diff --git a/.cirrus/tasks.yml b/.cirrus/tasks.yml
index a78ce50a..158e7745 100644
--- a/.cirrus/tasks.yml
+++ b/.cirrus/tasks.yml
@@ -25,7 +25,7 @@ build_server_hw_template: &BUILD_SERVER_HW_TEMPLATE
 region: eu-central-1
 vm_instance_template: &VM_TEMPLATE
- image: docker-builder-v*
+ image: pr-52-docker-builder-v*
 <<: *BUILD_SERVER_HW_TEMPLATE
 ci_instance_scanner: &CI_SCANNER
@@ -42,7 +42,6 @@ multi_arch_build_gcp_prod_task:
 - docker pull "${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-search"
 login_to_gcr_script:
 - export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
- - rm -rf ~/.docker/config.json
 - docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}
 tag_and_promote_script:
 - export CURRENT_MINOR_VERSION=$(echo ${CURRENT_VERSION} | cut -d '.' -f 1,2)
@@ -69,7 +68,6 @@ multi_arch_build_gcp_staging_task:
 <<: *VM_TEMPLATE
 login_to_gcr_script:
 - export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
- - rm -rf ~/.docker/config.json
 - docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_STAGING_REGISTRY}
 setup_multi_build_script:
 - docker run -t --rm --privileged tonistiigi/binfmt --install all
@@ -108,7 +106,6 @@ multi_arch_build_task:
 ec2_instance:
 <<: *VM_TEMPLATE
 login_script:
- - rm -rf ~/.docker/config.json
 - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
 setup_script:
 - docker run -t --rm --privileged tonistiigi/binfmt --install all
@@ -130,7 +127,6 @@ private_scan_task:
 ec2_instance:
 <<: *CI_SCANNER
 login_script:
- - rm -rf ~/.docker/config.json
 - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
 scan_script:
 - echo "docker.includes=${tag}" >> .cirrus/wss-unified-agent.config
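Review bot: The image pattern `pr-52-docker-builder-v*` under `vm_instance_template` looks scoped to one pull request rather than to a published builder image; if it was pointed there to try the new image before it was promoted, it should go back to `image: docker-builder-v*` before merge. If the PR-scoped image is intentional, a comment above the key naming what it replaces and why would spare the next reader the guess. Because `VM_TEMPLATE` is merged into the `ec2_instance` of several tasks in this file, a stale PR image silently becomes the base for all of them.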
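Review bot: `docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}` still hands the decoded service-account key over on the command line, where Docker itself prints a warning that this is insecure and where it is readable by anything inspecting the process list. Now that the `rm -rf ~/.docker/config.json` reset is gone, this login is the only line touching the secret, so it is a good moment to switch to `echo "$DOCKER_GCLOUD_SA_KEY" | base64 -d | docker login -u _json_key --password-stdin https://${GCLOUD_REGISTRY}`, which also removes the need to `export DOCKER_GCLOUD_PASSWORD` into the environment. The same applies to the staging hunk below and to the `--password $DOCKER_PASSWORD` logins in the `multi_arch_build_task`, `private_scan_task` and `multi_arch_test_task` hunks. Dropping the `config.json` reset presumably relies on each task starting from a VM with no pre-existing Docker credentials; a one-line comment above `login_to_gcr_script:` recording that assumption would make the removal self-explanatory.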
@@ -191,7 +187,6 @@ multi_arch_test_task:
 type: ${INSTANCE_TYPE}
 architecture: ${CIRRUS_ARCH}
 login_script:
- - rm -rf ~/.docker/config.json
 - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
 test_script:
 - echo "Test the ${STAGING_IMAGE_NAME}:${tag} image supporting linux/${CIRRUS_ARCH}"
diff --git a/10/community/Dockerfile b/10/community/Dockerfile
index 2ad9852b..ac42dd6b 100644
--- a/10/community/Dockerfile
+++ b/10/community/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
 SQ_LOGS_DIR="/opt/sonarqube/logs" \
 SQ_TEMP_DIR="/opt/sonarqube/temp"
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
 useradd --system --uid 1000 --gid 0 sonarqube; \
 apt-get update; \
- apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ unzip; \
 echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
 sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
 # pub 2048R/D26468DE 2015-05-25
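Review bot: The comment `# Separate stage to use variable expansion` above `ENV ES_TMPDIR="${SQ_TEMP_DIR}"` is misleading: this is a separate `ENV` instruction, not a build stage, and the reason for splitting it out is that a variable can only be expanded once an earlier instruction has defined it. Suggest `# Own ENV instruction: ${SQ_TEMP_DIR} must already be set before it can be expanded here`. The same comment is added in the developer, enterprise and datacenter/search Dockerfiles. The `RUN` block that follows continues outside the hunk.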
@@ -47,7 +60,10 @@ RUN set -eux; \
 chmod -R 550 ${SONARQUBE_HOME}; \
 chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
 apt-get remove -y gnupg unzip; \
- rm -rf /var/lib/apt/lists/*;
+ rm -rf /var/lib/apt/lists/*; \
+ apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
diff --git a/10/datacenter/app/Dockerfile b/10/datacenter/app/Dockerfile
index 818fc786..bd59f506 100644
--- a/10/datacenter/app/Dockerfile
+++ b/10/datacenter/app/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 ENV LANG='en_US.UTF-8' \
@@ -25,7 +30,13 @@ ENV DOCKER_RUNNING="true" \
 RUN set -eux; \
 useradd --system --uid 1000 --gid 0 sonarqube; \
 apt-get update; \
- apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ iproute2 \
+ unzip; \
 echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
 sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
 # pub 2048R/D26468DE 2015-05-25
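Review bot: `VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]` lacks the commas the JSON-array form requires, so Docker cannot parse it as JSON and most likely falls back to whitespace splitting, in which case the first and last entries carry the literal bracket (`[/opt/sonarqube/data` and `/opt/sonarqube/temp]`) instead of the intended directories. Change it to `VOLUME ["${SQ_DATA_DIR}", "${SQ_EXTENSIONS_DIR}", "${SQ_LOGS_DIR}", "${SQ_TEMP_DIR}"]`, or use the plain form `VOLUME ${SQ_DATA_DIR} ${SQ_EXTENSIONS_DIR} ${SQ_LOGS_DIR} ${SQ_TEMP_DIR}`, and verify the declared mount points with `docker inspect` after a build. The same line is added in the datacenter/app, datacenter/search, developer and enterprise Dockerfiles.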
@@ -49,7 +60,10 @@ RUN set -eux; \
 chmod -R 550 ${SONARQUBE_HOME}; \
 chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
 apt-get remove -y gnupg unzip; \
- rm -rf /var/lib/apt/lists/*;
+ rm -rf /var/lib/apt/lists/*; \
+ apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
diff --git a/10/datacenter/search/Dockerfile b/10/datacenter/search/Dockerfile
index 3eb7d562..09621212 100644
--- a/10/datacenter/search/Dockerfile
+++ b/10/datacenter/search/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 ENV LANG='en_US.UTF-8' \
@@ -22,10 +27,19 @@ ENV DOCKER_RUNNING="true" \
 SONAR_CLUSTER_NODE_TYPE="search" \
 SONAR_CLUSTER_ENABLED="true"
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
 useradd --system --uid 1000 --gid 0 sonarqube; \
 apt-get update; \
- apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ iproute2 \
+ unzip; \
 echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
 sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
 # pub 2048R/D26468DE 2015-05-25
@@ -49,7 +63,10 @@ RUN set -eux; \
 chmod -R 550 ${SONARQUBE_HOME}; \
 chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
 apt-get remove -y gnupg unzip curl; \
- rm -rf /var/lib/apt/lists/*;
+ rm -rf /var/lib/apt/lists/*; \
+ apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
diff --git a/10/developer/Dockerfile b/10/developer/Dockerfile
index 4e8cba00..78a2a720 100644
--- a/10/developer/Dockerfile
+++ b/10/developer/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
 SQ_LOGS_DIR="/opt/sonarqube/logs" \
 SQ_TEMP_DIR="/opt/sonarqube/temp"
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
 useradd --system --uid 1000 --gid 0 sonarqube; \
 apt-get update; \
- apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ unzip; \
 echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
 sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
 # pub 2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
 chmod -R 550 ${SONARQUBE_HOME}; \
 chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
 apt-get remove -y gnupg unzip; \
- rm -rf /var/lib/apt/lists/*;
+ rm -rf /var/lib/apt/lists/*; \
+ apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
diff --git a/10/enterprise/Dockerfile b/10/enterprise/Dockerfile
index 7839db54..e9760036 100644
--- a/10/enterprise/Dockerfile
+++ b/10/enterprise/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
 SQ_LOGS_DIR="/opt/sonarqube/logs" \
 SQ_TEMP_DIR="/opt/sonarqube/temp"
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
 useradd --system --uid 1000 --gid 0 sonarqube; \
 apt-get update; \
- apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ unzip; \
 echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
 sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
 # pub 2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
 chmod -R 550 ${SONARQUBE_HOME}; \
 chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
 apt-get remove -y gnupg unzip; \
- rm -rf /var/lib/apt/lists/*;
+ rm -rf /var/lib/apt/lists/*; \
+ apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
diff --git a/example-compose-files/sq-dce-postgres/docker-compose.yml b/example-compose-files/sq-dce-postgres/docker-compose.yml
index 1fad68e1..3b02cab4 100644
--- a/example-compose-files/sq-dce-postgres/docker-compose.yml
+++ b/example-compose-files/sq-dce-postgres/docker-compose.yml
@@ -9,6 +9,7 @@ services:
 retries: 3
 start_period: 55s
 image: sonarqube:datacenter-app
+ read_only: true
 depends_on:
 search-1:
 condition: service_healthy
@@ -37,8 +38,11 @@ services:
 volumes:
 - sonarqube_extensions:/opt/sonarqube/extensions
 - sonarqube_logs:/opt/sonarqube/logs
+ - sonarqube_temp:/opt/sonarqube/temp
+ - /opt/sonarqube/data
 search-1:
 image: sonarqube:datacenter-search
+ read_only: true
 hostname: "search-1"
 cpus: 0.5
 mem_limit: 3072M
@@ -55,7 +59,10 @@ services:
 SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
 SONAR_CLUSTER_NODE_NAME: "search-1"
 volumes:
- - search-data-1:/opt/sonarqube/data
+ - search_data-1:/opt/sonarqube/data
+ - sonarqube_logs:/opt/sonarqube/logs
+ - search_temp-1:/opt/sonarqube/temp
+ - search_logs-1:/opt/sonarqube/logs
 healthcheck:
 test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
 interval: 25s
@@ -64,6 +71,7 @@ services:
 start_period: 55s
 search-2:
 image: sonarqube:datacenter-search
+ read_only: true
 hostname: "search-2"
 cpus: 0.5
 mem_limit: 3072M
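Review bot: `read_only: true` on the `sonarqube:datacenter-app` service (and on the search nodes here and the community services in the sq-with-h2 and sq-with-postgres examples) is a welcome hardening step, but a read-only root filesystem also removes the writable `/tmp` a JVM normally expects, and the hunks only provide `/opt/sonarqube/temp`. If startup logs report failures writing under `/tmp`, add `tmpfs: - /tmp` to the service, which keeps the image layers immutable while giving the process scratch space. A one-line comment above `read_only: true` listing the paths that stay writable (`data`, `extensions`, `logs`, `temp`) would help anyone adapting the example.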
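Review bot: The `search-1` service now mounts two different volumes at the same container path, `- sonarqube_logs:/opt/sonarqube/logs` and `- search_logs-1:/opt/sonarqube/logs`; Docker rejects a container with duplicate mount points, and even if it did not, sharing `sonarqube_logs` would mix the app node's logs with each search node's. Drop the `- sonarqube_logs:/opt/sonarqube/logs` line and keep the per-node `search_logs-1` volume. The `search-2` and `search-3` volume hunks repeat the same pair.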
@@ -80,7 +88,10 @@ services:
 SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
 SONAR_CLUSTER_NODE_NAME: "search-2"
 volumes:
- - search-data-2:/opt/sonarqube/data
+ - search_data-2:/opt/sonarqube/data
+ - sonarqube_logs:/opt/sonarqube/logs
+ - search_temp-2:/opt/sonarqube/temp
+ - search_logs-2:/opt/sonarqube/logs
 healthcheck:
 test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
 interval: 25s
@@ -89,6 +100,7 @@ services:
 start_period: 55s
 search-3:
 image: sonarqube:datacenter-search
+ read_only: true
 hostname: "search-3"
 cpus: 0.5
 mem_limit: 3072M
@@ -105,7 +117,10 @@ services:
 SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
 SONAR_CLUSTER_NODE_NAME: "search-3"
 volumes:
- - search-data-3:/opt/sonarqube/data
+ - search_data-3:/opt/sonarqube/data
+ - sonarqube_logs:/opt/sonarqube/logs
+ - search_temp-3:/opt/sonarqube/temp
+ - search_logs-3:/opt/sonarqube/logs
 healthcheck:
 test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"'; if [ $? -eq 0 ]; then exit 0; else exit 1; fi
 interval: 25s
@@ -150,8 +165,15 @@ networks:
 volumes:
 sonarqube_extensions:
 sonarqube_logs:
- search-data-1:
- search-data-2:
- search-data-3:
+ search_logs-1:
+ search_logs-2:
+ search_logs-3:
+ search_data-1:
+ search_data-2:
+ search_data-3:
+ search_temp-1:
+ search_temp-2:
+ search_temp-3:
+ sonarqube_temp:
 postgresql:
 postgresql_data:
\ No newline at end of file
diff --git a/example-compose-files/sq-with-h2/docker-compose.yml b/example-compose-files/sq-with-h2/docker-compose.yml
index 791eaaa4..56f8d6a0 100644
--- a/example-compose-files/sq-with-h2/docker-compose.yml
+++ b/example-compose-files/sq-with-h2/docker-compose.yml
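Review bot: Renaming the named volumes `search-data-1`, `search-data-2` and `search-data-3` to `search_data-1/2/3` in the top-level `volumes:` block (and in each search node's volume list) means an existing deployment of this example gets fresh, empty volumes on its next `docker compose up`, while the old `search-data-N` volumes remain on the host unreferenced. If the rename is purely for naming consistency it may not be worth that migration; if it is kept, a comment above the block such as `# renamed from search-data-N; existing deployments must migrate or remove the old volumes` would warn users. The file also still ends without a trailing newline after `postgresql_data:`.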
@@ -1,13 +1,16 @@
 services:
 sonarqube:
 image: sonarqube:community
+ read_only: true
 volumes:
 - sonarqube_data:/opt/sonarqube/data
 - sonarqube_extensions:/opt/sonarqube/extensions
 - sonarqube_logs:/opt/sonarqube/logs
+ - sonarqube_temp:/opt/sonarqube/temp
 ports:
 - "9000:9000"
 volumes:
 sonarqube_data:
 sonarqube_extensions:
- sonarqube_logs:
\ No newline at end of file
+ sonarqube_logs:
+ sonarqube_temp:
\ No newline at end of file
diff --git a/example-compose-files/sq-with-postgres/docker-compose.yml b/example-compose-files/sq-with-postgres/docker-compose.yml
index af71502d..276856f2 100644
--- a/example-compose-files/sq-with-postgres/docker-compose.yml
+++ b/example-compose-files/sq-with-postgres/docker-compose.yml
@@ -3,6 +3,7 @@ services:
 image: sonarqube:community
 hostname: sonarqube
 container_name: sonarqube
+ read_only: true
 depends_on:
 db:
 condition: service_healthy
@@ -14,6 +15,7 @@ services:
 - sonarqube_data:/opt/sonarqube/data
 - sonarqube_extensions:/opt/sonarqube/extensions
 - sonarqube_logs:/opt/sonarqube/logs
+ - sonarqube_temp:/opt/sonarqube/temp
 ports:
 - "9000:9000"
 db:
@@ -35,6 +37,7 @@ services:
 volumes:
 sonarqube_data:
+ sonarqube_temp:
 sonarqube_extensions:
 sonarqube_logs:
 postgresql:
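Review bot: The new final line `sonarqube_temp:` is still written without a trailing newline (`\ No newline at end of file` appears on both the old and new side), so the next edit to this file will again show `sonarqube_logs:`/`sonarqube_temp:` churn that is only whitespace; end the file with a newline while touching it. The sq-with-postgres hunk below inserts `sonarqube_temp:` between `sonarqube_data:` and `sonarqube_extensions:` while this file appends it last — harmless for a mapping, but matching the order keeps the two examples easy to compare.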