Hi all, our infosec team has a Windows Defender finding that says no containerized apps must run as root. One of the last remaining apps is SonarQube, and we wanted to validate whether it is possible to run SonarQube 10.2 without root, or whether there are newer versions that can do this, and, if it cannot be done, understand what components require it.
which versions are you using: SonarQube Server 10.2.1.78527
how is SonarQube deployed: Helm
what are you trying to achieve: Understand if it is possible to run SonarQube without root access
what have you tried so far to achieve this: largely research so far, but have not found a conclusive answer.
Hello @McCranium, thanks a lot for participating in the community.
Are you installing SonarQube Server with Helm or with bare Docker?
In any case, the Docker image runs without root permissions by default starting from 9.9 (I’ll have to double check, this is from memory) and can even run with any UID now with the latest version. (Any UID is pushed by OpenShift to ensure images can run with a random UID at runtime, please see the doc here.)
Nonetheless we still have elasticsearch bundled in SonarQube Server, and elasticsearch has strict kernel requirements.
Based on this, before running the rootless Docker image, you might need to change, or ask administrators to change, some kernel parameters.
Side note: if you are running SonarQube Server with Helm, we have some special initContainers that might run as root in order to do the operation I was describing above; more details on Helm here.
Thanks a lot, let me know if you have some more questions.
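Added example, not part of the thread and not code from the SonarQube chart: a small audit that lists which containers and initContainers in a pod spec can still run as root, which is how a rootless main container next to root initContainers shows up in a scan. The pod spec, container names and values below are constructed for illustration; in practice the input would be the JSON of the deployed pod.

```python
import json

# Constructed pod spec (shape of `kubectl get pod -o json`); container names
# and values are illustrative, not taken from the SonarQube Helm chart.
SAMPLE_POD = json.loads("""
{
  "spec": {
    "securityContext": {"fsGroup": 0},
    "initContainers": [
      {"name": "init-sysctl",
       "securityContext": {"privileged": true, "runAsUser": 0}}
    ],
    "containers": [
      {"name": "sonarqube",
       "securityContext": {"runAsNonRoot": true, "runAsUser": 1000}},
      {"name": "example-sidecar"}
    ]
  }
}
""")


def effective(field, container_sc, pod_sc):
    """Container-level securityContext overrides the pod-level value."""
    return container_sc.get(field, pod_sc.get(field))


def audit_pod(pod):
    """Return (kind, name, reason) for every container that may run as root."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            uid = effective("runAsUser", sc, pod_sc)
            non_root = effective("runAsNonRoot", sc, pod_sc)
            if sc.get("privileged"):
                reason = "privileged"
            elif uid == 0:
                reason = "runAsUser is 0"
            elif uid is None and not non_root:
                reason = "uid not pinned; image default user applies"
            else:
                continue
            findings.append((kind, c["name"], reason))
    return findings


if __name__ == "__main__":
    for kind, name, reason in audit_pod(SAMPLE_POD):
        print(f"{kind}/{name}: {reason}")
```

A container with no pinned UID is reported because the image's default user then decides whether it runs as root.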