Implement support for multiple PHP versions

This commit provides docker images and scripts to support multiple
Debian and PHP releases via containers.

LICENSE

@@ -0,0 +1,19 @@
+Copyright 2018 Jan Dittberner IT-Consulting & -Solutions
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

build.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+for dist in wheezy_php5 jessie_php5 stretch_php7 buster_php7; do
+    docker build --pull -t gnuviech/${dist}-base ${dist} -f ${dist}/Dockerfile-base
+    docker build -t gnuviech/${dist} ${dist} -f ${dist}/Dockerfile
+    docker build -t gnuviech/${dist}-mysql ${dist} -f ${dist}/Dockerfile-mysql
+    docker build -t gnuviech/${dist}-pgsql ${dist} -f ${dist}/Dockerfile-pgsql
+done
+
+docker image prune -f

buster_php7/Dockerfile

@@ -0,0 +1,8 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

buster_php7/Dockerfile-base

@@ -0,0 +1,31 @@
+FROM debian:buster
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    dumb-init \
+    libnss-ldap \
+    nullmailer \
+    php-curl \
+    php-fpm \
+    php-gd \
+    php-imagick \
+    php-imap \
+    php-json \
+    php-mail \
+    php-mail-mime \
+    php-mbstring \
+    php-net-smtp \
+    php-net-socket \
+    php7.2-opcache \
+    php-pspell \
+    php-sqlite3 \
+    psmisc \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php/7.2/fpm/pool.d/www.conf

buster_php7/Dockerfile-mysql

@@ -0,0 +1,15 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

buster_php7/Dockerfile-pgsql

@@ -0,0 +1,15 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

buster_php7/fpm-pool.conf.tmpl

@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log

buster_php7/libnss-ldap.conf

@@ -0,0 +1,323 @@
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure libnss-ldap to configure this file.
+#
+# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=gnuviech,dc=internal
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://10.0.0.11/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# Please do not put double quotes around it as they
+# would be included literally.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/libnss-ldap.secret (mode 600)
+# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+# of an editor to create the file.
+#rootbinddn cn=manager,dc=example,dc=net
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy:
+#  hard_open: reconnect to DSA with exponential backoff if
+#             opening connection failed
+#  hard_init: reconnect to DSA with exponential backoff if
+#             initializing connection failed
+#  hard:      alias for hard_open
+#  soft:      return immediately on server failure
+#bind_policy hard
+
+# Connection policy:
+#  persist:   DSA connections are kept open (default)
+#  oneshot:   DSA connections destroyed after request
+#nss_connect_policy persist
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Use paged rseults
+#nss_paged_results yes
+
+# Pagesize: when paged results enable, used to set the
+# pagesize to a custom value
+#pagesize 1000
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# Use backlinks for answering initgroups()
+#nss_initgroups backlink
+
+# Enable support for RFC2307bis (distinguished names in group
+# members)
+#nss_schema rfc2307bis
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# For pre-RFC2307bis automount schema
+#nss_map_objectclass automountMap nisMap
+#nss_map_attribute automountMapName nisMapName
+#nss_map_objectclass automount nisObject
+#nss_map_attribute automountKey cn
+#nss_map_attribute automountInformation nisMapEntry
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+

buster_php7/nsswitch.conf

@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

buster_php7/start-fpm.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+    < /usr/local/etc/fpm-pool.conf.tmpl \
+    > "/etc/php/7.2/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+mkdir -p /run/php
+/usr/sbin/php-fpm7.2 --nodaemonize

jessie_php5/Dockerfile

@@ -0,0 +1,8 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

jessie_php5/Dockerfile-base

@@ -0,0 +1,38 @@
+FROM debian:jessie
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    libnss-ldap \
+    nullmailer \
+    php-apc \
+    php-mail \
+    php-mail-mime \
+    php-mail-mimedecode \
+    php-net-smtp \
+    php-net-socket \
+    php5-apcu \
+    php5-curl \
+    php5-fpm \
+    php5-gd \
+    php5-imagick \
+    php5-imap \
+    php5-json \
+    php5-mcrypt \
+    php5-pspell \
+    php5-sqlite \
+    psmisc \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb && \
+    dpkg -i dumb-init_1.2.2.deb && \
+    rm -f dumb-init_1.2.2.deb
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php5/fpm/pool.d/www.conf

jessie_php5/Dockerfile-mysql

@@ -0,0 +1,15 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php5-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

jessie_php5/Dockerfile-pgsql

@@ -0,0 +1,15 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php5-pgsql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

jessie_php5/fpm-pool.conf.tmpl

@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log

jessie_php5/libnss-ldap.conf

@@ -0,0 +1,323 @@
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure libnss-ldap to configure this file.
+#
+# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=gnuviech,dc=internal
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://10.0.0.11/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# Please do not put double quotes around it as they
+# would be included literally.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/libnss-ldap.secret (mode 600)
+# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+# of an editor to create the file.
+#rootbinddn cn=manager,dc=example,dc=net
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy:
+#  hard_open: reconnect to DSA with exponential backoff if
+#             opening connection failed
+#  hard_init: reconnect to DSA with exponential backoff if
+#             initializing connection failed
+#  hard:      alias for hard_open
+#  soft:      return immediately on server failure
+#bind_policy hard
+
+# Connection policy:
+#  persist:   DSA connections are kept open (default)
+#  oneshot:   DSA connections destroyed after request
+#nss_connect_policy persist
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Use paged rseults
+#nss_paged_results yes
+
+# Pagesize: when paged results enable, used to set the
+# pagesize to a custom value
+#pagesize 1000
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# Use backlinks for answering initgroups()
+#nss_initgroups backlink
+
+# Enable support for RFC2307bis (distinguished names in group
+# members)
+#nss_schema rfc2307bis
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# For pre-RFC2307bis automount schema
+#nss_map_objectclass automountMap nisMap
+#nss_map_attribute automountMapName nisMapName
+#nss_map_objectclass automount nisObject
+#nss_map_attribute automountKey cn
+#nss_map_attribute automountInformation nisMapEntry
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+

jessie_php5/nsswitch.conf

@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

jessie_php5/start-fpm.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+    < /usr/local/etc/fpm-pool.conf.tmpl \
+    > "/etc/php5/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+/usr/sbin/php5-fpm --nodaemonize

run.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -e
+valid_users=$(getent passwd | grep ^usr | cut -d : -f 1)
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <dist> [<variant>] <user>"
+    echo
+    echo "<dist> is one of wheezy, jessie, stretch, buster"
+    echo "<variant> is one of mysql or pgsql"
+    echo "<user> is a user name defined in ldap and on file"
+    echo
+    for u in $valid_users; do echo $u; done | xargs -n 10 echo
+    exit 1
+fi
+
+if [ $# -eq 3 ]; then
+    dist=$1
+    username="$3"
+    variant="-$2"
+else
+    dist=$1
+    username="$2"
+    variant=""
+fi
+
+case $dist in
+    wheezy|jessie)
+        image=gnuviech/${dist}_php5${variant}
+        ;;
+    stretch|buster)
+        image=gnuviech/${dist}_php7${variant}
+        ;;
+    *)
+        echo "Unknown distribution $dist"
+        exit 2
+esac
+
+for u in $valid_users; do
+    if [ "$u" = "${username}" ]; then
+        choosen_user=$u
+    fi
+done
+
+if [ -z "$choosen_user" ]; then
+    echo "Invalid user ${username}"
+    exit 3
+fi
+
+docker run \
+    --volume-driver=nfs --net=host --rm --detach \
+    -v "file/web/$choosen_user:/srv" \
+    -v "/var/run/php-fpm-docker:/var/run/php-fpm-docker" \
+    -v "/var/log/php-fpm-docker:/var/log/php-fpm-docker" \
+    -e "FPM_USER=$choosen_user" \
+    -e "FPM_VARIANT=${dist}${variant}" \
+    --name "${choosen_user}_${dist}${variant}" \
+    "$image"

stretch_php7/Dockerfile

@@ -0,0 +1,8 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

stretch_php7/Dockerfile-base

@@ -0,0 +1,32 @@
+FROM debian:stretch
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    dumb-init \
+    libnss-ldap \
+    nullmailer \
+    php-curl \
+    php-fpm \
+    php-gd \
+    php-imagick \
+    php-imap \
+    php-json \
+    php-mail \
+    php-mail-mime \
+    php-mbstring \
+    php-mcrypt \
+    php-net-smtp \
+    php-net-socket \
+    php-opcache \
+    php-pspell \
+    php-sqlite3 \
+    psmisc \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php/7.0/fpm/pool.d/www.conf

stretch_php7/Dockerfile-mysql

@@ -0,0 +1,15 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

stretch_php7/Dockerfile-pgsql

@@ -0,0 +1,15 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php-pgsql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

stretch_php7/fpm-pool.conf.tmpl

@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log

stretch_php7/libnss-ldap.conf

@@ -0,0 +1,323 @@
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure libnss-ldap to configure this file.
+#
+# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=gnuviech,dc=internal
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://10.0.0.11/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# Please do not put double quotes around it as they
+# would be included literally.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/libnss-ldap.secret (mode 600)
+# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+# of an editor to create the file.
+#rootbinddn cn=manager,dc=example,dc=net
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy:
+#  hard_open: reconnect to DSA with exponential backoff if
+#             opening connection failed
+#  hard_init: reconnect to DSA with exponential backoff if
+#             initializing connection failed
+#  hard:      alias for hard_open
+#  soft:      return immediately on server failure
+#bind_policy hard
+
+# Connection policy:
+#  persist:   DSA connections are kept open (default)
+#  oneshot:   DSA connections destroyed after request
+#nss_connect_policy persist
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Use paged rseults
+#nss_paged_results yes
+
+# Pagesize: when paged results enable, used to set the
+# pagesize to a custom value
+#pagesize 1000
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# Use backlinks for answering initgroups()
+#nss_initgroups backlink
+
+# Enable support for RFC2307bis (distinguished names in group
+# members)
+#nss_schema rfc2307bis
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# For pre-RFC2307bis automount schema
+#nss_map_objectclass automountMap nisMap
+#nss_map_attribute automountMapName nisMapName
+#nss_map_objectclass automount nisObject
+#nss_map_attribute automountKey cn
+#nss_map_attribute automountInformation nisMapEntry
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+

stretch_php7/nsswitch.conf

@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

stretch_php7/start-fpm.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+    < /usr/local/etc/fpm-pool.conf.tmpl \
+    > "/etc/php/7.0/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+mkdir -p /run/php
+/usr/sbin/php-fpm7.0 --nodaemonize

wheezy_php5/Dockerfile

@@ -0,0 +1,8 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

wheezy_php5/Dockerfile-base

@@ -0,0 +1,39 @@
+FROM debian:wheezy
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    libnss-ldap \
+    libphp-adodb \
+    nullmailer \
+    php-apc \
+    php-mail-mime \
+    php-mail-mimedecode \
+    php-net-smtp \
+    php-net-socket \
+    php5-adodb \
+    php5-curl \
+    php5-fpm \
+    php5-gd \
+    php5-gmp \
+    php5-imap \
+    php5-intl \
+    php5-mcrypt \
+    php5-pspell \
+    php5-sqlite \
+    php5-xmlrpc \
+    procps \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb && \
+    dpkg -i dumb-init_1.2.2.deb && \
+    rm -f dumb-init_1.2.2.deb
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php5/fpm/pool.d/www.conf

wheezy_php5/Dockerfile-mysql

@@ -0,0 +1,15 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php5-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

wheezy_php5/Dockerfile-pgsql

@@ -0,0 +1,15 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    php5-pgsql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]

wheezy_php5/fpm-pool.conf.tmpl

@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log

wheezy_php5/libnss-ldap.conf

@@ -0,0 +1,323 @@
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure libnss-ldap to configure this file.
+#
+# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=gnuviech,dc=internal
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://10.0.0.11/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# Please do not put double quotes around it as they
+# would be included literally.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/libnss-ldap.secret (mode 600)
+# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+# of an editor to create the file.
+#rootbinddn cn=manager,dc=example,dc=net
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy:
+#  hard_open: reconnect to DSA with exponential backoff if
+#             opening connection failed
+#  hard_init: reconnect to DSA with exponential backoff if
+#             initializing connection failed
+#  hard:      alias for hard_open
+#  soft:      return immediately on server failure
+#bind_policy hard
+
+# Connection policy:
+#  persist:   DSA connections are kept open (default)
+#  oneshot:   DSA connections destroyed after request
+#nss_connect_policy persist
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Use paged rseults
+#nss_paged_results yes
+
+# Pagesize: when paged results enable, used to set the
+# pagesize to a custom value
+#pagesize 1000
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# Use backlinks for answering initgroups()
+#nss_initgroups backlink
+
+# Enable support for RFC2307bis (distinguished names in group
+# members)
+#nss_schema rfc2307bis
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# For pre-RFC2307bis automount schema
+#nss_map_objectclass automountMap nisMap
+#nss_map_attribute automountMapName nisMapName
+#nss_map_objectclass automount nisObject
+#nss_map_attribute automountKey cn
+#nss_map_attribute automountInformation nisMapEntry
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+

wheezy_php5/nsswitch.conf

@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

wheezy_php5/start-fpm.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+    < /usr/local/etc/fpm-pool.conf.tmpl \
+    > "/etc/php5/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+/usr/sbin/php5-fpm --nodaemonize