How to Install SonarQube on Rocky Linux 9
SonarQube is a self-hosted, open-source static code analysis tool designed to detect bugs, security flaws, and code smells within your applications. Supporting a wide range of programming languages, SonarQube performs automated code reviews to help maintain superior software quality standards. Built with Java, it can run on various operating systems and container platforms like Docker or Kubernetes.
This guide covers how to install and configure SonarQube on Rocky Linux 9. You will install necessary dependencies and set up SonarQube to analyze code in your projects effectively.
Prerequisites
Before proceeding, ensure you meet the following requirements:
- A Rocky Linux 9 system with at least 4 GB of RAM.
- A domain A record that points to your server’s IP address, such as
sonarqube.example.com.
Install OpenJDK 17
SonarQube requires the Java Runtime Environment (JRE) and Java Development Kit (JDK) to operate. The long-term active (LTA) release of SonarQube for 2025 needs Java 17 or 21. Follow the steps below to install OpenJDK 17 on your Rocky Linux 9 instance.
Step 1: Update the Package Index
$ sudo dnf update -y
Step 2: Install OpenJDK 17
$ sudo dnf install java-17-openjdk java-17-openjdk-devel -y
Step 3: Verify the Java Version
$ java -version
Expected output:
openjdk version "17.0.14" 2025-01-21 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.14.0.7-1) (build 17.0.14+7-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.14.0.7-1) (build 17.0.14+7-LTS, mixed mode, sharing)
If your system runs a Java version lower than 17, switch to the correct version with:
$ sudo alternatives --config java
Create a Dedicated SonarQube User
SonarQube utilizes Elasticsearch for indexing and searching, which requires a non-root user. Follow these steps to create a dedicated user for SonarQube.
$ sudo useradd --system sonarqube
This creates a system user named sonarqube to securely manage and run the application.
Create a PostgreSQL Database for SonarQube
SonarQube supports several database systems, with PostgreSQL being the recommended option due to its reliability and advanced features. Follow the steps below to install PostgreSQL and configure a database for SonarQube.
Step 1: Install PostgreSQL Packages
$ sudo dnf install postgresql-server postgresql-contrib -y
Step 2: Initialize PostgreSQL
$ sudo postgresql-setup --initdb
Step 3: Enable and Start PostgreSQL
$ sudo systemctl enable postgresql
$ sudo systemctl start postgresql
Step 4: Configure PostgreSQL User and Database
Access the PostgreSQL shell and configure a database for SonarQube:
$ sudo -i -u postgres psql
Inside PostgreSQL, run the following commands:
postgres=# \password postgres
postgres=# CREATE DATABASE sonardb;
postgres=# CREATE USER sonaruser WITH ENCRYPTED PASSWORD '';
postgres=# GRANT ALL PRIVILEGES ON DATABASE sonardb TO sonaruser;
postgres=# \q
Step 5: Adjust PostgreSQL Authentication Settings
Edit the pg_hba.conf file to enable password-based access:
$ sudo nano /var/lib/pgsql/data/pg_hba.conf
Update the authentication methods as follows:
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
Save the file and restart PostgreSQL:
$ sudo systemctl restart postgresql
Install SonarQube
SonarQube isn’t included in the default DNF repositories. Follow these steps to download and install the latest SonarQube release on Rocky Linux 9.
Step 1: Install Unzip
$ sudo dnf install unzip -y
Step 2: Create the SonarQube Directory
$ sudo mkdir -p /opt/sonarqube
Step 3: Download and Extract SonarQube
$ cd /tmp
$ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-25.1.0.102122.zip
$ unzip sonarqube-25.1.0.102122.zip
$ sudo mv sonarqube-25.1.0.102122/* /opt/sonarqube
Install SonarScanner CLI
The SonarScanner CLI is required to analyze and upload project reports to the SonarQube server. Follow the steps below to install it on Rocky Linux 9.
Step 1: Create SonarScanner Directory
$ sudo mkdir -p /opt/sonarscanner
Step 2: Download and Extract SonarScanner
$ cd /tmp
$ wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-linux-x64.zip
$ unzip sonar-scanner-cli-7.0.2.4839-linux-x64.zip
$ sudo mv sonar-scanner-7.0.2.4839-linux-x64/* /opt/sonarscanner
Step 3: Configure SonarScanner
Edit the configuration file and set the host URL:
$ sudo nano /opt/sonarscanner/conf/sonar-scanner.properties
Add the following line:
sonar.host.url=http://127.0.0.1
Step 4: Make SonarScanner Executable and Accessible
$ sudo chmod +x /opt/sonarscanner/bin/sonar-scanner
$ sudo ln -s /opt/sonarscanner/bin/sonar-scanner /usr/local/bin/sonar-scanner
Step 5: Verify the Installation
$ sonar-scanner -v
Expected output:
INFO SonarScanner CLI 7.0.2.4839
INFO Java 17.0.13 Eclipse Adoptium (64-bit)
INFO Linux 5.14.0-503.29.1.el9_5.x86_64 amd64
Configure SonarQube
Follow the steps below to configure SonarQube to run properly on your Rocky Linux 9 server.
Step 1: Edit the SonarQube Configuration File
Open the /opt/sonarqube/conf/sonar.properties file to modify SonarQube settings.
$ sudo nano /opt/sonarqube/conf/sonar.properties
Add the following configuration parameters at the end of the file. Replace sonaruser, sonardb, and <YOUR_PASSWORD> with the PostgreSQL database credentials you previously created.
sonar.jdbc.username=sonaruser
sonar.jdbc.password=<YOUR_PASSWORD>
sonar.jdbc.url=jdbc:postgresql://localhost/sonardb
sonar.web.host=0.0.0.0
sonar.web.port=9000
sonar.web.javaOpts=-Xmx512m -Xms256m -XX:+HeapDumpOnOutOfMemoryError
sonar.search.javaOpts=-Xmx1g -Xms1g -XX:MaxDirectMemorySize=512m -XX:+HeapDumpOnOutOfMemoryError
sonar.path.data=data
sonar.path.temp=temp
This configuration defines the PostgreSQL connection parameters, sets the listening address (0.0.0.0), Java runtime options, and storage paths for SonarQube data.
Step 2: Update Directory Ownership and Permissions
Assign ownership of the SonarQube directory to the sonarqube user.
$ sudo chown --recursive sonarqube:sonarqube /opt/sonarqube
Next, set directory permissions to 775 to allow full access for the owner and group.
$ sudo chmod --recursive 775 /opt/sonarqube
Step 3: Adjust Kernel Memory Settings
SonarQube requires specific memory limits for optimal performance. Open the /etc/sysctl.conf file to modify system parameters.
$ sudo nano /etc/sysctl.conf
Add the following values:
vm.max_map_count=524288
fs.file-max=131072
Save the file and reload the kernel configuration.
$ sudo sysctl -p
Create a SonarQube System Service
SonarQube includes a startup script (sonar.sh) that can be managed via systemd for automatic startup. Follow these steps to create and enable a SonarQube system service.
Step 1: Update SELinux Context
Adjust the SELinux context for the SonarQube executable script to allow it to run properly.
$ sudo chcon -t bin_t /opt/sonarqube/bin/linux-x86-64/sonar.sh
$ sudo restorecon -Rv /opt/sonarqube
Step 2: Create the SonarQube Service File
Create a new sonarqube.service file under /etc/systemd/system/ to manage SonarQube as a background service.
$ sudo nano /etc/systemd/system/sonarqube.service
Add the following content:
[Unit]
Description=SonarQube service
After=syslog.target network.target
[Service]
Type=forking
User=sonarqube
Group=sonarqube
PermissionsStartOnly=true
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
Restart=always
RestartSec=10
LimitNOFILE=131072
LimitNPROC=8192
SuccessExitStatus=143
TimeoutStartSec=300
[Install]
WantedBy=multi-user.target
This configuration enables SonarQube to start and stop automatically under the sonarqube user.
Step 3: Enable and Start the SonarQube Service
Reload the systemd daemon, enable SonarQube at boot, and start the service.
$ sudo systemctl daemon-reload
$ sudo systemctl enable sonarqube
$ sudo systemctl start sonarqube
Verify that the service is running successfully.
$ sudo systemctl status sonarqube
Example output:
● sonarqube.service - SonarQube service
Loaded: loaded (/etc/systemd/system/sonarqube.service; enabled)
Active: active (running) since Thu 2025-04-03 17:46:16 UTC; 12s ago
Main PID: 80453 (java)
Tasks: 120 (limit: 48879)
Memory: 1.8G
CPU: 37.191s
Configure Apache as a Reverse Proxy for SonarQube
SonarQube’s web interface listens on port 9000 by default. You can configure Apache as a reverse proxy to route traffic securely via HTTP or HTTPS on standard ports.
Step 1: Install and Enable Apache
$ sudo dnf install httpd -y
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
Step 2: Enable Required Apache Modules
Verify that the necessary proxy modules are active.
$ sudo httpd -M | grep proxy
If any modules are missing, open the Apache configuration file to enable them.
$ sudo nano /etc/httpd/conf/httpd.conf
Uncomment or add the following lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
Step 3: Create the SonarQube Virtual Host
Create a new Apache configuration file named sonarqube.conf in /etc/httpd/conf.d/:
$ sudo nano /etc/httpd/conf.d/sonarqube.conf
Add the following virtual host configuration, replacing sonarqube.example.com with your domain name.
<VirtualHost *:80>
ServerName sonarqube.example.com
ServerAdmin admin@sonarqube.example.com
ProxyPreserveHost On
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
TransferLog /var/log/httpd/access.log
ErrorLog /var/log/httpd/error.log
</VirtualHost>
Step 4: Test and Restart Apache
Check the Apache configuration for syntax errors, restart the service, and allow network connections through the firewall.
$ sudo apachectl configtest
$ sudo systemctl restart httpd
$ sudo setsebool -P httpd_can_network_connect 1
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --reload
Secure SonarQube with Trusted SSL Certificates
By default, Apache forwards HTTP requests to SonarQube on port 9000. However, HTTP traffic is unencrypted. Follow the steps below to enable HTTPS with trusted SSL certificates using Let’s Encrypt for secure, encrypted communication between the client and your SonarQube server.
Step 1: Install Certbot for Apache
$ sudo dnf install certbot python3-certbot-apache -y
Step 2: Generate SSL Certificates
Use Certbot to create SSL certificates for your SonarQube domain. Replace sonarqube.example.com and admin@sonarqube.example.com with your actual domain and email address.
$ sudo certbot --apache -d sonarqube.example.com -m admin@sonarqube.example.com --agree-tos
Step 3: Allow HTTPS Through the Firewall
$ sudo firewall-cmd --add-service=https --permanent
$ sudo firewall-cmd --reload
Configure SELinux for SonarQube
SELinux is enabled by default on Rocky Linux 9 and can restrict Apache from accessing SonarQube files. Follow the steps below to configure SELinux properly.
Step 1: Check SELinux Status
$ sestatus
Expected output:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Step 2: Verify Directory Context
Confirm that the SELinux context for /opt/sonarqube is correctly set to allow access.
$ ls -lZ /opt/sonarqube
Expected output:
drwxrwxr-x. 6 sonarqube sonarqube unconfined_u:object_r:bin_t:s0 4096 Jan 7 10:30 bin
drwxrwxr-x. 2 sonarqube sonarqube unconfined_u:object_r:usr_t:s0 4096 Jan 7 10:30 conf
drwxrwxr-x. 4 sonarqube sonarqube unconfined_u:object_r:usr_t:s0 4096 Apr 22 18:18 data
Step 3: Verify Apache Network Access
Check that the SELinux boolean httpd_can_network_connect is active to allow Apache to forward traffic.
$ getsebool httpd_can_network_connect
Expected output:
httpd_can_network_connect --> on
Step 4: Restart Services
Restart Apache and SonarQube to apply the configuration changes.
$ sudo systemctl restart httpd
$ sudo systemctl restart sonarqube
Access SonarQube
Once the setup is complete, access the SonarQube web interface by visiting your domain in a browser.
Example URL:
Log in using the default credentials:
- Username:
admin - Password:
admin
Change the default admin password when prompted, then navigate to Administration → Security → Users to create a new user.
Generate a new access token for the user, define its expiration, and copy it for use in future code scans.
Scan Example Projects with SonarQube
Follow the steps below to test your setup by scanning example projects from the official SonarQube repository.
Step 1: Create a Projects Directory
$ cd
$ mkdir projects
$ cd projects
Step 2: Clone the SonarQube Example Repository
$ git clone https://github.com/SonarSource/sonar-scanning-examples
$ cd sonar-scanning-examples/sonar-scanner
Step 3: Run a Code Scan
Scan the project using SonarScanner. Replace <YOUR_SONAR_TOKEN> with the token you created earlier.
$ sonar-scanner -D sonar.token=<YOUR_SONAR_TOKEN>
Expected successful output:
INFO Scanner configuration file: /opt/sonarscanner/conf/sonar-scanner.properties
INFO Project root configuration file: /home/linuxuser/sonar-scanning-examples/sonar-scanner/sonar-project.properties
INFO SonarScanner CLI 7.0.2.4839
INFO Analysis total time: 38.112 s
INFO SonarScanner Engine completed successfully
INFO EXECUTION SUCCESS
Step 4: Review the Scan Results
Visit the following page to view the analyzed project:
https://sonarqube.example.com/projects
Open the Example of SonarScanner Usage project to explore detailed metrics such as code security, maintainability, test coverage, and duplication statistics.
Conclusion
You have successfully installed, configured, and secured SonarQube on Rocky Linux 9. You can now analyze your projects with the SonarScanner and access results through the SonarQube web dashboard. For more configuration details and advanced options, refer to the official SonarQube Documentation.
