How to reload certificates inside a container

Version 9.9.0.65466, Docker

I want to update my cacerts in the sonarqube docker container. In order to reduce downtime, I'd like to avoid a restart of the container and prefer to restart or - even better - to reload the web server configuration.

Hi @garlicbread,

thanks for your question and interest in the community. We doubt that dynamic reloading of certificates can be advised as a good practice (considering that we run as non-root user), but we would like to know more about your use case before giving our opinion to your question.

Can you please tell us more about your docker deployment?

  • Do you use a docker-compose file? If yes, can you share it with us?
  • Do you just run our docker image? Can you tell us how?

Regards,
Carmine


Hello Carmine,
Sorry for my late reply, due to sick leave last week.
Yes, I do use docker-compose.

version: '3.8'

services:
        sonar-enterprise:
                container_name: sonar-enterprise
                image: docker.compi.com/sonarqube:9.9.0-enterprise
                restart: unless-stopped
                build: .
                volumes:
                        - /xxxx/:/opt/sonarqube/conf/:z
                        - /yyyy/:/opt/sonarqube/logs/:z
                ports:
                        - 9161:9000
                        - 8613:9092
                environment:
                        RSG_SONAR_WEB_JavaOpts: " -Xmx8192M -XX:MaxMetaspaceSize=1024m -XX:+HeapDumpOnOutOfMemoryError -server"
                        RSG_SONAR_WEB_JavaAdditionalOpts: "-Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djavax.net.ssl.trustStore=//sonarq/conf/cert -Djavax.net.ssl.trustStorePassword=xxxx -Dhttp.proxyHost=web.compi.com -Dhttp.proxyPort=7090 -Dhttps.proxyHost=web.compi.com -Dhttps.proxyPort=7090 -Dhttp.nonProxyHosts=\"localhost|192.12.218.*|sc.compi.com|*github.com|svn.compi.com\""
                        RSG_SONAR_WEB_CONTEXT: "/sonar"
                        RSG_SONAR_SECURITY_LOCAL_USERS: "fritz,franz,ferdinand"
                env_file:
                        - vault.env

My purpose is to reduce the downtime, because we have many dependent applications accessing sonarqube 24/7. Are there any arguments in favour of restarting the whole container instead of reloading the certificate, aside from the potential fact that there is no interface provided to perform a reload?
Thanks for your support.

Hi @garlicbread,

thanks for sharing your compose file. We do confirm that you have to restart the container to reload the certificate. We would probably need to define a custom Truststore class inside the SQ app to let it reload certificates on the fly and this could bring security issues.

How big is the downtime required to restart the container in your case? Do you persist Elasticsearch data? It should be quite fast (~1m)…
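The procedure the thread converges on (update the truststore the compose file mounts into the container, then restart the service) as an added example, written for this page and not part of the thread or of SonarQube's own tooling. It imports a CA certificate into the truststore with keytool, keeps a backup for rollback, restarts the compose service and polls /api/system/status to measure how long the web API is away, which answers the "how big is the downtime" question with a number. It assumes the host directory mounted at /opt/sonarqube/conf (/xxxx in the compose file) contains the truststore file, that keytool, curl and docker compose are available on the host, and that the API is reachable through the published port 9161 under the /sonar context; the variable names, the default paths and the TRUSTSTORE_PASS environment variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA into the mounted truststore,
# restart the SonarQube compose service and measure the resulting downtime.
# Every path, name and port below is an assumption; override via environment.
set -eu

HOST_CONF_DIR="${HOST_CONF_DIR:-/xxxx}"            # host side of the /opt/sonarqube/conf mount
TRUSTSTORE="${TRUSTSTORE:-$HOST_CONF_DIR/cert}"    # assumed truststore file inside that directory
SERVICE="${SERVICE:-sonar-enterprise}"             # compose service name from the thread
STATUS_URL="${STATUS_URL:-http://localhost:9161/sonar/api/system/status}"
POLL_SECONDS=5
MAX_WAIT=600

# Extract the "status" field from the JSON that /api/system/status returns
# (pure shell, so no jq dependency on the host). Prints nothing on non-JSON input.
status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# True only when the web server reports UP (STARTING, DOWN, RESTARTING, ... count as not ready).
is_up() {
    [ "$(status_from_json "$1")" = "UP" ]
}

# Import (or replace) one PEM certificate under an alias, keeping a timestamped backup
# first so the previous truststore can be put back if the restart goes wrong.
# The store password is read from TRUSTSTORE_PASS via keytool's -storepass:env form,
# so it never appears in the process list.
import_ca() {
    alias_name=$1
    pem_file=$2
    cp -p "$TRUSTSTORE" "$TRUSTSTORE.bak.$(date +%Y%m%d%H%M%S)"
    if keytool -list -keystore "$TRUSTSTORE" -storepass:env TRUSTSTORE_PASS \
            -alias "$alias_name" >/dev/null 2>&1; then
        keytool -delete -keystore "$TRUSTSTORE" -storepass:env TRUSTSTORE_PASS -alias "$alias_name"
    fi
    keytool -importcert -noprompt -keystore "$TRUSTSTORE" -storepass:env TRUSTSTORE_PASS \
        -alias "$alias_name" -file "$pem_file"
}

# Restart the container and print the number of seconds until the API reports UP again.
restart_and_measure() {
    started=$(date +%s)
    docker compose restart "$SERVICE"
    waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        body=$(curl -fsS "$STATUS_URL" 2>/dev/null || true)
        if is_up "$body"; then
            echo $(( $(date +%s) - started ))
            return 0
        fi
        sleep "$POLL_SECONDS"
        waited=$((waited + POLL_SECONDS))
    done
    echo "service did not report UP within ${MAX_WAIT}s" >&2
    return 1
}

# Only act when explicitly asked: ./reload-ca.sh reload <alias> <cert.pem>
# Sourcing or running the file without arguments just defines the functions.
if [ "${1:-}" = "reload" ]; then
    : "${TRUSTSTORE_PASS:?export the truststore password in TRUSTSTORE_PASS}"
    import_ca "$2" "$3"
    downtime=$(restart_and_measure)
    echo "new CA imported; web API back after ${downtime}s"
fi
```

The restart step is unavoidable for the reason the answer gives: the JVM reads the file named by -Djavax.net.ssl.trustStore when its default SSL context is initialised and does not watch it afterwards. What the script adds is the operational hygiene around that restart: a backup to roll back to, an import that is idempotent for a given alias, the password kept out of the command line, and a measured downtime figure to compare against the ~1m the answer estimates.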