Securing the TMP directory

Map JNA to a different executable directory before mounting the TMP directory with the noexec flag.

Enterprise security policies often require mounting the /tmp directory with the no-execution (noexec) flag. By default, Cassandra Java Native Access (JNA) is mapped to /tmp, and JNA requires an executable directory to start. Remap JNA to a different, executable directory and change its permissions to allow full access to the user that runs the DSE service.

Procedure

  1. Create a directory and grant full access to the Cassandra user.
  2. Map the JNA temporary directory: in the jvm.options file, add the following flag with the path to the new directory:
    -Djna.tmpdir=JNA_startup_directory

    jvm.options

    The location of the jvm.options file depends on the type of installation:

    Package installations and Installer-Services installations:
        /etc/dse/cassandra/jvm.options

    Tarball installations and Installer-No Services installations:
        installation_location/resources/cassandra/conf/jvm.options
  3. Restart DataStax Enterprise.
    If DataStax Enterprise fails to start because the JNA startup directory is not available, an error may appear in the system log. Check the last lines of the log:
    tail -3 /var/log/cassandra/system.log
    The error is similar to:
    ERROR main 2015-12-18 09:57:00,879 CassandraDaemon.java:213 - JNA failing to initialize properly. Use -Dcassandra.boot_without_jna=true to bootstrap even so.
    INFO Thread-2 2015-12-18 09:57:00,880 DseDaemon.java:418 - DSE shutting down...
    INFO Thread-2 2015-12-18 09:57:00,881 PluginManager.java:103 - All plugins are stopped.

    See JNA fails to initialize.
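
The three steps above can be verified before the restart with a short check. This script is an added example, not DataStax code. It assumes a Linux host with /proc/mounts, and that it is run as the user that runs the DSE service. The function names and the script name check_jna.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not DataStax code. Run as the user that runs the DSE service.

# Print the directory set by the last active -Djna.tmpdir= line in a jvm.options file.
# Commented-out lines (starting with #) are ignored.
jna_tmpdir_from_options() {
    sed -n 's/^[[:space:]]*-Djna\.tmpdir=\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Print the mount options of the filesystem that holds path $1, read from a
# /proc/mounts-format file ($2, default /proc/mounts). The longest matching
# mount point wins; mount points containing spaces are not handled.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed if the comma-separated option list $1 contains noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Check the outcome of the procedure: flag present, directory fully accessible
# to the current user, and not on a noexec mount.
# $1 = jvm.options path, $2 = mounts file (optional, for testing).
check_jna_tmpdir() {
    dir=$(jna_tmpdir_from_options "$1")
    [ -n "$dir" ] || { echo "FAIL: no -Djna.tmpdir flag in $1"; return 1; }
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    [ -r "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ] ||
        { echo "FAIL: current user lacks full access to $dir"; return 1; }
    real=$(cd "$dir" && pwd -P)   # resolve symlinks before the mount lookup
    if has_noexec "$(mount_opts_for "$real" "$2")"; then
        echo "FAIL: $dir is on a noexec mount; JNA cannot start from it"; return 1
    fi
    echo "OK: JNA temporary directory $dir is usable"
}

# Usage: sh check_jna.sh /etc/dse/cassandra/jvm.options
if [ "$#" -gt 0 ]; then check_jna_tmpdir "$@"; fi
```

A FAIL result here corresponds to the conditions under which the "JNA failing to initialize properly" error shown in step 3 can appear at startup.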