Compiling from the source
To run crap like PHP or NodeJS (and even decent things like nginx with uwsgi) fast and with better security, one has to compile the engine itself and all of its dependencies with hardened compiler and linker flags (-fstack-protector-all and perhaps -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack, etc.).
Ideally, one shall use hardened Gentoo as the hosting distro, but even Ubuntu LTS will do - just recompile everything user-facing, everything that listens for connections and everything that runs the code, together with all their libs.
The easiest and most robust way is to use scripts similar to FreeBSD Ports, which install everything into /usr/local (and, sometimes, into /opt). This strategy is still more than good enough. It is simple and robust.
No fucking Docker (which uses apt), no Kubernetes or whatever over-"engineered" useless crap is being memed nowadays. Just this:
FreeBSD ports-like shell scripts
The simplest and the most robust way is just to do:
# clone over https: the git:// transport is unauthenticated and GitHub no longer serves it
git clone --depth=1 --recurse-submodules --shallow-submodules https://github.com/xxx/xxxx.git
cd xxxx
./configure --prefix=/usr/local
make
sudo make install
The compiler flags (CFLAGS, CXXFLAGS, etc.) in this case should be provided as environment variables, the way the configure script expects them to be specified.
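The procedure above as a ports-like script, added here as an example (it is not code from the original post): it exports the hardening flags from the top of the post the way configure reads them, builds from a placeholder repository into a chosen prefix, and then checks the installed binary with readelf for RELRO, BIND_NOW, a non-executable stack and stack-protector instrumentation. -D_FORTIFY_SOURCE=2 and -fPIE/-pie are assumed additions beyond the flags the post names, and readelf (binutils) is assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the original post: a ports-like build script that
# exports the post's hardening flags for ./configure, plus a post-build check
# that the flags actually took effect. Repo URL, prefix and binary are
# placeholders supplied by the caller; readelf (binutils) is assumed present.
set -e

# Compiler flags from the post; -D_FORTIFY_SOURCE=2 and -fPIE are assumed
# additions that the post's "etc" leaves open.
hardened_cflags() {
    printf '%s' '-O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE'
}
# Linker flags: full RELRO, immediate binding, non-executable stack, PIE.
hardened_ldflags() {
    printf '%s' '-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -pie'
}
# Export them as the environment variables an autoconf configure script reads.
hardened_env() {
    CFLAGS=$(hardened_cflags); CXXFLAGS=$CFLAGS; LDFLAGS=$(hardened_ldflags)
    export CFLAGS CXXFLAGS LDFLAGS
}

# $1 = git URL (https, not the unauthenticated git://), $2 = install prefix.
build_from_git() {
    url=$1; prefix=${2:-/usr/local}; dir=$(basename "$url" .git)
    hardened_env
    git clone --depth=1 --recurse-submodules --shallow-submodules "$url"
    cd "$dir"
    ./configure --prefix="$prefix"
    make
    sudo make install
}

# Verify an installed ELF binary carries the protections: GNU_RELRO segment,
# BIND_NOW, a non-executable GNU_STACK and a __stack_chk_fail reference
# (stack protector present). Returns 0 only when all four checks pass.
check_hardening() {
    bin=$1; rc=0
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    readelf -lW "$bin" | grep -q GNU_RELRO || { echo "missing RELRO"; rc=1; }
    readelf -dW "$bin" | grep -Eq 'BIND_NOW|Flags:.*NOW' || { echo "missing BIND_NOW"; rc=1; }
    readelf -lW "$bin" | grep GNU_STACK | grep -q ' RW ' || { echo "executable stack"; rc=1; }
    readelf -sW "$bin" | grep -q __stack_chk_fail || { echo "no stack protector"; rc=1; }
    return $rc
}

# Only build when invoked with arguments, e.g. ./build.sh https://github.com/xxx/xxxx.git
if [ $# -ge 1 ]; then build_from_git "$@"; fi
```

Run check_hardening against the installed binary (for example /usr/local/bin/whatever) after make install; a non-zero exit with the printed reason means the flags were dropped somewhere in the build.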
Debian/Ubuntu/SRPM source packages
Each particular distro has its own source packages, which are used to produce the binary packages (for every supported architecture). Change the CFLAGS, recompile, then upgrade the package.
To avoid further automatic upgrades, explicitly forbid upgrading this particular package.
If you need to install your own sources/versions - just package them and set up an external repo. This is how Google Chrome is distributed.
It is just that simple. No fucking Docker images are needed.