How to Install Composer on RHEL 7

How to Install Composer on RHEL 7

Composer is the standard dependency manager for PHP, used by virtually every modern PHP framework and library ecosystem. It reads a composer.json file in your project to resolve and download the exact library versions your application requires, storing them in a vendor/ directory and generating an autoloader that makes all classes immediately available without manual require statements. Unlike system package managers such as yum, Composer operates at the application level — each project maintains its own isolated set of dependencies. This guide covers downloading and installing Composer globally on RHEL 7, verifying the installation, creating and working with composer.json, and understanding the difference between global and local installs.

Prerequisites

• RHEL 7 server with root or sudo access
• PHP 7.2 or newer installed (see the PHP installation guide)
• The following PHP extensions enabled: php-curl, php-zip, php-mbstring, php-xml
• curl or wget available on the system
• Internet access from the server, or a local Composer mirror

Step 1: Verify PHP is Installed and Extensions are Available

Composer’s installer script performs its own PHP requirement checks, but it is worth confirming the environment before starting:

php -v
php -m | grep -E 'curl|zip|mbstring|openssl|phar'

If any required extension is missing, install it via Remi/yum before continuing:

sudo yum install -y php-curl php-zip php-mbstring php-xml

Reload PHP-FPM if it is running:

sudo systemctl reload php-fpm

Step 2: Download the Composer Installer

Composer provides an official PHP installer script. Download it to /tmp:

php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"

Alternatively, use curl:

curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php

Step 3: Verify the Installer Checksum

Always verify the integrity of the installer before executing it. Composer publishes the expected SHA-384 hash on its website. Retrieve the current expected hash and compare:

HASH=$(curl -sS https://composer.github.io/installer.sig)
echo "Expected hash: $HASH"

php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === '$HASH') {
    echo 'Installer verified' . PHP_EOL;
} else {
    echo 'Installer corrupt' . PHP_EOL;
    unlink('/tmp/composer-setup.php');
    exit(1);
}"

Proceed only if the output reads Installer verified. A corrupt or tampered installer poses a serious security risk.

Step 4: Run the Installer

Execute the installer with PHP to download the Composer PHAR archive:

php /tmp/composer-setup.php --install-dir=/tmp --filename=composer

Expected output:

All settings correct for using Composer
Downloading...

Composer (version 2.x.x) successfully installed to: /tmp/composer
Use it: php /tmp/composer

Remove the installer script once the PHAR is downloaded:

php -r "unlink('/tmp/composer-setup.php');"

Step 5: Install Composer Globally

Move the Composer PHAR to a directory in your system PATH so it can be run from anywhere as the composer command:

sudo mv /tmp/composer /usr/local/bin/composer
sudo chmod +x /usr/local/bin/composer

Step 6: Verify the Global Installation

Confirm that Composer is accessible system-wide and check the version:

composer --version

Expected output:

Composer version 2.7.x  2024-xx-xx xx:xx:xx

View the full list of available Composer commands:

composer list

Step 7: Understanding Global vs Local Installs

Composer operates in two modes:

• Local (per-project) — The default and recommended mode. Dependencies are installed into a vendor/ directory inside the project. Each project is fully isolated and can use different versions of the same library.
• Global — Installs packages into ~/.composer/vendor/ and makes their binaries available globally. Useful for development tools like phpcs, phpstan, or deployer that you want available everywhere.

To install a package globally:

composer global require squizlabs/php_codesniffer

Add the global Composer bin directory to your PATH so globally installed binaries are accessible:

echo 'export PATH="$HOME/.composer/vendor/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Step 8: Creating a composer.json File

The composer.json file is the manifest for your project’s dependencies. Create a new project directory and initialize Composer:

mkdir /var/www/myapp
cd /var/www/myapp
composer init

Composer will ask interactive questions about your project. You can also create a minimal composer.json manually:

{
    "name": "mycompany/myapp",
    "description": "My PHP application",
    "type": "project",
    "require": {
        "php": ">=7.4",
        "monolog/monolog": "^3.0",
        "guzzlehttp/guzzle": "^7.0"
    },
    "autoload": {
        "psr-4": {
            "App\": "src/"
        }
    }
}

Step 9: Installing and Updating Dependencies

Install all packages defined in composer.json:

composer install

Composer creates two important files:

• vendor/ — Contains all downloaded packages
• composer.lock — Records the exact version of every package installed

Commit composer.lock to version control but add vendor/ to .gitignore. This ensures every developer and deployment uses the identical dependency tree:

echo "vendor/" >> .gitignore

To update all packages to their latest allowed versions and regenerate the lock file:

composer update

To update a single package:

composer update monolog/monolog

Add a new package to an existing project:

composer require symfony/http-client

Step 10: Using the Autoloader

Composer generates a PSR-4 autoloader at vendor/autoload.php. Include it at the top of your application entry point:

<?php

require __DIR__ . '/vendor/autoload.php';

use MonologLogger;
use MonologHandlerStreamHandler;

$log = new Logger('app');
$log->pushHandler(new StreamHandler('/var/log/myapp.log', Logger::WARNING));
$log->warning('This is a warning message');

Any class in a namespace mapped in the autoload.psr-4 section of composer.json will be autoloaded from your src/ directory automatically without additional require calls.

Regenerate the autoloader after adding new classes or changing namespace mappings:

composer dump-autoload

Step 11: Keeping Composer Itself Updated

Composer includes a self-update command. Run it periodically to stay on the latest version:

sudo composer self-update

To pin to a specific major version (e.g., stay on Composer 2.x):

sudo composer self-update --2

Conclusion

Composer is now installed globally on your RHEL 7 server and ready to manage PHP dependencies for any project. By placing composer.json under version control and committing composer.lock, your team and deployment pipelines can reproduce the exact same dependency state every time with a single composer install command. The PSR-4 autoloader eliminates manual require statements and makes your project structure cleaner and more maintainable. With Composer in place, you are ready to install frameworks like Laravel or Symfony, which rely on it for all of their package management and bootstrapping.