Sonarqube container without root?

Hi All, our infosec team has a Windows Defender finding that says no containerized apps must run as root. One of the last remaining apps is SonarQube and we wanted to validate if it is possible to run SonarQube 10.2 without root, or if there are newer versions that can do this, and if it cannot be done, understand what components require it.

  • which versions are you using: SonarQube Server 10.2.1.78527
  • how is SonarQube deployed: Helm
  • what are you trying to achieve: Understand if it is possible to run SonarQube without root access
  • what have you tried so far to achieve this: largely research so far but have not found a conclusive answer.

Hello @McCranium thanks a lot for participating in the community.

Are you installing SonarQube Server with helm or with bare Docker?

In any case, the docker image runs without root permissions by default starting from 9.9 (I’ll have to double check, this is from memory) and can even run with any uid now with the latest version. (Any Uid is pushed by openshift to ensure images can run with random UID at runtime, please see the doc here)

Nonetheless we still have elasticsearch bundled in SonarQube Server, and elasticsearch has strict kernel requirements.

Based on this, before running the rootless docker image, you might need to change, or ask administrators to change, some kernel parameters.

Official SonarQube server documentation
Official elasticsearch documentation

Side note: if you are running SonarQube Server with helm, we have some special initContainers that might run as root in order to do the operation I was describing above, more details on helm here

Thanks a lot, let me know if you have some more questions.

Regards, jeremy.

1 Like
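Added example (not part of the thread and not SonarQube's or the chart's own code): a small audit that separates the main container from the initContainers mentioned in the reply above, reporting which ones in a pod spec would still run as root or privileged. The sample spec is constructed, and its container names and UIDs are assumptions; on a real cluster the input would be the JSON from `kubectl get pod <name> -o json`.

```python
import json

# Constructed sample in the shape `kubectl get pod -o json` returns.
# Container names and UIDs are illustrative assumptions, not chart values.
SAMPLE_POD = json.loads("""
{"spec": {
  "securityContext": {"runAsUser": 1000, "runAsNonRoot": true},
  "initContainers": [
    {"name": "init-sysctl", "securityContext": {"privileged": true, "runAsUser": 0}},
    {"name": "init-fs", "securityContext": {"runAsUser": 0, "runAsNonRoot": false}}
  ],
  "containers": [
    {"name": "sonarqube", "securityContext": {"allowPrivilegeEscalation": false}}
  ]
}}
""")

def audit_pod(pod):
    """Return (kind, name, reasons) per container; empty reasons means non-root."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # Container-level settings override pod-level ones.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            reasons = []
            if sc.get("privileged"):
                reasons.append("privileged")
            if uid == 0:
                reasons.append("runAsUser=0")
            elif uid is None and not non_root:
                reasons.append("UID left to image default, runAsNonRoot not enforced")
            findings.append((kind, c["name"], reasons))
    return findings

def root_containers(pod):
    """List (kind, name) for every container with at least one root-related finding."""
    return [(kind, name) for kind, name, reasons in audit_pod(pod) if reasons]

if __name__ == "__main__":
    for kind, name, reasons in audit_pod(SAMPLE_POD):
        print(f"{kind:15} {name:12} {'; '.join(reasons) or 'non-root'}")
```

On the constructed sample only the two init containers are reported, which is the situation the side note describes: the application container is non-root while short-lived init steps that adjust kernel parameters still need elevated rights.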

Thanks for the reply. It is running as a container on AKS and is deployed from a Helm chart.

Perfect, then you should have no issues running rootless, you can take a further look at this documentation as well as this one

If you have some more questions do not hesitate.

Thanks very much Jeremy! We’re looking into it.