How to reload certificates inside a container

garlicbread · April 11, 2023, 10:13am

Version 9.9.0.65466, Docker

I want to update my cacerts in the sonarqube docker container. In order to reduce downtime, I´d like to avoid a restart of the container and prefer to restart or - even better - to reload the web server configuration.

carmine.vassallo · April 14, 2023, 1:38pm

Hi @garlicbread,

thanks for your question and interest in the community. We doubt that dynamic reloading of certificates can be advised as a good practice (considering that we run as non-root user), but we would like to know more about your use case before giving our opinion to your question.

Can you please tell us more about your docker deployment?

Do you use a docker-compose file? If yes, can you share it with us?
Do you use just run our docker image? Can you tell us how?

Regards,
Carmine

garlicbread · April 25, 2023, 7:07am

Hello Carmine,
Sorry, for my late reply, due to a sick leave last week.
Yes, I do use docker-compose.

version: '3.8'

services:
        sonar-enterprise:
                container_name: sonar-enterprise
                image: docker.compi.com/sonarqube:9.9.0-enterprise
                restart: unless-stopped
                build: .
                volumes:
                        - /xxxx/:/opt/sonarqube/conf/:z
                        - /yyyy/:/opt/sonarqube/logs/:z
                ports:
                        - 9161:9000
                        - 8613:9092
                environment:
                        RSG_SONAR_WEB_JavaOpts: " -Xmx8192M -XX:MaxMetaspaceSize=1024m -XX:+HeapDumpOnOutOfMemoryError -server"
                        RSG_SONAR_WEB_JavaAdditionalOpts: "-Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djavax.net.ssl.trustStore=//sonarq/conf/cert -Djavax.net.ssl.trustStorePassword=xxxx -Dhttp.proxyHost=web.compi.com -Dhttp.proxyPort=7090 -Dhttps.proxyHost=web.compi.com -Dhttps.proxyPort=7090 -Dhttp.nonProxyHosts=\"localhost|192.12.218.*|sc.compi.com|*github.com|svn.compi.com\""
                        RSG_SONAR_WEB_CONTEXT: "/sonar"
                        RSG_SONAR_SECURITY_LOCAL_USERS: "fritz,franz,ferdinand"
                env_file:
                        - vault.env

My purpose is to reduce the downtime, because we have many dependent applications accessing sonarqube 24/7. Are there any arguments in favour of restarting the whole container instead of reloading the certificate, aside from the potential fact, that there is no interface provided to perform a reload.
Thanks for your support.

carmine.vassallo · May 5, 2023, 1:14pm

Hi @garlicbread,

thanks for sharing your compose file. We do confirm that you have to restart the container to reload the certificate. We would probably need to define a custom Truststore class inside the SQ app to let it reload certificates on the fly and this could bring security issues.

How big is the downtime required to restart the container in your case? Do you persist Elasticsearch data? It should be quite fast (~1m)…