# On Linux systems

## Making sure FIPS is not enforced <a href="#fips-not-enforced" id="fips-not-enforced"></a>

SonarQube will not run on Linux hosts where FIPS (Federal Information Processing Standard) is enforced.

## Configuring the host to comply with Elasticsearch <a href="#elasticsearch" id="elasticsearch"></a>

Because SonarQube uses an embedded Elasticsearch, make sure that your host configuration complies with the [Elasticsearch production mode requirements](https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-cli-run-prod-mode) and [File Descriptors configuration](https://www.elastic.co/guide/en/elasticsearch/reference/current/file-descriptors.html).

### Configuring the maximum number of open files and other limits <a href="#configuring-the-maximum-number-of-open-files-and-other-limits" id="configuring-the-maximum-number-of-open-files-and-other-limits"></a>

You must ensure that:

* The maximum number of memory map areas a process may have (`vm.max_map_count`) is greater than or equal to 524288.
* The maximum number of open file descriptors (`fs.file-max`) is greater than or equal to 131072.
* The user running SonarQube can open **at least** 131072 file descriptors.
* The user running SonarQube can open **at least** 8192 threads.

You must set these limits on the host system, whatever the installation type:

* For a Docker installation: These settings will then apply to the Docker container.
* For a Kubernetes deployment: Also check these [guidelines](https://artifacthub.io/packages/helm/sonarqube/sonarqube#elasticsearch-prerequisites).

To check and change these limits, log in as the user that runs SonarQube and proceed as described below, depending on the type of user.

<details>

<summary>For a non-systemd user</summary>

1\. Verify the values listed above with the following commands:

```bash
sysctl vm.max_map_count
sysctl fs.file-max
ulimit -n
ulimit -u
```

2\. To change the max map count and the file-max, insert the following in `/etc/sysctl.d/99-sonarqube.conf` (or in `/etc/sysctl.conf` if you use the default file, which is not recommended). To apply the changes, run the corresponding Linux command.

```
vm.max_map_count=524288
fs.file-max=131072
```

3\. To change the limits on the user running SonarQube, insert the following in `/etc/security/limits.d/99-sonarqube.conf` (or in `/etc/security/limits.conf` if you use the default file, which is not recommended), where `sonarqube` is the user used to run SonarQube. To apply the changes, run the corresponding Linux command.

```
sonarqube   -   nofile   131072
sonarqube   -   nproc    8192
```

</details>

<details>

<summary>For a systemd user</summary>

Specify these limits in the `[Service]` section of your unit file:

```
[Service]
...
LimitNOFILE=131072
LimitNPROC=8192
...
```

</details>

{% hint style="info" %}
To change these values dynamically for the current session, run the following commands as `root`:

```bash
sysctl -w vm.max_map_count=524288
sysctl -w fs.file-max=131072
ulimit -n 131072
ulimit -u 8192
```

{% endhint %}
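
The checks from this section combined into one script, as an added example that is not part of the SonarQube documentation. The function names are hypothetical, and the script must be run as the user that runs SonarQube so that `ulimit` reports that user's limits:

```bash
#!/usr/bin/env bash
# Added example: compares this host's limits with the minimums listed above.
# Function names are hypothetical; run it as the user that runs SonarQube.

# meets_minimum ACTUAL REQUIRED -> exit status 0 if ACTUAL >= REQUIRED.
# "unlimited" (possible from ulimit) always passes; non-numeric input fails.
meets_minimum() {
  local actual=$1 required=$2
  [ "$actual" = "unlimited" ] && return 0
  case $actual in ''|*[!0-9]*) return 1 ;; esac
  [ "$actual" -ge "$required" ]
}

# read_sysctl KEY -> prints the value, or nothing if it cannot be read.
read_sysctl() {
  sysctl -n "$1" 2>/dev/null || cat "/proc/sys/$(echo "$1" | tr . /)" 2>/dev/null || true
}

# report NAME ACTUAL REQUIRED -> prints one OK/FAIL line, returns the check status.
report() {
  if meets_minimum "$2" "$3"; then
    printf 'OK    %-18s %s (minimum %s)\n' "$1" "$2" "$3"
  else
    printf 'FAIL  %-18s %s (minimum %s)\n' "$1" "${2:-unreadable}" "$3"
    return 1
  fi
}

# check_sonarqube_host -> returns the number of failed checks (0 = compliant).
check_sonarqube_host() {
  local failed=0
  report vm.max_map_count "$(read_sysctl vm.max_map_count)" 524288 || failed=$((failed + 1))
  report fs.file-max "$(read_sysctl fs.file-max)" 131072 || failed=$((failed + 1))
  report "ulimit -n" "$(ulimit -n 2>/dev/null)" 131072 || failed=$((failed + 1))
  report "ulimit -u" "$(ulimit -u 2>/dev/null)" 8192 || failed=$((failed + 1))
  return "$failed"
}

check_sonarqube_host || echo "One or more limits are below the SonarQube minimums."
```

For a systemd service, the shell's `ulimit` values do not reflect `LimitNOFILE` and `LimitNPROC` from the unit file; the limits applied to a running process are listed in `/proc/<pid>/limits`.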

### Enabling seccomp on the Linux kernel <a href="#enabling-seccomp-on-the-linux-kernel" id="enabling-seccomp-on-the-linux-kernel"></a>

By default, Elasticsearch uses the seccomp filter. Make sure you use a kernel with seccomp enabled.

To check that seccomp is available on your kernel, use:

```bash
grep SECCOMP /boot/config-$(uname -r)
```

If your kernel has seccomp, you’ll see the following:

```
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
```

## Managing SonarQube Server access to fonts <a href="#fonts" id="fonts"></a>

Generating executive reports requires that fonts be installed on the server hosting SonarQube.

If you use a Linux server, you should ensure that Fontconfig is installed on the server host.

{% hint style="info" %}
A package of FreeType fonts is installed on the SonarQube Server host. The exact packages available will vary by distribution, but a commonly used package is libfreetype6.
{% endhint %}

## If using an Oracle database <a href="#if-oracle" id="if-oracle"></a>

If your SonarQube Server runs on Linux and you use an Oracle database, the Oracle JDBC driver may block while reading from `/dev/random`. See [this Oracle article](http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/) for more details about this problem.

To avoid it, you may want to add this JVM parameter to your SonarQube web server (`sonar.web.javaOpts`) configuration:

```
-Djava.security.egd=file:///dev/urandom
```
