Setting and securing the tmp directory for the agent

The DataStax agent requires exec permissions to the JDK tmpdir. Map to a different executable directory before mounting the tmp directory with the noexec flag. If the tmp directory has the noexec flag set, the agent cannot start.

Many enterprise security policies require mounting /tmp directories with the no execution (noexec) flag. OpsCenter runs the JVM using Jython, which requires access to its temporary directory to which it can copy executable files. The JDK requires an executable directory to start and is mapped to /tmp by default. If the /tmp directory has the noexec flag set, the agent cannot start.

By default, the DataStax agent when installed by deb or rpm packages runs as the same user as DSE, which is cassandra. If you are running the agent as a different user (tarball install), see Setting permissions to run the agent as a different user.

Remap the default temporary directory to a different (executable) directory and change its permissions to allow full access for the agent. Follow this procedure to securely mount a /tmp directory for OpsCenter and the DataStax agent.

datastax-agent-env.sh 

The default location of the DataStax agent environment shell script datastax-agent-env.sh depends on the type of installation:

  • Package installations: /etc/datastax-agent/datastax-agent-env.sh
  • Tarball installations: install_location/agent/conf/datastax-agent-env.sh

Procedure

  1. Create a temporary directory and grant full access to the cassandra user.
  2. Map the new temporary directory in the datastax-agent-env.sh file by specifying its path.
    Set the -Djava.io.tmpdir property to the path for the new /tmp directory.
    JVM_OPTS="$JVM_OPTS -Xmx512M -Djava.io.tmpdir=/path/to/tmp/dir"

    The example also shows doubling the agent max heap size to 512M with the -Xmx property.

  3. Save the file and restart the agents.