Analytics java.lang.UnsatisfiedLinkError or: How to run with /tmp mounted 'noexec'

Peter Burkholder -

Linux systems that are configured per the CIS (Center for Internet Security) Benchmarks or against the Dept of Defense STIGs will have the /tmp filesystem mounted with the 'noexec' flag. The Chef Analytics server on such systems will not ingest any events and will log an error like this in /var/log/opscode-analytics/alaska/storm.log:

  

java.lang.UnsatisfiedLinkError: /tmp/jna-storm/jna4809723839018820845.tmp: /tmp/jna-storm/jna4809723839018820845.tmp: failed to map segment from shared object: Operation not permitted


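The current workaround is to create another filesystem on a loopback device and mount it at /tmp/jna-storm. That filesystem is mounted with default options, so without 'noexec', and the JNA library file named in the error can be mapped from it. Since /tmp/jna-storm is readable and writable only by the storm user, the system is still in compliance with the STIG/CIS.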

The following shell script provides an example of how to do this:


#!/bin/bash -xv

set -e # exit on any error

i=1 # loop device number; the backing file is /virtualfs$i

die() {
    echo "$*" >&2
    exit 1
}

doit() {
    /bin/rm -f /virtualfs$i

    dd if=/dev/zero of=/virtualfs$i bs=1024 count=131720 # 128Mb
    losetup /dev/loop$i /virtualfs$i || die losetup fail
    mkfs -t ext3 -m 1 -v /dev/loop$i

    mkdir -p /tmp/jna-storm
    # Mounted with default options, so without noexec
    mount -t ext3 /dev/loop$i /tmp/jna-storm

    chown storm:storm /tmp/jna-storm
}

undo() {
    umount /dev/loop$i
    losetup -d /dev/loop$i
}

# Accept only the two known actions; the argument is never passed to eval
case "$1" in
    doit|undo) ;;
    *) die "usage: $0 {doit|undo}" ;;
esac

opscode-analytics-ctl stop
"$1"
opscode-analytics-ctl start

Save as, say, /root/fix_noexec.sh, then run /root/fix_noexec.sh doit

As you can see, what you're doing here is:

  • making a 128Mb /virtualfs1 file
  • associating that with /dev/loop1
  • making a filesystem on /dev/loop1
  • mounting /dev/loop1 at /tmp/jna-storm
  • setting ownership
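
To confirm the result after running the script, the mount flags can be checked: /tmp should still carry 'noexec' and /tmp/jna-storm should be a separate mount without it. The following is an added example, not part of the original article; the function names and the SAMPLE_MOUNTS table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check the mount flags
# after the workaround. Function names and SAMPLE_MOUNTS are constructed.

# Constructed sample in /proc/mounts format: /tmp is noexec, while the
# loopback filesystem mounted over /tmp/jna-storm is not.
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop1 /tmp/jna-storm ext3 rw,relatime 0 0'

# mount_opts MOUNTPOINT [TABLE]: print the options of the last (topmost)
# entry for MOUNTPOINT; return 1 if MOUNTPOINT is not a mount point.
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" |
        awk -v mp="$1" '$2 == mp { o = $4; f = 1 }
                        END { if (!f) exit 1; print o }'
}

# has_noexec MOUNTPOINT [TABLE]: 0 = noexec set, 1 = exec allowed,
# 2 = MOUNTPOINT is not mounted.
has_noexec() {
    _opts=$(mount_opts "$1" "$2") || return 2
    case ",$_opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_workaround [TABLE]: succeed only if /tmp is still noexec (the
# CIS/STIG setting) and /tmp/jna-storm is its own mount that allows exec.
check_workaround() {
    has_noexec /tmp "$1" || { echo "FAIL: /tmp is not mounted noexec"; return 1; }
    rc=0
    has_noexec /tmp/jna-storm "$1" || rc=$?
    case $rc in
        0) echo "FAIL: /tmp/jna-storm is mounted noexec"; return 1 ;;
        2) echo "FAIL: /tmp/jna-storm is not a separate mount"; return 1 ;;
    esac
    echo "OK: /tmp is noexec, /tmp/jna-storm allows exec"
}

# Demo on the constructed table; call check_workaround with no argument
# on a real host to read /proc/mounts instead.
check_workaround "$SAMPLE_MOUNTS"
```

The check covers mount flags only; ownership of /tmp/jna-storm by the storm user still has to be confirmed separately.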

A code-level fix for this is not expected for Analytics 1.x, since the behavior is built into the Apache Storm service that Analytics uses.

 