mlockall fails on noexec /tmp #5493

Closed
jimmyjones2 opened this issue Mar 22, 2014 · 4 comments

Comments

@jimmyjones2
Contributor

I've been debugging a system where I couldn't get memory locking working. The upshot is JNA extracts out the relevant native library to /tmp and tries to load it, however if you follow security best practice and disable execute in /tmp (noexec mount option), this fails silently. The JNA documentation recommends you extract out the libraries on systems with additional security constraints; in fact the JNA package that ships with RHEL puts the relevant library in /usr/lib64/jna.

I see two potential solutions:

  • src/main/java/org/elasticsearch/common/jna/CLibrary.java - log with warning on UnsatisfiedLinkError (rather than debug), and hint at noexec being a potential issue
  • extract out the various libjnidispatch.so versions into the elasticsearch lib directory and get JNA to load from there

@hhoffstaette

I'm very sympathetic to not having JNA unpack, but unfortunately this has several implications for packaging and deployment. However I just looked into this and found that while our current version of JNA does not support a custom directory, the latest version does (see https://github.com/twall/jna/blob/master/src/com/sun/jna/Native.java#L1014), so that might be a way forward.

I'm not the biggest fan of simply logging the failure since that does not provide an actual solution to the problem and will only confuse too many people even more (who will then ask about how to turn off noexec).

In the meantime you can try:

Hope this helps for now.

@hhoffstaette hhoffstaette self-assigned this Mar 31, 2014
@hhoffstaette hhoffstaette added bug and removed v1.1.0 labels Mar 31, 2014
@jimmyjones2
Contributor Author

Hey, thanks for your response. I agree logging isn't ideal, but in its defence:

@hhoffstaette

Please have a look at https://github.com/hhoffstaette/elasticsearch/commit/3cb270cf4f7e2326eb7e924275b5187d9b140e09 and let me know if the message is clear enough.

@jimmyjones2
Contributor Author

LGTM, thanks Holger!

spinscale pushed a commit that referenced this issue May 2, 2014
Updating to this version allows to configure a special JNA directory,
in case the /tmp directory is mounted with the noexec option, as JNA
extracts some data and tries to execute parts of it.

Also updated documentation to clarify mlockall and memory settings as well
as pointing to the new jna.tmpdir system property.

Closes #5493
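
An added example, not taken from the issue or from the Elasticsearch or JNA code: a shell check that reports whether a directory JNA would unpack into (/tmp, or the directory given via jna.tmpdir) sits on a noexec mount, which is the silent failure described in this thread. The sample mount table and the /var/lib/elasticsearch/tmp path are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not from the issue).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /var/lib/elasticsearch/tmp ext4 rw,nosuid,nodev 0 0'

# Print the mount options of the filesystem that holds directory $1,
# given mount table text $2. The longest matching mount point wins; on a
# tie the later line wins, because it shadows the earlier mount.
# Limitation: /proc/mounts escapes spaces as \040; that is not decoded here.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        BEGIN { best = 0; opts = "" }
        {
            mp = $2
            # Match "/", an exact hit, or a true path prefix (so /tmpfoo is not under /tmp).
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Succeed (exit status 0) when the directory is on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for a candidate JNA extraction directory.
check_jna_tmpdir() {
    if is_noexec "$1" "$2"; then
        echo "FAIL: $1 is on a noexec mount; a native library unpacked there cannot be loaded"
        return 1
    fi
    echo "OK: $1 is not on a noexec mount"
}

# Demo on the constructed table. On a live Linux host, pass the real table:
#   check_jna_tmpdir /tmp "$(cat /proc/mounts)"
check_jna_tmpdir /tmp "$SAMPLE_MOUNTS" || true
check_jna_tmpdir /var/lib/elasticsearch/tmp "$SAMPLE_MOUNTS"
```

Running the same check against the directory chosen for jna.tmpdir before starting the node confirms the replacement location is actually executable, rather than finding out from a failed mlockall.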