DevSecLab Series: Environment Setup

This post will include step-by-step instructions on how to configure your environment within your Ubuntu image. The three tools that we will be installing and configuring will be Jenkins, GitLab, and Sonarqube.

Before we get started with this lab, if you are not familiar with Git in any way, I would suggest you learn more about it by visiting Codecademy! They offer a free course that will get you familiar with Git CLI and fundamentals.

P.S. If you have not installed and configured your image within VirtualBox, I would recommend that you take a look at my previous article: DevSecLab Series: Server Setup.

GitLab

GitLab is an open-source software development platform with built-in version control, tracking, code review tools, and so much more. It is designed to provide a flexible internal repository for development teams to upload code and contribute. For more information about GitLab and all of its features, please visit this website: About GitLab. For this lab, we'll be working with the community version (free), or GitLab CE, and installing it.

Step 0: Updating and Installing Dependencies

Before installing GitLab, let us ensure that we have updated our image with the latest packages and dependencies by running the following commands:

$ sudo apt update
$ sudo apt install ca-certificates curl openssh-server postfix

Step 1: Installing GitLab

After we've installed the latest updates, we can proceed with installing GitLab. Luckily, GitLab provides us an install script that we can run and it'll do all the hard work for us. Move into the /tmp directory and download the fancy install script:

$ cd /tmp
$ curl -LO https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh

After we've downloaded the script, let's go ahead and run the installer:

$ sudo bash /tmp/script.deb.sh

This script will configure our default package manager (APT) to call the GitLab repositories to install the actual application. Once the script is complete, we can install GitLab:

$ sudo apt install gitlab-ce

Step 2: Configuring Firewall Rules

Before we get into configuring GitLab, we have to modify our firewall rules to allow web traffic to our application. So, the first thing we need to ensure our firewall is enabled. To check to see if it's enabled or not, type the following:

$ sudo ufw status

If it's disabled, you can simply enable it:

$ sudo ufw enable

Otherwise, we're going to add a couple of exceptions to our firewall itself. The beautiful thing about the firewall is that we can create exceptions based on the name of the protocol. For now, we'll just allow HTTP/HTTPS traffic:

$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw allow OpenSSH

Afterward, check your settings to double-check your configuration:

 $ sudo ufw status

Status: active


To  Action From
--  ------ ----
80/tcp  ALLOW  Anywhere  
443/tcp ALLOW  Anywhere  
OpenSSH ALLOW  Anywhere  
80/tcp (v6) ALLOW  Anywhere (v6) 
443/tcp (v6)  ALLOW  Anywhere (v6) 
OpenSSH (v6)  ALLOW  Anywhere (v6)  

This'll ensure that we'll be able to access the GitLab interface after we've configured our application.

Step 4: Edit the GitLab Configuration File

Before starting and using the application, we need to update the configuration file. Open the config file:

 $ sudo nano /etc/gitlab/gitlab.rb

Once you've opened the config file, search for the external_url key, and comment that value out. We aren't worried about mapping a domain to GitLab as of now.

$ ##! Note: During installation/upgrades, the value of the environment variable
##! EXTERNAL_URL will be used to populate/replace this value.
##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP
##! address from AWS. For more details, see:
##!https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
#external_url 'http://example.com/'

Afterward, save the file by entering the following commands: Control-X, y [Enter], y [Enter].

Now, we'll reconfigure and restart our application:

$ sudo gitlab-ctl reconfigure

This will run for some time, so please feel free to step away and grab a cup of tea or beverage of your choice.

Step 5: Configure Port Forwarding Settings

After GitLab has been reconfigured, we'll need to hop back to VirtualBox and add an additional port configuration to our port-forwarding settings:

By adding the HTTP forward rule, we should be able to hit our URL from outside of the VM. After clicking OK, try accessing GitLab from your local web browser by going to http://localhost/

You should be redirected to this screen:

At this point, we should create a new password for the admin account. Make sure you take note of this someplace safe.

Afterward, you'll be redirected to the GitLab home page where you'll have to option to Register or Login. Please create a new user account and register yourself.

Follow the screens all the way through until you get to this screen and pause for now:

We will come back to this in a later post. However, we have finished configuring and installing GitLab! One down, two more to go!!

SonarQube

SonarQube is an open-source code quality and code analysis web tool. It is widely used for continuous code inspection which performs a code review for bugs, vulnerabilities, and code smells. This tool has built-in support for more than 20+ programming languages such as Java, C++, and Python. For more information about SonarQube, please visit the SonarQube webpage.

Step 0: Installing Java

Because this tool was developed in Java, we're going to need to install the JDK in order to run this application:

$ sudo apt-get install openjdk-11-jdk
$ sudo apt-get install openjdk-11-jre-headless

Just to verify if Java is installed properly, we should check the version installed:

$ java -version

Step 1: Installing PostgreSQL

Because we've already updated our server previously, we shouldn't have to do it again. The first thing we'll want to do is to install PostgreSQL. This is the database that SonarQube writes to:

$ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
$  wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

Once we've added the repository information to our default package repository, we'll install the application:

$ sudo apt-get -y install postgresql postgresql-contrib

Once we've installed that application, we should modify the systemctl to automatically start postgres when the server initially starts up:

$ sudo systemctl start postgresql
$ sudo systemctl enable postgresql

Now, we'll change the default password for our admin account for the database. Please make sure it's something that you can remember because we will use this later:

$ sudo passwd postgres

Afterward, we'll want to switch into the postgres user, create a new user called sonar, and log into the database:

$ su postgres
$ createuser sonar
$ psql

After we've logged into the database, I'll set a password and create a new database solely for SonarQube to write to and return back to the sudo user:

ALTER USER sonar WITH ENCRYPTED password 'ChangeMe!';
CREATE DATABASE sonar OWNER sonar;
\q
exit

Step 2: Installing SonarQube

In order to install SonarQube, we'll need to pull the binary files from the website itself:

$ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.3.zip

After we've downloaded this file, we'll need to unzip the file, start setting up the folder structure, and assign permissions:

$ sudo apt-get -y install unzip
$ sudo unzip sonarqube-7.3.zip -d /opt
$ sudo mv /opt/sonarqube-7.3 /opt/sonarqube
$ sudo groupadd sonar
$ sudo useradd sonar -g sonar
$ sudo chown -R sonar:sonar /opt/sonarqube/

Afterward, we'll open the config file using our favorite text editor and start modifying some properties:

$ sudo nano /opt/sonarqube/conf/sonar.properties

Now, we'll uncomment the following lines and add the username and password:

$ sonar.jdbc.username=sonar
$ sonar.jdbc.password=ChangeMe!

Uncomment the following line and add another line to tell SonarQube to run in server mode:

$ sonar.jdbc.url=jdbc:postgresql://localhost/sonar

Open up the following sonar script file and set RUN_AS_USER=sonar:

$ sudo nano /opt/sonarqube/bin/linux-x86-64/sonar.sh

# NOTE: The build for specific applications may override this during the resource-copying
# phase, to fill in a concrete name and avoid the use of the defaults specified here.
RUN_AS_USER=sonar

Once we've modified the file, now we should be able to switch to the sonar user and execute the sonar.sh script:

$ sudo su sonar
$ cd /opt/sonarqube/bin/linux-x86-64/
$ ./sonar.sh start

After we've done so, check the status of SonarQube to ensure that it is running and look at the log output:

$ ./sonar.sh status
$ tail /opt/sonarqube/logs/sonar.log

You should see this:
2020.11.15 22:56:28 INFO app[][o.s.a.SchedulerImpl] Process[ce] is up
2020.11.15 22:56:28 INFO app[][o.s.a.SchedulerImpl] SonarQube is up

Yay! We know that this thing works now. So, let's stop it and move into configuring systemd:

$ ./sonar.sh stop

Step 3: Configuring systemd

Instead of starting SonarQube manually, we would like to have it start automatically when the system starts up. The first thing we'll need to do is edit the sonar.service file and add the lines highlighted in red:

$ sudo nano /etc/systemd/system/sonar.service

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking

ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop

User=sonar
Group=sonar
Restart=always

LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

Close and save the file, and let's enable, start, and check the status of the application:

$ sudo systemctl start sonar
$ sudo systemctl enable sonar
$ sudo systemctl status sonar

Step 3: Firewall Configuration

SonarQube uses 9000 by default. So we need to configure our application by opening that port and check its status:

$ sudo ufw allow 9000
$ sudo ufw status

Step 4: Configure Port Forwarding Settings

After SonarQube has been reconfigured, we'll need to hop back to VirtualBox and add an additional port configuration to our port-forwarding settings and add an additional line for SonarQube:

Step 5: SonarQube Dashboard

Now that we've configured our settings, it is time we log into the web application. Try accessing SonarQube from your local web browser by going to http://localhost:9000/. You should be bought to this screen at the very beginning:

In order to log into the application as the Administrator, you'll need to use the default username and password (admin/admin).

We've finished setting up SonarQube for now! One more left!!

Jenkins

Jenkins is an open-source automation server that automates the repetitive technical tasks involved in the continuous integration and delivery of software.

Step 1: Installing Jenkins

The first thing we need to do is add the repository key into the system:

$ wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key |sudo apt-key add -

Once the system has returned "OK", let's add the package repository to the server's sources.list and update the server:

$ sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'
$ sudo apt update 

Once that has been completed, then we can simply install Jenkins:

 $ sudo apt install jenkins 

Troubleshooting: In the event you get this error:

Reading package lists... Done  
W: GPG error: http://pkg.jenkins-ci.org/debian-stable binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5

Do not panic. We just need to manually add the key to our package manager:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FCEF32E745F2C3D5

Once that has been completed, rerun the install command and proceed with the instructions.

Troubleshooting: If Jenkins fails to start, there are a few things we can modify to ensure it works properly with OpenJDK 11. First, open up the Jenkins run script:

$ sudo nano /etc/init.d/jenkins

Afterward, find the JAVA_VERSION key and replace that line of code with this one. We'll modify the regex a bit to account for the latest version of JDK 11:

$ JAVA_VERSION=$($JAVA -version 2>&1 | sed -n ';s/.* version "\([0-9]*\)\.\([0-9]*\)\..*".*/\1\2/p;')

Reboot the application and you should see that it has been started after checking the status:

$ sudo systemctl restart jenkins
$ sudo systemctl status jenkins

Step 2: Firewall Configuration

Jenkins uses 8080 by default. So we need to configure our application by opening that port and check its status:

$ sudo ufw allow 8080
$ sudo ufw status

Step 3: Configure Port Forwarding Settings

After Jenkins has been reconfigured, we'll need to hop back to VirtualBox and add an additional port configuration to our port-forwarding settings and add an additional line for Jenkins:

Step 4: Configuring Jenkins

Now that we've configured our settings, it is time we log into the web application. Try accessing Jenkins from your local web browser by going to http://localhost:8080/. You should be bought to this screen at the very beginning:

Jenkins is prompting us for a password to unlock it. Hop back over to you shell and run this command:

$ sudo cat /var/lib/jenkins/secrets/initialAdminPassword

You should see a hash value print out. Copy and paste that value into the GUI. After you click continue, you will want to click on Install Suggested Plugins. After you do that, you should be brought to this screen:

Get up and take a short break. It'll take a little bit to download and install these plugins.

After the setup is completed, we'll need to setup our first admin account. Please fill out this information and click Continue.

Once you've configured the page, click Next/Continue throughout the next set of pages. You should arrive at this home page:

At this point. We have finished installing and configuring Jenkins!!! Give yourself a pat on the back!

Conclusion

At this point, we've completely setup our environment for the most part. In the upcoming posts, we'll dive deeper into each of these tools and understand them at a deeper level. Thanks for following along!

Cheers!