I can potentially have a Dockerfile that looks like this:
COPY . ./
RUN composer install --no-dev --no-interaction -o
but I have private repos in my composer.json, and this requires me to copy in the SSH keys for the docker build to work properly. I feel uncomfortable packing my SSH keys inside my PHP application docker image.
Alternatively, I can run composer install outside of the docker build (in a build.sh bash script for example) and COPY the directory after the vendor/ has been populated. Is this a correct approach?
Are there any other ways to deal with this issue?
This is a really good question. It describes a problem I've faced a few times now, and it is actually two separate but related issues:
1.) How To Best Deal With Transient Files in Docker
Docker is great at encapsulating the total and utter recreation of an environment. If you handle part of the process 'outside' the container, i.e. you run composer install outside of the docker build process, then you have a less portable build process because you may have introduced machine/environment dependencies that you are not aware of.
If you always rebuild the full environment within Docker then you are guaranteeing that your dependencies are always satisfied and that you could give the dockerfile to anyone else and they too will have a high confidence of being able to rebuild locally without issue.
Transient files are ideal for building within Docker! So I would try to build them within the container whenever possible.
2.) How to de-couple authorisation from Docker build process
Which leads us on to the second issue, how to de-couple authorisation from build?
Option 1 - Bake In composer auth.json with creds for a dedicated build user:
As other answers have said, you could 'bake in' the credentials and then remove them again. However, you wouldn't want to 'bake in' something as sensitive as your SSH keys. Composer supports an auth.json file, so why not create a dedicated build user and store its creds (instead of yours) in the auth.json file? If it is ever compromised, you can change the password. Once composer install has finished, remove or overwrite the file.
COPY . ./
RUN composer install --no-dev --no-interaction -o
RUN rm -f ./auth.json
Option 2 - Make the creds themselves transient and pass them into the Docker container using docker exec:
I haven't completely tested this approach but I can't see why something like this wouldn't work.
1.) You build a base PHP container which is capable of running 'composer install' (or use one from docker hub)
2.) You spin up this base container so that it is running
3.) You use docker exec to pass in your creds to a wrapper script which is already baked into your container. The wrapper script will run composer install using HTTP basic authentication - it will already have the username baked in, so you'll just need to provide the password as per the http-basic technique
# run in the foreground (no -d) so the command returns only after composer install has finished,
# otherwise step 4 may commit the container while composer is still running
docker exec my_base_php_container php -f /my_wrapper_script.php ${PASSWORD}
4.) You commit this container as a new image
# -m sets the commit message; --change expects a Dockerfile instruction (CMD, ENV, ...), not free text
docker commit -m "composer install" ${CONTAINER_ID} my_installed_image:1.0
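A BuildKit secret mount achieves what Option 1 is after without the file ever landing in an image layer: a later `RUN rm -f ./auth.json` only adds a whiteout in a new layer, and the layer that wrote auth.json still carries the credentials for anyone who pulls the image and unpacks it. The Dockerfile below is an added example and is not code from the question or the answer above. It assumes a project-level auth.json (which Composer reads from the directory holding composer.json), the secret id `composer_auth`, the `/app` working directory and the `php:8.2-fpm-alpine` runtime base image; all of these are choices for the example, not anything the page specifies.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: resolve dependencies in a build-only stage.
FROM composer:2 AS vendor
WORKDIR /app
# Copy only the manifests first so this layer stays cached until they change.
COPY composer.json composer.lock ./
# The secret is mounted for this single RUN and never written to a layer.
# Composer picks up auth.json next to composer.json for private repo credentials.
# --no-scripts: application code is not present in this stage, so skip post-install hooks.
RUN --mount=type=secret,id=composer_auth,target=/app/auth.json \
    composer install --no-dev --no-interaction --no-scripts --optimize-autoloader

# Stage 2: the runtime image gets vendor/ only; none of stage 1's layers are included.
FROM php:8.2-fpm-alpine
WORKDIR /app
COPY --from=vendor /app/vendor ./vendor
COPY . ./
```

Build it with `docker build --secret id=composer_auth,src=$HOME/.composer/auth.json -t myapp .` (set `DOCKER_BUILDKIT=1` on older Docker releases where BuildKit is not the default). Add `auth.json` and `vendor/` to .dockerignore so the final `COPY . ./` cannot pull a local copy of either into the runtime image. If the private repos are reached over SSH instead of HTTP basic auth, the same pattern works with `RUN --mount=type=ssh composer install ...` and `docker build --ssh default`, which forwards the host's ssh-agent into that RUN step; the stage then also needs the repo host's key in known_hosts (for example via `ssh-keyscan`) for the clone to succeed non-interactively.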