From 47b6860dcd8520b6a2d7cdf66f26a6c41b26bbfb Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon.brandhof@sonarsource.com>
Date: Tue, 24 Apr 2018 22:01:41 +0200
Subject: [PATCH] SONAR-10607 fix ability to disable Elasticsearch seccomp
 check

---
 .../org/sonar/application/es/EsSettings.java    |  8 ++++++--
 .../sonar/application/es/EsSettingsTest.java    | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
index b4231f3f75f..dc99e13d24e 100644
--- a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
+++ b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
@@ -44,6 +44,7 @@ public class EsSettings {
 
   private static final Logger LOGGER = LoggerFactory.getLogger(EsSettings.class);
   private static final String STANDALONE_NODE_NAME = "sonarqube";
+  private static final String SECCOMP_PROPERTY = "bootstrap.system_call_filter";
 
   private final Props props;
   private final EsInstallation fileSystem;
@@ -75,7 +76,7 @@ public class EsSettings {
     configureFileSystem(builder);
     configureNetwork(builder);
     configureCluster(builder);
-    configureAction(builder);
+    configureOthers(builder);
     return builder;
   }
 
@@ -146,7 +147,10 @@ public class EsSettings {
     builder.put("node.master", valueOf(true));
   }
 
-  private static void configureAction(Map<String, String> builder) {
+  private void configureOthers(Map<String, String> builder) {
     builder.put("action.auto_create_index", String.valueOf(false));
+    if (props.value("sonar.search.javaAdditionalOpts", "").contains("-D" + SECCOMP_PROPERTY + "=false")) {
+      builder.put(SECCOMP_PROPERTY, "false");
+    }
   }
 }
diff --git a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
index 16fb18bbe74..a6cb8597f16 100644
--- a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
+++ b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
@@ -311,6 +311,23 @@ public class EsSettingsTest {
     assertThat(settings.get("http.enabled")).isEqualTo("true");
   }
 
+  @Test
+  public void enable_seccomp_filter_by_default() throws Exception {
+    Props props = minProps(CLUSTER_DISABLED);
+    Map<String, String> settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build();
+
+    assertThat(settings.get("bootstrap.system_call_filter")).isNull();
+  }
+
+  @Test
+  public void disable_seccomp_filter_if_configured_in_search_additional_props() throws Exception {
+    Props props = minProps(CLUSTER_DISABLED);
+    props.set("sonar.search.javaAdditionalOpts", "-Xmx1G -Dbootstrap.system_call_filter=false -Dfoo=bar");
+    Map<String, String> settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build();
+
+    assertThat(settings.get("bootstrap.system_call_filter")).isEqualTo("false");
+  }
+
   private Props minProps(boolean cluster) throws IOException {
     File homeDir = temp.newFolder();
     Props props = new Props(new Properties());
-- 
2.39.5