fix: make image rootless and OpenShift-compatible, harden entrypoint

- Drop named user creation; use numeric UID 1000 with GID 0 ownership
  and g+rwX on all writable dirs so OpenShift's arbitrary UID can write
- Make /etc/passwd group-writable and register runtime UID at startup
  so WP-CLI / PHP getpwuid() calls resolve correctly
- Set HOME=/app for WP-CLI cache with arbitrary UID
- Replace grep+sed salt loop with wp config shuffle-salts
- Fix wp-config.php permissions 0644 → 0600
- Drop --allow-root from wp() wrapper
- Use wp db query "SELECT 1" instead of wp db check in readiness loop
- Call configure_wordpress on every start, not only on fresh install
- Only print auto-generated password when WORDPRESS_ADMIN_PASSWORD unset
- Pin imagick/imagick@3.7.0 (was @master)
- Disable opcache timestamp validation (files don't change in container)
- Remove dead TMPDIR mktemp / redundant wp-content chown

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Corentin Joubert

Dockerfile

@@ -1,15 +1,14 @@
 FROM dunglas/frankenphp:1.11-php8.4
 
-ARG USER=appuser
 ARG WORDPRESS_VERSION=6.9
 COPY entrypoint.sh /docker-entrypoint.sh
 RUN \
-	useradd ${USER}; \
-	setcap -r /usr/local/bin/frankenphp; \
-	# Give write access to /config/caddy and /data/caddy
-	chown -R ${USER}:${USER} /config/caddy /data/caddy /app && \
+    setcap -r /usr/local/bin/frankenphp; \
+    chown -R 1000:0 /config/caddy /data/caddy /app && \
+    chmod -R g+rwX /config/caddy /data/caddy /app && \
     mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" && \
-    chmod 755 /docker-entrypoint.sh 
+    chmod g=u /etc/passwd && \
+    chmod 755 /docker-entrypoint.sh
 
 RUN install-php-extensions \
     bcmath \
@@ -19,7 +18,7 @@ RUN install-php-extensions \
     mysqli \
     zip \
     # See https://github.com/Imagick/imagick/issues/640#issuecomment-2077206945
-    imagick/imagick@master \
+    imagick/imagick@3.7.0 \
     opcache
 RUN set -eux; \
     apt-get update; \
@@ -33,8 +32,8 @@ RUN set -eux; \
         echo 'opcache.memory_consumption=128'; \
         echo 'opcache.interned_strings_buffer=8'; \
         echo 'opcache.max_accelerated_files=4000'; \
-        echo 'opcache.revalidate_freq=2'; \
-        echo 'opcache.validate_timestamps=1'; \
+        echo 'opcache.revalidate_freq=0'; \
+        echo 'opcache.validate_timestamps=0'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.fast_shutdown=1'; \
     } > "$PHP_INI_DIR/conf.d/opcache-recommended.ini" && \
@@ -51,17 +50,15 @@ RUN set -eux; \
     } > "$PHP_INI_DIR/conf.d/error-logging.ini"
 
 RUN \
-    TMPDIR=$(mktemp -d) && \
     curl -L https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz | \
     tar -xzf - -C /app/public --strip-components=1 && \
-    rm -rf ${TMPDIR} && \
     curl -L -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && \
     chmod 755 /usr/local/bin/wp && \
     curl -L -o /app/public/wp-config-docker.php https://raw.githubusercontent.com/docker-library/wordpress/master/wp-config-docker.php && \
-    chown -R ${USER}:${USER}  /app/public && \
-    mkdir -p /app/public/wp-content && \
-    chown -R ${USER}:${USER}  /app/public/wp-content
+    chown -R 1000:0 /app/public && \
+    chmod -R g+rwX /app/public
 
-USER ${USER}
+ENV HOME=/app
+USER 1000
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["frankenphp", "run", "--config", "/etc/caddy/Caddyfile"]

entrypoint.sh

@@ -5,7 +5,7 @@ WORDPRESS_DIR="/app/public"
 WP_CLI="/usr/local/bin/wp"
 
 wp() {
-  "$WP_CLI" --path="$WORDPRESS_DIR" --allow-root "$@"
+  "$WP_CLI" --path="$WORDPRESS_DIR" "$@"
 }
 
 check_wordpress_installation() {
@@ -67,7 +67,9 @@ install_wordpress() {
     echo >&2 "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     echo >&2 "URL: $WP_URL"
     echo >&2 "Admin: $WP_ADMIN_USER"
-    echo >&2 "Password: $WP_ADMIN_PASSWORD"
+    if [ -z "${WORDPRESS_ADMIN_PASSWORD:-}" ]; then
+      echo >&2 "Password: $WP_ADMIN_PASSWORD"
+    fi
     echo >&2 "Email: $WP_ADMIN_EMAIL"
     echo >&2 "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 
@@ -93,13 +95,9 @@ generate_wp_config_if_needed() {
 
     cp "$WORDPRESS_DIR/wp-config-docker.php" "$WORDPRESS_DIR/wp-config.php"
 
-    # Remplacer chaque occurrence de "put your unique phrase here" par une clé aléatoire (alphanum uniquement)
-    while grep -q "put your unique phrase here" "$WORDPRESS_DIR/wp-config.php"; do
-      RANDOM_KEY="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64)"
-      sed -i "0,/put your unique phrase here/s/put your unique phrase here/$RANDOM_KEY/" "$WORDPRESS_DIR/wp-config.php"
-    done
+    wp config shuffle-salts >/dev/null 2>&1 || true
 
-    chmod 0644 "$WORDPRESS_DIR/wp-config.php"
+    chmod 0600 "$WORDPRESS_DIR/wp-config.php"
     echo >&2 "✓ wp-config.php créé"
   fi
 
@@ -141,7 +139,7 @@ wait_for_db_wpcli() {
 
     # On capture l’erreur WP-CLI pour la loguer
     local out
-    if out="$(wp db check 2>&1)"; then
+    if out="$(wp db query "SELECT 1" 2>&1)"; then
       echo >&2 "✓ Base de données accessible (WP-CLI) après ${elapsed}s (tentatives: ${attempt})"
       return 0
     fi
@@ -167,6 +165,12 @@ wait_for_db_wpcli() {
 }
 
 main() {
+  # OpenShift assigns an arbitrary UID at runtime; register it in /etc/passwd so
+  # tools that call getpwuid() (WP-CLI, PHP, openssl) can resolve the username.
+  if ! whoami &>/dev/null && [ -w /etc/passwd ]; then
+    echo "appuser:x:$(id -u):0:appuser:/app:/sbin/nologin" >> /etc/passwd
+  fi
+
   cd "$WORDPRESS_DIR"
 
   # Génération du wp-config.php (si nécessaire)
@@ -193,6 +197,8 @@ main() {
       echo >&2 "✗ Installation WordPress échouée → arrêt du conteneur (exit 2)"
       exit 2
     fi
+  else
+    configure_wordpress
   fi
 
   # Lancement du process principal (FrankenPHP)