| 123456789101112131415161718192021222324 | [[executable-jna-tmpdir]]=== JNA temporary directory not mounted with `noexec`[NOTE]This is only relevant for Linux.Elasticsearch uses the Java Native Access (JNA) library for executing someplatform-dependent native code. On Linux, the native code backing this libraryis extracted at runtime from the JNA archive. By default, this code is extractedto the Elasticsearch temporary directory which defaults to a sub-directory of`/tmp`. Alternatively, this location can be controlled with the JVM flag`-Djna.tmpdir=<path>`. As the native library is mapped into the JVM virtualaddress space as executable, the underlying mount point of the location thatthis code is extracted to must *not* be mounted with `noexec` as this preventsthe JVM process from being able to map this code as executable. On some hardenedLinux installations this is a default mount option for `/tmp`. One indicationthat the underlying mount is mounted with `noexec` is that at startup JNA willfail to load with a `java.lang.UnsatisfiedLinkerError` exception with a messagealong the lines of `failed to map segment from shared object`.  Note that theexception message can differ amongst JVM versions. Additionally, the componentsof Elasticsearch that rely on execution of native code via JNA will fail withmessages indicating that it is `because JNA is not available`. If you are seeingsuch error messages, you must remount the temporary directory used for JNA tonot be mounted with `noexec`.
 |