Containerisation (Docker for PHP)

DevOps PHP 5.0+ Intermediate
debt(d5/e5/b7/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). The term's detection_hints.tools lists docker, hadolint, and trivy — these are specialist DevOps tools that can catch issues like single-stage Dockerfiles, missing multi-stage builds, and security vulnerabilities in images. These aren't default linters but require deliberate adoption.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix describes writing a multi-stage Dockerfile, which is more than a one-line patch. Fixing common_mistakes like removing baked secrets, adding proper volume mounts, and refactoring away from root user requires changes to Dockerfile, docker-compose, CI/CD configs, and potentially application code for secret handling.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). Per applies_to, containerisation affects all PHP contexts (web, cli, queue-worker). Once adopted, every developer must understand Docker workflows, all deployments flow through container builds, local development depends on container parity, and CI/CD pipelines are shaped by image building. It's a load-bearing infrastructure choice that influences how the entire team works, though it doesn't quite reach b9 'defines system shape' since the PHP code itself remains portable.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field explicitly states that developers wrongly believe containers provide VM-level isolation when they actually share the host kernel. This is a documented gotcha that most developers eventually learn but can lead to serious security oversights initially. The common_mistakes reinforce this — running as root, storing data inside containers, using :latest tags are all traps that stem from misunderstanding container ephemerality and isolation boundaries.


Also Known As

Docker containers, container runtime

TL;DR

Packaging PHP applications and their dependencies into Docker containers for consistent, reproducible environments from dev to production.

Explanation

Docker containers bundle PHP, extensions, nginx/FPM configuration, and application code into an immutable image. Benefits: environment parity (eliminates 'works on my machine'), fast deployment, horizontal scaling, and isolation. A production PHP Dockerfile typically starts from php:8.3-fpm-alpine, installs required extensions with docker-php-ext-install, copies Composer dependencies, and switches to a non-root user. Multi-stage builds separate build dependencies from runtime — keeping production images lean. Docker Compose orchestrates local development with PHP-FPM, nginx, MySQL, and Redis containers. For production, containers run on Kubernetes, ECS, or similar orchestrators.

Diagram

flowchart TD
    subgraph Host OS
        KERN[Linux Kernel]
        subgraph Container A
            PHPFPM[PHP-FPM]
            APP[App Code]
        end
        subgraph Container B
            NGINX[nginx]
        end
        subgraph Container C
            MYSQL[MySQL]
        end
    end
    NGINX -->|FastCGI| PHPFPM
    PHPFPM --> MYSQL
    KERN -.->|namespaces + cgroups| PHPFPM & NGINX & MYSQL
style KERN fill:#6e40c9,color:#fff
style PHPFPM fill:#238636,color:#fff
style NGINX fill:#1f6feb,color:#fff
style MYSQL fill:#d29922,color:#fff

Common Misconception

Containers provide the same isolation as virtual machines. Containers share the host OS kernel — a kernel exploit can break container isolation. VMs virtualise hardware and have separate kernels. Containers offer process isolation; VMs offer stronger security boundaries at higher resource cost.

Why It Matters

Containers guarantee that software runs identically on every machine — development, staging, and production all use the same environment. "It works on my machine" becomes "it works in the container" which runs everywhere.

Common Mistakes

  • Running the application process as root inside the container — any container escape gives the attacker root on the host.
  • Storing persistent data inside the container — it disappears when the container restarts.
  • Using the :latest tag for production images — you lose control of which version is deployed.
  • Baking secrets into the image — they are visible to anyone who can pull the image.

Code Examples

✗ Vulnerable
# Dockerfile anti-patterns (Dockerfile comments start with '#' on their own line; '//' is not a comment)
# Unpinned base image: a new Ubuntu release silently changes the build
FROM ubuntu:latest
# No version pin on PHP
RUN apt-get install -y php
# Copies .git, node_modules and .env into the image (no .dockerignore)
COPY . /app
# Dev dependencies included
RUN composer install
# Running as root: security risk
USER root

# Better:
FROM php:8.3-fpm-alpine
WORKDIR /app
# Composer is not in the official php image; copy the binary from the composer image
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY --chown=www-data:www-data . /app
RUN composer install --no-dev --optimize-autoloader
USER www-data
✓ Fixed
# Dockerfile — production PHP-FPM image, multi-stage build
FROM php:8.3-fpm-alpine AS base
WORKDIR /app
RUN docker-php-ext-install pdo_mysql opcache
COPY php.ini /usr/local/etc/php/conf.d/app.ini

# Build stage: resolve Composer dependencies. The Composer binary is copied from the
# official composer image rather than installed, so it never reaches the final image.
FROM base AS vendor
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY composer.json composer.lock ./
# --no-scripts: the app code is not in this stage yet, so post-install scripts would fail
RUN composer install --no-dev --no-scripts --prefer-dist --no-interaction

# Runtime stage: app code plus vendor/ only, owned by the unprivileged www-data user.
# A .dockerignore should exclude .git, .env, node_modules and tests from COPY . .
FROM base AS production
COPY --from=vendor --chown=www-data:www-data /app/vendor ./vendor
COPY --chown=www-data:www-data . .
USER www-data
# Framework caches are generated as www-data so the runtime user owns bootstrap/cache
RUN php artisan config:cache && php artisan route:cache

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: Medium. Fix effort: Medium.

Quick Fix

Write a Dockerfile with a multi-stage build: the first stage installs Composer dependencies, the second copies only the app and vendor/. This keeps the final image small and free of build tools.

Applies To

PHP 5.0+: web, cli, queue-worker

Prerequisites

None listed.

Detection Hints

Single-stage Dockerfile with build tools in the production image; no multi-stage build; large image (>1GB).
Auto-detectable: Yes (docker, hadolint, trivy)
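As an added example (not the site's own code, and not hadolint or trivy output), a small POSIX shell audit that flags the Common Mistakes listed above and the detection hints here in a Dockerfile: an unpinned or :latest base image, a single-stage build, a final stage that runs as root, and secret-looking ENV/ARG names. The two sample Dockerfiles it writes are constructed for the self-test; the checks are line-based heuristics, not a full Dockerfile parser.

```shell
#!/bin/sh
# audit_dockerfile FILE: line-based check for the anti-patterns this page lists.
# Prints one finding per line; exit status = number of findings (0 = clean).
# Constructed helper for illustration, not hadolint/trivy output and not part of any project.
audit_dockerfile() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }            # skip comments and blank lines
    {
        kw = toupper($1)
        if (kw == "FROM") {
            stages++; last_user = ""                           # USER is per stage; only the final stage counts
            i = 2; while ($i ~ /^--/) i++                      # skip flags such as --platform=...
            n = split($i, p, "/"); ref = p[n]                  # ignore registry/namespace, keep name[:tag][@digest]
            unpinned = (ref !~ /[:@]/ || ref ~ /:latest$/)
            if (unpinned && !($i in stage) && $i != "scratch") { print "unpinned base image: " $0; findings++ }
            if (toupper($(i+1)) == "AS") stage[$(i+2)] = 1     # remember stage aliases for later FROM <alias>
        } else if (kw == "USER") {
            last_user = $2
        } else if (kw == "ENV" || kw == "ARG") {               # heuristic: secret-looking names baked into the image
            if (toupper($0) ~ /(PASSWORD|SECRET|TOKEN|API_KEY)/) { print "secret baked into image: " $0; findings++ }
        }
    }
    END {
        if (stages < 2) { print "single-stage build: build tools ship in the production image"; findings++ }
        if (last_user == "" || last_user ~ /^(root|0)(:|$)/) { print "final stage runs as root"; findings++ }
        exit findings + 0
    }' "$1"
}
write_samples() {   # write_samples DIR: constructed Dockerfiles in the "vulnerable" and "fixed" shapes from this page
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM ubuntu:latest
RUN apt-get install -y php
ENV DB_PASSWORD=hunter2
COPY . /app
USER root
EOF
    cat > "$1/Dockerfile.good" <<'EOF'
FROM php:8.3-fpm-alpine AS base
FROM base AS vendor
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
FROM base AS production
COPY --from=vendor --chown=www-data:www-data /app/vendor ./vendor
USER www-data
EOF
}
dir=$(mktemp -d); write_samples "$dir"
for f in "$dir/Dockerfile.bad" "$dir/Dockerfile.good"; do
    echo "== $f"; audit_dockerfile "$f" && echo "clean"
done; rm -rf "$dir"
```

Run it against a real Dockerfile with `audit_dockerfile path/to/Dockerfile`; a non-zero exit status makes it usable as a CI gate alongside hadolint.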
Related Problems

None listed.

AI Agent

Confidence: Medium. False positives: Medium. Manual fix required. Fix effort: Medium. Context: file.