chore: Linting.

Set ES parameters (files, processes...)

.ansible-lint

@@ -1,6 +1,6 @@
 ---
 exclude_paths:
-  - ./molecule
+  # - ./molecule
   - ./.travis.yml
   - ./.github
 parseable: true

.gitignore

@@ -6,10 +6,12 @@ __pycache__
 .molecule
 .cache
 .venv
+.scannerwork
 
 *.iml
 .idea
 .project
+sonar-project.properties
 
 *.pyc
 **/.vscode

.yamllint

@@ -31,3 +31,9 @@ rules:
   new-lines:
     type: unix
   truthy: disable
+  quoted-strings:
+    quote-type: any
+    required: only-when-needed
+  key-ordering: disable
+  document-end:
+    present: false

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [1.1.4](https://git.laurivan.com/Dev/ansible-role-sonarqube/compare/v1.1.3...v1.1.4) (2023-04-29)
+
+### [1.1.3](https://git.laurivan.com/Dev/ansible-role-sonarqube/compare/v1.1.2...v1.1.3) (2023-04-28)
+
+
+### Bug Fixes
+
+* Fix the DB healthcheck to use custom user. ([d509b4e](https://git.laurivan.com/Dev/ansible-role-sonarqube/commit/d509b4e788b40fd15708c721d6af55e68a922966))
+
+### [1.1.2](https://git.laurivan.com/Dev/ansible-role-sonarqube/compare/v1.1.1...v1.1.2) (2023-04-28)
+
+
+### Bug Fixes
+
+* Sudo for limit changes ([f9a9801](https://git.laurivan.com/Dev/ansible-role-sonarqube/commit/f9a98017a3f1d58bf72aa818eb5a0447bcd0b80f))
+
+### [1.1.1](https://git.laurivan.com/Dev/ansible-role-sonarqube/compare/v1.1.0...v1.1.1) (2023-04-28)
+
+
+### Bug Fixes
+
+* Better healthcheck for sonarqube service. ([1323a7b](https://git.laurivan.com/Dev/ansible-role-sonarqube/commit/1323a7bdf42088952d318100e03b9690e4808b36))
+* Set elastic search parameters. ([d6cdbb6](https://git.laurivan.com/Dev/ansible-role-sonarqube/commit/d6cdbb675932ba812dc95543090bd86d9701424e))
+
 ## 1.1.0 (2023-04-27)
 
 

README.md

@@ -10,9 +10,21 @@ None
 
 All variables are listed below (see also `defaults/main.yml`).
 
-```yml
----
-```
+| Name | Description | Default |
+| ---: | --- | ---: |
+| `sonarqube_image` | The sonarqube docker image | sonarqube |
+| `sonarqube_db_image` |  The database docker image | postgres |
+| `sonarqube_http_port` | The published HTTP port | 9000 |
+| `sonarqube_api_port` | The API port | 9001 |
+| `sonarqube_vm_max_map_count` | Elastic search VM max map count | 524288 |
+| `sonarqube_fs_file_max` | Elastic search max files opened | 131072 |
+| `sonarqube_nofile` | Number of files opened | 131072 |
+| `sonarqube_nproc` | Number of processes operened | 8192 |
+| `sonarqube_config_path` | Location of the docker compose configuration | /var/local/conf/sonarqube |
+| `sonarqube_db_user` | The database user name | changeme |
+| `sonarqube_db_password` | The database password | changeme |
+
+Other variables declared in `defaults/main.yml` are defined for internal purposes and you should not touch/change them.
 
 ## Dependencies
 
@@ -23,7 +35,7 @@ You need a machine with docker and docker-compose installed.
 ```yml
 - hosts: servers
   roles:
-      - 'laurivan.Sonarqube'
+      - 'laurivan.sonarqube'
 ```
 
 ## License
@@ -40,7 +52,6 @@ This role was created in 2023 by [Laur Ivan](https://www.laurivan.com).
 
 ![Ansible](https://img.shields.io/badge/ansible-5.2.0-green.svg)
 ![Molecule](https://img.shields.io/badge/molecule-3.4.0-green.svg)
-![Goss](https://img.shields.io/badge/goss-0.3.16-green.svg)
 
 ## Contributing
 

defaults/main.yml

@@ -1,14 +1,20 @@
 ---
 
 ## General
-sonarqube_image: sonarqube
-sonarqube_db_image: postgres
+sonarqube_image: "sonarqube"
+sonarqube_db_image: "postgres"
 
 sonarqube_http_port: 9000
 sonarqube_api_port: 9001
 
+# Limits
+sonarqube_vm_max_map_count: 524288
+sonarqube_fs_file_max: 131072
+sonarqube_nofile: 131072
+sonarqube_nproc: 8192
+
 # Sonarqube paths
-sonarqube_root_path: /var/local
+sonarqube_root_path: "/var/local"
 sonarqube_config_path: "{{ sonarqube_root_path }}/conf/sonarqube"
 
 sonarqube_db_user: "changeme"

meta/main.yml

@@ -1,25 +1,25 @@
 ---
 
 galaxy_info:
-  author: Laur Ivan (laur.ivan@gmail.com)
-  namespace: laurivan
-  role_name: sonarqube
-  description: Sonarqube Role
+  author: "Laur Ivan (laur.ivan@gmail.com)"
+  namespace: "laurivan"
+  role_name: "sonarqube"
+  description: "Sonarqube Role"
   min_ansible_version: "2.4"
   min_ansible_container_version: "2.4"
-  license: MIT
+  license: "MIT"
   galaxy_tags:
-    - sonarqube
-    - testing
-    - security
+    - "sonarqube"
+    - "testing"
+    - "security"
   platforms:
-    - name: Debian
+    - name: "Debian"
       versions:
-        - bullseye
-        - buster
+        - "bullseye"
+        - "buster"
 
-    - name: Ubuntu
+    - name: "Ubuntu"
       versions:
-        - bionic
-        - focal
-        - jammy
+        - "bionic"
+        - "focal"
+        - "jammy"

molecule/default/cleanup.yml

@@ -1,27 +1,27 @@
 ---
-- name: Clean up
-  hosts: all
+- name: "Clean up"
+  hosts: "all"
   gather_facts: true
   tasks:
-    - name: Load the defaults
+    - name: "Load the defaults"
       ansible.builtin.include_vars:
         dir: "../../defaults"
 
-    - name: Check if the docker-compose file exists.
+    - name: "Check if the docker-compose file exists."
       ansible.builtin.stat:
-        path: "{{ sonarqube_config_path  | expanduser | realpath }}/docker-compose.yml"
-      register: docker_compose_file
+        path: "{{ sonarqube_config_path | expanduser | realpath }}/docker-compose.yml"
+      register: "docker_compose_file"
 
-    - name: Remove docker-compose.
+    - name: "Remove docker-compose."
       community.docker.docker_compose:
-        project_src: "{{ sonarqube_config_path  | expanduser | realpath }}/"
+        project_src: "{{ sonarqube_config_path | expanduser | realpath }}/"
         build: false
-        state: absent
-      when: docker_compose_file.stat.exists
+        state: "absent"
+      when: "docker_compose_file.stat.exists"
       become: false
 
-    - name: Remove the docker-compose file
+    - name: "Remove the docker-compose file"
       ansible.builtin.file:
-        path: "{{ sonarqube_config_path  | expanduser | realpath }}/docker-compose.yml"
-        state: absent
-      when: docker_compose_file.stat.exists
+        path: "{{ sonarqube_config_path | expanduser | realpath }}/docker-compose.yml"
+        state: "absent"
+      when: "docker_compose_file.stat.exists"

molecule/default/converge.yml

@@ -1,5 +1,5 @@
 ---
-- name: Converge
-  hosts: sonarqube_group
+- name: "Converge"
+  hosts: "sonarqube_group"
   roles:
     - role: "laurivan.sonarqube"

molecule/default/destroy.yml

@@ -1,27 +1,27 @@
 ---
-- name: Destroy
-  hosts: localhost
-  connection: local
+- name: "Destroy"
+  hosts: "localhost"
+  connection: "local"
   gather_facts: false
   no_log: "{{ molecule_no_log }}"
   tasks:
     # Developer must implement.
-    - name: Remove the docker image
+    - name: "Remove the docker image"
       community.docker.docker_container:
-        name: sonarqube
-        state: absent
+        name: "sonarqube"
+        state: "absent"
 
     # Mandatory configuration for Molecule to function.
 
-    - name: Populate instance config
+    - name: "Populate instance config"
       ansible.builtin.set_fact:
         instance_conf: {}
 
-    - name: Dump instance config
+    - name: "Dump instance config"
       ansible.builtin.copy:
         content: |
           # Molecule managed
           {{ instance_conf | to_json | from_json | to_yaml }}
         dest: "{{ molecule_instance_config }}"
         mode: 0600
-      when: server.changed | default(false) | bool
+      when: "server.changed | default(false) | bool"

molecule/default/molecule.yml

@@ -1,37 +1,37 @@
 ---
 dependency:
-  name: galaxy
+  name: "galaxy"
   options:
     ignore-certs: true
     ignore-errors: true
-    role-file: molecule/requirements.yml
-    requirements-file: molecule/requirements.yml
+    role-file: "molecule/requirements.yml"
+    requirements-file: "molecule/requirements.yml"
 driver:
-  name: docker
+  name: "docker"
 lint: |
   yamllint .
   ansible-lint .
 platforms:
-  - name: sonarqube
+  - name: "sonarqube"
     groups:
-      - sonarqube_group
+      - "sonarqube_group"
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
     privileged: true
     pre_build_image: true
     capabilities:
-      - SYS_ADMIN
+      - "SYS_ADMIN"
     tmpfs:
-      - /tmp
-      - /run
-      - /run/lock
+      - "/tmp"
+      - "/run"
+      - "/run/lock"
     volumes:
       - '/sys/fs/cgroup:/sys/fs/cgroup:ro'
       - '/var/run/docker.sock:/tmp/docker_mounted.sock'
     command: '/lib/systemd/systemd'
     stop_signal: 'RTMIN+3'
 provisioner:
-  name: ansible
+  name: "ansible"
   playbooks:
-    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+    converge: "${MOLECULE_PLAYBOOK:-converge.yml}"
 verifier:
-  name: ansible
+  name: "ansible"

molecule/default/prepare.yml

@@ -1,38 +1,38 @@
 ---
-- name: Setup the test machine
-  hosts: sonarqube
+- name: "Setup the test machine"
+  hosts: "sonarqube"
   tasks:
-    - name: Check if /var/run/docker.sock already exists
+    - name: "Check if /var/run/docker.sock already exists"
       ansible.builtin.stat:
         path: "/var/run/docker.sock"
-      register: docker_sock_stat
+      register: "docker_sock_stat"
 
-    - name: Create docker.sock
-      ansible.builtin.raw: touch /var/run/docker.sock
+    - name: "Create docker.sock"
+      ansible.builtin.raw: "touch /var/run/docker.sock"
       become: true
       changed_when: false
-      when: not docker_sock_stat.stat.exists
+      when: "not docker_sock_stat.stat.exists"
 
-    - name: Move docker.sock from tmp
+    - name: "Move docker.sock from tmp"
       ansible.builtin.raw: >
         mount --move /tmp/docker_mounted.sock /var/run/docker.sock
       become: true
       changed_when: false
-      when: not docker_sock_stat.stat.exists
+      when: "not docker_sock_stat.stat.exists"
 
-    - name: Update apt cache.
-      ansible.builtin.apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
+    - name: "Update apt cache."
+      ansible.builtin.apt: "update_cache=yes cache_valid_time=600"
+      when: "ansible_os_family == 'Debian'"
 
-    - name: Install python requests
+    - name: "Install python requests"
       ansible.builtin.pip:
         name:
-          - requests
-          - docker
-          - docker-compose
+          - "requests"
+          - "docker"
+          - "docker-compose"
 
-    - name: Install docker
+    - name: "Install docker"
       vars:
         docker_service_manage: false
       ansible.builtin.include_role:
-        name: geerlingguy.docker
+        name: "geerlingguy.docker"

molecule/default/requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
-  - geerlingguy.docker
+  - "geerlingguy.docker"
 collections: []

molecule/default/tests/test_app.yml

@@ -1,12 +1,5 @@
 ---
-## TODO: Remember to adapt goss tests to your convenience
 
-
-## Check if ports are really exposed
-# port:
-# # Check port at IPv6
-# # https://github.com/aelsabbahy/goss/issues/177
-#   tcp6:<port>:
-#     listening: true
-#     ip:
-#     - '::'
+http:
+  "http://localhost:{{ sonarqube_http_port }}/":
+    status: 200

molecule/default/verify.yml

@@ -3,57 +3,57 @@
 # Tests need distributed to the appropriate ansible host/groups
 # prior to execution by `goss validate`.
 
-- name: Verify sonarqube
+- name: "Verify sonarqube"
   hosts:
-    - sonarqube
+    - "sonarqube"
   become: true
   vars:
-    goss_version: v0.3.16
-    goss_arch: amd64
-    goss_dst: /usr/local/bin/goss
-    goss_sha256sum: 827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb
+    goss_version: "v0.3.16"
+    goss_arch: "amd64"
+    goss_dst: "/usr/local/bin/goss"
+    goss_sha256sum: "827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb"
     goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
-    goss_test_directory: /tmp
-    goss_format: documentation
+    goss_test_directory: "/tmp"
+    goss_format: "documentation"
 
   vars_files:
-    - ../../defaults/main.yml
+    - "../../defaults/main.yml"
 
   tasks:
-    - name: Download and install Goss
+    - name: "Download and install Goss"
       get_url:
         url: "{{ goss_url }}"
         dest: "{{ goss_dst }}"
         checksum: "sha256:{{ goss_sha256sum }}"
         mode: 0755
-      register: download_goss
-      until: download_goss is succeeded
+      register: "download_goss"
+      until: "download_goss is succeeded"
       retries: 3
 
-    - name: Copy Goss tests to remote
+    - name: "Copy Goss tests to remote"
       template:
         src: "{{ item }}"
         dest: "{{ goss_test_directory }}/{{ item | basename }}"
       with_fileglob:
         - "tests/test_*.yml"
 
-    - name: Register test files
+    - name: "Register test files"
       shell: "ls {{ goss_test_directory }}/test_*.yml"
-      register: test_files
+      register: "test_files"
 
-    - name: Execute Goss tests
+    - name: "Execute Goss tests"
       command: "{{ goss_dst }} -g {{ item }} validate --format {{ goss_format }}"
-      register: test_results
+      register: "test_results"
       with_items: "{{ test_files.stdout_lines }}"
       ignore_errors: true
 
-    - name: Display details about the Goss results
+    - name: "Display details about the Goss results"
       debug:
         msg: "{{ item.stdout_lines }}"
       with_items: "{{ test_results.results }}"
 
-    - name: Fail when tests fail
+    - name: "Fail when tests fail"
       fail:
         msg: "Goss failed to validate"
-      when: item.rc != 0
+      when: "item.rc != 0"
       with_items: "{{ test_results.results }}"

sonar-project.properties

@@ -0,0 +1,10 @@
+sonar.projectKey=ansible-role-sonarqube
+sonar.projectVersion=v1.1.4
+sonar.projectName=ansible-role-sonarqube
+
+sonar.ansible-lint=.ansible-lint
+sonar.language=ansible,yaml
+sonar.sources=.
+sonar.host.url=http://10.0.0.27:39000
+
+sonar.token=sqp_530b3183b1efb76a4a146ed9dbfb74cfb5f5459a

tasks/config.yml

@@ -1,7 +1,7 @@
 ---
 - name: "SONARQUBE | Set up directories"
   ansible.builtin.file:
-    state: directory
+    state: "directory"
     path: "{{ item }}"
     owner: "{{ ansible_effective_user_id }}"
     group: "{{ ansible_effective_group_id }}"
@@ -9,7 +9,7 @@
   with_items:
     - "{{ sonarqube_skeleton_paths }}"
   tags:
-    - sonarqube_configure
+    - "sonarqube_configure"
   become: true
 
 - name: "SONARQUBE | Write configuration files"
@@ -20,4 +20,39 @@
   with_items:
     - "{{ sonarqube_configuration_files }}"
   tags:
-    - sonarqube_configure
+    - "sonarqube_configure"
+
+- name: "SONARQUBE | Set up nofiles and nproc for ansible user"
+  community.general.pam_limits:
+    domain: "*"
+    limit_type: "{{ item.limit_type }}"
+    limit_item: "{{ item.limit_item }}"
+    value: "{{ item.value }}"
+  loop:
+    # Add nofile and nproc, both soft and hard, limit for the user db_user with a comment.
+    # Type "-" for enforcing both soft and hard resource limits together for more details read `man limits.conf`.
+    - { limit_type: '-', limit_item: 'nofile', value: "{{ sonarqube_nofile }}" }
+    - { limit_type: '-', limit_item: 'nproc', value: "{{ sonarqube_nproc }}" }
+  tags:
+    - "sonarqube_configure"
+  become: true
+
+- name: "SONARQUBE | Set up the max files"
+  ansible.posix.sysctl:
+    name: "fs.file-max"
+    value: "{{ sonarqube_fs_file_max }}"
+    state: "present"
+    reload: true
+  tags:
+    - "sonarqube_configure"
+  become: true
+
+- name: "SONARQUBE | Set up the VM max_map_count"
+  ansible.posix.sysctl:
+    name: "vm.max_map_count"
+    value: "{{ sonarqube_vm_max_map_count }}"
+    state: "present"
+    reload: true
+  tags:
+    - "sonarqube_configure"
+  become: true

tasks/install.yml

@@ -4,4 +4,4 @@
     project_src: "{{ sonarqube_config_path | expanduser | realpath }}"
     build: false
   tags:
-    - sonarqube_install
+    - "sonarqube_install"

tasks/main.yml

@@ -1,11 +1,11 @@
 ---
 
 - name: "SONARQUBE | Configure"
-  ansible.builtin.import_tasks: config.yml
+  ansible.builtin.import_tasks: "config.yml"
   tags:
-    - sonarqube_configure
+    - "sonarqube_configure"
 
 - name: "SONARQUBE | Install"
-  ansible.builtin.import_tasks: install.yml
+  ansible.builtin.import_tasks: "install.yml"
   tags:
-    - sonarqube_install
+    - "sonarqube_install"

templates/docker-compose.yml.j2

@@ -4,15 +4,19 @@ services:
   sonarqube:
     image: "{{ sonarqube_image }}"
     restart: always
+    healthcheck:
+      test: wget -qO- http://localhost:9000/api/system/health
+      interval: 10s
+      retries: 5
+      start_period: 5s
+      timeout: 10s
     env_file:
       - "{{ sonarqube_config_path | expanduser }}/env.sonarqube.conf"
     ports:
       - "{{ sonarqube_http_port }}:9000"
       - "{{ sonarqube_api_port }}:9001"
-      # Add more ports if necessary
     networks:
       - sonarqube-net
-    # optional
     volumes:
       - sonarqube_conf:/opt/sonarqube/conf
       - sonarqube_data:/opt/sonarqube/data
@@ -24,6 +28,11 @@ services:
   db:
     image: "{{ sonarqube_db_image }}"
     restart: always
+    healthcheck:
+      test: /usr/bin/pg_isready -U "{{ sonarqube_db_user }}""
+      interval: 5s
+      timeout: 10s
+      retries: 120
     env_file:
       - "{{ sonarqube_config_path | expanduser }}/env.db.conf"
     volumes: