Install and Configure SonarQube on AWS

From My Limbic Wiki

Install SonarQube on an AWS EC2 instance running Ubuntu 18.04 LTS

/!\ Does not work on AWS t2.micro instances, which are not powerful enough

Access: http://*.ca-central-1.compute.amazonaws.com/

Prerequisites & Java installation - Java 11 is needed for the latest SonarQube version

sudo apt update
sudo apt upgrade -y
sudo apt-get install -y software-properties-common
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install unzip

PostgreSQL Installation

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
sudo apt-get -y install postgresql postgresql-contrib

# Add secured User to the OS
sudo adduser sonar 

# PostgreSQL Configuration for SonarQube
sudo passwd postgres
su - postgres
createuser sqube
psql
ALTER USER sqube WITH ENCRYPTED password 'Alithya123!';
CREATE DATABASE sqube OWNER sqube;
\q
exit

SonarQube Installation

sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.2.0.32929.zip
sudo unzip sonarqube-8.2.0.32929.zip

# SonarQube Server Configuration to use the PostgreSQL Database
sudo nano sonarqube-8.2.0.32929/conf/sonar.properties
	sonar.jdbc.username=sqube
	sonar.jdbc.password=Alithya123!
	sonar.jdbc.url=jdbc:postgresql://localhost/sqube
	sonar.web.host=0.0.0.0
	sonar.ce.javaAdditionalOpts=-server
	
# SonarQube Security, run as the sonar user with limited rights
sudo nano sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh
	RUN_AS_USER=sonar
sudo nano sonarqube-8.2.0.32929/elasticsearch/config/elasticsearch.yml
	node.name: ${hostname}
	network.host: 0.0.0.0
sudo visudo
	root ALL=(ALL:ALL) ALL
	sonar ALL=(ALL) NOPASSWD: ALL
# /!\ The "NOPASSWD: ALL" entry gives the service account full passwordless sudo, which defeats the "limited rights" goal.
# Once the setup is finished, remove it or restrict it to the commands the account actually needs (e.g. the sysctl call further down).

# SonarQube files, move them to /opt
sudo mkdir /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar
sudo mv sonarqube-8.2.0.32929 /opt/sonar/	
cd /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar

# Configure SonarQube - extend allowed virtual memory
su - sonar
sudo sysctl -w vm.max_map_count=262144

# Start SonarQube and check if it is running as expected using ports 9000 and 9001.
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh start
sudo netstat -plnt
# If any error, Check the logs
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/sonar.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/es.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/web.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/access.log

Apache minimal Installation and Configuration

# Apache installation and configuration
sudo apt-get install apache2 -y
sudo a2enmod proxy
sudo a2enmod proxy_http

# Apache creation of a website for SonarQube
sudo nano /etc/apache2/sites-available/sonar.conf
<VirtualHost *:80>
	ServerName sub.domain.com
	ServerAdmin admin@example.com
	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1:9000/
	ProxyPassReverse / http://127.0.0.1:9000/
	TransferLog /var/log/apache2/sonarm_access.log
	ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>

# Enable the newly created site and restart Apache
sudo a2ensite sonar
sudo systemctl restart apache2

Add SSL

Create a certificate

Install Certbot

cd
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help

Create the VirtualHosts for the Certbot validation

sudo vim /etc/apache2/sites-available/sonar.conf

Add:

<VirtualHost *:80>
        ServerName letsencrypt.org
        ServerAlias acme-v02.api.letsencrypt.org
        ServerAdmin contact@letsencrypt.org
        DocumentRoot /var/www/cerbot/
</VirtualHost>
<VirtualHost *:80>
        ServerName sub.domain.com
        ServerAlias sub.domain.com
        ServerAdmin contact@alithya.com
        DocumentRoot /var/www/cerbot/
</VirtualHost>

Restart Apache

#Restart apache
sudo service apache2 restart

Create the certificate with Certbot

cd /usr/local/bin/
sudo mkdir /var/www/cerbot/
sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly --webroot -w /var/www/cerbot/ -d sub.domain.com -d sub.domain.com
#All files are generated here
#/etc/letsencrypt/live/sub.domain.com/

Configure Apache to use SSL

#copy files (the target directory must exist before copying)
mkdir -p ~/ssl/sonar.bullhubs.com
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/cert.pem ~/ssl/sonar.bullhubs.com/cert.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/chain.pem ~/ssl/sonar.bullhubs.com/chain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/fullchain.pem ~/ssl/sonar.bullhubs.com/fullchain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/privkey.pem ~/ssl/sonar.bullhubs.com/privkey.pem
# /!\ Check that the files were copied completely, especially the private key: open them and verify the content.
# Keep privkey.pem readable by root only (sudo chmod 600); Apache reads it as root at startup.

sudo a2enmod headers #For SSL Headers
sudo a2enmod ssl #For SSLEngine

Add the virtual host for port 443

<VirtualHost *:80>
        ServerName sub.domain.com
        Redirect permanent / https://sub.domain.com/
</VirtualHost>
<VirtualHost *:443>
        ServerName sonar.bullhubs.com
        ServerAdmin contact@alithya.com
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        SSLEngine On
        SSLProxyEngine On
        # On Apache 2.4.8+ point SSLCertificateFile at fullchain.pem (or add "SSLCertificateChainFile chain.pem" on older
        # versions) so that clients also receive the Let's Encrypt intermediate certificate.
        SSLCertificateFile "/home/ubuntu/ssl/sub.domain.com/cert.pem"
        SSLCertificateKeyFile "/home/ubuntu/ssl/sub.domain.com/privkey.pem"

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:9000/
        ProxyPassReverse / http://127.0.0.1:9000/

        RequestHeader set X_FORWARDED_PROTO "https"
        RequestHeader set X-Forwarded-Port "443"
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1

        TransferLog /var/log/apache2/sonarm_access.log
        ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>

Restart Apache and the SonarQube server

#Restart servers
sudo service apache2 restart
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh restart

Useful Logs

#Useful logs
journalctl | tail
systemctl status apache2.service
journalctl -xe
tail -f /var/log/apache2/sonarm_access.log
#Let's Encrypt logs
/var/log/letsencrypt

AWS configuration of the EC2 instance

Inbound Rules

SSH: 22

HTTP: 80

HTTPS: 443

Sonar-Scanner access: 9000

Roles

Add / modify a role to allow CodeBuild to read the Secrets Manager values on the right resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:stage/sonar-IfKMVF",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:dev/sonar-bAEKiI",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:prod/sonar-cIyZAC"
            ]
        },
        ........

Optional - Install Sonar Scanner on the Linux EC2 instances

If you want to be able to run Sonar-Scanner manually from the Elastic Beanstalk environment, this is possible.

The Alithya Bullhubs API has it installed on its environments: Dev, Stage, Prod1, Prod2

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
unzip sonar-scanner-cli-4.2.0.1873-linux.zip
sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner-4.2.0.1873-linux
rm sonar-scanner-cli-4.2.0.1873-linux.zip
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
sudo nano .bashrc
	export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
sonar-scanner -h
# for reference: sudo nano /opt/sonar-scanner-4.2.0.1873-linux/conf/sonar-scanner.properties

Optional - Install Sonar-Scanner for Windows

Download the zip from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

Extract it into Program Files

Add the path to bin to the environment variables: C:\Program Files\Sonar\sonar-scanner-4.2.0.1873-windows\bin

Open a new command window:

sonar-scanner -h

Configure a Java project to integrate the SonarQube execution via the AWS pipeline

buildspec.yml file

Edit the buildspec.yml file and add the following lines:

The variables to customize are

Before publishing, validate the YML file here: http://www.yamllint.com/

env:
  secrets-manager:
    SonarLogin: {{secretName}}:{{secretKey}}
    SonarHostUrl: {{secretName}}:{{secretKey}}
    SonarProjectKey: {{secretName}}:{{secretKey}}
phases:
  pre_build:
    commands:
      - wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
      - unzip ./sonar-scanner-cli-4.2.0.1873-linux.zip
      # the archive extracts to sonar-scanner-4.2.0.1873-linux (no "cli") inside the working directory
      - export PATH=$PATH:$PWD/sonar-scanner-4.2.0.1873-linux/bin
  build:
    commands:
      - mvn sonar:sonar -Dsonar.login=$SonarLogin -Dsonar.host.url=$SonarHostUrl -Dsonar.projectKey=$SonarProjectKey
      # the analysis is processed asynchronously on the server: after a fixed sleep the gate may still reflect the
      # previous analysis. For a reliable check, poll api/ce/task with the id from target/sonar/report-task.txt first.
      - sleep 5
      - curl "http://{{ec2}}.ca-central-1.compute.amazonaws.com/api/qualitygates/project_status?projectKey=$SonarProjectKey" > result.json
      - cat result.json
      # a non-zero exit code from a command fails the CodeBuild phase, which is what makes the build fail on a red gate
      - if [ "$(jq -r '.projectStatus.status' result.json)" = "ERROR" ]; then echo "Quality gate failed"; exit 1; fi
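Added example (not from the original page) that replaces the fixed "sleep 5" with the scanner's own handshake: read the target/sonar/report-task.txt that mvn sonar:sonar writes, poll the compute-engine task until it finishes, then query the quality gate for exactly that analysis. It assumes it runs from the project root after the scan, and reads the token from a SONAR_TOKEN variable (hypothetical name, the page's SonarLogin value); run it as a build command such as python3 check_gate.py.

```python
import base64
import json
import os
import sys
import time
import urllib.request

def parse_report_task(text):
    """Parse the key=value lines of report-task.txt (projectKey, serverUrl, ceTaskUrl, ...)."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def task_state(task_json):
    """From an api/ce/task response: (finished?, analysisId or None)."""
    task = json.loads(task_json)["task"]
    return task["status"] in ("SUCCESS", "FAILED", "CANCELED"), task.get("analysisId")

def gate_status(project_status_json):
    """Gate status (OK, WARN, ERROR or NONE) from api/qualitygates/project_status."""
    return json.loads(project_status_json)["projectStatus"]["status"]

def fetch(url, token):
    req = urllib.request.Request(url)
    if token:  # a SonarQube token is sent as the basic-auth user with an empty password
        req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def check_gate(report_path, token, attempts=60):
    """Poll the CE task the scanner submitted (up to attempts * 5 s), then return the gate status."""
    props = parse_report_task(open(report_path).read())
    for _ in range(attempts):  # the CE queue is asynchronous; a single 'sleep 5' is not reliable
        done, analysis_id = task_state(fetch(props["ceTaskUrl"], token))
        if done:
            break
        time.sleep(5)
    else:
        sys.exit("Timed out waiting for the SonarQube compute engine task")
    if not analysis_id:
        sys.exit("Analysis task did not succeed; inspect it via api/ce/task")
    return gate_status(fetch(f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={analysis_id}", token))

if __name__ == "__main__":
    status = check_gate("target/sonar/report-task.txt", os.environ.get("SONAR_TOKEN", ""))
    print("Quality gate:", status)
    sys.exit(1 if status == "ERROR" else 0)  # a non-zero exit fails the CodeBuild phase
```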

Git

Add to the .gitignore:

.scannerwork/**

sonar-project.properties

For more configuration, create a sonar-project.properties file at the root of the project. Here is an example configuration:

# SOURCES
sonar.java.source=8
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8
# EXCLUSIONS
# (exclusion of Lombok-generated stuff comes from the `lombok.config` file)
sonar.coverage.exclusions=**/*Exception.java , **/BullhubsApplication.java
# TESTS
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
sonar.junit.reportsPath=target/surefire-reports/TEST-*.xml
sonar.tests=src/test/java

Sonar-Scanner

Different ways of running Sonar-Scanner manually:

Maven: mvn sonar:sonar

Windows/linux: sonar-scanner

Gradle

More information here: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/