Analytics java.lang.UnsatisfiedLinkError or: How to run with /tmp mounted 'noexec'

Peter Burkholder

Linux systems that are configured per the CIS (Center for Internet Security) Benchmarks or the Department of Defense STIGs will have the /tmp filesystem mounted with the 'noexec' flag. On such systems the Chef Analytics server will not ingest any events and will log an error like this in /var/log/opscode-analytics/alaska/storm.log:


java.lang.UnsatisfiedLinkError: /tmp/jna-storm/jna4809723839018820845.tmp: /tmp/jna-storm/jna4809723839018820845.tmp: failed to map segment from shared object: Operation not permitted

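The error occurs because JNA unpacks its native library under /tmp/jna-storm, and a 'noexec' mount refuses to map that file as executable code. The current workaround is to create another filesystem, on a loopback device, and mount that at /tmp/jna-storm. Since /tmp/jna-storm is only read-write by the storm user, the system is still in compliance with the STIG/CIS.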

The following shell script provides an example of how to do this:

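#!/bin/bash -xv
set -e # exit on any error
i=1    # loop device number: uses /dev/loop1 and /virtualfs1

die() {
    echo "$*"
    exit 1
}

# Create a 128Mb file-backed ext3 filesystem and mount it at /tmp/jna-storm
doit() {
    /bin/rm -f /virtualfs$i
    dd if=/dev/zero of=/virtualfs$i bs=1024 count=131720 # 128Mb
    losetup /dev/loop$i /virtualfs$i || die losetup fail
    mkfs -t ext3 -m 1 -v /dev/loop$i
    mkdir -p /tmp/jna-storm
    mount -t ext3 /dev/loop$i /tmp/jna-storm
    chown storm:storm /tmp/jna-storm
}

# Unmount the filesystem and detach the loop device
undo() {
    umount /dev/loop$i
    losetup -d /dev/loop$i
}

# Accept only the two known actions instead of eval'ing the argument
case "$1" in
    doit|undo) ;;
    *) die "usage: $0 {doit|undo}" ;;
esac
opscode-analytics-ctl stop
"$1"
opscode-analytics-ctl start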

Save as, say, /root/, then run /root/ doit

As you can see, what you're doing here is:

  • making a 128Mb /virtualfs1 file
  • associating that with /dev/loop1
  • making a filesystem on /dev/loop1
  • mounting /dev/loop1 at /tmp/jna-storm
  • setting ownership
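
To confirm the result of the steps above, the following added example (not part of the original article or of Chef Analytics) checks that /tmp is still 'noexec' while /tmp/jna-storm is a separate mount that allows exec. The function names and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/bash
# Added example: check mount flags for the /tmp/jna-storm workaround.
# Input is /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample: state after "doit" on a host with noexec /tmp
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/loop1 /tmp/jna-storm ext3 rw,relatime 0 0
EOF
}

# mount_opts_for PATH [MOUNTS_FILE]: print options of the mount covering PATH.
# Longest mount point wins; on a tie the later line wins (it shadows the earlier).
mount_opts_for() {
    local path="$1" mounts="${2:-/proc/mounts}"
    awk -v p="$path" '
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "$mounts"
}

# is_noexec PATH [MOUNTS_FILE]: exit status 0 if the covering mount is noexec
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_jna_workaround [MOUNTS_FILE]: /tmp must stay noexec, /tmp/jna-storm must not be
check_jna_workaround() {
    local mounts="${1:-/proc/mounts}"
    if ! is_noexec /tmp "$mounts"; then
        echo "FAIL: /tmp is not mounted noexec"; return 1
    fi
    if is_noexec /tmp/jna-storm "$mounts"; then
        echo "FAIL: /tmp/jna-storm is noexec, JNA cannot map its library"; return 1
    fi
    echo "OK: /tmp is noexec, /tmp/jna-storm allows exec"
}
```

Source the file and call check_jna_workaround with no argument to check the live /proc/mounts. Mount points containing spaces are escaped in /proc/mounts and are not handled here.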

A code-level fix for this is not expected for Analytics 1.x since it's built into the Apache Storm service that Analytics uses.
