Securing the TMP directory

Map JNA to a different executable directory before mounting the TMP directory with the noexe flag.

Enterprise security policies often require mounting the /tmp directory with the no execution (noexec) flag. By default, Cassandra Java Native Access (JNA) is mapped to /tmp; JNA requires an executable directory to start. Remap JNA to a different (executable) directory and change permissions to allow full access to the user that runs the DSE service.

jvm.options

The location of the jvm.options file depends on the type of installation:
Package installations /etc/dse/cassandra/jvm.options
Tarball installations installation_location/resources/cassandra/conf/jvm.options

Procedure

  1. Create a directory and grant full access to the Cassandra user.
  2. Map the JNA temporary directory; in jvm.options file, add the following flag with the path to the new directory:
    -Djna.tmpdir=JNA_startup_directory
  3. Restart DataStax Enterprise.
    If DataStax Enterprise fails to start because the JNA startup directory is not available, the following error may appear in the system log:
    tail -3 /var/log/cassandra/system.log
    The error is similar to:
    ERROR main 2015-12-18 09:57:00,879 CassandraDaemon.java:213 - JNA failing to initialize properly. Use -Dcassandra.boot_without_jna=true to bootstrap even so.
    INFO Thread-2 2015-12-18 09:57:00,880 DseDaemon.java:418 - DSE shutting down...
    INFO Thread-2 2015-12-18 09:57:00,881 PluginManager.java:103 - All plugins are stopped.

    See JNA fails to initialize.