I’m attempting to run SonarQube 9.1 Developer Edition on an AWS ECS/Fargate cluster.
I have the SonarQube community version (sonarqube:community) running fine. However, when I change only the tag in my Dockerfile from “community” to “developer”, I get a “java.lang.RuntimeException: can not run elasticsearch as root.” exception. The “solutions” that I’ve found involve editing the sonar.sh file, which in a docker environment really isn’t a great idea.
Any suggestions?
I’ve trimmed down my Dockerfile to the bare minimum:
FROM sonarqube:developer
# Dependency-Check Plugin Installation
RUN mkdir -p /usr/local/sonarqube/dependency-check
COPY ./plugins/sonar-dependency-check-plugin-3.0.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/
RUN echo "sonar.dependencyCheck.jsonReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.json" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.htmlReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.html" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.blocker=9.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.critical=7.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.major=5.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.minor=3.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.summarize=true" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.securityHotspot=true" >> /opt/sonarqube/conf/sonar.properties
RUN chmod -R o+x /opt/sonarqube/extensions/plugins/
RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/
ENTRYPOINT ["/opt/sonarqube/bin/run.sh"]
CMD ["/opt/sonarqube/bin/sonar.sh"]
What did you change? There is a drop of privileges already defined in the run.sh here, so the real question is why this drop of privileges is not working for you.
I’ve not changed anything other than “FROM sonarqube:community” to “sonarqube:developer”. My Dockerfile is as above; see the attached image of my ECS Task.
Can you post the complete output of the logs resulting in the described error? The privileges get dropped when the container is started as root.
You can also start the container as a non-privileged user (the sonarqube user has id 1000). That the privileges are dropped in the run.sh is a precautionary mechanism and is not required by SonarQube to run.
That said, I created a new ECS Task with the sonarqube:developer image and according to the logs, the app is starting, but when I attempt to access from the public IP, I can’t connect. I can only guess that one of the environment parameters was somehow causing the user as root issue.
If you are using your own Dockerfile anyway, you can drop the privileges in there too:
FROM sonarqube:developer
RUN mkdir -p /usr/local/sonarqube/dependency-check
COPY ./plugins/sonar-dependency-check-plugin-3.0.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/
RUN echo "sonar.dependencyCheck.jsonReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.json" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.htmlReportPath=/usr/local/sonarqube/dependency-check/dependency-check-report.html" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.blocker=9.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.critical=7.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.major=5.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.severity.minor=3.0" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.summarize=true" >> /opt/sonarqube/conf/sonar.properties
RUN echo "sonar.dependencyCheck.securityHotspot=true" >> /opt/sonarqube/conf/sonar.properties
RUN chmod -R o+x /opt/sonarqube/extensions/plugins/
RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/
USER sonarqube
Also, you don’t need to overwrite CMD and ENTRYPOINT with the same values as the base image.
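
A quick way to confirm that a Dockerfile like the ones in this thread ends on a non-root user, given here as an added example that is not part of the thread or of SonarQube's own scripts. The function names `effective_user` and `runs_as_nonroot` are hypothetical, and the two sample files are constructed, shortened versions of the Dockerfiles above.

```shell
#!/bin/sh
# Added example (not SonarQube's run.sh): which user does a Dockerfile end up as?
# Assumption: with no USER directive the stage inherits the base image's user,
# which cannot be read from the Dockerfile, so that case prints "inherited".

# Print the last USER value of the final build stage, or "inherited".
effective_user() {
    awk '
        { kw = toupper($1) }
        kw == "FROM" { user = "" }    # each new stage starts from its base image
        kw == "USER" { user = $2 }    # the last USER in a stage wins
        END { if (user == "") print "inherited"; else print user }
    ' "$1"
}

# Succeed only when the final stage explicitly names a non-root user.
runs_as_nonroot() {
    u=$(effective_user "$1")
    case "${u%%:*}" in                # ignore an optional :group suffix
        inherited|root|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed samples, shortened from the two Dockerfiles in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' 'FROM sonarqube:developer' \
    'RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/' \
    > "$demo_dir/Dockerfile.question"
printf '%s\n' 'FROM sonarqube:developer' \
    'RUN chown -R sonarqube:sonarqube /opt/sonarqube/extensions/plugins/' \
    'USER sonarqube' \
    > "$demo_dir/Dockerfile.answer"

for f in "$demo_dir"/Dockerfile.*; do
    if runs_as_nonroot "$f"; then
        echo "${f##*/}: USER $(effective_user "$f") (non-root)"
    else
        echo "${f##*/}: USER $(effective_user "$f") (root or unknown)"
    fi
done
```

This inspects only the image definition; the `user` setting of an ECS container definition can still override it at run time, so check the task definition as well.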