Java 21 Migration Guide for CI Runners¶
Context¶
SonarScanner requires Java 21+ starting from SonarQube 10.x. This guide covers provisioning Java 21 on CI runners (OVH VPS shell runners).
Prerequisites¶
- SSH access to the target runner (VPS)
- Ansible installed locally
- Vault access for credentials (if needed)
Steps¶
Option A: Ansible role (recommended)¶
# From ProbatioVault-infra root
ansible-playbook -i ansible/inventory/dev \
-e '{"sonar_java_home": "/opt/java/temurin-21"}' \
--tags sonar-runner \
ansible/playbook.yml
This runs ansible/roles/sonar-runner/tasks/main.yml which: 1. Downloads Eclipse Temurin JDK 21 (LTS) 2. Extracts to /opt/java/temurin-21 3. Sets JAVA_HOME in /etc/environment 4. Creates /etc/profile.d/java21.sh for PATH 5. Writes /opt/probatiovault/sonar-runtime.json trace
Option B: Manual install¶
ssh ubuntu@dev.probatiovault.com
# Download Temurin JDK 21
sudo mkdir -p /opt/java/temurin-21
curl -sSL -o /tmp/temurin-21.tar.gz \
"https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-jre_x64_linux_hotspot_21.0.4_7.tar.gz"
sudo tar -xzf /tmp/temurin-21.tar.gz -C /opt/java/temurin-21 --strip-components=1
# Set JAVA_HOME
echo 'JAVA_HOME=/opt/java/temurin-21' | sudo tee -a /etc/environment
echo 'export JAVA_HOME=/opt/java/temurin-21; export PATH=$JAVA_HOME/bin:$PATH' | \
sudo tee /etc/profile.d/java21.sh
# Verify
source /etc/profile.d/java21.sh
java -version
Option C: Auto-JRE in SonarScanner¶
If the CI job uses a Docker image, SonarScanner can download its own JRE:
sonar:analysis:
image: sonarsource/sonar-scanner-cli:latest
# Auto-JRE: scanner bundles its own Java
Rollback¶
# Remove Java 21
sudo rm -rf /opt/java/temurin-21
sudo sed -i '/JAVA_HOME/d' /etc/environment
sudo rm -f /etc/profile.d/java21.sh
# Restore Java 17 if needed
# The old CI jobs install Java 17 on-the-fly from Temurin
Verification¶
# Check Java version on runner
ssh ubuntu@dev.probatiovault.com 'java -version'
# Check sonar-runtime.json
ssh ubuntu@dev.probatiovault.com 'cat /opt/probatiovault/sonar-runtime.json'
# Run a Sonar analysis to verify
# Trigger pipeline manually or push to dev branch
Applies to¶
- ProbatioVault-backend: SonarQube analysis (primary consumer)
- ProbatioVault-app: SonarQube analysis (if enabled)
- ProbatioVault-infra: IaC SonarQube analysis
Notes¶
- Temurin 21 is LTS (supported until 2029)
- The old Java 17 on-the-fly install in
.gitlab-ci.ymlis kept as fallback - Java 21 does not conflict with Java 17 (different directories)