This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

See latest version
Start Free
10.5 | Server installation and setup | Configure and operate a cluster

Configure and operate a cluster

On this page

High availability and cluster scalability are features of the Data Center Edition.

Once the SonarQube cluster is installed, you have a high availability configuration that allows your SonarQube instance to stay up and running even if there is a crash or failure in one of the cluster's nodes. Your SonarQube cluster is also scalable, and you can add application nodes to increase your computing capabilities.

Start, stop, or upgrade the cluster

Start the Cluster

To start a cluster, you need to follow these steps in order:

  1. Start the search nodes
  2. Start the application nodes

Stop the Cluster

To stop a cluster, you need to follow these steps in order:

  1. Stop the application nodes
  2. Stop the search nodes

Upgrade SonarQube

  1. Stop the cluster.
  2. Upgrade SonarQube on all nodes (application part, plugins, JDBC driver if required) following the usual upgrade procedure but without triggering the setup phase.
  3. Once all nodes have the same binaries: restart the cluster.
  4. At this point, only one of the application nodes is up. Try to access node_ip:port/setup on each application node, and trigger the setup operation on the one that responds.

Start or stop a node

You can start or stop a single node in the same way as starting and stopping an instance using a single server. By default, it's a graceful shutdown where no new analysis report processing can start, but the tasks in progress are allowed to finish.

Install or upgrade a plugin

  1. Stop the application nodes.
  2. Install or upgrade the plugin on the application nodes.
    • If upgrading, remove the old version.
    • You don't need to install plugins on search nodes.
  3. Restart the application nodes.

Scalability

You have the option of adding application nodes (up to 10 total application nodes) to your cluster to increase computing capabilities.

Scaling in a Traditional Environment

Adding an Application Node

To add an application node: 

  1. Configure your new application node in sonar.properties. The following is an example of the configuration to be added to sonar.properties for a sixth application node (server6, ip6) in a cluster with the default five servers:

    Server6:
...
sonar.cluster.enabled=true
sonar.cluster.node.type=application
sonar.cluster.node.host=ip6 
sonar.cluster.node.port=9003
sonar.cluster.hosts=ip1,ip2,ip6
sonar.cluster.search.hosts=ip3:9001,ip4:9001,ip5:9001
sonar.auth.jwtBase64Hs256Secret=YOURGENERATEDSECRET
...

2. Update the configuration of the preexisting nodes to include your new node. While you don't need to restart the cluster after adding a node, you should ensure the configuration is up to date on all of your nodes to avoid issues when you eventually do need to restart.

Removing an Application Node

When you remove an application node, make sure to update the configuration of the remaining nodes. Much like adding a node, while you don't need to restart the cluster after removing a node, you should ensure the configuration is up to date on all of your nodes to avoid issues when you eventually do need to restart.

Scaling in a Docker Environment

Adding Application Nodes

If you're using docker-compose, you can scale the application nodes using the following command:

docker-compose up -d --scale sonarqube=3

Removing Application Nodes

You can reduce the number of application nodes with the same command used to add application nodes by lowering the number.

Monitoring

CPU and RAM usage on each node have to be monitored separately with an APM.

In addition, we provide a Web API api/system/health you can use to validate that all of the nodes in your cluster are operational.

  • GREEN: SonarQube is fully operational
  • YELLOW: SonarQube is usable, but it needs attention in order to be fully operational
  • RED: SonarQube is not operational

To call it from a monitoring system without having to give admin credentials, it is possible to setup a system passcode. You can configure this through the sonar.web.systemPasscode property in <sonarqubeHome>/conf/sonar.properties if you're using a traditional environment or through the corresponding environment variable if you're using a Docker environment.

Cluster Status

On the System Info page at Administration > System, you can check whether your cluster is running safely (green) or has some nodes with problems (orange or red).

Maximum Pending Time for Tasks

On the global Background Tasks page at Administration > Projects > Background Tasks, you can see the number of pending tasks as well as the maximum pending time for the tasks in the queue. This shows the pending time of the oldest background task waiting to be processed. You can use this to evaluate if it might be worth configuring additional Compute Engine workers (Enterprise Edition) or additional nodes (Data Center Edition) to improve SonarQube performance.

Compute engine workers

If you change the number of compute engine workers in the UI, you must restart each application node to have the change take effect.

Project move

When the Project move feature is used in a DC installation:

  • Projects are exported on only one of the application nodes
  • The archive of the exported projects must be copied to all the applications nodes in the target server

Configuration details

There are three TCP networks to configure:

  • the network of application nodes that relies on Hazelcast.
  • the network used for Elasticsearch internal communication between search nodes (es properties).
  • the network between application nodes and search nodes (search properties).

Hazelcast is used to manage the communication between the cluster's application nodes. You don't need to install it yourself, it's provided out of the box.

Docker environment configuration

In a Docker environment, your properties are configured using environment variables.

Traditional environment configuration

The following properties may be defined in the <sonarqubeHome>/conf/sonar.properties file of each node in a cluster. When defining a property that contains a list of hosts (*.hosts) the port is not required if the default port was not overridden in the configuration.

All nodes

PropertyDescriptionDefaultRequired
sonar.cluster.enabledSet to true in each node to activate the cluster modefalseyes
sonar.cluster.nameThe name of the cluster. Required if multiple clusters are present on the same network. For example this prevents mixing Production and Preproduction clusters. This will be the name stored in the Hazelcast cluster and used as the name of the Elasticsearch cluster.sonarqubeno
sonar.cluster.node.nameThe name of the node that is used on Elasticsearch and stored in Hazelcast member attribute (NODE_NAME) for sonar-applicationsonarqube-{UUID}
sonar.cluster.node.typeType of node: either application or search

Application nodes

PropertyDescription
sonar.cluster.hostsComma-delimited list of all application hosts in the cluster. This value must contain only application hosts. Each item in the list must contain the port if the default sonar.cluster.node.port value is not used. Item format is sonar.cluster.node.host or sonar.cluster.node.host:sonar.cluster.node.po
sonar.cluster.node.hostIP address of the network card that will be used by Hazelcast to communicate with the members of the cluster.
sonar.cluster.node.portThe Hazelcast port for communication with each application member of the cluster. Default: 9003
sonar.cluster.node.web.portThe Hazelcast port for communication with the WebServer process. Port must be accessible to all other application nodes. If not specified, a dynamic port will be chosen and all ports must be open among the nodes.
sonar.cluster.node.ce.portThe Hazelcast port for communication with the ComputeEngine process. Port must be accessible to all other application nodes. If not specified, a dynamic port will be chosen and all ports must be open among the nodes.
sonar.cluster.search.hostsComma-delimited list of search hosts in the cluster. The list can contain either the host or the host and port, but not both. The item format is sonar.cluster.node.search.host for host only orsonar.cluster.node.search.host:sonar.cluster.node.search.port for host and port.
sonar.auth.jwtBase64Hs256SecretRequired for authentication with multiple web servers. It is used to keep user sessions opened when they are redirected from one web server to another by the load balancer. See $SONARQUBE-HOME/conf/sonar.properties) for details about how to generate this secret key.

Search nodes

PropertyDescription
sonar.cluster.node.search.hostElasticsearch host of the current node used for HTTP communication between search and application nodes. IP must be accessible to all application nodes.
sonar.cluster.node.search.portElasticsearch port of the current node used for HTTP communication between search and application nodes. Port must be accessible to all application nodes.
sonar.cluster.es.hostsComma-delimited list of search hosts in the cluster. The list can contain either the host or the host and port but not both. The item format is sonar.cluster.node.es.host for host only orsonar.cluster.node.es.host:sonar.cluster.node.es.port for host and port.
sonar.cluster.node.es.hostElasticsearch host of the current node used by Elasticsearch internal communication to form a cluster (TCP transport).
sonar.cluster.node.es.portElasticsearch port of the current node used by Elasticsearch internal communication to form a cluster (TCP transport). Port must be accessible to all other search nodes
sonar.search.initialStateTimeoutThe timeout for the Elasticsearch nodes to elect a primary node. The default value will be fine in most cases, but in a situation where startup is failing because of a timeout, this may need to be adjusted. The value must be set in the format: {integer}{timeunit}. Valid {timeunit} values are: ms (milliseconds); s (seconds); m (minutes); h (hours); d (days); w (weeks)

Elasticsearch authentication

For Elasticsearch authentication, the following properties need to be configured on specific nodes:

Application nodes

PropertyDescriptionDefaultRequired
sonar.cluster.search.passwordPassword for Elasticsearch built-in user (elastic) which will be used on the client site. If provided, it enables authentication. If this property is set, sonar.cluster.search.password on the search nodes must also be set to exact same value.
no

Search nodes

PropertyDescriptionDefaultRequired
sonar.cluster.search.passwordPassword for Elasticsearch built-in user (elastic) which will be set in ES. If provided, it enables authentication, and the instance will require additional properties to be set. If this property is set, sonar.cluster.search.password on the application nodes must also be set to exact same value.
no
sonar.cluster.es.ssl.keystoreFile path to a keystore in PKCS#12 format. The user running SonarQube must have READ permission to that file. Required if password provided.
no
sonar.cluster.es.ssl.truststoreFile path to a truststore in PKCS#12 format. The user running SonarQube must have READ permission to that file. Required if password provided.
no
sonar.cluster.es.ssl.keystorePasswordPassword to the keystore.
no
sonar.cluster.es.ssl.truststorePasswordPassword to the truststore.
no

When you're using the SonarSource Docker images, the truststore/keystore should be provided as volumes. On Kubernetes, you need to create a new Secret from the truststore/keystore and provide the name to the Helm chart.

Elasticsearch TLS encryption over HTTP

Prerequisite: Elasticsearch authentication is enabled.

This configuration is optional. Enabling TLS on the HTTP layer provides additional security to ensure that all communications between application nodes and search nodes are encrypted.

The following properties need to be configured on both application nodes and search nodes:

PropertyDescriptionDefaultRequired
sonar.cluster.es.http.ssl.keystoreFile path to a keystore in PKCS#12 format. The user running SonarQube must have READ permission to that file. If provided, it enables TLS encryption.
no
sonar.cluster.es.http.ssl.keystorePasswordPassword to the keystore.
no

Secure your network

To further lock down the communication in between the nodes in your SonarQube Cluster, you can define the following network rules:

ProtocolSourceDestinationPortDefault
TCPReverse ProxyApp Nodesonar.web.port9000
TCPApp NodeSearch Nodesonar.cluster.node.search.port9001
TCPSearch NodeSearch Nodesonar.cluster.node.es.port9002
TCPApp NodeApp Nodesonar.cluster.node.port9003

You can further segment your network configuration if you specify a frontend, a backend and a search network.

NetworkParameterDescription
Frontendsonar.web.hostFrontend HTTP Network
Backendsonar.cluster.node.hostBackend App to App Network
Backendsonar.cluster.search.hostsBackend App to Search Network
Searchsonar.cluster.node.search.hostBackend Search to Search Network

Limitations

  • Cluster downtime is required for SonarQube upgrades or plugin installations.
  • All application nodes must be stopped when installing, uninstalling, or upgrading a plugin.
  • Plugins are not shared, meaning if you install/uninstall/upgrade a given plugin on one application node, you need to perform the same actions on the other application node.
  • There is no way to perform actions on the cluster from a central app - all operations must be done manually on each node of the cluster.

Frequently asked questions

Does Elasticsearch discover automatically other ES nodes?

No. Multicast is disabled. All hosts (IP+port) must be listed.

Can different nodes run on the same machine?

Yes, but it's best to have one machine for each node to be resilient to failures. To maintain an even higher level of availability, each of your three search nodes can be located in a separate availability zone within the same region.

Can the members of a cluster be discovered automatically?

No, all nodes must be configured in <sonarqubeHome>/conf/sonar.properties.

My keystore/truststore cannot be read by SonarQube

Make sure that the keystore/truststore in question was generated with an algorithm that is known to Java 17. See JDK-8267599 for reference


Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License