SONAR-22581 docker image openshift hardening
* SONAR-22581 docker image openshift hardening

* NO-JIRA revert login bug fix, no longer needed

* SONAR-22581 address reviewer comments
jCOTINEAU authored Jul 25, 2024
1 parent f76e7b0 commit e31e0be
Showing 9 changed files with 124 additions and 22 deletions.
5 changes: 0 additions & 5 deletions .cirrus/tasks.yml
Expand Up @@ -42,7 +42,6 @@ multi_arch_build_gcp_prod_task:
- docker pull "${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-search"
login_to_gcr_script:
- export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
- rm -rf ~/.docker/config.json
- docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}
tag_and_promote_script:
- export CURRENT_MINOR_VERSION=$(echo ${CURRENT_VERSION} | cut -d '.' -f 1,2)
Expand All @@ -69,7 +68,6 @@ multi_arch_build_gcp_staging_task:
<<: *VM_TEMPLATE
login_to_gcr_script:
- export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
- rm -rf ~/.docker/config.json
- docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_STAGING_REGISTRY}
setup_multi_build_script:
- docker run -t --rm --privileged tonistiigi/binfmt --install all
Expand Down Expand Up @@ -108,7 +106,6 @@ multi_arch_build_task:
ec2_instance:
<<: *VM_TEMPLATE
login_script:
- rm -rf ~/.docker/config.json
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
setup_script:
- docker run -t --rm --privileged tonistiigi/binfmt --install all
Expand All @@ -130,7 +127,6 @@ private_scan_task:
ec2_instance:
<<: *CI_SCANNER
login_script:
- rm -rf ~/.docker/config.json
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
scan_script:
- echo "docker.includes=${tag}" >> .cirrus/wss-unified-agent.config
Expand Down Expand Up @@ -191,7 +187,6 @@ multi_arch_test_task:
type: ${INSTANCE_TYPE}
architecture: ${CIRRUS_ARCH}
login_script:
- rm -rf ~/.docker/config.json
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
test_script:
- echo "Test the ${STAGING_IMAGE_NAME}:${tag} image supporting linux/${CIRRUS_ARCH}"
20 changes: 18 additions & 2 deletions 10/community/Dockerfile
@@ -1,5 +1,10 @@
FROM eclipse-temurin:17-jre-jammy

LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
LABEL io.openshift.min-cpu=400m
LABEL io.openshift.min-memory=2048M
LABEL io.openshift.non-scalable=true
LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube

ENV LANG='en_US.UTF-8' \
Expand All @@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
SQ_LOGS_DIR="/opt/sonarqube/logs" \
SQ_TEMP_DIR="/opt/sonarqube/temp"

# Separate stage to use variable expansion
ENV ES_TMPDIR="${SQ_TEMP_DIR}"

RUN set -eux; \
useradd --system --uid 1000 --gid 0 sonarqube; \
apt-get update; \
apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
apt-get --no-install-recommends -y install \
bash \
curl \
fonts-dejavu \
gnupg \
unzip; \
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
# pub 2048R/D26468DE 2015-05-25
Expand All @@ -47,7 +60,10 @@ RUN set -eux; \
chmod -R 550 ${SONARQUBE_HOME}; \
chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
apt-get remove -y gnupg unzip; \
rm -rf /var/lib/apt/lists/*;
rm -rf /var/lib/apt/lists/*; \
apt-get clean;

VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]

COPY entrypoint.sh ${SONARQUBE_HOME}/docker/

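Review bot: The comment `# Separate stage to use variable expansion` above the new `ENV ES_TMPDIR="${SQ_TEMP_DIR}"` is misleading, because a Dockerfile "stage" is a `FROM` boundary, whereas this is simply a second ENV instruction, needed because an ENV instruction cannot expand a variable that the same instruction defines; `# Separate ENV instruction: SQ_TEMP_DIR must already be set before it can be expanded here` states the actual reason. The same comment appears in 10/developer/Dockerfile, 10/enterprise/Dockerfile and 10/datacenter/search/Dockerfile. The new OpenShift label set in all five Dockerfiles omits `io.k8s.display-name`, which belongs to the same label family as `io.k8s.description`; adding `LABEL io.k8s.display-name="SonarQube"` (per edition) would complete it. In the cleanup hunk, `apt-get remove -y gnupg unzip` leaves the packages that were pulled in only as their dependencies installed; `apt-get purge -y --auto-remove gnupg unzip` before the new `apt-get clean` would drop them too, provided nothing kept (curl, fonts) depends on them. The RUN instruction these hunks cut through starts and ends outside the visible lines.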
18 changes: 16 additions & 2 deletions 10/datacenter/app/Dockerfile
@@ -1,5 +1,10 @@
FROM eclipse-temurin:17-jre-jammy

LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
LABEL io.openshift.min-cpu=400m
LABEL io.openshift.min-memory=2048M
LABEL io.openshift.non-scalable=false
LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube

ENV LANG='en_US.UTF-8' \
Expand All @@ -25,7 +30,13 @@ ENV DOCKER_RUNNING="true" \
RUN set -eux; \
useradd --system --uid 1000 --gid 0 sonarqube; \
apt-get update; \
apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
apt-get --no-install-recommends -y install \
bash \
curl \
fonts-dejavu \
gnupg \
iproute2 \
unzip; \
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
# pub 2048R/D26468DE 2015-05-25
Expand All @@ -49,7 +60,10 @@ RUN set -eux; \
chmod -R 550 ${SONARQUBE_HOME}; \
chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
apt-get remove -y gnupg unzip; \
rm -rf /var/lib/apt/lists/*;
rm -rf /var/lib/apt/lists/*; \
apt-get clean;

VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]

COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/

21 changes: 19 additions & 2 deletions 10/datacenter/search/Dockerfile
@@ -1,5 +1,10 @@
FROM eclipse-temurin:17-jre-jammy

LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
LABEL io.openshift.min-cpu=400m
LABEL io.openshift.min-memory=2048M
LABEL io.openshift.non-scalable=false
LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube

ENV LANG='en_US.UTF-8' \
Expand All @@ -22,10 +27,19 @@ ENV DOCKER_RUNNING="true" \
SONAR_CLUSTER_NODE_TYPE="search" \
SONAR_CLUSTER_ENABLED="true"

# Separate stage to use variable expansion
ENV ES_TMPDIR="${SQ_TEMP_DIR}"

RUN set -eux; \
useradd --system --uid 1000 --gid 0 sonarqube; \
apt-get update; \
apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
apt-get --no-install-recommends -y install \
bash \
curl \
fonts-dejavu \
gnupg \
iproute2 \
unzip; \
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
# pub 2048R/D26468DE 2015-05-25
Expand All @@ -49,7 +63,10 @@ RUN set -eux; \
chmod -R 550 ${SONARQUBE_HOME}; \
chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
apt-get remove -y gnupg unzip curl; \
rm -rf /var/lib/apt/lists/*;
rm -rf /var/lib/apt/lists/*; \
apt-get clean;

VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]

COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/

20 changes: 18 additions & 2 deletions 10/developer/Dockerfile
@@ -1,5 +1,10 @@
FROM eclipse-temurin:17-jre-jammy

LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
LABEL io.openshift.min-cpu=400m
LABEL io.openshift.min-memory=2048M
LABEL io.openshift.non-scalable=true
LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube

ENV LANG='en_US.UTF-8' \
Expand All @@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
SQ_LOGS_DIR="/opt/sonarqube/logs" \
SQ_TEMP_DIR="/opt/sonarqube/temp"

# Separate stage to use variable expansion
ENV ES_TMPDIR="${SQ_TEMP_DIR}"

RUN set -eux; \
useradd --system --uid 1000 --gid 0 sonarqube; \
apt-get update; \
apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
apt-get --no-install-recommends -y install \
bash \
curl \
fonts-dejavu \
gnupg \
unzip; \
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
# pub 2048R/D26468DE 2015-05-25
Expand All @@ -47,7 +60,10 @@ RUN set -eux; \
chmod -R 550 ${SONARQUBE_HOME}; \
chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
apt-get remove -y gnupg unzip; \
rm -rf /var/lib/apt/lists/*;
rm -rf /var/lib/apt/lists/*; \
apt-get clean;

VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]

COPY entrypoint.sh ${SONARQUBE_HOME}/docker/

20 changes: 18 additions & 2 deletions 10/enterprise/Dockerfile
@@ -1,5 +1,10 @@
FROM eclipse-temurin:17-jre-jammy

LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
LABEL io.openshift.min-cpu=400m
LABEL io.openshift.min-memory=2048M
LABEL io.openshift.non-scalable=true
LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube

ENV LANG='en_US.UTF-8' \
Expand All @@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
SQ_LOGS_DIR="/opt/sonarqube/logs" \
SQ_TEMP_DIR="/opt/sonarqube/temp"

# Separate stage to use variable expansion
ENV ES_TMPDIR="${SQ_TEMP_DIR}"

RUN set -eux; \
useradd --system --uid 1000 --gid 0 sonarqube; \
apt-get update; \
apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
apt-get --no-install-recommends -y install \
bash \
curl \
fonts-dejavu \
gnupg \
unzip; \
echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
# pub 2048R/D26468DE 2015-05-25
Expand All @@ -47,7 +60,10 @@ RUN set -eux; \
chmod -R 550 ${SONARQUBE_HOME}; \
chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
apt-get remove -y gnupg unzip; \
rm -rf /var/lib/apt/lists/*;
rm -rf /var/lib/apt/lists/*; \
apt-get clean;

VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]

COPY entrypoint.sh ${SONARQUBE_HOME}/docker/

34 changes: 28 additions & 6 deletions example-compose-files/sq-dce-postgres/docker-compose.yml
Expand Up @@ -9,6 +9,7 @@ services:
retries: 3
start_period: 55s
image: sonarqube:datacenter-app
read_only: true
depends_on:
search-1:
condition: service_healthy
Expand Down Expand Up @@ -37,8 +38,11 @@ services:
volumes:
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_temp:/opt/sonarqube/temp
- /opt/sonarqube/data
search-1:
image: sonarqube:datacenter-search
read_only: true
hostname: "search-1"
cpus: 0.5
mem_limit: 3072M
Expand All @@ -55,7 +59,10 @@ services:
SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
SONAR_CLUSTER_NODE_NAME: "search-1"
volumes:
- search-data-1:/opt/sonarqube/data
- search_data-1:/opt/sonarqube/data
- sonarqube_logs:/opt/sonarqube/logs
- search_temp-1:/opt/sonarqube/temp
- search_logs-1:/opt/sonarqube/logs
healthcheck:
test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
interval: 25s
Expand All @@ -64,6 +71,7 @@ services:
start_period: 55s
search-2:
image: sonarqube:datacenter-search
read_only: true
hostname: "search-2"
cpus: 0.5
mem_limit: 3072M
Expand All @@ -80,7 +88,10 @@ services:
SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
SONAR_CLUSTER_NODE_NAME: "search-2"
volumes:
- search-data-2:/opt/sonarqube/data
- search_data-2:/opt/sonarqube/data
- sonarqube_logs:/opt/sonarqube/logs
- search_temp-2:/opt/sonarqube/temp
- search_logs-2:/opt/sonarqube/logs
healthcheck:
test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
interval: 25s
Expand All @@ -89,6 +100,7 @@ services:
start_period: 55s
search-3:
image: sonarqube:datacenter-search
read_only: true
hostname: "search-3"
cpus: 0.5
mem_limit: 3072M
Expand All @@ -105,7 +117,10 @@ services:
SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
SONAR_CLUSTER_NODE_NAME: "search-3"
volumes:
- search-data-3:/opt/sonarqube/data
- search_data-3:/opt/sonarqube/data
- sonarqube_logs:/opt/sonarqube/logs
- search_temp-3:/opt/sonarqube/temp
- search_logs-3:/opt/sonarqube/logs
healthcheck:
test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
interval: 25s
Expand Down Expand Up @@ -150,8 +165,15 @@ networks:
volumes:
sonarqube_extensions:
sonarqube_logs:
search-data-1:
search-data-2:
search-data-3:
search_logs-1:
search_logs-2:
search_logs-3:
search_data-1:
search_data-2:
search_data-3:
search_temp-1:
search_temp-2:
search_temp-3:
sonarqube_temp:
postgresql:
postgresql_data:
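Review bot: `read_only: true` on sonarqube, search-1, search-2 and search-3 makes every path except the mounted volumes read-only, but nothing in the visible hunks redirects the JVM's default temp directory away from `/tmp`; the Dockerfiles in this commit set `ES_TMPDIR` to `/opt/sonarqube/temp` for the search nodes, while the app node only gets that directory mounted. If the entrypoint does not already pass `-Djava.io.tmpdir`, anything the JVM or a plugin writes under `/tmp` will now fail on the read-only rootfs; adding `tmpfs:` / `- /tmp` to each read-only service keeps the hardening while providing a scratch path that is discarded with the container. The same consideration applies to example-compose-files/sq-with-h2 and sq-with-postgres. Separately, the new volume names mix separators (`search_data-1`, `search_logs-1`, `search_temp-1` next to `sonarqube_temp`); `search_data_1` would follow the file's existing convention. The services' remaining stanzas and the networks section lie outside the hunks.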
5 changes: 4 additions & 1 deletion example-compose-files/sq-with-h2/docker-compose.yml
@@ -1,13 +1,16 @@
services:
sonarqube:
image: sonarqube:community
read_only: true
volumes:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_temp:/opt/sonarqube/temp
ports:
- "9000:9000"
volumes:
sonarqube_data:
sonarqube_extensions:
sonarqube_logs:
sonarqube_logs:
sonarqube_temp:
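Review bot: The top-level `volumes:` stanza ends with `sonarqube_logs:` printed twice; the hunk counts (13 old lines, 16 new, 4 additions and 1 deletion) suggest one of them is the removed line and the other a whitespace-only re-addition rather than a real duplicate, but that should be confirmed on the new side, because a duplicate mapping key is invalid YAML and most parsers silently keep the last occurrence. The intended new side is a single `sonarqube_logs:` followed by `sonarqube_temp:`. The new `sonarqube_temp:/opt/sonarqube/temp` mount matches the `SQ_TEMP_DIR` path set in the Dockerfiles, so the read-only rootfs gets a writable temp directory; a comment such as `# the image runs with read_only: true, so data/extensions/logs/temp must be mounted` above the service's `volumes:` list would explain why all four mounts are required.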
3 changes: 3 additions & 0 deletions example-compose-files/sq-with-postgres/docker-compose.yml
Expand Up @@ -3,6 +3,7 @@ services:
image: sonarqube:community
hostname: sonarqube
container_name: sonarqube
read_only: true
depends_on:
db:
condition: service_healthy
Expand All @@ -14,6 +15,7 @@ services:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_temp:/opt/sonarqube/temp
ports:
- "9000:9000"
db:
Expand All @@ -35,6 +37,7 @@ services:

volumes:
sonarqube_data:
sonarqube_temp:
sonarqube_extensions:
sonarqube_logs:
postgresql:
