I'm planning on creating a bunch of PHP scripts in a phar archive (for easy deployment) and allowing it to self-update from a known repository.
How should a phar archive, on a live website, update itself? Not update its contents, but just replacing itself (from a new.phar previously downloaded to /tmp or something) would be enough.
I'm specifically concerned about pitfalls on "replacing myself" in PHP, also considering requests could be underway (the script will primarily be called from the web, by AJAX).
You can check how composer does self update:
https://github.com/composer/composer/blob/master/src/Composer/Command/SelfUpdateCommand.php
But like #OddEssay said it would probably be better to use composer as package manager.
Check Distributing CLI PHP App with Ease article.
There is also mentioned PHP-Phar-Update package, that handle PHAR self-updating.
For implementation example, you can check Self-update command of PhpDocumentor
Related
I want to minimize traffic usage with composer packages load, so I need for production loads to only download the source/lib folders without examples/docs/readme.
I haven't found any information in the official composer documentation.
UPD
One of the best solution - add .gitattributes file into your project and add main rows from this gist
This is not really up to composer and instead a responsibility of package maintainers. You can use --prefer-dist to install a distribution instead of checking out the git repository as is usually done during development, but what this distribution contains is managed by the package maintainer.
If the packages you install allow for pull requests & issues, you could ask them to provide a .gitattributes file which is recognized by github when creating an archive or provide a pull request providing one. In this file you can specify which files and folders will be excluded from the archive using export-ignore. In any case since everything is bundled in a zip the bandwidth saved is probably negligible.
So, short answer is the only way to minimize bandwidth usage and allocated disk space for dependencies is using the --prefer-dist option - and omitting dev dependencies with --no-dev - when installing them for production.
I am reading/learning about Composer, the application-level package manager for PHP.
In this blog post written by lead dev Jordi Boggiano, he writes:
Composer on the other hand forces you to declare your project
dependencies in a one-stop location (composer.json at the root). You
just checkout the code, install dependencies, and they will sit in the
project directory, not disturbing anything else on the machine.
Another related feature is the composer.lock file that is generated
when you install or update dependencies. It stores the exact version
of every dependency that was used. If you commit it, anyone checking
out the project will be able to install exactly the same versions as
you did when you last updated that file, avoiding issues because of
minor incompatibilities or regressions in different versions of a
dependency.
If I understand Composer properly, when we're talking about packages downloaded/installed by Composer, we are talking about PHP code packages, ie, programming code written in PHP, and not system-level packages, eg, extensions to the PHP runtime installed on the server. So once these PHP code packages have been downloaded and added to a PHP project, I would have thought those packages become part of the PHP application source code, eg to be checked in to whichever version control system is being used for the project. If another developer comes along and checks out the code, why would they need to then "install the packages", as is stated in the blog post? Wouldn't they get a copy of all code packages when they check out the code from source control? This line in the blog post is confusing me, and making me think I don't understand Composer.
Any clarity on this would be greatly appreciated. Thanks.
The dependencies themselves should not be commited to source control. The composer.json and composer.lock files, on the other hand, should. There's various reasons for this, amongst them:
Every time you update the dependency you would have to commit the changes. That kind of tightly couples your code to the dependency, when it should be exactly the other way around.
The packages themselves are already in their own repository with their own history. Why repeat that in your project's history?
Those repositories can be huge, just muddling the waters around your project. Why carry around all that weight?
Instead, having each developer just run composer install (very important: not composer update) whenever they check out the project is much more efficient. Composer will install the dependencies from composer.lock, making sure everyone running the same commit is on the exact same page. The same goes for deploying.
You can read more about this here.
On the other hand, there might be situations where you have to commit your packages to get around a problem, like for example when you know you won't be able to run composer install on your production server (shared hosting)
Normally packages installed via composer don't get checked in to source control, only the code you write and the composer.json and composer.lock files.
This way the repository for your project does not get bloated with code you did not write and possibly don't really care that much about.
Yes its normal after cloning down your repository a developer will need to run the "composer install" command. The composer.lock file will ensure they get the same modules and versions of them you used when creating your project.
Not including the composer modules in your source control also allow you to easily update to the modules to get bug fixes and new features in new versions of them.
Is there an automated way of updating the version number in composer.json and adding the necessary tags before publishing, like the way npm version does?
I mean, if you had a composer.json with the line "version": "2.1.3", and executed:
composer version minor
It would do the following:
Updating the version number in composer.json to 2.2.0
Triggering composer update to update composer.lock
Making a new git commit
Making a new git tag v2.2.0
I know that the composer version command doesn't exist, but is there an equivalent tool?
npm version does stuff that you very likely do not need for Composer:
The version number is not recorded in composer.json if there are other means available - and because you are referring to Git later on, they are available.
Updating dependencies in the lock file is unnecessary. The lock file will be ignored when the project you are dealing with is included somewhere else.
Because nothing has changed in the project, a git commit wouldn't do anything.
All this leaves you with creating a new tag in the Git repository. Putting this into Composer would mean you'd exchange one command with another, without any big benefit besides you won't have to lookup the current version number you are dealing with if you use some of the relative version parameters.
All in all I'd say that simply tagging your new version is enough for Composer. You'd probably need to have some infrastructure in place and configured to make the world aware of the new version:
If your package is open source and on packagist.org, you should have a post-commit hook to notify them as soon as a new version is available. This is a standard option on Github, I don't know about other source code hosts.
Otherwise if you have to feed closed source code, you'd probably start a new update cycle of whatever system is used to create an alternative package information source (be it Satis, locally hosted Packagist, Toran Proxy or Private Packagist)
This however depends on how you set up things.
If for some reason and despite all voices against it you still want to use a tool like the OP asked for, https://www.npmjs.com/package/composer-version works quite well.
I've created tool, that runs as a server, and allow clients to connect to it through TCP, and run some commands. It's written on python 3
Now I'm going to build package and upload it to Pypi, and have conceptual problem.
This tool have python client library inside, so, after installation of the package, it'll be possible to just import library into python script, and use for connection to the daemon without dealing with raw TCP/IP.
Also, I have PHP library, for connection to me server, and the problem is - I don't know how to include it into my python package the right way.
Variants, that I found and can't choose the right one:
Just include library.php file into package, and after running "pip install my_package", I would write "require('/usr/lib/python3/dist-packages/my_package/library.php')" into my php file. This way allows to distribute library with the server, and update it synchronously, but add long ugly paths to php require instruction.
As library.php in placed on github repository, I could just publish it's url in the docs, and it'll be possible to just clone repository. It makes possible to clone repo, and update library by git pull.
Create separate package with my library.php, upload it into packagist, and use composer to download it when it's needed. Good for all composer users, and allow manual update, but doens't update with server's package.
Maybe I've missed some other variants.
I want to know what would be true python'ic and php'ic way to do this. Thanks.
I've decided to create separate PHP package for my PHP library, and upload it to a packagist.org, so, user could get it using php composer, but not forced to, as it would be in case of including library.php into python package.
I intend to use single phar file with digital signature to deploy a web application. Combined this with event sourcing would make me very easy to follow release early, release often philosophy...
I am using composer as package manager. What I am uncertain:
How to pack the vendors with my application into a single phar?
I am not sure how composer installs a vendor, but I think it can install them as phar files as well. I found almost nothing about phar-s packed into other phars.
Is composer's autoloader prepared to do that, or I have to do some modifications?
Do I have to install composer on the server? (I have no CLI, and I have no rights to do that. Bad for me, yes.)
How can I filter out automatically the tests and documentations of my application and its dependencies. (I want to have a small release package.)
To answer some of your questions:
Composer does not install .phar files as the dependencies. In fact, those common packages that do come as .phar file (namely PHPUnit) do offer .phar as an alternative to using Composer, which is mutually exclusive. So you'd simply run composer install, get a directory tree of your own files and vendor files, and can then add these all into the .phar file you are about to create.
Composer autoloader does use __DIR__ to know where it is, and where other files are relative from this constant. This should be compatible with .phar files.
You have to install Composer on the machine you intend to create the .phar files on.
Filtering unwanted files is the task of your build script that creates the .phar files. It is not the task of Composer.
Note that there are already libraries that help you creating .phar files. Have a look at kherge/box, for example.