Loading

Ensure JNA temporary directory permits executables

Note

This is only relevant for Linux.

Elasticsearch uses the Java Native Access (JNA) library, and another library called libffi, for executing some platform-dependent native code. On Linux, the native code backing these libraries is extracted at runtime into a temporary directory and then mapped into executable pages in Elasticsearch's address space. This requires the underlying files not to be on a filesystem mounted with the noexec option.

By default, Elasticsearch will create its temporary directory within /tmp. However, some hardened Linux installations mount /tmp with the noexec option by default. This prevents JNA and libffi from working correctly.

Exact errors can differ between JVM versions, but the most common error messages are:

  • at startup due to a java.nio.file.AccessDeniedException exception against a file inside the /etc/elasticsearch/tmp/ directory

  • at startup if JNA fails to load:

    • a java.lang.UnsatisfiedLinkerError exception
    • failed to map segment from shared object
    • failed to allocate closure

  • when a component that relies on JNA attempts to run, it might fail with the message because JNA is not available

To resolve these problems, either remove the noexec option from your /tmp filesystem, or configure Elasticsearch to use a different location for its temporary directory by setting the $ES_TMPDIR environment variable. For example:

  • If you are running Elasticsearch directly from a shell, set $ES_TMPDIR as follows:

    export ES_TMPDIR=/usr/share/elasticsearch/tmp

  • For installs done through RPM or DEB packages, the environment variable needs to be set through the system configuration file.

  • If you are using systemd to run Elasticsearch as a service, add the following line to the [Service] section in a service override file:

    Environment=ES_TMPDIR=/usr/share/elasticsearch/tmp

If you need finer control over the location of these temporary files, you can also configure the path that JNA uses with the JVM flag -Djna.tmpdir=<path> and you can configure the path that libffi uses for its temporary files by setting the LIBFFI_TMPDIR environment variable. Future versions of Elasticsearch may need additional configuration, so you should prefer to set ES_TMPDIR wherever possible.

Note

Elasticsearch does not remove its temporary directory. You should remove leftover temporary directories while Elasticsearch is not running. It is best to do this automatically, for instance on each reboot. If you are running on Linux, you can achieve this by using the tmpfs file system.