It is every developer’s dream to have clean, bug-free code that can be easily deployed in staging and production environments. A tool that can help you achieve this is in your CI / CD pipeline: SonarQube. SonarQube is a cross-platform, web-based tool for continuous review of the source code. It’s written in Java. SonarQube allows you to write cleaner, safer code by reviewing the code and identifying errors and other inconsistencies.
SonarQube can be integrated with platforms such as GitHub, Gitlab, BitBucket, and Azure DevOps, to name a few. It is available in different editions, including Community, Developer, Enterprise, and Datacenter editions.
In this tutorial we will learn how to install SonarQube on Ubuntu 20.04. We are going to install the Community Edition as it is free to download and the SSL certificate (https) can be activated with Let’s Encrypt by setting Nginx as the reverse proxy.
requirements
Before starting, make sure you meet the following requirements:
- Ubuntu 20.04 LTS with a configured sudo user.
- Make sure your system has at least 4 GB of RAM and 2 vCPU cores
You need to install some tools
$ sudo apt update $ sudo apt install net-tools unzip vim curl
You also need to increase the virtual memory kernel
$ sudo sysctl -w vm.max_map_count=262144
with the maximum number of open files
$ sudo sysctl -w fs.file-max=65536
and the resource limits
$ ulimit -n 65536
$ ulimit -u 4096
You can make the changes permanent by changing the system parameters in the configuration file /etc/sysctl.conf
$ sudo vim /etc/sysctl.conf
Add the following lines.
vm.max_map_count=262144 fs.file-max=65536 ulimit -n 65536 ulimit -u 4096
Save and close. Then open the limits.conf file
$ sudo vim /etc/security/limits.conf
At the very bottom, add the following lines
sonarqube - nofile 65536 sonarqube - nproc 4096
Save and close. Restart your server for the changes to take effect.
Step 1: Install OpenJDK
Since SonarQube is written in Java, it depends on Java to work. We are going to install OpenJDK 11 which provides Java.
$ sudo apt install openjdk-11-jdk
After the installation, you can check the Java version.
$ java -version
Step 2: Install the PostgreSQL database
As of 2016, SonarQube stopped supporting MySQL and now only supports PostgreSQL. Hence we need to install the PostgreSQL database.
First, download and add the PostgreSQL GPG key.
$ wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
Then add the PostgreSQL repository.
$ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
Then update the package index to synchronize the new repository.
$ sudo apt update
After you’ve updated the package lists, install the PostgreSQL database and its dependencies.
$ sudo apt install postgresql postgresql-contrib
By default, the PostgreSQL service starts after installation, if it doesn’t start, run the following command.
$ sudo systemctl start postgresql
To confirm that everything is running as expected, check the execution status.
$ sudo systemctl status postgresql
You can also confirm the port it is listening on:
$ sudo netstat -pnltu | grep 5432
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 7768/postgres tcp6 0 0 ::1:5432 :::* LISTEN 7768/postgres
Enable PostgreSQL to start automatically at boot:
$ sudo systemctl enable postgresql
So far our PostgreSQL has been running without any problems.
Step 3: configure PostgreSQL
In the following we will set the password for the Postgres user, which is normally used by default when installing PostgreSQL. To do this, run the command:
$ sudo passwd postgres
Enter the password and confirm it. Next, switch to the Postgres user.
$ su - postgres
Next, go ahead and create a new database user.
$ createuser sonar
When you’re done, switch to the PostgreSQL prompt with the command:
$ psql
With access to the PostgreSQL shell, create a password for the user you just created.
ALTER USER sonar WITH ENCRYPTED PASSWORD 'strong_password';
Next, create a SonarQube database with the user you created as the owner
CREATE DATABASE sonarqube OWNER sonar;
Then assign all permissions to the database usage or grant them so that they have all permissions to modify the database.
GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;
Now exit the database.
q
Step 4: Download and Configure SonarQube
Next, we’re going to download the latest binary ZIP file from SonarQube. Currently, the latest version of the Community Edition, which is a Long Term Service (LTS) version, is SonarQube version 9.0.1. You can too SonarQube download page for the latest downloads.
To download the zip file, enter the command:
$ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.0.1.46107.zip
Next, unzip the zipped file.
$ unzip sonarqube-9.0.1.46107.zip
And move it to the / opt / path.
$ sudo mv sonarqube-9.0.1.46107 /opt/sonarqube
Step 5: Create a new user and group
Next, we’ll create a new user and group that will run the SonarQube service. So create the group.
$ sudo groupadd sonar
Next, create the user with the home directory on / opt / sonarqube while adding the user to the newly created group.
$ sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar
Then set ownership to the / opt / sonarqube directory.
$ sudo chown -R sonar:sonar /opt/sonarqube/
Step 6: Configure the SonarQube
Now let’s configure SonarQube. Open the SonarQube configuration file.
$ sudo vim /opt/sonarqube/conf/sonar.properties
Find and comment on the following lines
sonar.jdbc.username= sonar.jdbc.password=
These represent the SonarQube database user and password that we created on the PostgreSQL database server. Therefore, enter the values accordingly.
sonar.jdbc.username=sonar_user sonar.jdbc.password=strong_password
Next, modify these lines to look like they are provided
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError
Then modify the following lines so that they appear as they appear.
sonar.web.host=0.0.0.0
sonar.web.port=9000
sonar.web.javaAdditionalOpts=-server
sonar.log.level=INFO
sonar.path.logs=logs
Next, change the user who is running the SonarQube service by editing the file shown.
$ sudo vim /opt/sonarqube/bin/linux-x86-64/sonar.sh
Scroll down and make sure the line below appears as shown.
RUN_AS_USER=sonar
Step 7: Create a systemd service file for SonarQube
Currently, our system has no way of starting the SonarQube service. Hence we need to create a systemd service. To do this, run the command:
$ sudo vim /etc/systemd/system/sonarqube.service
Add the following lines.
[Unit] Description=SonarQube service After=syslog.target network.target [Service] Type=forking ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop User=sonar Group=sonar Restart=always LimitNOFILE=65536 LimitNPROC=4096 [Install] WantedBy=multi-user.target
Save your changes and exit the file.
Enable the SonarQube service to start at boot
$ sudo systemctl enable sonarqube
And start the SonarQube service.
$ sudo systemctl start sonarqube
To make sure the SonarQube service is running, run the command:
$ sudo systemctl status sonarqube
Also make sure port 9000 is open
$ sudo ufw allow '9000'
Rules updated Rules updated (v6)
Check that the service is listening on port 9000
$ sudo netstat -pnltu | grep 9000
tcp6 0 0 :::9000 :::* LISTEN 65140/java
Now you can try to check if you can access the login page by entering the public IP of your server and the port number of your browser, e.g. http: //
Sonarqube will prompt you to update the password to change the default password.
Step 8: install and configure Nginx with SSL (optional)
To access your Sonarqube with an SSL-enabled domain name, you will need to install a reverse proxy such as Nginx. The web server connects to SonarQube as a proxy so developers can access it from a secure domain name.
Installing Nginx is simple and straightforward and can be done with a single command.
$ sudo apt install nginx
Once installed, enable the Nginx web server to start at boot.
$ sudo systemctl enable nginx
And start the service
$ sudo systemctl start nginx
So that the web server recognizes SonarQube, we create a configuration file as shown.
$ sudo vim /etc/nginx/sites-available/sonarqube.conf
Then paste in the provided content.
server {
listen 80;
server_name example.com or SERVER-IP;
access_log /var/log/nginx/sonar.access.log;
error_log /var/log/nginx/sonar.error.log;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
}
}Save and close. Then activate the Sonarqube site:
$ sudo ln -s /etc/nginx/sites-available/sonarqube.conf /etc/nginx/sites-enabled/sonarqube.conf
Check that the configuration is correct
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Then restart the Nginx web server for the changes to take effect.
$ sudo systemctl restart nginx
Now we need to configure the UFW firewall to allow nginx. To do this, run the commands
$ sudo ufw allow 'Nginx Full'
Then reload the firewall for the changes to take effect.
$ sudo ufw --reload
You can now access your SonarQube by its domain name
Here we use the free Let’s Encrypt certificate. To configure this we need to run cerbot for Nginx:
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): alain@websitefortesting.com Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory (A)gree/(C)ancel: A Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. (Y)es/(N)o: N Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Which names would you like to activate HTTPS for? 1: websitefortesting.com Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: http-01 challenge for websitefortesting.com Waiting for verification… Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sonarqube.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sonarqube.conf Congratulations! You have successfully enabled https://websitefortesting.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=websitefortesting.com IMPORTANT NOTES: Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/websitefortesting.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/websitefortesting.com/privkey.pem Your cert will expire on 2021-11-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew" If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s encrypt adds some lines to the Nginx server block file by default.
You should have something like this
server {
server_name websitefortesting.com;
add_header Strict-Transport-Security max-age=2592000;
#rewrite ^ https://$server_name$request_uri? permanent;
access_log /var/log/nginx/sonarqube.access.log;
error_log /var/log/nginx/sonarqube.error.log;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/websitefortesting.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/websitefortesting.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = websitefortesting.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name websitefortesting.com; return 404; # managed by Certbot
}Step 10: Access SonarQube using HTTPS
Now you can securely access SonarQube with an HTTPS URL configured with let’s encrypt.
https://domain-name
After logging in, you will be shown the landing page.
diploma
In this tutorial we learned how to install SonarQube on Ubuntu 20.04. We have activated Sonarqube with SSL with the Let’s Encrypt certificate with Nginx as a reverse proxy.
Discover more from Ubuntu-Server.com
Subscribe to get the latest posts sent to your email.
