CentOS Linux release 7.5.1804 (Core)

Configuring a production cluster, and ES refuses to start:

1:33:56,454][INFO ][o.e.t.TransportService   ] [node-68795-C] publish_address {192.168.200.162:9300}, bound_addresses {192.168.200.162:9300}
[2018-10-28T21:33:56,467][INFO ][o.e.b.BootstrapChecks    ] [node-68795-C] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2018-10-28T21:33:56,494][ERROR][o.e.b.Bootstrap          ] [node-68795-C] node validation exception
[1] bootstrap checks failed
[1]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

OK, so I go to check the presence of seccomp:

[$]# cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
CONFIG_SECCOMP=y
[$]# CONFIG_SECCOMP=y

So, looks and smells like seccomp is present.

What next?

The root cause: /tmp was mounted as noexec

It turns out that two or three bootstrap checks fail if /tmp is noexec.

Solve for /tmp, and all the other issues are resolved!