FROM base AS production
COPY --from=vendor /app/vendor ./vendor
# Requires a .dockerignore that excludes .git, .env, node_modules and tests
COPY --chown=www-data:www-data . .
# Laravel: route:cache is environment-independent and safe to bake in.
# Do NOT run config:cache here: it freezes build-time env values (and any build-time
# secret) into bootstrap/cache/config.php, so runtime environment variables are ignored.
# Run `php artisan config:cache` from the container entrypoint instead.
RUN php artisan route:cache
USER www-data
Added
15 Mar 2026
Edited
22 Mar 2026
Views
34
Related categories
⚡
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Medium
⚡ Quick Fix
Write a Dockerfile with a multi-stage build: the first stage installs Composer dependencies, the final stage copies only the application and vendor/ and switches to a non-root USER. The final image stays small and ships no build tools.
📦 Applies To
PHP 5.0+
web
cli
queue-worker
🔍 Detection Hints
Single-stage Dockerfile with build tools in production image; no multi-stage build; large image >1GB
Auto-detectable:
✓ Yes
docker
hadolint
trivy
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File