SonarQube 9.1 Developer Edition Docker on ECS/Fargate tries to run elasticsearch as root (& fails)

  • Product: SonarQube Docker container (sonarqube:developer)
  • I’m attempting to run SonarQube 9.1 Developer Edition on an AWS ECS/Fargate cluster
  • I have the SonarQube community version (sonarqube:community) running fine. However, when I change only the tag in my Dockerfile from “community” to “developer”, I get a “java.lang.RuntimeException: can not run elasticsearch as root.” exception. The “solutions” that I’ve found involve editing the sonar.sh file, which in a docker environment really isn’t a great idea.

Any suggestions?

I’ve trimmed down my Dockerfile to the bare minimum:

FROM sonarqube:developer

# Dependency-Check Plugin Installation

RUN mkdir -p /usr/local/sonarqube/dependency-check
COPY ./plugins/sonar-dependency-check-plugin-3.0.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/
RUN echo "sonar.dependencyCheck.jsonReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.json" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.htmlReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.html" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.blocker=9.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.critical=7.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.major=5.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.minor=3.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.summarize=true" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.securityHotspot=true" >> /opt/sonarqube/conf/sonar.properties

RUN chmod -R o+x /opt/sonarqube/extensions/plugins/
RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/
ENTRYPOINT ["/opt/sonarqube/bin/run.sh"]
CMD ["/opt/sonarqube/bin/sonar.sh"]

Hi @davewolfusa ,

What did you change? There is a drop of privileges already defined in the run.sh here, so the real question is why this drop of privileges is not working for you.

I’ve not changed anything other than “FROM sonarqube:community” to “sonarqube:developer”; my Dockerfile is as above, see the attached image of my ECS Task.

BTW, when I wrote “solutions found” above, I was only referring to solutions found via Google searches, not implemented.

Can you post the complete output of the logs resulting in the described error? The privileges get dropped when the container is started as root.

You can also start the container as a non-privileged user (the sonarqube user has id 1000). That the privileges are dropped in the run.sh is a precautionary mechanism and is not required by SonarQube to run.

Unfortunately, it doesn’t appear that specifying the Privileged parameter is available for Fargate, see the attached image:

That said, I created a new ECS Task with the sonarqube:developer image and according to the logs, the app is starting, but when I attempt to access from the public IP, I can’t connect. I can only guess that one of the environment parameters was somehow causing the user as root issue.

AWS Logfile.log (34.9 KB)

Ugh! I went back to the Task definition that uses my Dockerfile (unchanged from above); it is still resulting in the root user failure.
Scenarios:

  • Using my Dockerfile (with plugin configuration) that uses (FROM) sonarqube:community, works.
  • Using the sonarqube:developer image, works.
  • Using my Dockerfile (with plugin configuration) that uses (FROM) sonarqube:developer, does not work (throws the user as root exception).

Any ideas?

If you are using your own Dockerfile anyway, you can drop the privileges in there too:

FROM sonarqube:developer

RUN mkdir -p /usr/local/sonarqube/dependency-check
COPY ./plugins/sonar-dependency-check-plugin-3.0.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/
RUN echo "sonar.dependencyCheck.jsonReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.json" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.htmlReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.html" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.blocker=9.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.critical=7.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.major=5.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.minor=3.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.summarize=true" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.securityHotspot=true" >> /opt/sonarqube/conf/sonar.properties

RUN chmod -R o+x /opt/sonarqube/extensions/plugins/
RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/

# Run the remaining layers and the container itself as the unprivileged sonarqube user
USER sonarqube

Also, you don’t need to overwrite CMD and ENTRYPOINT with the same values as the base image.

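A static check of the kind that would have flagged the difference between the two Dockerfiles in this thread, added here as an example (it is not SonarQube's code nor part of the forum answer). It reports the user the final image stage will run as, and assumes the base image itself starts as root, which holds for the sonarqube image because run.sh drops privileges at runtime rather than the image setting a USER.

```python
"""Report the effective USER of a Dockerfile's final stage (added example)."""

ROOT_NAMES = {"root", "0"}


def _instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line
    continuations and skipping comments and blank lines."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def effective_user(dockerfile: str) -> str:
    """User the final stage runs as.

    Each FROM starts a new stage that inherits the base image's user;
    this check ASSUMES the base runs as root (true for sonarqube:*, which
    drops privileges in run.sh at runtime instead). 'user:group' and
    numeric UIDs are accepted; the group part is ignored.
    """
    user = "root"
    for instr, arg in _instructions(dockerfile):
        if instr == "FROM":
            user = "root"  # a USER from an earlier stage does not carry over
        elif instr == "USER":
            user = arg.split(":", 1)[0].strip()
    return user


def runs_as_root(dockerfile: str) -> bool:
    """True when the image has no effective non-root USER."""
    return effective_user(dockerfile) in ROOT_NAMES


# Constructed samples, trimmed from the two Dockerfiles in the thread.
BROKEN = ("FROM sonarqube:developer\n"
          "RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/\n"
          'ENTRYPOINT ["/opt/sonarqube/bin/run.sh"]\n')
FIXED = BROKEN + "USER sonarqube\n"

if __name__ == "__main__":
    print("BROKEN runs as", effective_user(BROKEN), "| FIXED runs as", effective_user(FIXED))
```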

Oh great, Thank you! I’m flying today, I’ll give it a go tonight.

Hi Tobias,

That worked! Thanks for your help! I’ll mark that as a solution.

Cheers,
Dave
