Securing the TMP directory
Map JNA to a different executable directory before mounting the TMP directory with the noexec flag.
Enterprise security policies often require mounting the /tmp directory with the no execution (noexec) flag. By default, Cassandra Java Native Access (JNA) is mapped to /tmp; JNA requires an executable directory to start. Remap JNA to a different (executable) directory and change permissions to allow full access to the user that runs the DSE service.
jvm.options
The location of the jvm.options file depends on the type of installation:
- Package installations: /etc/dse/cassandra/jvm.options
- Tarball installations: installation_location/resources/cassandra/conf/jvm.options
Procedure
- Create a directory and grant full access to the Cassandra user.
- Map the JNA temporary directory: in the jvm.options file, add the following flag with the path to the new directory:
  -Djna.tmpdir=JNA_startup_directory
- Restart DataStax Enterprise.
If DataStax Enterprise fails to start because the JNA startup directory is not available, the following error may appear in the system log:
tail -3 /var/log/cassandra/system.log
The error is similar to:
ERROR main 2015-12-18 09:57:00,879 CassandraDaemon.java:213 - JNA failing to initialize properly. Use -Dcassandra.boot_without_jna=true to bootstrap even so.
INFO Thread-2 2015-12-18 09:57:00,880 DseDaemon.java:418 - DSE shutting down...
INFO Thread-2 2015-12-18 09:57:00,881 PluginManager.java:103 - All plugins are stopped.
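A pre-restart check for the procedure above, as an added example that is not DataStax code: it reads the -Djna.tmpdir value from jvm.options and confirms the directory exists, is writable, and does not sit on a noexec mount. The function names and the script name check_jna.sh are hypothetical; the mount table is assumed to be in /proc/mounts format.

```shell
#!/bin/sh
# Added example (not DataStax code): check -Djna.tmpdir before restarting DSE.
# Run as the user that runs the DSE service so the write test is meaningful.

# Print the last uncommented -Djna.tmpdir value in a jvm.options file.
jna_tmpdir_from_options() {
    sed -n 's/^[[:space:]]*-Djna\.tmpdir=//p' "$1" | tail -n 1
}

# Print the mount options for path $1 from a /proc/mounts-format table $2.
# The longest matching mount point wins; on a tie the later entry wins.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            hit = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (hit && length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }' "$2"
}

# Succeed when the comma-separated option string $1 contains noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# check_jna_tmpdir OPTIONS_FILE [MOUNT_TABLE]
# Returns 0 = usable, 1 = flag missing, 2 = not a writable directory,
# 3 = directory is on a noexec mount.
check_jna_tmpdir() {
    dir=$(jna_tmpdir_from_options "$1")
    [ -n "$dir" ] || { echo "no -Djna.tmpdir flag in $1" >&2; return 1; }
    [ -d "$dir" ] && [ -w "$dir" ] || { echo "$dir: not a writable directory" >&2; return 2; }
    opts=$(mount_opts_for "$dir" "${2:-/proc/mounts}")
    if has_noexec "$opts"; then
        echo "$dir is on a noexec mount ($opts)" >&2
        return 3
    fi
    echo "$dir ok ($opts)"
}

# Example: sh check_jna.sh /etc/dse/cassandra/jvm.options
if [ "$#" -gt 0 ]; then check_jna_tmpdir "$@"; fi
```

Symbolic links in the configured path are not resolved, so point -Djna.tmpdir at the real directory when using this check.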