Ensure JNA temporary directory permits executables
Ensure JNA temporary directory permits executables
This is only relevant for Linux.
Elasticsearch uses the Java Native Access (JNA) library, and another library called libffi
, for executing some platform-dependent native code. On Linux, the native code backing these libraries is extracted at runtime into a temporary directory and then mapped into executable pages in Elasticsearch’s address space. This requires the underlying files not to be on a filesystem mounted with the noexec
option.
By default, Elasticsearch will create its temporary directory within /tmp
. However, some hardened Linux installations mount /tmp
with the noexec
option by default. This prevents JNA and libffi
from working correctly. For instance, at startup JNA may fail to load with an java.lang.UnsatisfiedLinkerError
exception or with a message that says something similar to failed to map segment from shared object
, or libffi
may report a message such as failed to allocate closure
. Note that the exception messages can differ between JVM versions. Additionally, the components of Elasticsearch that rely on execution of native code via JNA may fail with messages indicating that it is because JNA is not available
.
To resolve these problems, either remove the noexec
option from your /tmp
filesystem, or configure Elasticsearch to use a different location for its temporary directory by setting the $ES_TMPDIR environment variable. For instance:
If you are running Elasticsearch directly from a shell, set
$ES_TMPDIR
as follows:export ES_TMPDIR=/usr/share/elasticsearch/tmp
If you are using
systemd
to run Elasticsearch as a service, add the following line to the[Service]
section in a service override file:Environment=ES_TMPDIR=/usr/share/elasticsearch/tmp
If you need finer control over the location of these temporary files, you can also configure the path that JNA uses with the JVM flag -Djna.tmpdir=<path>
and you can configure the path that libffi
uses for its temporary files by setting the LIBFFI_TMPDIR
environment variable. Future versions of Elasticsearch may need additional configuration, so you should prefer to set ES_TMPDIR
wherever possible.