Composer: Installation on Docker containers

Created on 28 Jun 2016 · 3 Comments · Source: composer/composer

As the docs say:

WARNING: Please do not redistribute the install code. It will change with every version of the installer. Instead, please link to this page.

it is annoying to use the installation code provided there in a Dockerfile, as the SHA-384 verification will go stale really soon and we will get a sad "Installer corrupt" message every time that we try to build the container.
I used to like the one-liner install but I know it has the corruption problem.

So, what are the guidelines for using it in a Dockerfile? Should we keep using the one-liner install above? Should it be in the docs?

curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

All 3 comments

I think for Docker, it is probably best to use a known stable release and download it directly.

E.g.:

wget https://getcomposer.org/download/1.1.3/composer.phar
# or if you want snapshot
wget https://getcomposer.org/composer.phar

I know this does not offer you the same security the install script provides.

Another option would be to commit the composer.phar into the repository that also contains the Dockerfile, and then simply use a COPY step to copy it into the container at build time.

In the case of Docker it can also be verified by chaining commands, as if any of them fails in the RUN statement the whole image build would also fail:

RUN echo "$(curl -sS https://composer.github.io/installer.sig) -" > composer-setup.php.sig \
    && curl -sS https://getcomposer.org/installer | tee composer-setup.php | sha384sum -c composer-setup.php.sig \
    && php composer-setup.php -- --install-dir=/root/bin --filename=composer

It is very common to have this for signature verifications; see the official PHP Dockerfile, for example.
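
A pinned-digest variant that combines the two suggestions in the comments (download a fixed release, verify inside a chained RUN step), as an added example that is not from this thread or from the Composer project. Unlike the RUN step above, which fetches the digest at build time, it takes the digest as a value committed alongside the Dockerfile; `install_verified` is a hypothetical helper name, and GNU `sha384sum` and `install` are assumed to be present in the image.

```shell
#!/bin/sh
# Added example: install a downloaded file only if it matches a pinned
# SHA-384 digest. install_verified is a hypothetical helper name.
#
# usage: install_verified <downloaded-file> <expected-sha384-hex> <destination>
# returns 0 on success, 1 on digest mismatch, 2 on unusable input
install_verified() {
    file=$1
    # Normalise to lowercase so the comparison does not depend on hex case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3

    # Fail closed when the pinned digest is missing or malformed, e.g. an
    # unset build ARG or an error page fetched in place of a digest.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "install_verified: digest is empty or not hex" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 96 ]; then
        echo "install_verified: digest is not 96 hex characters" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "install_verified: $file not found" >&2
        return 2
    fi

    # "digest<two spaces>filename" is the checksum-line format that
    # sha384sum -c reads; "-" makes it read that line from stdin.
    if ! printf '%s  %s\n' "$expected" "$file" | sha384sum -c - >/dev/null 2>&1
    then
        echo "install_verified: digest mismatch, removing $file" >&2
        rm -f -- "$file"
        return 1
    fi

    # Only a verified file reaches the destination, with execute permission.
    install -m 0755 -- "$file" "$dest"
}
```

In a Dockerfile the function would be called in the same RUN step as the download, so a mismatch fails the build in the way the comment above describes.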
