Rename bootstrap.seccomp to bootstrap.system_call_filter

We try to install a system call filter on various operating systems
(Linux, macOS, BSD, Solaris, and Windows) but the setting
(bootstrap.seccomp) to control this is named after the Linux
implementation (seccomp). This commit replaces this setting with
bootstrap.system_call_filter. For backwards compatibility reasons, we
fallback to bootstrap.seccomp and log a deprecation message if
bootstrap.seccomp is set. We intend to remove this fallback in
6.0.0. Note that now is the time to make this change it's likely that
most users are not making this setting anyway as prior to version 5.2.0
(currently unreleased) it was not necessary to configure anything to
enable a node to start up if the system call filter failed to install
(we marched on anyway) but starting in 5.2.0 it will be necessary in
this case.

Relates #22226

core/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -30,11 +30,13 @@ import org.apache.lucene.util.IOUtils;
 import org.apache.lucene.util.StringHelper;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.Version;
+import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.PidFile;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.inject.CreationException;
+import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.logging.ESLoggerFactory;
 import org.elasticsearch.common.logging.LogConfigurator;
 import org.elasticsearch.common.logging.Loggers;
@@ -56,7 +58,9 @@ import java.net.URISyntaxException;
 import java.nio.file.Path;
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.concurrent.CountDownLatch;
 
 /**
@@ -177,7 +181,7 @@ final class Bootstrap {
         initializeNatives(
                 environment.tmpFile(),
                 BootstrapSettings.MEMORY_LOCK_SETTING.get(settings),
-                BootstrapSettings.SECCOMP_SETTING.get(settings),
+                BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.get(settings),
                 BootstrapSettings.CTRLHANDLER_SETTING.get(settings));
 
         // initialize probes before the security manager is installed

core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java

@@ -166,7 +166,7 @@ final class BootstrapChecks {
         }
         checks.add(new ClientJvmCheck());
         checks.add(new UseSerialGCCheck());
-        checks.add(new SystemCallFilterCheck(BootstrapSettings.SECCOMP_SETTING.get(settings)));
+        checks.add(new SystemCallFilterCheck(BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.get(settings)));
         checks.add(new OnErrorCheck());
         checks.add(new OnOutOfMemoryErrorCheck());
         checks.add(new G1GCCheck());
@@ -521,7 +521,7 @@ final class BootstrapChecks {
                 "OnError [%s] requires forking but is prevented by system call filters ([%s=true]);" +
                     " upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError",
                 onError(),
-                BootstrapSettings.SECCOMP_SETTING.getKey());
+                BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.getKey());
         }
 
     }
@@ -546,7 +546,7 @@ final class BootstrapChecks {
                 "OnOutOfMemoryError [%s] requires forking but is prevented by system call filters ([%s=true]);" +
                     " upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError",
                 onOutOfMemoryError(),
-                BootstrapSettings.SECCOMP_SETTING.getKey());
+                BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.getKey());
         }
 
     }

core/src/main/java/org/elasticsearch/bootstrap/BootstrapSettings.java

@@ -33,8 +33,8 @@ public final class BootstrapSettings {
 
     public static final Setting<Boolean> MEMORY_LOCK_SETTING =
         Setting.boolSetting("bootstrap.memory_lock", false, Property.NodeScope);
-    public static final Setting<Boolean> SECCOMP_SETTING =
+    public static final Setting<Boolean> SYSTEM_CALL_FILTER_SETTING =
-        Setting.boolSetting("bootstrap.seccomp", true, Property.NodeScope);
+        Setting.boolSetting("bootstrap.system_call_filter", true, Property.NodeScope);
     public static final Setting<Boolean> CTRLHANDLER_SETTING =
         Setting.boolSetting("bootstrap.ctrlhandler", true, Property.NodeScope);
 

core/src/main/java/org/elasticsearch/common/settings/ClusterSettings.java

@@ -390,7 +390,7 @@ public final class ClusterSettings extends AbstractScopedSettings {
                     PluginsService.MANDATORY_SETTING,
                     BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING,
                     BootstrapSettings.MEMORY_LOCK_SETTING,
-                    BootstrapSettings.SECCOMP_SETTING,
+                    BootstrapSettings.SYSTEM_CALL_FILTER_SETTING,
                     BootstrapSettings.CTRLHANDLER_SETTING,
                     IndexingMemoryController.INDEX_BUFFER_SIZE_SETTING,
                     IndexingMemoryController.MIN_INDEX_BUFFER_SIZE_SETTING,

core/src/test/java/org/elasticsearch/bootstrap/BootstrapCheckTests.java

@@ -492,8 +492,8 @@ public class BootstrapCheckTests extends ESTestCase {
             e -> assertThat(
                 e.getMessage(),
                 containsString(
-                    "OnError [" + command + "] requires forking but is prevented by system call filters ([bootstrap.seccomp=true]);"
+                    "OnError [" + command + "] requires forking but is prevented by system call filters " +
-                        + " upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError")));
+                        "([bootstrap.system_call_filter=true]); upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError")));
     }
 
     public void testOnOutOfMemoryErrorCheck() throws NodeValidationException {
@@ -521,7 +521,7 @@ public class BootstrapCheckTests extends ESTestCase {
                 e.getMessage(),
                 containsString(
                     "OnOutOfMemoryError [" + command + "]"
-                        + " requires forking but is prevented by system call filters ([bootstrap.seccomp=true]);"
+                        + " requires forking but is prevented by system call filters ([bootstrap.system_call_filter=true]);"
                         + " upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError")));
     }
 

core/src/test/java/org/elasticsearch/bootstrap/BootstrapSettingsTests.java

@@ -27,7 +27,7 @@ public class BootstrapSettingsTests extends ESTestCase {
     public void testDefaultSettings() {
         assertTrue(BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(Settings.EMPTY));
         assertFalse(BootstrapSettings.MEMORY_LOCK_SETTING.get(Settings.EMPTY));
-        assertTrue(BootstrapSettings.SECCOMP_SETTING.get(Settings.EMPTY));
+        assertTrue(BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.get(Settings.EMPTY));
         assertTrue(BootstrapSettings.CTRLHANDLER_SETTING.get(Settings.EMPTY));
     }
 

docs/reference/setup/bootstrap-checks.asciidoc

@@ -156,7 +156,7 @@ The system call filter check ensures that if system call filters are enabled,
 then they were successfully installed. To pass the system call filter check you
 must either fix any configuration errors on your system that prevented system
 call filters from installing (check your logs), or *at your own risk* disable
-system call filters by setting `bootstrap.seccomp` to `false`.
+system call filters by setting `bootstrap.system_call_filter` to `false`.
 
 === OnError and OnOutOfMemoryError checks