Request to Include ext-ctype and ext-xml Extensions in PHP Chainguard Images

[IshtarStar]

Which image/versions are related to this issue/feature request?

php:latest-dev
php:latest-fpm-dev
php:latest-fpm
php:latest

Issue/Feature description

Hello Chainguard Team,

I hope this message finds you well. I'm reaching out to suggest an enhancement to the PHP Chainguard images that I believe would greatly benefit the PHP developer community. Specifically, I propose adding the ext-ctype and ext-xml (not to be confused with ext-simplexml, which serves a different purpose) extensions to the PHP Chainguard images.

Here's a brief context: Running the command docker run --rm cgr.dev/chainguard/php --modules currently lists the following PHP modules:

[PHP Modules]
Core
curl
date
filter
hash
iconv
json
libxml
mbstring
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
random
readline
Reflection
session
sodium
SPL
sqlite3
standard
tokenizer
zlib

[Zend Modules]

As evident from this output, ext-ctype and ext-xml are not present. Here are my reasons for suggesting their inclusion:

1. Essential for Symfony Compatibility
   Symfony, a popular PHP framework, relies on ext-ctype and ext-xml. Without these, developers face challenges in running Symfony-based applications, which rely on these extensions for character type checking and XML processing.

2. Support for a Wide Range of PHP Applications
   Beyond Symfony, many PHP applications and libraries depend on these extensions for essential functionalities. Their inclusion would thus enhance the utility of the Chainguard images for a variety of PHP projects.

3. Backward Compatibility Concerns
   The absence of these extensions in the Chainguard images complicates backward compatibility, particularly for projects transitioning to containerized environments. This inclusion would ease the transition and ensure ongoing support for these projects.

4. Alignment with PHP Docker Standards
   Official PHP Docker images include these extensions. Aligning Chainguard images with these standards would ease transitions between environments and maintain consistency for PHP developers.

5. Low Overhead, High Value
   Adding these extensions would incur minimal overhead in terms of image size and maintenance, while significantly enhancing functionality and developer experience.

The inclusion of ext-ctype and ext-xml would make the Chainguard images more versatile and user-friendly, particularly for developers working with legacy projects and frameworks like Symfony.

Thank you for considering this proposal. Your efforts in maintaining these images are highly valued, and this addition would be a substantial benefit for the PHP community.

Best regards,
Marc

@erikaheidi @imjasonh FYI

[erikaheidi]

Deciding which extensions to include has been tricky, but I believe this is a legit request. Both extensions are widely used and it would be beneficial to support Symfony applications. Should I send a PR @imjasonh ?

[imjasonh]

Sorry I missed this message! Yeah @erikaheidi any changes you think we should make, send a PR and I'll take a look.

If there are more tests we can add to demonstrate what features we do/don't support, that would be helpful too. It'd also guard against accidental regression.

Thanks for raising this!

[IshtarStar]

@erikaheidi

I would like to ensure that the Chainguard PHP image aligns with the official Symfony documentation requirements, particularly in terms of the necessary PHP extensions. As per the Symfony docs (https://symfony.com/doc/current/setup.html), the following PHP extensions are essential and should be active for optimal performance and compatibility. Some
Of them are already compiled eg. activated:

1. Ctype
2. iconv
3. PCRE
4. Session
5. SimpleXML
6. Tokenizer

These extensions are usually installed and enabled by default in most PHP 8 installations. I believe it would be beneficial for us to double-check and confirm their presence and activation in the Chainguard PHP image. This step will ensure that the image is fully compatible with the most frameworks that rely on these extensions.

Could we discuss the possibility of verifying and, if necessary, incorporating these extensions into the Chainguard PHP image?

[erikaheidi]

I think most of these are already available, but we'll double check! I am starting work on this issue.

[erikaheidi]

A quick update on this: I created a demo repository with a Docker Compose setup that runs a basic Symfony app. I wanted to do this to validate which extensions we will need. I did the same with a Laravel app.

Here are the extensions I needed to add:

• php-ctype
• php-xml
• php-dom
• php-simplexml
• php-pecl-mcrypt
• php-fileinfo

These are all already available in Wolfi. I will send a PR to include them by default, but I will make some additional tests first.

[IshtarStar]

Hello everyone.

A month has already passed. Are there any further tasks or information available here? Is there anything I can do from my side? In the meantime, I am compiling my own CVE-free images for PHP, distroless.

Cheers