Install and Configure SonarQube on AWS
Install SonarQube on an AWS EC2 instance running Ubuntu 18.04 LTS
/!\ Does not work on AWS t2.micro instances, which are not powerful enough
Access: http://*.ca-central-1.compute.amazonaws.com/
Prerequisites & Java installation - Java 11 is needed for the latest SonarQube version
<source lang="shell">
sudo apt update
sudo apt upgrade -y
sudo apt-get install -y software-properties-common
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install unzip
</source>
PostgreSQL Installation
<source lang="shell">
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
sudo apt-get -y install postgresql postgresql-contrib

# Add a dedicated, unprivileged OS user for SonarQube
sudo adduser sonar

# PostgreSQL configuration for SonarQube
sudo passwd postgres
su - postgres
createuser sqube
psql
# inside psql (the password below is the page's example value; use your own secret)
ALTER USER sqube WITH ENCRYPTED password 'Alithya123!';
CREATE DATABASE sqube OWNER sqube;
\q
exit
</source>
SonarQube Installation
<source lang="shell">
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.2.0.32929.zip
sudo unzip sonarqube-8.2.0.32929.zip

# SonarQube server configuration: point it at the PostgreSQL database
sudo nano sonarqube-8.2.0.32929/conf/sonar.properties
# set the following keys in sonar.properties:
  sonar.jdbc.username=sqube
  sonar.jdbc.password=Alithya123!
  sonar.jdbc.url=jdbc:postgresql://localhost/sqube
  sonar.web.host=0.0.0.0
  sonar.ce.javaAdditionalOpts=-server

# SonarQube security: run as the sonar user with limited rights
sudo nano sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh
  RUN_AS_USER=sonar
sudo nano sonarqube-8.2.0.32929/elasticsearch/config/elasticsearch.yml
  node.name: ${hostname}
  network.host: 0.0.0.0
# note: network.host 0.0.0.0 makes the embedded Elasticsearch (port 9001) reachable
# from outside the host; the security-group rules below do not open that port
sudo visudo
  root ALL=(ALL:ALL) ALL
  sonar ALL=(ALL) NOPASSWD: ALL
# note: the sonar line grants full passwordless sudo; the only privileged step
# below is the sysctl call

# SonarQube files: move them under /opt
sudo mkdir /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar
sudo mv sonarqube-8.2.0.32929 /opt/sonar/
cd /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar

# Configure SonarQube: extend the allowed virtual memory (required by Elasticsearch)
su - sonar
sudo sysctl -w vm.max_map_count=262144

# Start SonarQube and check that it is listening on ports 9000 and 9001
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh start
sudo netstat -plnt

# If anything goes wrong, check the logs
cat /opt/sonar/sonarqube-8.2.0.32929/logs/sonar.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/es.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/web.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/access.log
</source>
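The visudo step above gives the sonar account `NOPASSWD: ALL` so that it can run a single sysctl command, which is wider than the "limited rights" the section aims for. The script below is an added example, not part of the original page: it shows the two narrower alternatives (persisting the kernel setting in a sysctl.d drop-in so the service account needs no sudo at all, or a sudo rule scoped to exactly that command) and a small audit that flags bare-`ALL` rules in a sudoers text, run here over a constructed sample. The drop-in path /etc/sysctl.d/99-sonarqube.conf and the sysctl location /sbin/sysctl are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# The page's visudo step grants "sonar ALL=(ALL) NOPASSWD: ALL" so that the
# service account can run one sysctl command. Two narrower options follow,
# plus an audit that flags bare-ALL rules in a sudoers text.
# Assumed names: /etc/sysctl.d/99-sonarqube.conf and /sbin/sysctl.

# sysctl_dropin: contents for /etc/sysctl.d/99-sonarqube.conf. Root applies
# it at boot, so the sonar account needs no sudo at all, and the setting
# survives a reboot (a one-off "sysctl -w" does not).
sysctl_dropin() {
  printf '%s\n' 'vm.max_map_count=262144'
}

# scoped_sudo_rule: if sudo is still wanted for the manual step, allow
# exactly the page's command and nothing else.
scoped_sudo_rule() {
  printf '%s\n' 'sonar ALL=(root) NOPASSWD: /sbin/sysctl -w vm.max_map_count=262144'
}

# audit_sudoers: read sudoers text on stdin and print every non-comment rule
# whose command list is a bare ALL (root's own rule is expected and skipped).
audit_sudoers() {
  grep -v '^[[:space:]]*#' \
    | grep -E '\)[[:space:]]*(NOPASSWD:|PASSWD:)?[[:space:]]*ALL[[:space:]]*$' \
    | grep -v '^[[:space:]]*root[[:space:]]'
}

# count_unrestricted TEXT: number of rules audit_sudoers flags in TEXT
count_unrestricted() {
  printf '%s\n' "$1" | audit_sudoers | grep -c .
}

# Constructed sample sudoers content (not copied from any real host)
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
sonar ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /bin/systemctl restart apache2
# sonar ALL=(root) NOPASSWD: /sbin/sysctl -w vm.max_map_count=262144'

echo "unrestricted rules in sample: $(count_unrestricted "$SAMPLE_SUDOERS")"
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
echo "suggested replacement rule: $(scoped_sudo_rule)"
```

On the sample the audit reports two rules (`%sudo` and `sonar`); the scoped replacement rule is not flagged. To apply the drop-in, write the output of `sysctl_dropin` to the assumed path as root and run `sysctl --system`.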
Minimal Apache Installation and Configuration
<source lang="shell">
# Apache installation and configuration
sudo apt-get install apache2 -y
sudo a2enmod proxy
sudo a2enmod proxy_http

# Create an Apache site for SonarQube
sudo nano /etc/apache2/sites-available/sonar.conf
# contents of sonar.conf:
  <VirtualHost *:80>
      ServerName sub.domain.com
      ServerAdmin admin@example.com
      ProxyPreserveHost On
      ProxyPass / http://127.0.0.1:9000/
      ProxyPassReverse / http://127.0.0.1:9000/
      TransferLog /var/log/apache2/sonarm_access.log
      ErrorLog /var/log/apache2/sonar_error.log
  </VirtualHost>

# Enable the newly created site and restart Apache
sudo a2ensite sonar
sudo systemctl restart apache2
</source>
Add SSL
Create a certificate
Install Certbot
<source lang="shell">
cd
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
</source>
Create the VirtualHosts for the Certbot validation
<source lang="shell">
sudo vim /etc/apache2/sites-available/sonar.conf
</source>
Add:
<source lang="shell">
<VirtualHost *:80>
    ServerName letsencrypt.org
    ServerAlias acme-v02.api.letsencrypt.org
    ServerAdmin contact@letsencrypt.org
    DocumentRoot /var/www/cerbot/
</VirtualHost>
<VirtualHost *:80>
    ServerName sub.domain.com
    ServerAlias sub.domain.com
    ServerAdmin contact@alithya.com
    DocumentRoot /var/www/cerbot/
</VirtualHost>
</source>
Restart Apache
<source lang="shell">
# Restart Apache
sudo service apache2 restart
</source>
Create the certificate with Certbot
<source lang="shell">
cd /usr/local/bin/
sudo mkdir /var/www/cerbot/
sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly --webroot -w /var/www/cerbot/ -d sub.domain.com -d sub.domain.com
# All files are generated here:
#   /etc/letsencrypt/live/sub.domain.com/
</source>
Configure Apache to use SSL
<source lang="shell">
# Copy the files (the destination directory must exist first)
mkdir -p ~/ssl/sonar.bullhubs.com
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/cert.pem ~/ssl/sonar.bullhubs.com/cert.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/chain.pem ~/ssl/sonar.bullhubs.com/chain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/fullchain.pem ~/ssl/sonar.bullhubs.com/fullchain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/privkey.pem ~/ssl/sonar.bullhubs.com/privkey.pem
# /!\ Check that the files were fully copied, especially the private key: open it
sudo a2enmod headers   # for the RequestHeader directives
sudo a2enmod ssl       # for SSLEngine
</source>
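The step above asks you to open the copied private key to make sure the copy is complete. The script below is an added example, not part of the original page, that does this check mechanically: it compares each of the four copied files with its source, verifies that each copy still has its PEM BEGIN/END framing (a cut-off copy loses the END line), warns when the key is readable by other users, and, for the real files, can confirm that the key belongs to the certificate. It assumes POSIX sh with cmp, head, tail and stat; the `key_matches_cert` helper needs openssl and is meant for the real files, not for the constructed sample the script builds to demonstrate itself.

```shell
#!/bin/sh
# Added example, not from the original page: checks for the "are the files
# fully copied?" step. Assumes POSIX sh, cmp, head, tail and stat;
# key_matches_cert needs openssl and is for the real files only.

# pem_is_complete FILE: 0 if FILE starts with a BEGIN line and ends with the
# matching END line (a cut-off copy is missing the END line), else 1
pem_is_complete() {
  [ -s "$1" ] || return 1
  first=$(head -n 1 "$1")
  last=$(tail -n 1 "$1")
  case "$first" in
    "-----BEGIN "*"-----") ;;
    *) return 1 ;;
  esac
  label=${first#"-----BEGIN "}
  label=${label%"-----"}
  [ "$last" = "-----END ${label}-----" ]
}

# verify_ssl_copy SRC_DIR DST_DIR: check the four files the page copies.
# Prints the failing ones; the return value is the number of failures.
verify_ssl_copy() {
  bad=0
  for name in cert.pem chain.pem fullchain.pem privkey.pem; do
    if ! cmp -s "$1/$name" "$2/$name" || ! pem_is_complete "$2/$name"; then
      echo "FAIL: $2/$name differs from $1/$name or is truncated"
      bad=$((bad + 1))
    fi
  done
  # the key must not be group- or world-readable (mode should end in 00)
  if [ -f "$2/privkey.pem" ]; then
    mode=$(stat -c '%a' "$2/privkey.pem" 2>/dev/null || stat -f '%Lp' "$2/privkey.pem" 2>/dev/null)
    case "$mode" in
      *00|'') ;;
      *) echo "WARN: $2/privkey.pem has mode $mode; use chmod 600" ;;
    esac
  fi
  return $bad
}

# key_matches_cert KEY CERT: 0 when the private key belongs to the certificate
# (compares the public keys, so it works for RSA and EC keys alike)
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# write_pem FILE LABEL: constructed PEM-shaped sample (not real key material)
write_pem() {
  printf '%s\n' "-----BEGIN $2-----" 'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==' "-----END $2-----" > "$1"
}

# run_sample truncate|intact: build a sample live/ directory, copy it the way
# the page does, optionally cut the key copy short, and run verify_ssl_copy.
run_sample() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/live" "$tmp/ssl"
  write_pem "$tmp/live/cert.pem" CERTIFICATE
  write_pem "$tmp/live/chain.pem" CERTIFICATE
  cat "$tmp/live/cert.pem" "$tmp/live/chain.pem" > "$tmp/live/fullchain.pem"
  write_pem "$tmp/live/privkey.pem" 'PRIVATE KEY'
  cp "$tmp/live/"*.pem "$tmp/ssl/"
  if [ "$1" = truncate ]; then
    head -n 2 "$tmp/live/privkey.pem" > "$tmp/ssl/privkey.pem"
  fi
  if verify_ssl_copy "$tmp/live" "$tmp/ssl"; then rc=0; else rc=$?; fi
  rm -rf "$tmp"
  return $rc
}

run_sample intact   && echo "intact copy: OK"
run_sample truncate || echo "truncated key detected ($? failing file)"
```

On the real host, run `verify_ssl_copy /etc/letsencrypt/live/sonar.bullhubs.com ~/ssl/sonar.bullhubs.com` as a user that can read both directories, then `key_matches_cert ~/ssl/sonar.bullhubs.com/privkey.pem ~/ssl/sonar.bullhubs.com/cert.pem`.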
Add the virtual host for port 443
<source lang="shell">
<VirtualHost *:443>
    ServerName sonar.bullhubs.com
    ServerAdmin contact@alithya.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine On
    SSLProxyEngine On
    # cert.pem holds only the leaf certificate; fullchain.pem (copied above) also
    # carries the intermediate, which clients need to build the chain
    SSLCertificateFile "/home/ubuntu/ssl/sub.domain.com/cert.pem"
    SSLCertificateKeyFile "/home/ubuntu/ssl/sub.domain.com/privkey.pem"

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/

    RequestHeader set X_FORWARDED_PROTO "https"
    RequestHeader set X-Forwarded-Port "443"
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1

    TransferLog /var/log/apache2/sonarm_access.log
    ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>
</source>
Restart Apache and the SonarQube server
<source lang="shell">
# Restart the servers
sudo service apache2 restart
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh restart
</source>
Useful Logs
<source lang="shell">
# Useful logs
journalctl | tail
systemctl status apache2.service
journalctl -xe
tail -f /var/log/apache2/sonarm_access.log

# Let's Encrypt logs are under:
#   /var/log/letsencrypt
</source>
AWS Configuration of the EC2 Instance
Inbound Rules
SSH: 22
HTTP: 80
HTTPS: 443
Sonar-Scanner access: 9000
Roles
Add or modify a role so that CodeBuild is allowed to read the Secrets Manager values on the right resources:
<source lang="json">
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:stage/sonar-IfKMVF",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:dev/sonar-bAEKiI",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:prod/sonar-cIyZAC"
            ]
        },
        ........
</source>
Optional - Install Sonar Scanner on the Linux EC2 instances
If you want to be able to launch Sonar-Scanner runs manually from the Elastic Beanstalk environment, it is possible.
Alithya's Bullhubs API has it installed on its environments: Dev, Stage, Prod1, Prod2
<source lang="shell">
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
unzip sonar-scanner-cli-4.2.0.1873-linux.zip
sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner-4.2.0.1873-linux
rm sonar-scanner-cli-4.2.0.1873-linux.zip
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
# make it permanent: add the same export line to .bashrc
sudo nano .bashrc
  export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
sonar-scanner -h
# for reference, the scanner's own configuration file:
#   sudo nano /opt/sonar-scanner-4.2.0.1873-linux/conf/sonar-scanner.properties
</source>
Optional - Install Sonar-Scanner for Windows
Download the zip from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
Extract it into Program Files
Add the path to the bin directory to the environment variables: C:\Program Files\Sonar\sonar-scanner-4.2.0.1873-windows\bin
Open a new command prompt:
<source lang="shell">
sonar-scanner -h
</source>
Configure a Java Project to run the SonarQube analysis through the AWS pipeline
buildspec.yml file
Edit the buildspec.yml file and add the following lines:
The variables to customize are
Before publishing, validate the YML file here: http://www.yamllint.com/
<source lang="yaml">
env:
  secrets-manager:
    # <SecretName>:<SecretKey> are placeholders: the Secrets Manager secret id and the JSON key inside it
    SonarLogin: <SecretName>:<SecretKey>
    SonarHostUrl: <SecretName>:<SecretKey>
    SonarProjectKey: <SecretName>:<SecretKey>
phases:
  pre_build:
    commands:
      - wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
      - unzip ./sonar-scanner-cli-4.2.0.1873-linux.zip
      # the zip unpacks to sonar-scanner-4.2.0.1873-linux in the build directory (see the EC2 install step)
      - export PATH=$PATH:$PWD/sonar-scanner-4.2.0.1873-linux/bin/
  build:
    commands:
      - mvn sonar:sonar -Dsonar.login=$SonarLogin -Dsonar.host.url=$SonarHostUrl -Dsonar.projectKey=$SonarProjectKey
      # the server processes the analysis in the background; the gate status may lag behind
      - sleep 5
      # <Ec2> is a placeholder for the instance's public DNS name
      - curl "http://<Ec2>.ca-central-1.compute.amazonaws.com/api/qualitygates/project_status?projectKey=$SonarProjectKey" > result.json
      - cat result.json
      # fail the build step when the quality gate is in ERROR
      - if [ "$(jq -r '.projectStatus.status' result.json)" = ERROR ]; then exit 1; fi
</source>
Git
Add to .gitignore:
<source lang="shell">
.scannerwork/**
</source>
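The build phase of the buildspec above sleeps five seconds and then reads the quality gate. The Maven scanner only submits the analysis; the server processes it as a background task, so the gate read after a fixed delay can still reflect the previous analysis. The script below is an added example, not part of the original page, that replaces those lines: it waits for the task listed in `target/sonar/report-task.txt` (the file the Maven scanner writes), then reads `api/qualitygates/project_status` and returns 1 on `ERROR` so the CodeBuild step fails. It assumes `SONAR_HOST_URL` and a token in `SONAR_TOKEN` (the page's `$SonarHostUrl` and `$SonarLogin`) and curl on the build image; jq is not needed. The JSON samples at the bottom are constructed to have the shape of the SonarQube 8.x replies.

```shell
#!/bin/sh
# Added example, not from the original page: waits for the analysis task and
# then applies the quality gate, instead of "sleep 5 / curl / jq".
# Assumptions: SONAR_HOST_URL and SONAR_TOKEN in the environment, curl
# available, report-task.txt at target/sonar/report-task.txt (override with
# REPORT_TASK). jq is not required.

# first_string_field JSON KEY: value of the first "KEY":"value" pair in JSON.
# Not a general JSON parser; enough for the flat fields used here.
first_string_field() {
  printf '%s' "$1" \
    | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\(.*\)"$/\1/'
}

# gate_status JSON: OK, ERROR or NONE from api/qualitygates/project_status.
# projectStatus.status comes before the per-condition statuses in the reply.
gate_status() { first_string_field "$1" status; }

# task_status JSON: PENDING, IN_PROGRESS, SUCCESS, FAILED or CANCELED from api/ce/task
task_status() { first_string_field "$1" status; }

# gate_verdict STATUS: exit code for the build step (0 pass, 1 fail, 2 unknown)
gate_verdict() {
  case "$1" in
    OK) return 0 ;;
    ERROR) return 1 ;;
    *) return 2 ;;
  esac
}

# report_task_value KEY: read KEY=value from the scanner's report-task.txt
report_task_value() {
  sed -n "s/^$1=//p" "${REPORT_TASK:-target/sonar/report-task.txt}"
}

# wait_for_task TASK_URL: poll api/ce/task until the analysis finishes
wait_for_task() {
  tries=0
  while [ "$tries" -lt "${SONAR_WAIT_TRIES:-60}" ]; do
    st=$(task_status "$(curl -sS -u "$SONAR_TOKEN:" "$1")")
    case "$st" in
      SUCCESS) return 0 ;;
      FAILED|CANCELED) echo "analysis task ended with $st" >&2; return 1 ;;
    esac
    tries=$((tries + 1))
    sleep 5
  done
  echo "timed out waiting for the analysis task" >&2
  return 1
}

# check_quality_gate: the full flow, to run right after "mvn sonar:sonar"
check_quality_gate() {
  wait_for_task "$(report_task_value ceTaskUrl)" || return 2
  key=$(report_task_value projectKey)
  body=$(curl -sS -u "$SONAR_TOKEN:" "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$key")
  st=$(gate_status "$body")
  echo "quality gate for $key: ${st:-unknown}"
  gate_verdict "$st"
}

# Constructed sample replies (shape of the SonarQube 8.x JSON, values invented)
SAMPLE_GATE_ERROR='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"42.0"},{"status":"OK","metricKey":"new_bugs","comparator":"GT","errorThreshold":"0","actualValue":"0"}],"ignoredConditions":false}}'
SAMPLE_TASK_RUNNING='{"task":{"id":"AXconstructed0000000","type":"REPORT","componentKey":"demo","status":"IN_PROGRESS","submittedAt":"2020-04-01T10:00:00+0000"}}'

# Only touch the network when asked to, so the helpers can be sourced or tested offline
if [ "${1-}" = "--run" ]; then
  check_quality_gate
else
  echo "sample gate status: $(gate_status "$SAMPLE_GATE_ERROR")"
  echo "sample task status: $(task_status "$SAMPLE_TASK_RUNNING")"
fi
```

In the buildspec, commit the script next to the project and replace the `sleep`, `curl`, `cat` and `if` lines of the build phase with `sh quality-gate.sh --run` (file name assumed); CodeBuild marks the step failed on any non-zero exit, so `ERROR` and an unfinished or failed analysis task both stop the pipeline.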
sonar-project.properties
For more configuration, create a sonar-project.properties file at the root of the project. Here is an example configuration:
<source lang="properties">
# SOURCES
sonar.java.source=8
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8

# EXCLUSIONS
# (exclusion of Lombok-generated code comes from the lombok.config file)
sonar.coverage.exclusions=**/*Exception.java,**/BullhubsApplication.java

# TESTS
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
sonar.junit.reportsPath=target/surefire-reports/TEST-*.xml
sonar.tests=src/test/java
</source>
Sonar-Scanner
Different ways to run Sonar-Scanner manually:
Maven: mvn sonar:sonar
Windows/Linux: sonar-scanner
Gradle
…
More information here: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/