From 30ca0d2b4fe4f11f0b16452b516de7706b53370d Mon Sep 17 00:00:00 2001 From: Simon Brandhof Date: Thu, 19 Apr 2018 14:41:18 +0200 Subject: [PATCH] SONAR-10607 fix ability to disable Elasticsearch seccomp check --- .../org/sonar/application/es/EsSettings.java | 11 +++++++--- .../sonar/application/es/EsSettingsTest.java | 21 +++++++++++++++++-- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java index 79e949163cd..a8fd0f2233b 100644 --- a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java +++ b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java @@ -40,10 +40,10 @@ public class EsSettings { private static final Logger LOGGER = LoggerFactory.getLogger(EsSettings.class); private static final String STANDALONE_NODE_NAME = "sonarqube"; + private static final String SECCOMP_PROPERTY = "bootstrap.system_call_filter"; private final Props props; private final EsInstallation fileSystem; - private final boolean clusterEnabled; private final String clusterName; private final String nodeName; @@ -71,7 +71,7 @@ public class EsSettings { configureFileSystem(builder); configureNetwork(builder); configureCluster(builder); - configureAction(builder); + configureOthers(builder); return builder; } @@ -142,7 +142,12 @@ public class EsSettings { builder.put("node.master", valueOf(true)); } - private static void configureAction(Map builder) { + private void configureOthers(Map builder) { builder.put("action.auto_create_index", String.valueOf(false)); + + if (props.value("sonar.search.javaAdditionalOpts", "").contains("-D" + SECCOMP_PROPERTY + "=false")) { + builder.put(SECCOMP_PROPERTY, "false"); + } } + } 
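Review bot: In `configureOthers`, `contains("-D" + SECCOMP_PROPERTY + "=false")` is a substring match on the raw option string, so it also fires when that text is only part of a longer token (a value that merely starts with `false`, or the flag embedded in another option's value). The seccomp system call filter is then switched off with nothing in the logs. Because this filter is a hardening control for the Elasticsearch process, I would compare whole whitespace-separated options and emit a `LOGGER.warn` whenever it is disabled, so operators see the reduced sandboxing at startup. A short comment on why a JVM option is mirrored into the Elasticsearch settings would also help; presumably the `-D` flag alone is not honoured, as the commit title suggests.

```java
builder.put("action.auto_create_index", String.valueOf(false));

// Mirror an explicit opt-out from the JVM options into the Elasticsearch settings.
// Compare whole options so that a longer token containing the same text does not match.
String disableSeccomp = "-D" + SECCOMP_PROPERTY + "=false";
for (String option : props.value("sonar.search.javaAdditionalOpts", "").trim().split("\\s+")) {
  if (disableSeccomp.equals(option)) {
    LOGGER.warn("Elasticsearch system call filter (seccomp) is disabled through sonar.search.javaAdditionalOpts");
    builder.put(SECCOMP_PROPERTY, "false");
    break;
  }
}
```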
diff --git a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java index 3cc7580e2be..e38c43a3ce5 100644 --- a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java +++ b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java @@ -54,7 +54,7 @@ public class EsSettingsTest { private ListAppender listAppender; @After - public void tearDown() throws Exception { + public void tearDown() { if (listAppender != null) { ListAppender.detachMemoryAppenderToLoggerOf(EsSettings.class, listAppender); } @@ -82,7 +82,7 @@ public class EsSettingsTest { } @Test - public void constructor_logs_warning_if_env_variable_ES_JVM_OPTIONS_is_set_and_non_empty() throws IOException { + public void constructor_logs_warning_if_env_variable_ES_JVM_OPTIONS_is_set_and_non_empty() { this.listAppender = ListAppender.attachMemoryAppenderToLoggerOf(EsSettings.class); Props props = minimalProps(); System2 system2 = mock(System2.class); 
@@ -295,6 +295,23 @@ public class EsSettingsTest { assertThat(settings.get("http.enabled")).isEqualTo("true"); } + @Test + public void enable_seccomp_filter_by_default() throws Exception { + Props props = minProps(CLUSTER_DISABLED); + Map settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build(); + + assertThat(settings.get("bootstrap.system_call_filter")).isNull(); + } + + @Test + public void disable_seccomp_filter_if_configured_in_search_additional_props() throws Exception { + Props props = minProps(CLUSTER_DISABLED); + props.set("sonar.search.javaAdditionalOpts", "-Xmx1G -Dbootstrap.system_call_filter=false -Dfoo=bar"); + Map settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build(); + + assertThat(settings.get("bootstrap.system_call_filter")).isEqualTo("false"); + } + private Props minProps(boolean cluster) throws IOException { File homeDir = temp.newFolder(); Props props = new Props(new Properties()); -- 2.39.5
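Review bot: The two new tests cover only the default and the exact `=false` case, so nothing pins the behaviour for values that should keep the filter enabled. A third test that sets `props.set("sonar.search.javaAdditionalOpts", "-Dbootstrap.system_call_filter=true");` and asserts `assertThat(settings.get("bootstrap.system_call_filter")).isNull();` would guard against a regression that disables this hardening setting by accident. The same shape works for a near-miss token, such as a value that only starts with `false`, if whole-option matching is the intended contract.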