Legacy PHP Containerization: Securing PHP 5.3.3 with Podman#

Containerizing legacy PHP applications presents unique challenges, especially when dealing with end-of-life operating systems and PHP versions. This guide provides a comprehensive approach to safely containerizing PHP 5.3.3 applications using Podman, focusing on security research environments and migration planning.

Table of Contents#

Introduction#

Legacy PHP applications often run on outdated systems that pose significant security risks. Containerization offers a path to isolate these applications while planning for modernization. This guide focuses on PHP 5.3.3 running on CentOS 6, demonstrating secure containerization practices with Podman.

Why Containerize Legacy PHP?#

Security Isolation: Contain legacy applications in isolated environments
Migration Planning: Enable gradual migration to modern platforms
Research Environments: Safely analyze legacy codebases
Dependency Management: Preserve exact runtime environments
Risk Mitigation: Reduce attack surface through isolation

Podman vs Docker for Legacy Systems#

Advantages of Podman#

Podman offers several advantages for legacy PHP containerization:

Rootless Operation: Enhanced security through unprivileged containers
No Daemon: Eliminates single point of failure and attack surface
Systemd Integration: Better process management for legacy services
OCI Compliance: Standard container formats and compatibility
SELinux Support: Enhanced security through mandatory access controls

Key Differences for Legacy Workloads#

1
# Podman rootless execution
2
podman run --rm -p 8080:8080 php-legacy
3

4
# Docker requires daemon (running as root)
5
docker run --rm -p 8080:8080 php-legacy

Basic PHP 5.3.3 Container#

Dockerfile Configuration#

1
FROM centos:6
2

3
LABEL maintainer="Security Research Environment - NOT FOR PRODUCTION"
4

5
# Configure vault repositories for CentOS 6 (EOL)
6
RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Base.repo && \
7
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Base.repo
8

9
# Install EPEL repository for additional packages
10
RUN rpm -Uvh https://vault.centos.org/6.10/extras/x86_64/Packages/epel-release-6-8.noarch.rpm
11

12
# Install PHP 5.3.3 and dependencies
13
RUN yum -y update && \
14
    yum -y install \
15
    php \
16
    php-cli \
17
    php-common \
18
    php-mysql \
19
    php-pdo \
20
    php-gd \
21
    php-xml \
22
    php-mbstring \
23
    httpd \
24
    && yum clean all
25

26
# Configure Apache for container environment
27
RUN sed -i 's/Listen 80/Listen 8080/g' /etc/httpd/conf/httpd.conf && \
28
    echo "ServerName localhost" >> /etc/httpd/conf/httpd.conf && \
29
    echo "<?php phpinfo(); ?>" > /var/www/html/info.php
30

31
# Set necessary permissions for rootless container
32
RUN chmod -R 755 /var/www/html/ && \
33
    chmod -R 755 /var/log/httpd/ && \
34
    chmod -R 755 /var/run/httpd/ && \
35
    chown -R root:root /var/log/httpd/ && \
36
    chown -R root:root /var/run/httpd/ && \
37
    chown -R root:root /var/www/html/
38

39
# Create non-root user for security
40
RUN useradd -r -s /bin/false -c "PHP Application User" phpuser && \
41
    chown -R phpuser:phpuser /var/www/html
42

43
EXPOSE 8080
44

45
# Health check
46
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
47
    CMD curl -f http://localhost:8080/info.php || exit 1
48

49
# Run Apache in foreground
50
CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]

Enhanced Dockerfile for Production-Like Usage#

1
FROM centos:6
2

3
LABEL maintainer="Legacy PHP Research Environment"
4
LABEL version="1.0"
5
LABEL description="CentOS 6 with PHP 5.3.3 for legacy application research"
6

7
# Security warning label
8
LABEL security.warning="This container contains EOL software and should NOT be used in production"
9

10
# Configure repositories
11
RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Base.repo && \
12
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Base.repo
13

14
# Install EPEL
15
RUN rpm -Uvh https://vault.centos.org/6.10/extras/x86_64/Packages/epel-release-6-8.noarch.rpm || true
16

17
# Install comprehensive PHP stack
18
RUN yum -y update && \
19
    yum -y install \
20
    # Core PHP
21
    php \
22
    php-cli \
23
    php-common \
24
    php-fpm \
25
    # Database extensions
26
    php-mysql \
27
    php-pgsql \
28
    php-pdo \
29
    # Common extensions
30
    php-gd \
31
    php-xml \
32
    php-mbstring \
33
    php-json \
34
    php-curl \
35
    php-soap \
36
    php-ldap \
37
    php-zip \
38
    # Web server
39
    httpd \
40
    # Utilities
41
    curl \
42
    wget \
43
    vim \
44
    less \
45
    # Security tools
46
    sudo \
47
    && yum clean all && \
48
    rm -rf /var/cache/yum
49

50
# Configure Apache
51
COPY apache/httpd.conf /etc/httpd/conf/httpd.conf
52
COPY apache/security.conf /etc/httpd/conf.d/security.conf
53

54
# Configure PHP
55
COPY php/php.ini /etc/php.ini
56
COPY php/security.ini /etc/php.d/99-security.ini
57

58
# Create application structure
59
RUN mkdir -p /var/www/html/app && \
60
    mkdir -p /var/log/app && \
61
    mkdir -p /var/lib/php/session
62

63
# Create non-privileged user
64
RUN groupadd -r phpapp && \
65
    useradd -r -g phpapp -s /bin/false -c "PHP Application User" phpapp
66

67
# Set ownership and permissions
68
RUN chown -R phpapp:phpapp /var/www/html/app && \
69
    chown -R phpapp:phpapp /var/log/app && \
70
    chown -R phpapp:phpapp /var/lib/php/session && \
71
    chmod -R 755 /var/www/html && \
72
    chmod -R 750 /var/log/app
73

74
# Security hardening
75
RUN chmod 600 /etc/shadow && \
76
    chmod 644 /etc/passwd && \
77
    find /var/www/html -name "*.php" -exec chmod 644 {} \; && \
78
    find /var/www/html -type d -exec chmod 755 {} \;
79

80
EXPOSE 8080
81

82
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
83
    CMD curl -f http://localhost:8080/ || exit 1
84

85
# Use exec form for better signal handling
86
CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]

Configuration Files#

Apache Security Configuration#

1
# Hide Apache version
2
ServerTokens Prod
3
ServerSignature Off
4

5
# Disable unnecessary modules
6
LoadModule rewrite_module modules/mod_rewrite.so
7

8
# Security headers
9
Header always set X-Content-Type-Options nosniff
10
Header always set X-Frame-Options DENY
11
Header always set X-XSS-Protection "1; mode=block"
12
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
13

14
# Disable server status
15
<Location "/server-status">
16
    Order deny,allow
17
    Deny from all
18
</Location>
19

20
# Disable server info
21
<Location "/server-info">
22
    Order deny,allow
23
    Deny from all
24
</Location>
25

26
# Hide .git directories
27
<DirectoryMatch "\.git">
28
    Order deny,allow
29
    Deny from all
30
</DirectoryMatch>
31

32
# Hide configuration files
33
<Files ~ "\.(conf|ini|log|sql|md)$">
34
    Order deny,allow
35
    Deny from all
36
</Files>
37

38
# Disable directory browsing
39
Options -Indexes
40

41
# Prevent access to PHP files in uploads directory
42
<Directory "/var/www/html/uploads">
43
    <Files "*.php">
44
        Order deny,allow
45
        Deny from all
46
    </Files>
47
</Directory>

PHP Security Configuration#

1
; /etc/php.d/99-security.ini
2

3
; Disable dangerous functions
4
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,file_get_contents
5

6
; Hide PHP version
7
expose_php = Off
8

9
; Limit script execution
10
max_execution_time = 30
11
max_input_time = 30
12
memory_limit = 64M
13

14
; File upload restrictions
15
file_uploads = On
16
upload_max_filesize = 2M
17
max_file_uploads = 5
18
upload_tmp_dir = /tmp
19

20
; Session security
21
session.cookie_secure = On
22
session.cookie_httponly = On
23
session.use_strict_mode = On
24
session.cookie_samesite = Strict
25

26
; Error handling
27
display_errors = Off
28
log_errors = On
29
error_log = /var/log/app/php_errors.log
30

31
; Open basedir restriction
32
open_basedir = /var/www/html:/tmp:/var/lib/php/session
33

34
; SQL injection protection
35
magic_quotes_gpc = Off
36
magic_quotes_runtime = Off
37

38
; Include path security
39
include_path = ".:/usr/share/php"
40

41
; Allow only specific file extensions
42
; This should be configured per application

Building and Running with Podman#

Build Process#

1
#!/bin/bash
2

3
# Build script for legacy PHP container
4
set -e
5

6
CONTAINER_NAME="php-legacy"
7
TAG="5.3.3-centos6"
8
FULL_NAME="${CONTAINER_NAME}:${TAG}"
9

10
echo "Building legacy PHP container..."
11

12
# Build with Podman
13
podman build \
14
    --tag "$FULL_NAME" \
15
    --label "build.date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
16
    --label "build.version=1.0.0" \
17
    --label "security.scan=required" \
18
    .
19

20
# Verify build
21
if podman images | grep -q "$CONTAINER_NAME"; then
22
    echo "✓ Container built successfully: $FULL_NAME"
23
else
24
    echo "✗ Container build failed"
25
    exit 1
26
fi
27

28
# Security scan (if available)
29
if command -v podman &> /dev/null; then
30
    echo "Running security scan..."
31
    podman run --rm -v /var/run/docker.sock:/var/run/docker.sock \
32
        aquasec/trivy image "$FULL_NAME" || true
33
fi
34

35
echo "Build completed: $FULL_NAME"

Running the Container#

1
#!/bin/bash
2

3
# Run script for legacy PHP container
4
CONTAINER_NAME="php-legacy"
5
TAG="5.3.3-centos6"
6
INSTANCE_NAME="php-legacy-instance"
7

8
# Stop and remove existing instance
9
podman stop "$INSTANCE_NAME" 2>/dev/null || true
10
podman rm "$INSTANCE_NAME" 2>/dev/null || true
11

12
echo "Starting legacy PHP container..."
13

14
# Run with security considerations
15
podman run \
16
    --name "$INSTANCE_NAME" \
17
    --detach \
18
    --publish 8080:8080 \
19
    --volume "./app:/var/www/html/app:Z" \
20
    --volume "./logs:/var/log/app:Z" \
21
    --read-only \
22
    --tmpfs /tmp:rw,noexec,nosuid,size=100m \
23
    --tmpfs /var/run/httpd:rw,size=10m \
24
    --security-opt no-new-privileges \
25
    --cap-drop ALL \
26
    --cap-add SETUID \
27
    --cap-add SETGID \
28
    --cap-add DAC_OVERRIDE \
29
    --memory 256m \
30
    --cpus 0.5 \
31
    --restart unless-stopped \
32
    "$CONTAINER_NAME:$TAG"
33

34
# Verify container is running
35
if podman ps | grep -q "$INSTANCE_NAME"; then
36
    echo "✓ Container started successfully"
37
    echo "Access the application at: http://localhost:8080"
38
    echo "PHP info available at: http://localhost:8080/info.php"
39
else
40
    echo "✗ Container failed to start"
41
    echo "Checking logs..."
42
    podman logs "$INSTANCE_NAME"
43
    exit 1
44
fi

Security Hardening#

Container Security Configuration#

1
# Enhanced security run command
2
run_secure_php_container() {
3
    local container_name="php-legacy-secure"
4
    local image_name="php-legacy:5.3.3-centos6"
5

6
    # Create necessary directories
7
    mkdir -p ./app ./logs ./tmp
8

9
    # Set proper permissions
10
    chmod 755 ./app ./logs
11
    chmod 1777 ./tmp
12

13
    podman run \
14
        --name "$container_name" \
15
        --detach \
16
        --publish 127.0.0.1:8080:8080 \
17
        \
18
        `# Volume mounts with SELinux labels` \
19
        --volume "./app:/var/www/html/app:Z,ro" \
20
        --volume "./logs:/var/log/app:Z" \
21
        \
22
        `# Read-only root filesystem` \
23
        --read-only \
24
        \
25
        `# Temporary filesystems` \
26
        --tmpfs /tmp:rw,noexec,nosuid,nodev,size=50m \
27
        --tmpfs /var/run:rw,noexec,nosuid,nodev,size=10m \
28
        --tmpfs /var/lib/php/session:rw,noexec,nosuid,nodev,size=10m \
29
        \
30
        `# Security options` \
31
        --security-opt no-new-privileges \
32
        --security-opt label=type:container_t \
33
        \
34
        `# Capability restrictions` \
35
        --cap-drop ALL \
36
        --cap-add SETUID \
37
        --cap-add SETGID \
38
        --cap-add DAC_OVERRIDE \
39
        \
40
        `# Resource limits` \
41
        --memory 128m \
42
        --memory-swap 128m \
43
        --cpus 0.25 \
44
        --pids-limit 50 \
45
        \
46
        `# Network security` \
47
        --network slirp4netns:allow_host_loopback=false \
48
        \
49
        `# Process limits` \
50
        --ulimit nproc=50:50 \
51
        --ulimit nofile=1024:1024 \
52
        \
53
        `# Environment restrictions` \
54
        --env-file /dev/null \
55
        \
56
        "$image_name"
57
}

Security Monitoring#

1
#!/bin/bash
2

3
# Security monitoring script for PHP container
4
monitor_container_security() {
5
    local container_name="$1"
6

7
    echo "=== Container Security Monitoring ==="
8

9
    # Check container status
10
    if podman ps | grep -q "$container_name"; then
11
        echo "✓ Container is running"
12
    else
13
        echo "✗ Container is not running"
14
        return 1
15
    fi
16

17
    # Check resource usage
18
    echo "Resource Usage:"
19
    podman stats --no-stream "$container_name" | tail -n +2
20

21
    # Check for privilege escalation attempts
22
    echo "Security Events:"
23
    podman logs "$container_name" 2>&1 | grep -i "permission\|denied\|failed\|error" | tail -5
24

25
    # Check file system integrity
26
    echo "File System Check:"
27
    podman exec "$container_name" find /var/www/html -type f -perm /u+s,g+s 2>/dev/null | head -5
28

29
    # Check network connections
30
    echo "Network Connections:"
31
    podman exec "$container_name" netstat -tuln 2>/dev/null | grep LISTEN || echo "No listening ports found"
32

33
    # Check process list
34
    echo "Running Processes:"
35
    podman exec "$container_name" ps aux | head -10
36
}
37

38
# Usage
39
monitor_container_security "php-legacy-instance"

Migration Strategies#

Assessment and Planning#

1
#!/bin/bash
2

3
# Legacy PHP application assessment script
4
assess_php_application() {
5
    local app_path="$1"
6

7
    echo "=== PHP Application Assessment ==="
8
    echo "Application path: $app_path"
9

10
    # PHP version detection
11
    echo "PHP Version Requirements:"
12
    grep -r "php" "$app_path" | grep -i version | head -5
13

14
    # Framework detection
15
    echo "Framework Detection:"
16
    if [ -f "$app_path/wp-config.php" ]; then
17
        echo "- WordPress detected"
18
    elif [ -f "$app_path/configuration.php" ]; then
19
        echo "- Joomla detected"
20
    elif [ -f "$app_path/config/config.php" ]; then
21
        echo "- Custom framework detected"
22
    fi
23

24
    # Security issues
25
    echo "Potential Security Issues:"
26
    grep -r "mysql_query\|eval\|system\|exec" "$app_path" --include="*.php" | wc -l | xargs echo "Dangerous function calls:"
27
    grep -r "register_globals\|magic_quotes" "$app_path" --include="*.php" | wc -l | xargs echo "Legacy PHP features:"
28

29
    # Database connections
30
    echo "Database Connections:"
31
    grep -r "mysql_connect\|mysqli_connect\|PDO" "$app_path" --include="*.php" | head -3
32

33
    # File upload handling
34
    echo "File Upload Handlers:"
35
    grep -r "\$_FILES\|move_uploaded_file" "$app_path" --include="*.php" | wc -l | xargs echo "Upload handlers found:"
36

37
    # External dependencies
38
    echo "External Dependencies:"
39
    find "$app_path" -name "*.xml" -o -name "composer.json" -o -name "package.json" | head -5
40
}
41

42
# Usage
43
assess_php_application "./legacy-app"

Modernization Path#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: php-migration-plan
5
data:
6
  phases: |
7
    Phase 1: Containerization (Current)
8
    - Isolate legacy application in container
9
    - Implement security hardening
10
    - Establish monitoring and logging
11

12
    Phase 2: Security Hardening
13
    - Update to PHP 5.6 (last 5.x version)
14
    - Implement WAF protection
15
    - Add vulnerability scanning
16

17
    Phase 3: Framework Modernization
18
    - Identify migration path to PHP 7.4/8.x
19
    - Refactor deprecated functions
20
    - Update database connections
21

22
    Phase 4: Full Migration
23
    - Migrate to modern PHP version
24
    - Implement modern framework
25
    - Deploy to production infrastructure
26

27
  security_checklist: |
28
    - [ ] SQL injection protection
29
    - [ ] XSS prevention
30
    - [ ] CSRF protection
31
    - [ ] File upload validation
32
    - [ ] Session security
33
    - [ ] Error handling
34
    - [ ] Input validation
35
    - [ ] Output encoding
36

37
  compatibility_matrix: |
38
    Legacy (PHP 5.3.3):
39
    - mysql_* functions (deprecated)
40
    - register_globals support
41
    - magic_quotes support
42

43
    Modern (PHP 8.x):
44
    - mysqli_* or PDO required
45
    - Strict type checking
46
    - Improved error handling

Monitoring and Logging#

Container Monitoring Setup#

1
#!/bin/bash
2

3
# Monitoring setup for legacy PHP container
4
setup_monitoring() {
5
    local container_name="$1"
6

7
    # Create monitoring directories
8
    mkdir -p ./monitoring/{logs,metrics,alerts}
9

10
    # Setup log aggregation
11
    cat > ./monitoring/rsyslog.conf << 'EOF'
12
# Forward container logs to central location
13
*.* @@localhost:514
14
EOF
15

16
    # Create monitoring script
17
    cat > ./monitoring/monitor.sh << 'EOF'
18
#!/bin/bash
19

20
CONTAINER_NAME="$1"
21
LOG_DIR="./monitoring/logs"
22

23
while true; do
24
    TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
25

26
    # Resource usage
27
    STATS=$(podman stats --no-stream "$CONTAINER_NAME" 2>/dev/null | tail -n +2)
28
    echo "$TIMESTAMP - STATS: $STATS" >> "$LOG_DIR/resource.log"
29

30
    # Health check
31
    HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/info.php)
32
    echo "$TIMESTAMP - HTTP_STATUS: $HTTP_STATUS" >> "$LOG_DIR/health.log"
33

34
    # Security events
35
    SECURITY_EVENTS=$(podman logs "$CONTAINER_NAME" 2>&1 | grep -i "error\|warning\|failed" | tail -1)
36
    [ -n "$SECURITY_EVENTS" ] && echo "$TIMESTAMP - SECURITY: $SECURITY_EVENTS" >> "$LOG_DIR/security.log"
37

38
    sleep 60
39
done
40
EOF
41

42
    chmod +x ./monitoring/monitor.sh
43

44
    # Start monitoring in background
45
    nohup ./monitoring/monitor.sh "$container_name" > ./monitoring/monitor.out 2>&1 &
46
    echo "Monitoring started for container: $container_name"
47
}
48

49
# Alerting system
50
setup_alerting() {
51
    cat > ./monitoring/alerts.sh << 'EOF'
52
#!/bin/bash
53

54
LOG_DIR="./monitoring/logs"
55
ALERT_EMAIL="admin@example.com"
56

57
# Check for high resource usage
58
check_resources() {
59
    local cpu_threshold=80
60
    local mem_threshold=80
61

62
    if [ -f "$LOG_DIR/resource.log" ]; then
63
        local latest_stats=$(tail -1 "$LOG_DIR/resource.log")
64
        local cpu_usage=$(echo "$latest_stats" | awk '{print $4}' | sed 's/%//')
65
        local mem_usage=$(echo "$latest_stats" | awk '{print $6}' | sed 's/%//')
66

67
        if (( $(echo "$cpu_usage > $cpu_threshold" | bc -l) )); then
68
            echo "ALERT: High CPU usage: $cpu_usage%" | mail -s "Container Alert" "$ALERT_EMAIL"
69
        fi
70

71
        if (( $(echo "$mem_usage > $mem_threshold" | bc -l) )); then
72
            echo "ALERT: High memory usage: $mem_usage%" | mail -s "Container Alert" "$ALERT_EMAIL"
73
        fi
74
    fi
75
}
76

77
# Check for security events
78
check_security() {
79
    if [ -f "$LOG_DIR/security.log" ]; then
80
        local recent_events=$(tail -10 "$LOG_DIR/security.log" | grep "$(date '+%Y-%m-%d')")
81
        if [ -n "$recent_events" ]; then
82
            echo "SECURITY ALERT: Recent security events detected" | mail -s "Security Alert" "$ALERT_EMAIL"
83
        fi
84
    fi
85
}
86

87
check_resources
88
check_security
89
EOF
90

91
    chmod +x ./monitoring/alerts.sh
92

93
    # Add to crontab
94
    (crontab -l 2>/dev/null; echo "*/5 * * * * $(pwd)/monitoring/alerts.sh") | crontab -
95
}

Application Performance Monitoring#

1
<?php
2
// monitoring/apm.php - Simple APM for legacy PHP
3

4
class LegacyAPM {
5
    private $start_time;
6
    private $start_memory;
7
    private $log_file;
8

9
    public function __construct($log_file = '/var/log/app/apm.log') {
10
        $this->start_time = microtime(true);
11
        $this->start_memory = memory_get_usage();
12
        $this->log_file = $log_file;
13

14
        // Register shutdown function
15
        register_shutdown_function(array($this, 'shutdown_handler'));
16
    }
17

18
    public function log_event($event, $data = array()) {
19
        $timestamp = date('Y-m-d H:i:s');
20
        $memory = memory_get_usage();
21
        $elapsed = microtime(true) - $this->start_time;
22

23
        $log_entry = array(
24
            'timestamp' => $timestamp,
25
            'event' => $event,
26
            'memory_mb' => round($memory / 1024 / 1024, 2),
27
            'elapsed_ms' => round($elapsed * 1000, 2),
28
            'data' => $data
29
        );
30

31
        error_log(json_encode($log_entry) . "\n", 3, $this->log_file);
32
    }
33

34
    public function shutdown_handler() {
35
        $error = error_get_last();
36
        $total_time = microtime(true) - $this->start_time;
37
        $peak_memory = memory_get_peak_usage();
38

39
        $this->log_event('request_end', array(
40
            'total_time_ms' => round($total_time * 1000, 2),
41
            'peak_memory_mb' => round($peak_memory / 1024 / 1024, 2),
42
            'error' => $error
43
        ));
44
    }
45

46
    public function track_database_query($query, $execution_time) {
47
        $this->log_event('database_query', array(
48
            'query' => substr($query, 0, 100),
49
            'execution_time_ms' => round($execution_time * 1000, 2)
50
        ));
51
    }
52
}
53

54
// Usage in legacy application
55
$apm = new LegacyAPM();
56
$apm->log_event('request_start', array('uri' => $_SERVER['REQUEST_URI']));
57
?>

Backup and Recovery#

Container Backup Strategy#

1
#!/bin/bash
2

3
# Backup strategy for legacy PHP container
4
backup_container() {
5
    local container_name="$1"
6
    local backup_dir="./backups/$(date +%Y%m%d_%H%M%S)"
7

8
    echo "Creating backup for container: $container_name"
9
    mkdir -p "$backup_dir"
10

11
    # Export container as tar
12
    podman export "$container_name" > "$backup_dir/container.tar"
13

14
    # Backup volumes
15
    if [ -d "./app" ]; then
16
        tar -czf "$backup_dir/app_data.tar.gz" ./app
17
    fi
18

19
    if [ -d "./logs" ]; then
20
        tar -czf "$backup_dir/logs.tar.gz" ./logs
21
    fi
22

23
    # Backup configuration
24
    cp Dockerfile "$backup_dir/"
25
    cp -r ./config "$backup_dir/" 2>/dev/null || true
26

27
    # Create manifest
28
    cat > "$backup_dir/manifest.json" << EOF
29
{
30
    "container_name": "$container_name",
31
    "backup_date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
32
    "podman_version": "$(podman --version)",
33
    "image_info": $(podman inspect "$container_name" | jq '.[0].Image' || echo "null"),
34
    "files": [
35
        "container.tar",
36
        "app_data.tar.gz",
37
        "logs.tar.gz",
38
        "Dockerfile"
39
    ]
40
}
41
EOF
42

43
    echo "Backup completed: $backup_dir"
44

45
    # Cleanup old backups (keep last 7 days)
46
    find ./backups -type d -mtime +7 -exec rm -rf {} + 2>/dev/null || true
47
}
48

49
# Restore from backup
50
restore_container() {
51
    local backup_dir="$1"
52
    local container_name="$2"
53

54
    if [ ! -d "$backup_dir" ]; then
55
        echo "Backup directory not found: $backup_dir"
56
        return 1
57
    fi
58

59
    echo "Restoring container from: $backup_dir"
60

61
    # Stop existing container
62
    podman stop "$container_name" 2>/dev/null || true
63
    podman rm "$container_name" 2>/dev/null || true
64

65
    # Import container
66
    cat "$backup_dir/container.tar" | podman import - "restored-$container_name"
67

68
    # Restore volumes
69
    if [ -f "$backup_dir/app_data.tar.gz" ]; then
70
        tar -xzf "$backup_dir/app_data.tar.gz"
71
    fi
72

73
    if [ -f "$backup_dir/logs.tar.gz" ]; then
74
        tar -xzf "$backup_dir/logs.tar.gz"
75
    fi
76

77
    echo "Restore completed. You may need to manually start the container."
78
}

Best Practices#

Development Workflow#

Isolated Development: Use containers for all legacy development work
Version Control: Maintain Dockerfile and configurations in version control
Security Scanning: Regular vulnerability assessments of container images
Resource Monitoring: Continuous monitoring of container performance
Backup Strategy: Regular automated backups of container state and data

Security Guidelines#

Principle of Least Privilege: Run containers with minimal required permissions
Network Isolation: Restrict network access to necessary services only
Regular Updates: Keep base images updated within compatibility constraints
Log Monitoring: Implement comprehensive logging and alerting
Incident Response: Prepare procedures for security incidents

Migration Planning#

Assessment Phase: Thoroughly assess legacy application requirements
Compatibility Testing: Test modernization changes in isolated environments
Incremental Updates: Plan gradual migration to avoid breaking changes
Rollback Procedures: Maintain ability to revert to legacy systems
Documentation: Document all changes and migration steps

Conclusion#

Containerizing legacy PHP applications with Podman provides a secure approach to managing outdated systems while planning for modernization. This approach offers:

Security Isolation: Contains legacy vulnerabilities within controlled environments
Migration Path: Enables gradual modernization without service disruption
Research Environment: Provides safe space for security analysis and testing
Operational Continuity: Maintains service availability during transition periods

Remember that this approach is intended for research, migration planning, and controlled environments. Legacy PHP versions contain known security vulnerabilities and should never be exposed to production traffic without proper security controls and isolation measures.

This containerization approach is designed for security research and migration planning only. Always consult security professionals before deploying legacy systems in any environment.