Installing SonarQube 7.6 with postgres:9.6 under Docker on CentOS 7.6 for code security scanning

SonarQube tutorial

The code security checking workflow:


Environment requirements:
https://docs.sonarqube.org/7.6/requirements/requirements/
Linux
If you're running on Linux, you must ensure that:
vm.max_map_count is greater than or equal to 262144
fs.file-max is greater than or equal to 65536
the user running SonarQube can open at least 65536 file descriptors
the user running SonarQube can open at least 2048 threads
You can see the values with the following commands:
sysctl vm.max_map_count
sysctl fs.file-max
ulimit -n
ulimit -u
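The four checks above are easy to eyeball once, but a script that fails loudly is what you want before every (re)deployment. The following is an added example, not part of the original post: it compares the measured values against the minimums quoted from the requirements page and exits non-zero when any is too low. The live wrapper assumes sysctl and ulimit are available, as they are on CentOS 7; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# SonarQube 7.6 Linux requirements. Minimums are the documented ones.

PREFLIGHT_FAILED=0

# _check LABEL MEASURED MINIMUM
# Prints one line per item and records a failure when MEASURED is below
# MINIMUM. "unlimited" (a possible ulimit value) counts as a pass, and a
# missing or non-numeric value counts as a failure rather than a pass.
_check() {
    if [ "$2" = unlimited ]; then
        echo "ok   $1: unlimited"
        return 0
    fi
    case "$2" in
        ''|*[!0-9]*)
            echo "FAIL $1: non-numeric value '$2'"
            PREFLIGHT_FAILED=1
            return 0 ;;
    esac
    if [ "$2" -lt "$3" ]; then
        echo "FAIL $1: $2 < $3"
        PREFLIGHT_FAILED=1
        return 0
    fi
    echo "ok   $1: $2 >= $3"
    return 0
}

# check_limits MAX_MAP_COUNT FILE_MAX NOFILE NPROC
# Evaluates the four values against the documented minimums.
# Returns 0 when all pass, 1 when at least one is too low.
check_limits() {
    PREFLIGHT_FAILED=0
    _check vm.max_map_count "$1" 262144
    _check fs.file-max      "$2" 65536
    _check "ulimit -n"      "$3" 65536
    _check "ulimit -u"      "$4" 2048
    return "$PREFLIGHT_FAILED"
}

# check_live: read the values from the running host with the same four
# commands as the requirements page, then evaluate them.
check_live() {
    check_limits "$(sysctl -n vm.max_map_count 2>/dev/null)" \
                 "$(sysctl -n fs.file-max 2>/dev/null)" \
                 "$(ulimit -n)" \
                 "$(ulimit -u)"
}

# The live check only runs when requested, so the functions can also be
# sourced from other scripts:
#   SONAR_PREFLIGHT_LIVE=1 sh sonar-preflight.sh
if [ "${SONAR_PREFLIGHT_LIVE:-0}" = 1 ]; then
    check_live
fi
```

Run it as `SONAR_PREFLIGHT_LIVE=1 sh sonar-preflight.sh` on the Docker host; a FAIL line for vm.max_map_count means the sysctl change described further down still has to be applied. Note that ulimit values are per user and per session, so run it as the user that will start the containers.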

If you hit a system-level error such as:
WARNING: IPv4 forwarding is disabled. Networking will not work.
add the following to /etc/sysctl.conf and reload it with sysctl -p:
net.ipv4.ip_forward=1

##############################################
Install SonarQube 7.6 under Docker. First find the image:
https://hub.docker.com/_/sonarqube?tab=tags&page=3
docker pull sonarqube:7.6-community

##############################################
SonarQube uses Elasticsearch, so a few kernel parameters need to be changed:
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
sysctl -p
SonarQube dropped MySQL support from 7.9 onward.
SonarQube 7.6 only supports PostgreSQL 9.3 to 9.6 and 10, so pull version 9.6:
docker pull postgres:9.6
Start a Postgres Docker container and create the database sonar:

docker run --name pgdb -e POSTGRES_USER=sonar -e POSTGRES_PASSWORD=YourPassword -e POSTGRES_DB=sonar -p 5432:5432 -v /data/postgresql/data:/var/lib/postgresql/data -d postgres:9.6

You can log into the database and check:
[root@gitlab-sonarqube ~]# docker exec -it pgdb psql -h 10.11.22.8 -U sonar
Password for user sonar:
psql (13.0 (Debian 13.0-1.pgdg100+1))
Type "help" for help.
sonar=# select datname from pg_database;
datname
-----------
postgres
sonar
template1
template0
(4 rows)

sonar=# \c sonar
You are now connected to database "sonar" as user "sonar".
sonar=# select * from pg_tables where schemaname='public';
schemaname | tablename | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity
------------+-----------+------------+------------+------------+----------+-------------+-------------
(0 rows)

sonar=# \q

As seen above, the database is still empty. Once SonarQube is installed below, check again and it will contain data.

Download the SonarQube image:
docker pull sonarqube:7.6-community
To make upgrades easier, create volumes as the official documentation recommends (https://docs.sonarqube.org/latest/setup/install-server/):
$> docker volume create --name sonarqube_data
$> docker volume create --name sonarqube_logs
$> docker volume create --name sonarqube_extensions

Start the container, specifying the database link, username and password:
docker run -d --name sonarqube --link pgdb:sonar \
-p 9000:9000 \
-e sonar.jdbc.url=jdbc:postgresql://pgdb/sonar \
-e sonar.jdbc.username=sonar \
-e sonar.jdbc.password=YourPassword \
-v sonarqube_data:/opt/sonarqube/data \
-v sonarqube_extensions:/opt/sonarqube/extensions \
-v sonarqube_logs:/opt/sonarqube/logs \
sonarqube:7.6-community

Use docker inspect sonarqube to see the actual directory behind each volume:
"Mounts": [
    {
        "Type": "volume",
        "Name": "sonarqube_data",
        "Source": "/var/lib/docker/volumes/sonarqube_data/_data",
        "Destination": "/opt/sonarqube/data",
        "Driver": "local",
        "Mode": "z",
        "RW": true,
        "Propagation": ""
    },
    {
        "Type": "volume",
        "Name": "sonarqube_extensions",
        "Source": "/var/lib/docker/volumes/sonarqube_extensions/_data",
        "Destination": "/opt/sonarqube/extensions",
        "Driver": "local",
        "Mode": "z",
        "RW": true,
        "Propagation": ""
    },
    {
        "Type": "volume",
        "Name": "sonarqube_logs",
        "Source": "/var/lib/docker/volumes/sonarqube_logs/_data",
        "Destination": "/opt/sonarqube/logs",
        "Driver": "local",
        "Mode": "z",
        "RW": true,
        "Propagation": ""
    }
],

You can see that the container's /opt/sonarqube/extensions is backed by the host directory /var/lib/docker/volumes/sonarqube_extensions/_data.

SonarQube in this example is version 7.6; see:
https://github.com/gabrie-allaigre/sonar-gitlab-plugin
The older plugin releases all have bugs; the discussion is at https://github.com/gabrie-allaigre/sonar-gitlab-plugin/issues/213
Download this latest plugin build:
https://github.com/gabrie-allaigre/sonar-gitlab-plugin/releases/download/4.1.0-SNAPSHOT/sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar
As the plugin requires, place sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar in /var/lib/docker/volumes/sonarqube_extensions/_data/plugins.
Restart the SonarQube container:
docker restart sonarqube
Check the logs:
docker logs sonarqube
The GitLab plugin shows up as deployed:
2020.12.07 08:53:07 INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin GitLab / 4.1.0-SNAPSHOT / 5b5df47a0539b34ffc0cc0e1e025baff4
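Reading the log by eye works once; a repeatable check is better when the container is restarted by automation. The following is an added example, not part of the original post or the plugin project: it parses SonarQube web log lines, lists the plugins the ServerPluginRepository reports as deployed, and confirms the scheduler's "SonarQube is up" message appeared. The deploy-line format is the one shown above; the sample log is constructed for the example (only the GitLab line is taken from the real output), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify plugin deployment and
# server start-up from the SonarQube log instead of eyeballing `docker logs`.

# Constructed sample log: the GitLab line is the real one from the post, the
# other two lines are made up for the example and follow the 7.x log format.
SAMPLE_LOG='2020.12.07 08:53:07 INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin GitLab / 4.1.0-SNAPSHOT / 5b5df47a0539b34ffc0cc0e1e025baff4
2020.12.07 08:53:07 INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin ExamplePlugin / 1.0.0 / 00000000000000000000000000000000
2020.12.07 08:53:40 INFO app[][o.s.a.SchedulerImpl] SonarQube is up'

# deployed_plugins (log on stdin): print "NAME VERSION" for every plugin the
# ServerPluginRepository reports as deployed. The line tail is
# "NAME / VERSION / HASH", so split on " / " after the "Deploy plugin " prefix.
deployed_plugins() {
    awk '/ServerPluginRepository\] Deploy plugin /{
        sub(/.*Deploy plugin /, "")
        n = split($0, f, / \/ /)
        if (n >= 2) print f[1], f[2]
    }'
}

# plugin_version NAME (log on stdin): print the deployed version of NAME,
# nothing if it was not deployed.
plugin_version() {
    deployed_plugins | awk -v want="$1" '$1 == want { print $2; exit }'
}

# plugin_deployed NAME (log on stdin): exit 0 if NAME was deployed, else 1.
plugin_deployed() {
    deployed_plugins | awk -v want="$1" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# server_up (log on stdin): exit 0 once the scheduler reported the server up.
server_up() {
    grep -q 'SonarQube is up'
}

# verify_log NAME (log on stdin): read the log once, check both conditions,
# print a report and return 0 only when both hold.
verify_log() {
    log=$(cat)
    rc=0
    if printf '%s\n' "$log" | plugin_deployed "$1"; then
        echo "ok   plugin $1 deployed, version $(printf '%s\n' "$log" | plugin_version "$1")"
    else
        echo "FAIL plugin $1 not found in log"
        rc=1
    fi
    if printf '%s\n' "$log" | server_up; then
        echo "ok   SonarQube is up"
    else
        echo "FAIL SonarQube has not reported that it is up"
        rc=1
    fi
    return $rc
}

# Against the constructed sample; for the real container use
#   docker logs sonarqube 2>&1 | verify_log GitLab
printf '%s\n' "$SAMPLE_LOG" | verify_log GitLab
```

Because `docker logs` returns the whole log since container creation, a plugin that was deployed on an earlier start but failed on the latest restart would still match; restart with `docker logs --since` limited to the restart time, or clear the logs volume, when that distinction matters.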

The next step, configuring gitlab-ci, is covered at: https://docs.gitlab.com/ee/ci/yaml/README.html