From 5df06d354d4a06fc55f427426c79657fe74a52f8 Mon Sep 17 00:00:00 2001
From: Trabelsi Tobias
Date: Fri, 11 Jun 2021 10:44:20 +0200
Subject: [PATCH 1/2] preparation for the 9.x release cycle
---
 .gitignore | 1 +
 Dockerfile | 44 +++++++++++++++++++++
 Kptfile | 13 ++++++
 LICENSE | 3 ++
 README.md | 10 ++++-
 hardening_manifest.yaml | 52 ++++++++++++++++++++++++
 renovate.json | 73 ++++++++++++++++++++++++++++++++++
 scripts/Kptfile | 20 ++++++++++
 scripts/docker-healthcheck | 11 ++++++
 scripts/run.sh | 81 ++++++++++++++++++++++++++++++++++++++
 scripts/sonar.sh | 2 +
 11 files changed, 308 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 Kptfile
 create mode 100644 LICENSE
 create mode 100644 hardening_manifest.yaml
 create mode 100644 renovate.json
 create mode 100644 scripts/Kptfile
 create mode 100755 scripts/docker-healthcheck
 create mode 100755 scripts/run.sh
 create mode 100755 scripts/sonar.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c233e1a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+scripts/Dockerfile
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2ce9f6a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,44 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/openjdk/openjdk11
+ARG BASE_TAG=1.11
+
+FROM sonarqube:9.0-datacenter-search AS build
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ARG SONARQUBE_VERSION="9.0-datacenter-search"
+ENV SONAR_VERSION="${SONARQUBE_VERSION}" \
+ SONARQUBE_HOME="/opt/sonarqube" \
+ SQ_DATA_DIR="/opt/sonarqube/data" \
+ SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+ SQ_LOGS_DIR="/opt/sonarqube/logs" \
+ SQ_TEMP_DIR="/opt/sonarqube/temp" \
+ ES_TMPDIR="/opt/sonarqube/temp" \
+ SONAR_CLUSTER_NODE_TYPE="search" \
+ SONAR_CLUSTER_ENABLED="true"
+
+USER root
+RUN set -ex \
+ && groupadd -r -g 1000 sonarqube \
+ && useradd -r -u 1000 -g sonarqube sonarqube \
+ && dnf update -y \
+ && dnf install -y fontconfig freetype hostname iproute \
+ && dnf clean all \
+ && rm -rf /var/cache/dnf \
+ && echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security" \
+ && sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"
+
+COPY --chown=sonarqube:sonarqube --from=build ${SONARQUBE_HOME} ${SONARQUBE_HOME}
+COPY --chown=sonarqube:sonarqube scripts/*.sh ${SONARQUBE_HOME}/bin/
+COPY scripts/docker-healthcheck /usr/local/bin/
+
+RUN ln -s ${SONARQUBE_HOME}/lib/sonar-application-*.jar ${SONARQUBE_HOME}/lib/sonar-application-${SONAR_VERSION}.jar
+
+USER sonarqube
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+HEALTHCHECK CMD ["docker-healthcheck"]
+
+ENTRYPOINT ["bin/run.sh"]
+CMD ["bin/sonar.sh"]
diff --git a/Kptfile b/Kptfile
new file mode 100644
index 0000000..3789c05
--- /dev/null
+++ b/Kptfile
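Review bot: The install line `&& dnf install -y fontconfig freetype hostname iproute \` brings in neither `su-exec` nor `gosu`, while `scripts/run.sh` (copied into `${SONARQUBE_HOME}/bin/` by the `COPY --chown=sonarqube:sonarqube scripts/*.sh` line) runs `exec su-exec sonarqube "$0" "$@"` whenever the container starts as uid 0, so unless the base image happens to provide it (not visible here) a `--user root` start fails with command-not-found right after the recursive chown instead of dropping to `sonarqube`. Either add a privilege-drop helper to that install list or state in the README that the image is only supported under the built-in uid 1000 user. The same line installs unpinned packages (hadolint DL3041), so package contents drift between rebuilds of an otherwise digest-pinned image; `dnf install -y fontconfig-<version> freetype-<version> hostname-<version> iproute-<version>` with the versions the base repositories currently serve keeps it reproducible. `HEALTHCHECK CMD ["docker-healthcheck"]` also depends on `curl`, which nothing in this Dockerfile installs, so it is presumably inherited from the base image; worth confirming once, because a missing probe binary marks every container unhealthy.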
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: sonarqube-scripts
+packageMetadata:
+ shortDescription: vendor scripts sync
+dependencies:
+ - name: ./scripts
+ git:
+ repo: https://github.com/SonarSource/docker-sonarqube
+ directory: /9/datacenter/search
+ ref: 9.0
+ updateStrategy: resource-merge
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2adb969
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,3 @@
+Copyright (C) ${inceptionYear}-2021 SonarSource SA
+All rights reserved
+mailto:info AT sonarsource DOT com
\ No newline at end of file
diff --git a/README.md b/README.md
index 5dc6fa6..03ac358 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,9 @@
-#
+# SonarQube 9.x Datacenter Search
-Project template for all Iron Bank container repositories.
\ No newline at end of file
+[SonarQube](https://www.sonarqube.org/) is an open source product for continuous inspection of code quality.
+
+![logo](https://raw.githubusercontent.com/docker-library/docs/84479f149eb7d748d5dc057665eb96f923e60dc1/sonarqube/logo.png)
+
+## How to use this image
+
+Please see the official [documentation](https://hub.docker.com/_/sonarqube/) for usage.
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..5e715ef
--- /dev/null
+++ b/hardening_manifest.yaml
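Review bot: `ref: 9.0` in the `dependencies` entry of `Kptfile` is unquoted, so YAML readers take it as the float 9.0 rather than the string `9.0`; that is already inconsistent with `scripts/Kptfile` in this same patch, which writes `ref: "9.0"`, and it turns into a wrong ref as soon as Renovate bumps it to a two-digit minor such as 9.10 (parsed as 9.1). Quote it: `ref: "9.0"`. The `^Kptfile$` regex manager in `renovate.json` would then capture the quotes as part of the version, so its pattern has to be adjusted to allow an optional `"` on either side of the capture group at the same time.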
@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "sonarsource/sonarqube/sonarqube9-datacenter-search"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "9.0-datacenter-search"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/openjdk/openjdk11"
+ BASE_TAG: "1.11"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "sonarqube9-datacenter-search"
+ ## Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code."
+ ## License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "All rights reserved"
+ ## URL to find more information on the image
+ org.opencontainers.image.url: "https://docs.sonarqube.org/latest/"
+ ## Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "SonarSource SA"
+ org.opencontainers.image.version: "9.0-datacenter-search"
+ ## Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "cicd,devops,sast,review" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "SonarQube" + +# List of resources to make available to the offline build context +resources: +- url: "docker://docker.io/library/sonarqube@sha256:9ef03851f47284153be39a12d9dc7efbc1739a51ab85032117963a6ef35d171b" + tag: "sonarqube:9.0-datacenter-search" + +# List of project maintainers +maintainers: +- name: "Tobias Trabelsi" + username: "ttrabelsi" +- name: "Malena Ebert" + username: "mebert" +- name: "Sean Melissari" + username: "sean.melissari" + email: "melissari_sean@bah.com" + cht_member: true diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..1ff40b9 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,73 @@
+{
+ "assignees": [
+ "@sean.melissari"
+ ],
+ "baseBranches": [
+ "development"
+ ],
+ "postUpgradeTasks": {
+ "commands": [
+ "kpt pkg sync ."
+ ],
+ "fileFilters": [
+ "scripts/*"
+ ]
+ },
+ "regexManagers": [
+ {
+ "fileMatch": [
+ "^Dockerfile$"
+ ],
+ "matchStrings": [
+ "version=\"(?.*?)\""
+ ],
+ "depNameTemplate": "sonarqube",
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^Dockerfile$"
+ ],
+ "matchStrings": [
+ "SONARQUBE_VERSION=\"(?.*?)\""
+ ],
+ "depNameTemplate": "sonarqube",
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^Kptfile$"
+ ],
+ "matchStrings": [
+ "\\s+ref:\\s+(?.*?)\n"
+ ],
+ "depNameTemplate": "SonarSource/docker-sonarqube",
+ "datasourceTemplate": "github-tags",
+ "versioningTemplate": "loose"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\""
+ ],
+ "depNameTemplate": "sonarqube",
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "tags:\\s+-\\s+\"(?.+?)\""
+ ],
+ "depNameTemplate": "sonarqube",
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/scripts/Kptfile b/scripts/Kptfile
new file mode 100644
index 0000000..4f0bfbc
--- /dev/null
+++ b/scripts/Kptfile
@@ -0,0 +1,20 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: sonarqube-scripts
+upstream:
+ type: git
+ git:
+ commit: 277ec116b3df9556f975b7af328c053316bb2c2d
+ repo: https://github.com/SonarSource/docker-sonarqube
+ directory: /9/datacenter/search
+ ref: "9.0"
+packageMetadata:
+ shortDescription: vendor scripts sync
+dependencies:
+ - name: ./scripts
+ git:
+ repo: https://github.com/SonarSource/docker-sonarqube
+ directory: /9/datacenter/search
+ ref: "9.0"
+ updateStrategy: resource-merge
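Review bot: The first `regexManagers` entry, whose `matchStrings` pattern is `version=\"(?.*?)\"` against `^Dockerfile$`, matches nothing in the Dockerfile added by this patch: the only version string there is `ARG SONARQUBE_VERSION="..."`, and Renovate's regex matching is case-sensitive, so only the second entry (`SONARQUBE_VERSION=\"(?.*?)\"`) will ever fire. The dead entry looks like a template leftover and should be dropped, or its pattern corrected, so readers do not assume two managers track two different versions. The capture-group name was lost in rendering here, so it could not be checked against the other entries. Since `postUpgradeTasks.commands` runs `kpt pkg sync .`, the self-hosted Renovate instance also has to allow that command via `allowedPostUpgradeCommands`, otherwise the vendored `scripts/` directory silently lags behind the bumped `Kptfile` ref.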
diff --git a/scripts/docker-healthcheck b/scripts/docker-healthcheck
new file mode 100755
index 0000000..0b1386b
--- /dev/null
+++ b/scripts/docker-healthcheck
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# A Sonarqube container is considered healthy if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
+# status about migration are added to prevent the node to be kill while sonarqube is updating himself.
+host="$(cat /etc/hostname || echo '127.0.0.1')"
+
+if curl -Ss http://${host}:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
+ exit 0
+fi
+
+exit 1
diff --git a/scripts/run.sh b/scripts/run.sh
new file mode 100755
index 0000000..88e7a3d
--- /dev/null
+++ b/scripts/run.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+HOSTNAME=$(hostname)
+IP=$(ip -4 address show scope global | grep inet | awk '{ print $2 }' | head -n 1 | cut -d \/ -f 1)
+
+declare -a sq_opts=()
+set_prop_from_deprecated_env_var() {
+ if [ "$2" ]; then
+ sq_opts+=("-D$1=$2")
+ fi
+}
+
+# if nothing is passed, assume we want to run sonarqube server
+if [ "$#" == 0 ]; then
+ set -- bin/sonar.sh
+fi
+
+# if first arg looks like a flag, assume we want to run sonarqube server with flags
+if [ "${1:0:1}" = '-' ]; then
+ set -- bin/sonar.sh "$@"
+fi
+
+if [[ "$1" = 'bin/sonar.sh' ]]; then
+ chown -R "$(id -u):$(id -g)" "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}" 2>/dev/null || :
+ chmod -R 700 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}" 2>/dev/null || :
+
+ # Allow the container to be started with `--user`
+ if [[ "$(id -u)" = '0' ]]; then
+ chown -R sonarqube:sonarqube "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"
+ exec su-exec sonarqube "$0" "$@"
+ fi
+
+ #
+ # Deprecated way to pass settings to SonarQube that will be removed in future versions.
+ # Please use environment variables (https://docs.sonarqube.org/latest/setup/environment-variables/)
+ # instead to customize SonarQube.
+ #
+ while IFS='=' read -r envvar_key envvar_value
+ do
+ if [[ "$envvar_key" =~ sonar.* ]] || [[ "$envvar_key" =~ ldap.* ]]; then
+ sq_opts+=("-D${envvar_key}=${envvar_value}")
+ fi
+ done < <(env)
+
+ #
+ # Change log path to ensure every search node can write in their own directory
+ # This resolves a cluttered log on docker-compose with scale > 1
+ #
+ if [ -z "${SONAR_PATH_LOGS:-}" ]
+ then
+ SONAR_CLUSTER_PATH_LOGS="logs/${HOSTNAME}"
+ mkdir -p ${SONARQUBE_HOME}/${SONAR_CLUSTER_PATH_LOGS}
+ chown -R sonarqube:sonarqube ${SONARQUBE_HOME}/${SONAR_CLUSTER_PATH_LOGS}
+ else
+ SONAR_CLUSTER_PATH_LOGS="${SONAR_PATH_LOGS}/${HOSTNAME}"
+ mkdir -p ${SONAR_CLUSTER_PATH_LOGS}
+ chown -R sonarqube:sonarqube ${SONAR_CLUSTER_PATH_LOGS}
+ fi
+
+ #
+ # Deprecated environment variable mapping that will be removed in future versions.
+ # Please use environment variables from https://docs.sonarqube.org/latest/setup/environment-variables/
+ # instead of using these 4 environment variables below.
+ #
+ set_prop_from_deprecated_env_var "sonar.jdbc.username" "${SONARQUBE_JDBC_USERNAME:-}"
+ set_prop_from_deprecated_env_var "sonar.jdbc.password" "${SONARQUBE_JDBC_PASSWORD:-}"
+ set_prop_from_deprecated_env_var "sonar.jdbc.url" "${SONARQUBE_JDBC_URL:-}"
+ set_prop_from_deprecated_env_var "sonar.web.javaAdditionalOpts" "${SONARQUBE_WEB_JVM_OPTS:-}"
+ set_prop_from_deprecated_env_var "sonar.cluster.node.search.host" "${IP:-}"
+ set_prop_from_deprecated_env_var "sonar.cluster.node.es.host" "${IP:-}"
+ set_prop_from_deprecated_env_var "sonar.cluster.node.host" "${IP:-}"
+ set_prop_from_deprecated_env_var "sonar.path.logs" "${SONAR_CLUSTER_PATH_LOGS:-}"
+
+ if [ ${#sq_opts[@]} -ne 0 ]; then
+ set -- "$@" "${sq_opts[@]}"
+ fi
+fi
+
+exec "$@"
diff --git a/scripts/sonar.sh b/scripts/sonar.sh
new file mode 100755
index 0000000..0be3fe9
--- /dev/null
+++ b/scripts/sonar.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+exec java -jar lib/sonar-application-"${SONAR_VERSION}".jar -Dsonar.log.console=true "$@"
--
GitLab
From d45c23b5a13c2088d77b833aff7e8496c86225d7 Mon Sep 17 00:00:00 2001
From: Trabelsi Tobias
Date: Mon, 5 Jul 2021 08:06:27 +0200
Subject: [PATCH 2/2] 9.0 released
---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 5e715ef..cdf02af 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -37,7 +37,7 @@ labels:
 # List of resources to make available to the offline build context
 resources:
-- url: "docker://docker.io/library/sonarqube@sha256:9ef03851f47284153be39a12d9dc7efbc1739a51ab85032117963a6ef35d171b"
+- url: "docker://docker.io/library/sonarqube@sha256:61b7e90a5c0053e53c1be3aed654d1292ca83fc18deb94ad518213d539340906"
 tag: "sonarqube:9.0-datacenter-search"
 # List of project maintainers
--
GitLab