Run SonarQube on OCI: 10 minutes to get going using a Docker container on an always free VM

In this article I want to describe how I run a SonarQube instance (that I intend to use from my automated CI/CD pipeline) on OCI, using a simple VM and a simple Docker container image. The VM gets a public IP address and I need to SSH into it in order to install Docker and run the SonarQube image. Note: SonarQube is a static code analysis and review tool that detects bugs, vulnerabilities and code smells in code written in one of the 20+ supported languages. There are multiple editions of SonarQube; in this article I work with the popular Community Edition, which is free and open source.

Steps

  1. Get yourself an OCI Tenancy (could be a free trial);
  2. Create a Compute instance with an always free shape; download the generated SSH keys and write down the public IP assigned to the VM
  3. Create an NSG (Network Security Group) associated with the VNIC of the VM and set up an ingress rule that opens the port required for SonarQube
  4. SSH into the VM, install Docker
  5. Run Docker Container Image for SonarQube
  6. Access the service provided by the container image at the public IP address of the VM: have some code analyzed
  7. (in a follow up article) integrate SonarQube in CI/CD pipelines

Steps in more detail:

2. Create a Compute instance, save the generated SSH key and write down the public IP assigned to the VM


Select the desired Compartment context and click on Create Instance.

I have accepted mostly default values. I defined the name for the instance, docker-vm, and selected a pre-existing compartment. I have selected an existing virtual network and a public subnet within that network. I have also indicated that I want a public IP address to be assigned. You can also easily request a new VCN and subnet to be created for this VM to join, and you can easily change the shape or image for the VM.

I will configure the networking security after I create the VM.

I want OCI to generate an SSH key pair, and I have made sure to download the keys (especially the private key: there is no way to retrieve it later, once the VM has been created).

I do not feel the need for any additional changes to the default values, so I am ready to create the VM.

After pressing Create, OCI presents an overview of the creation process that is currently in progress.

3. Create an NSG for the VM’s VNIC with proper ingress rules for SonarQube


Open the page for the VCN with which the VM is associated. Click on the Network Security Groups section and press the Create Network Security Group button.


Edit the properties of the NSG: first the name, then the ingress rule.

Source CIDR is set to 0.0.0.0/0; together with a blank Source Port Range (i.e. All) this means that the rule applies to any client. The protocol is TCP, all source ports are allowed and the destination port is limited to port 9000 (it could be any other port, as long as we map it to port 9000 in the Docker container). Be aware that 0.0.0.0/0 puts the SonarQube login page on the public internet. For anything beyond a quick experiment, narrow the source CIDR to the address ranges of your workstation and your CI runners, and change the password of the built-in admin account (which ships with the well-known default admin/admin) the first time you log in.

Click on Create.

Next, we want to associate the VM's primary VNIC with this new NSG, which should allow traffic to the VM. Bring up the instance details page for the VM.

Click on the edit link for Network Security Groups in the Primary VNIC section.

A list of NSGs in the VCN is shown. Select the desired one.


Press Save Changes. The NSG and its ingress rule are now associated with the VM's primary VNIC. The subnet's security lists and the VNIC's NSGs are evaluated together (a packet is allowed if either permits it), so network calls to port 9000 on the public IP address of the VM are now allowed through to the VM, where Docker forwards them to the container in which SonarQube is listening.
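The same rule created with the OCI CLI instead of the console, as an added example that is not part of the original article. It restricts the source to an administrator range instead of 0.0.0.0/0 and then attaches the NSG to the VM's primary VNIC. NSG_ID, VNIC_ID and ADMIN_CIDR are placeholders you supply (the OCIDs are shown on the NSG page and the instance's attached VNICs page in the console); 203.0.113.0/24 is only a documentation example range; the two oci invocations follow the OCI CLI reference for oci network nsg rules add and oci network vnic update, so check the option names against your CLI version.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes a configured OCI CLI
# and the NSG_ID / VNIC_ID / ADMIN_CIDR variables described in the lead-in.
set -eu

# Emit the JSON array that 'oci network nsg rules add --security-rules' takes
# for one stateful TCP ingress rule to a single destination port.
# Protocol "6" is TCP; all source ports are allowed, as in the console rule.
nsg_ingress_rule_json() {
  cidr="$1"; port="$2"; desc="$3"
  printf '[{"direction":"INGRESS","protocol":"6","isStateless":false,"source":"%s","sourceType":"CIDR_BLOCK","description":"%s","tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}]' \
    "$cidr" "$desc" "$port" "$port"
}

# Coarse shape check on the source (the CLI validates the CIDR properly).
# The any-source rule from the console walkthrough is refused unless the
# caller sets ALLOW_ANY_SOURCE=1, because it exposes the login page to everyone.
check_source_cidr() {
  case "$1" in
    0.0.0.0/0|::/0)
      [ "${ALLOW_ANY_SOURCE:-0}" = "1" ] && return 0
      return 1 ;;
    *.*.*.*/*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  cidr="${ADMIN_CIDR:?set ADMIN_CIDR to the range allowed to reach port 9000, e.g. 203.0.113.0/24}"
  if ! check_source_cidr "$cidr"; then
    echo "refusing source CIDR '$cidr' (set ALLOW_ANY_SOURCE=1 to open port 9000 to everyone)" >&2
    return 1
  fi
  rules="$(nsg_ingress_rule_json "$cidr" 9000 "SonarQube web UI")"
  # Add the rule to the NSG created in the console (or with 'oci network nsg create').
  oci network nsg rules add --nsg-id "${NSG_ID:?}" --security-rules "$rules"
  # Attach the NSG to the VM's primary VNIC: the 'edit Network Security Groups' step.
  oci network vnic update --vnic-id "${VNIC_ID:?}" --nsg-ids "[\"$NSG_ID\"]"
}

# Usage: ADMIN_CIDR=203.0.113.0/24 NSG_ID=ocid1.networksecuritygroup... VNIC_ID=ocid1.vnic... sh nsg-sonarqube.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

If you do need the wide-open rule for a short test, run it with ALLOW_ANY_SOURCE=1 and remove the rule again afterwards (oci network nsg rules remove).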

4. SSH into the VM and install Docker

ssh opc@public-ip-address -i rsa-private-key-file

Replace public-ip-address with the public IP assigned to the VM and rsa-private-key-file with the path of the downloaded file that contains the SSH private key; opc is the default user on the Oracle Linux image (note: my SSH login failed when the private key file did not have the .pem extension). On Linux or macOS, ssh also refuses a private key file that other users can read, so restrict its permissions (chmod 600) first.

To install Docker into the VM, execute these commands:

sudo yum-config-manager --enable ol7_addons
sudo yum install docker-engine -y
sudo systemctl enable docker
sudo systemctl start docker

Then verify if Docker is running, for example with

sudo docker ps

And run a test container with

sudo docker run hello-world

To run Docker as a non-root user, read these instructions.

5. Run Docker Container Image for SonarQube

On the Docker Hub, you can find the information you need to get started. Because SonarQube uses an embedded Elasticsearch, make sure that your Docker host configuration complies with the Elasticsearch production mode requirements and File Descriptors configuration. By default, the image will use an embedded H2 database that is not suited for production. For a proper environment (not my R&D type of thing) you would need to use volumes mapped into the container to store data outside the ephemeral container.

To make sure my SonarQube will work, I have executed these commands:

sudo sysctl -w vm.max_map_count=262144
sudo sysctl -w fs.file-max=65536

Now this single command suffices to get it going:

sudo docker run -d --restart always --name sonarqube -p 9000:9000 sonarqube

It took close to 90 seconds for the image layers to be downloaded and the container to get started.

A local “curl localhost:9000” returns an HTML document as response, that looks good.

Once it is running, the container itself can be inspected as well (its processes and its log output).
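A start-up script for the VM, added here as an example; it is not the article's command and not SonarQube's own tooling. It does what the commands above do, but in the form a longer-lived instance needs: the two sysctl values are written to /etc/sysctl.d so they survive a reboot (sysctl -w alone does not), SonarQube's data, extensions and logs live in named Docker volumes instead of the container's writable layer, and the script waits until the server's /api/system/status endpoint reports UP before declaring success. The sonarqube_* volume names, the SONAR_* variables and the 99-sonarqube.conf file name are this example's own choices; the image, port and sysctl values are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Run on the OCI VM as
# 'sh sonar-up.sh up'; the functions can also be sourced on their own.
set -eu

SONAR_IMAGE="${SONAR_IMAGE:-sonarqube}"       # same image as the article (assumed name)
SONAR_PORT="${SONAR_PORT:-9000}"
SONAR_URL="http://localhost:${SONAR_PORT}"

# Return 0 when the given kernel values meet the requirements SonarQube
# documents for its embedded Elasticsearch (vm.max_map_count, fs.file-max).
sonar_prereqs_ok() {
  [ "$1" -ge 262144 ] && [ "$2" -ge 65536 ]
}

# Drop-in file content that makes the settings persistent across reboots.
sonar_sysctl_conf() {
  printf 'vm.max_map_count=262144\nfs.file-max=65536\n'
}

# Pull the "status" field out of the JSON that /api/system/status returns,
# e.g. {"id":"...","version":"8.5","status":"UP"} -> UP. Values seen while the
# server comes up include STARTING and DB_MIGRATION_NEEDED; no match -> empty.
sonar_status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

# Poll the status endpoint until the server is UP or the timeout (seconds) expires.
sonar_wait_up() {
  timeout="${1:-300}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    body="$(curl -fsS "$SONAR_URL/api/system/status" 2>/dev/null || true)"
    [ "$(sonar_status_from_json "$body")" = "UP" ] && return 0
    sleep 5; waited=$((waited + 5))
  done
  echo "SonarQube did not report UP within ${timeout}s; check 'sudo docker logs sonarqube'" >&2
  return 1
}

main() {
  if ! sonar_prereqs_ok "$(sysctl -n vm.max_map_count)" "$(sysctl -n fs.file-max)"; then
    sonar_sysctl_conf | sudo tee /etc/sysctl.d/99-sonarqube.conf >/dev/null
    sudo sysctl --system >/dev/null   # apply now; the file is re-applied on every boot
  fi
  for v in data extensions logs; do
    sudo docker volume create "sonarqube_$v" >/dev/null   # idempotent
  done
  sudo docker run -d --restart always --name sonarqube \
    -p "${SONAR_PORT}:9000" \
    -v sonarqube_data:/opt/sonarqube/data \
    -v sonarqube_extensions:/opt/sonarqube/extensions \
    -v sonarqube_logs:/opt/sonarqube/logs \
    "$SONAR_IMAGE"
  sonar_wait_up 300
  echo "SonarQube is UP on $SONAR_URL; log in and change the default admin password now."
}

if [ "${1:-}" = "up" ]; then main; fi
```

The named volumes keep projects, tokens and installed plugins across container re-creation, but they do not change the fact that the embedded H2 database is meant for evaluation only; a production instance should point the image at an external PostgreSQL through its SONAR_JDBC_URL, SONAR_JDBC_USERNAME and SONAR_JDBC_PASSWORD environment variables.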

6. Access the service provided by the container image at the public IP address of the VM: have some code analyzed

Eventually the SonarQube home page appears in the browser at http://<public IP of the VM>:9000 (the first start takes a while, because the embedded Elasticsearch has to come up before the web UI is served). Log in with the built-in admin account, which ships with the well-known default password admin, and change that password right away: with the NSG rule above, this login page is reachable from the whole internet.

7. First very simple steps in SonarQube


Check out, for example, the rules for JavaScript, and the rationale given for the rule against the with statement.

To scan a code base:

  • create a project in SonarQube
  • download scanner to your local environment
  • configure the remote SonarQube server (the Docker VM on OCI) with the scanner
  • run the scanner locally on the local code base ; the results are submitted to the SonarQube server and can be inspected in the Web UI

Create a SonarQube project and generate a token for it; the scanner uses this token to authenticate to the SonarQube server when it uploads its results. Enter a name for the token and generate it. The token is shown only once, so save it for later use with the scanner.

Indicate characteristics for the project technology and the environment in which you want to run the scanner (in my case, my Windows laptop), then press the Download button to download the scanner for that platform. For Windows, I get a Zip file; I extract the contents to the local directory c:\research.

Edit the file sonar-scanner.properties in the conf directory and set the value of the sonar.host.url property to the address of the server (http://<public IP of the VM>:9000). Add the bin directory to the Windows PATH environment variable. To verify that the installation and configuration are valid, I can run sonar-scanner.bat -h.

Now I can run scans in any directory tree with, for example, Node.js applications, and send the results to the SonarQube server. In the root of such a tree I should create a file called sonar-project.properties that contains a property called sonar.projectKey. The value of this property should correspond to the project in the SonarQube server, in my case my-first-sonarqube-project.
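An example sonar-project.properties for such a Node.js tree, added here; it is not the author's file. The project key is the one created above; sonar.sources, the exclusions and the project name are this example's additions (the node_modules and coverage exclusions keep third-party and generated code out of the analysis).

```properties
# sonar-project.properties in the root of the code base (added example)
sonar.projectKey=my-first-sonarqube-project
sonar.projectName=My first SonarQube project
sonar.sources=.
sonar.exclusions=**/node_modules/**,**/coverage/**
# sonar.host.url may be set here instead of in conf/sonar-scanner.properties:
# sonar.host.url=http://<public IP of the VM>:9000
# Deliberately absent: the token. Pass it on the command line instead.
```

Keep the token out of this file, which tends to end up in version control: put it in an environment variable and hand it to the scanner on the command line, on Windows set SONAR_TOKEN=<token> followed by sonar-scanner -Dsonar.login=%SONAR_TOKEN% (sonar.login is the property name in the scanner versions current when this article was written; newer scanners call it sonar.token).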

I can start the analysis on the command line simply by typing sonar-scanner.

It took about one and a half minutes for the analysis to complete.

The results have been uploaded to the SonarQube server and should now be visible in the browser.


Wow. No issues, just one warning. To be honest: the project contained very little code of my own. And I am not even sure which rules were checked. But still. Better green than orange or red.

The code that was scanned can be inspected line by line in the SonarQube dashboard. Pretty awesome. And very useful if there were real issues.

Let’s introduce a code smell. Then scan again.

After making some changes to the code, introducing deliberate violations of some of the rules, I scanned again.

This second time the code analysis only takes 31 seconds.

The results are clear: my project went from green to red.

Drilling down on the details shows exactly which rules were violated, and where.

I have undone all changes. The result of the rescan shows my return to normal:


Next steps

Resources

OCI Documentation on NSG (Network Security Group): https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm?Highlight=nsg

My earlier article on running a(ny) Docker Container image on an always free VM on OCI was a useful guide.

Yashint’s article on running SonarQube in a Docker Container (and going through the first explorations) was also helpful.

My next step will involve Visual Builder Studio’s Build pipelines that can make use of an external SonarQube server for code analysis, as is described here.

The site for SonarQube is here. Here are the instructions in the SonarQube documentation on the Docker container image.

Originally published at https://technology.amis.nl on October 14, 2020.

Lucas Jellema is solution architect and CTO at AMIS, The Netherlands. He is Oracle ACE Director, Groundbreaker Ambassador, JavaOne Rockstar and programmer
