authorSimon Brandhof <simon.brandhof@sonarsource.com>2018-04-19 14:41:18 +0200
committerSimon Brandhof <simon.brandhof@sonarsource.com>2018-04-24 13:52:27 +0200
commit30ca0d2b4fe4f11f0b16452b516de7706b53370d (patch)
treeb349349e48388b5c02390516a7d6e27e9f8d8658 /server/sonar-main
parente518fae934aebbf5c8376d298a3f75024900cec1 (diff)
SONAR-10607 fix ability to disable Elasticsearch seccomp check
Diffstat (limited to 'server/sonar-main')
-rw-r--r--server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java11
-rw-r--r--server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java21
2 files changed, 27 insertions, 5 deletions
diff --git a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
index 79e949163cd..a8fd0f2233b 100644
--- a/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
+++ b/server/sonar-main/src/main/java/org/sonar/application/es/EsSettings.java
@@ -40,10 +40,10 @@ public class EsSettings {
private static final Logger LOGGER = LoggerFactory.getLogger(EsSettings.class);
private static final String STANDALONE_NODE_NAME = "sonarqube";
+ private static final String SECCOMP_PROPERTY = "bootstrap.system_call_filter";
private final Props props;
private final EsInstallation fileSystem;
-
private final boolean clusterEnabled;
private final String clusterName;
private final String nodeName;
@@ -71,7 +71,7 @@ public class EsSettings {
configureFileSystem(builder);
configureNetwork(builder);
configureCluster(builder);
- configureAction(builder);
+ configureOthers(builder);
return builder;
}
@@ -142,7 +142,12 @@ public class EsSettings {
builder.put("node.master", valueOf(true));
}
- private static void configureAction(Map<String, String> builder) {
+ private void configureOthers(Map<String, String> builder) {
builder.put("action.auto_create_index", String.valueOf(false));
+
+ if (props.value("sonar.search.javaAdditionalOpts", "").contains("-D" + SECCOMP_PROPERTY + "=false")) {
+ builder.put(SECCOMP_PROPERTY, "false");
+ }
}
+
}
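Review bot: The `contains("-D" + SECCOMP_PROPERTY + "=false")` check in configureOthers is a raw substring match, so any option string that merely embeds that text (a longer value such as `...=falsex`, or the text inside another option's value) switches off Elasticsearch's system call filter. A later `-Dbootstrap.system_call_filter=true` in the same string does not switch it back on. Comparing whole whitespace-separated tokens would make the opt-out exact, e.g. `Arrays.asList(opts.trim().split("\\s+")).contains("-D" + SECCOMP_PROPERTY + "=false")`, assuming `java.util.Arrays` is available, since the import block is outside the hunk. Because this drops a kernel-level sandbox, it should also log when it takes effect, e.g. `LOGGER.warn("Elasticsearch system call filter is disabled by sonar.search.javaAdditionalOpts")`. A one-line comment saying why the JVM option has to be mirrored into the settings map would help the next reader.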
diff --git a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
index 3cc7580e2be..e38c43a3ce5 100644
--- a/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
+++ b/server/sonar-main/src/test/java/org/sonar/application/es/EsSettingsTest.java
@@ -54,7 +54,7 @@ public class EsSettingsTest {
private ListAppender listAppender;
@After
- public void tearDown() throws Exception {
+ public void tearDown() {
if (listAppender != null) {
ListAppender.detachMemoryAppenderToLoggerOf(EsSettings.class, listAppender);
}
@@ -82,7 +82,7 @@ public class EsSettingsTest {
}
@Test
- public void constructor_logs_warning_if_env_variable_ES_JVM_OPTIONS_is_set_and_non_empty() throws IOException {
+ public void constructor_logs_warning_if_env_variable_ES_JVM_OPTIONS_is_set_and_non_empty() {
this.listAppender = ListAppender.attachMemoryAppenderToLoggerOf(EsSettings.class);
Props props = minimalProps();
System2 system2 = mock(System2.class);
@@ -295,6 +295,23 @@ public class EsSettingsTest {
assertThat(settings.get("http.enabled")).isEqualTo("true");
}
+ @Test
+ public void enable_seccomp_filter_by_default() throws Exception {
+ Props props = minProps(CLUSTER_DISABLED);
+ Map<String, String> settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build();
+
+ assertThat(settings.get("bootstrap.system_call_filter")).isNull();
+ }
+
+ @Test
+ public void disable_seccomp_filter_if_configured_in_search_additional_props() throws Exception {
+ Props props = minProps(CLUSTER_DISABLED);
+ props.set("sonar.search.javaAdditionalOpts", "-Xmx1G -Dbootstrap.system_call_filter=false -Dfoo=bar");
+ Map<String, String> settings = new EsSettings(props, new EsInstallation(props), System2.INSTANCE).build();
+
+ assertThat(settings.get("bootstrap.system_call_filter")).isEqualTo("false");
+ }
+
private Props minProps(boolean cluster) throws IOException {
File homeDir = temp.newFolder();
Props props = new Props(new Properties());
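Review bot: The two new tests pin only the default and the exact `-Dbootstrap.system_call_filter=false` token, so nothing asserts that the filter stays enabled for near-miss inputs. Add cases for `-Dbootstrap.system_call_filter=true` and for a longer token that only contains the text, e.g. `-Dbootstrap.system_call_filter=falsex`, each asserting `settings.get("bootstrap.system_call_filter")` is null. The second case fails against the substring check in `EsSettings.configureOthers` as committed, so it needs the whole-token comparison there. Separately, both new methods declare `throws Exception` while this commit narrows throws clauses elsewhere. `throws IOException` looks sufficient given `minProps`, though that depends on what the `EsInstallation` constructor and `build()` declare, which is not visible here.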