SonarSource · jCOTINEAU · Jul 25, 2024 · Jul 24, 2024 · Jul 24, 2024 · Jul 25, 2024
diff --git a/.cirrus/tasks.yml b/.cirrus/tasks.yml
@@ -42,7 +42,6 @@ multi_arch_build_gcp_prod_task:
     - docker pull "${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-search"
   login_to_gcr_script:
     - export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
-    - rm -rf ~/.docker/config.json
     - docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}
   tag_and_promote_script:
     - export CURRENT_MINOR_VERSION=$(echo ${CURRENT_VERSION} | cut -d '.' -f 1,2)
@@ -69,7 +68,6 @@ multi_arch_build_gcp_staging_task:
     <<: *VM_TEMPLATE
   login_to_gcr_script:
     - export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
-    - rm -rf ~/.docker/config.json
     - docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_STAGING_REGISTRY}
   setup_multi_build_script:
     - docker run -t --rm --privileged tonistiigi/binfmt --install all
@@ -108,7 +106,6 @@ multi_arch_build_task:
   ec2_instance:
     <<: *VM_TEMPLATE
   login_script:
-    - rm -rf ~/.docker/config.json
     - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
   setup_script:
     - docker run -t --rm --privileged tonistiigi/binfmt --install all
@@ -130,7 +127,6 @@ private_scan_task:
   ec2_instance:
     <<: *CI_SCANNER
   login_script:
-    - rm -rf ~/.docker/config.json
     - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
   scan_script:
     - echo "docker.includes=${tag}" >> .cirrus/wss-unified-agent.config
@@ -191,7 +187,6 @@ multi_arch_test_task:
     type: ${INSTANCE_TYPE}
     architecture: ${CIRRUS_ARCH}
   login_script:
-    - rm -rf ~/.docker/config.json
     - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
   test_script:
     - echo "Test the ${STAGING_IMAGE_NAME}:${tag} image supporting linux/${CIRRUS_ARCH}"

diff --git a/10/community/Dockerfile b/10/community/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

diff --git a/10/datacenter/app/Dockerfile b/10/datacenter/app/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -25,7 +30,13 @@ ENV DOCKER_RUNNING="true" \
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        iproute2 \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -49,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
 

diff --git a/10/datacenter/search/Dockerfile b/10/datacenter/search/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -22,10 +27,19 @@ ENV DOCKER_RUNNING="true" \
     SONAR_CLUSTER_NODE_TYPE="search" \
     SONAR_CLUSTER_ENABLED="true"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        iproute2 \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -49,7 +63,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip curl; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
 

diff --git a/10/developer/Dockerfile b/10/developer/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

diff --git a/10/enterprise/Dockerfile b/10/enterprise/Dockerfile
@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

diff --git a/example-compose-files/sq-dce-postgres/docker-compose.yml b/example-compose-files/sq-dce-postgres/docker-compose.yml
@@ -9,6 +9,7 @@ services:
       retries: 3
       start_period: 55s
     image: sonarqube:datacenter-app
+    read_only: true
     depends_on:
       search-1:
         condition: service_healthy
@@ -37,8 +38,11 @@ services:
     volumes:
       - sonarqube_extensions:/opt/sonarqube/extensions
       - sonarqube_logs:/opt/sonarqube/logs
+      - sonarqube_temp:/opt/sonarqube/temp
+      - /opt/sonarqube/data
   search-1:
     image: sonarqube:datacenter-search
+    read_only: true
     hostname: "search-1"
     cpus: 0.5
     mem_limit: 3072M
@@ -55,7 +59,10 @@ services:
       SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
       SONAR_CLUSTER_NODE_NAME: "search-1"
     volumes:
-      - search-data-1:/opt/sonarqube/data
+      - search_data-1:/opt/sonarqube/data
+      - sonarqube_logs:/opt/sonarqube/logs
+      - search_temp-1:/opt/sonarqube/temp
+      - search_logs-1:/opt/sonarqube/logs
     healthcheck:
         test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"';  if [ $? -eq 0 ]; then exit 0; else exit 1; fi
         interval: 25s
@@ -64,6 +71,7 @@ services:
         start_period: 55s
   search-2:
     image: sonarqube:datacenter-search
+    read_only: true
     hostname: "search-2"
     cpus: 0.5
     mem_limit: 3072M
@@ -80,7 +88,10 @@ services:
       SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
       SONAR_CLUSTER_NODE_NAME: "search-2"
     volumes:
-      - search-data-2:/opt/sonarqube/data
+      - search_data-2:/opt/sonarqube/data
+      - sonarqube_logs:/opt/sonarqube/logs
+      - search_temp-2:/opt/sonarqube/temp
+      - search_logs-2:/opt/sonarqube/logs
     healthcheck:
         test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"';  if [ $? -eq 0 ]; then exit 0; else exit 1; fi
         interval: 25s
@@ -89,6 +100,7 @@ services:
         start_period: 55s
   search-3:
     image: sonarqube:datacenter-search
+    read_only: true
     hostname: "search-3"
     cpus: 0.5
     mem_limit: 3072M
@@ -105,7 +117,10 @@ services:
       SONAR_CLUSTER_ES_HOSTS: "search-1,search-2,search-3"
       SONAR_CLUSTER_NODE_NAME: "search-3"
     volumes:
-      - search-data-3:/opt/sonarqube/data
+      - search_data-3:/opt/sonarqube/data
+      - sonarqube_logs:/opt/sonarqube/logs
+      - search_temp-3:/opt/sonarqube/temp
+      - search_logs-3:/opt/sonarqube/logs
     healthcheck:
         test: wget --no-proxy -qO- "http://$$SONAR_CLUSTER_NODE_NAME:9001/_cluster/health?wait_for_status=yellow&timeout=50s" | grep -q -e '"status":"green"' -e '"status":"yellow"';  if [ $? -eq 0 ]; then exit 0; else exit 1; fi
         interval: 25s
@@ -150,8 +165,15 @@ networks:
 volumes:
   sonarqube_extensions:
   sonarqube_logs:
-  search-data-1:
-  search-data-2:
-  search-data-3:
+  search_logs-1:
+  search_logs-2:
+  search_logs-3:
+  search_data-1:
+  search_data-2:
+  search_data-3:
+  search_temp-1:
+  search_temp-2:
+  search_temp-3:
+  sonarqube_temp:
   postgresql:
   postgresql_data:
diff --git a/example-compose-files/sq-with-h2/docker-compose.yml b/example-compose-files/sq-with-h2/docker-compose.yml
@@ -1,13 +1,16 @@
 services:
   sonarqube:
     image: sonarqube:community
+    read_only: true
     volumes:
       - sonarqube_data:/opt/sonarqube/data
       - sonarqube_extensions:/opt/sonarqube/extensions
       - sonarqube_logs:/opt/sonarqube/logs
+      - sonarqube_temp:/opt/sonarqube/temp
     ports:
       - "9000:9000"
 volumes:
   sonarqube_data:
   sonarqube_extensions:
-  sonarqube_logs:
+  sonarqube_logs:
+  sonarqube_temp:
diff --git a/example-compose-files/sq-with-postgres/docker-compose.yml b/example-compose-files/sq-with-postgres/docker-compose.yml
@@ -3,6 +3,7 @@ services:
     image: sonarqube:community
     hostname: sonarqube
     container_name: sonarqube
+    read_only: true
     depends_on:
       db:
         condition: service_healthy
@@ -14,6 +15,7 @@ services:
       - sonarqube_data:/opt/sonarqube/data
       - sonarqube_extensions:/opt/sonarqube/extensions
       - sonarqube_logs:/opt/sonarqube/logs
+      - sonarqube_temp:/opt/sonarqube/temp
     ports:
       - "9000:9000"
   db:
@@ -35,6 +37,7 @@ services:
 
 volumes:
   sonarqube_data:
+  sonarqube_temp:
   sonarqube_extensions:
   sonarqube_logs:
   postgresql: