Install and Configure SonarQube on AWS

From My Limbic Wiki

Install SonarQube on an AWS EC2 instance running Ubuntu 18.04 LTS

/!\ Does not work on AWS t2.micro instances, which are not powerful enough

Access: http://*.ca-central-1.compute.amazonaws.com/

Prerequisites & Java installation: Java 11 is required for the latest SonarQube version

<source lang="shell">
sudo apt update
sudo apt upgrade -y
sudo apt-get install -y software-properties-common
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install unzip
</source>

PostgreSQL Installation

<source lang="shell">
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
sudo apt-get -y install postgresql postgresql-contrib

# Add a dedicated (secured) user to the OS
sudo adduser sonar

# PostgreSQL configuration for SonarQube
sudo passwd postgres
su - postgres
createuser sqube
psql
ALTER USER sqube WITH ENCRYPTED password 'Alithya123!';
CREATE DATABASE sqube OWNER sqube;
\q
exit
</source>

SonarQube Installation

<source lang="shell">
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.2.0.32929.zip
sudo unzip sonarqube-8.2.0.32929.zip

# SonarQube server configuration to use the PostgreSQL database
sudo nano sonarqube-8.2.0.32929/conf/sonar.properties
sonar.jdbc.username=sqube
sonar.jdbc.password=Alithya123!
sonar.jdbc.url=jdbc:postgresql://localhost/sqube
sonar.web.host=0.0.0.0
sonar.ce.javaAdditionalOpts=-server

# SonarQube security: run as the sonar user with limited rights
sudo nano sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh
RUN_AS_USER=sonar
sudo nano sonarqube-8.2.0.32929/elasticsearch/config/elasticsearch.yml
node.name:${hostname}
network.host: 0.0.0.0
sudo visudo
# below the existing "root ALL=(ALL:ALL) ALL" line:
sonar ALL=(ALL) NOPASSWD: ALL
# NOTE: this grants sonar full passwordless root; the only privileged command it needs in this
# guide is the sysctl below, so "sonar ALL=(ALL) NOPASSWD: /sbin/sysctl" is the least-privilege form

# SonarQube files: move to the /opt folder
sudo mkdir /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar
sudo mv sonarqube-8.2.0.32929 /opt/sonar/
cd /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar

# Configure SonarQube: extend the allowed virtual memory (needed by Elasticsearch)
su - sonar
sudo sysctl -w vm.max_map_count=262144

# Start SonarQube and check that it is listening as expected on ports 9000 and 9001
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh start
sudo netstat -plnt

# If anything goes wrong, check the logs
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/sonar.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/es.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/web.log
# cat /opt/sonar/sonarqube-8.2.0.32929/logs/access.log
</source>

Apache minimal Installation and Configuration

<source lang="shell">
# Apache installation and configuration
sudo apt-get install apache2 -y
sudo a2enmod proxy
sudo a2enmod proxy_http

# Create an Apache site for SonarQube
sudo nano /etc/apache2/sites-available/sonar.conf
<VirtualHost *:80>
    ServerName sub.domain.com
    ServerAdmin admin@example.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
    TransferLog /var/log/apache2/sonarm_access.log
    ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>

# Enable the newly created site and restart Apache
sudo a2ensite sonar
sudo systemctl restart apache2
</source>

Add SSL

Create a certificate

Install Certbot

<source lang="shell">
cd
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
</source>

Create the VirtualHosts for Certbot validation

<source lang="shell">
sudo vim /etc/apache2/sites-available/sonar.conf
</source>

Add:

<source lang="shell">
<VirtualHost *:80>
    ServerName letsencrypt.org
    ServerAlias acme-v02.api.letsencrypt.org
    ServerAdmin contact@letsencrypt.org
    DocumentRoot /var/www/cerbot/
</VirtualHost>
<VirtualHost *:80>
    ServerName sub.domain.com
    ServerAlias sub.domain.com
    ServerAdmin contact@alithya.com
    DocumentRoot /var/www/cerbot/
</VirtualHost>
</source>

Restart Apache

<source lang="shell">
# Restart Apache
sudo service apache2 restart
</source>

Create the certificate with Certbot

<source lang="shell">
cd /usr/local/bin/
sudo mkdir /var/www/cerbot/
sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly --webroot -w /var/www/cerbot/ -d sub.domain.com -d sub.domain.com

# All files are generated here:
# /etc/letsencrypt/live/sub.domain.com/
</source>

Configure Apache to use SSL

<source lang="shell">
# Copy the files (the destination directory must exist first)
mkdir -p ~/ssl/sonar.bullhubs.com
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/cert.pem ~/ssl/sonar.bullhubs.com/cert.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/chain.pem ~/ssl/sonar.bullhubs.com/chain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/fullchain.pem ~/ssl/sonar.bullhubs.com/fullchain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/privkey.pem ~/ssl/sonar.bullhubs.com/privkey.pem

# /!\ Check that the files were fully copied, especially the private key: open it
sudo a2enmod headers   # for the SSL request headers
sudo a2enmod ssl       # for SSLEngine
</source>

Add the virtual host for port 443

<source lang="shell">
<VirtualHost *:80>
    ServerName sub.domain.com
    Redirect permanent / https://sub.domain.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName sonar.bullhubs.com
    ServerAdmin contact@alithya.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile "/home/ubuntu/ssl/sub.domain.com/cert.pem"
    SSLCertificateKeyFile "/home/ubuntu/ssl/sub.domain.com/privkey.pem"
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
    RequestHeader set X_FORWARDED_PROTO "https"
    RequestHeader set X-Forwarded-Port "443"
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    TransferLog /var/log/apache2/sonarm_access.log
    ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>
</source>

Restart Apache and the SonarQube server

<source lang="shell">
# Restart both servers
sudo service apache2 restart
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh restart
</source>

Useful Logs

<source lang="shell">
# Useful logs
journalctl | tail
systemctl status apache2.service
journalctl -xe
tail -f /var/log/apache2/sonarm_access.log

# Let's Encrypt logs
ls /var/log/letsencrypt
</source>

AWS configuration of the EC2 instance

Inbound Rules

SSH: 22

HTTP: 80

HTTPS: 443

Sonar-Scanner access: 9000

Roles

Add or modify a role to allow CodeBuild to read Secrets Manager values on the right resources:

<source lang="json">
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:stage/sonar-IfKMVF",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:dev/sonar-bAEKiI",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:prod/sonar-cIyZAC"
            ]
        },
        ........
</source>

Optional - Install Sonar Scanner on Linux EC2 instances

If you want to be able to run Sonar-Scanner manually from the Elastic Beanstalk environment, this is possible.

Alithya's Bullhubs API has it installed on its environments: Dev, Stage, Prod1, Prod2

<source lang="shell">
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
unzip sonar-scanner-cli-4.2.0.1873-linux.zip
sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner-4.2.0.1873-linux
rm sonar-scanner-cli-4.2.0.1873-linux.zip
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
# make it permanent: add the same export line to ~/.bashrc
sudo nano .bashrc
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
sonar-scanner -h

# for reference: sudo nano /opt/sonar-scanner-4.2.0.1873-linux/conf/sonar-scanner.properties
</source>

Optional - Install Sonar-Scanner for Windows

Download the zip from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

Extract it into Program Files

Add the path to the bin folder to the environment variables: C:\Program Files\Sonar\sonar-scanner-4.2.0.1873-windows\bin

Open a new command window:

<source lang="shell">
sonar-scanner -h
</source>

Configure a Java project to run SonarQube from the AWS pipeline

buildspec.yml file

Edit the buildspec.yml file and add the following lines:

The variables to customize are

Before publishing, validate the YML file here: http://www.yamllint.com/

<source lang="yaml">
env:
  secrets-manager:
    # <SecretName>:<SecretKey> are placeholders: the Secrets Manager secret id and the JSON key inside it
    SonarLogin: <SecretName>:<SecretKey>
    SonarHostUrl: <SecretName>:<SecretKey>
    SonarProjectKey: <SecretName>:<SecretKey>

phases:
  pre_build:
    commands:
      - wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
      - unzip ./sonar-scanner-cli-4.2.0.1873-linux.zip
      # the zip extracts to sonar-scanner-4.2.0.1873-linux in the build directory
      - export PATH=$PATH:$(pwd)/sonar-scanner-4.2.0.1873-linux/bin
  build:
    commands:
      - mvn sonar:sonar -Dsonar.login=$SonarLogin -Dsonar.host.url=$SonarHostUrl -Dsonar.projectKey=$SonarProjectKey
      # the server processes the analysis report asynchronously; 5 s is not guaranteed to be enough
      - sleep 5
      - curl -s "http://<Ec2>.ca-central-1.compute.amazonaws.com/api/qualitygates/project_status?projectKey=$SonarProjectKey" > result.json
      - cat result.json
      # fail the build when the quality gate is in ERROR
      - if [ "$(jq -r '.projectStatus.status' result.json)" = "ERROR" ]; then exit 1; fi
</source>
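The `sleep 5` followed by `curl` above races the server, which processes the analysis report in the background. As an added example that is not part of the original page, the following Python script reads the report-task.txt the scanner writes, polls the compute-engine task until it finishes, then evaluates the quality gate of that exact analysis and exits non-zero when it is ERROR. The SONAR_TOKEN environment variable and the default report path are assumptions of this example.

```python
"""Added example (not from the original wiki page): fail the build on a red quality gate.
Assumes report-task.txt exists (target/sonar/ for mvn sonar:sonar, .scannerwork/ for
sonar-scanner) and that SONAR_TOKEN holds the same token used for sonar.login."""
import base64, json, os, sys, time, urllib.request

def parse_report_task(text):
    """Parse the key=value lines of report-task.txt (serverUrl, ceTaskUrl, ...)."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def gate_failed(project_status_json):
    """Return (failed, failing_metric_keys) from /api/qualitygates/project_status JSON."""
    status = json.loads(project_status_json)["projectStatus"]
    failing = [c["metricKey"] for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status["status"] == "ERROR", failing

def http_get(url, token):
    """GET with the token as HTTP Basic user name and an empty password (SonarQube convention)."""
    auth = base64.b64encode((token + ":").encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def check_quality_gate(report_text, token, fetch=http_get, timeout=300, sleep=time.sleep):
    """Poll the compute-engine task until it ends, then evaluate the gate of that exact analysis."""
    task = parse_report_task(report_text)
    deadline = time.monotonic() + timeout
    while True:
        ce = json.loads(fetch(task["ceTaskUrl"], token))["task"]
        if ce["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            break
        if time.monotonic() > deadline:
            raise TimeoutError("analysis not processed within %ss" % timeout)
        sleep(5)  # PENDING / IN_PROGRESS: the report is still being processed
    if ce["status"] != "SUCCESS":
        return True, ["ceTask:" + ce["status"]]
    url = "%s/api/qualitygates/project_status?analysisId=%s" % (task["serverUrl"], ce["analysisId"])
    return gate_failed(fetch(url, token))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "target/sonar/report-task.txt"
    with open(path) as f:
        failed, why = check_quality_gate(f.read(), os.environ["SONAR_TOKEN"])
    print("quality gate", "FAILED: " + ", ".join(why) if failed else "passed")
    sys.exit(1 if failed else 0)
```

In the buildspec this replaces the `sleep`/`curl`/`jq` lines with a single `python3 check_gate.py` command after `mvn sonar:sonar`; a non-zero exit fails the CodeBuild build.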

Git

Add to .gitignore

<source lang="shell">
.scannerwork/**
</source>

sonar-project.properties

For further configuration, create a sonar-project.properties file at the root of the project. Here is an example configuration:

<source lang="properties">
# SOURCES
sonar.java.source=8
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8

# EXCLUSIONS
# (exclusion of Lombok-generated stuff comes from the `lombok.config` file)
sonar.coverage.exclusions=**/*Exception.java,**/BullhubsApplication.java

# TESTS
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
sonar.junit.reportsPath=target/surefire-reports/TEST-*.xml
sonar.tests=src/test/java
</source>

Sonar-Scanner

Different ways to run Sonar-Scanner manually:

Maven: mvn sonar:sonar

Windows/linux: sonar-scanner

Gradle

More information here: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/