Entitlements and tmpdir

Hello,

I’ve just tried v8.19.10 and I get an issue with entitlements:

[2026-01-19T17:13:13,437][ERROR][o.e.b.Elasticsearch      ] [redacted] fatal exception while booting Elasticsearch
java.lang.IllegalArgumentException: policy for module [io.netty.common] in [repository-azure] has an invalid file entitlement. Any path under [/etc/elasticsearch] is forbidden for mode [READ_WRITE].
        at org.elasticsearch.entitlement.bootstrap.FilesEntitlementsValidation.buildValidationException(FilesEntitlementsValidation.java:63) ~[elasticsearch-entitlement-8.19.10.jar:?]
        at org.elasticsearch.entitlement.bootstrap.FilesEntitlementsValidation.validateWriteFilesEntitlements(FilesEntitlementsValidation.java:95) ~[elasticsearch-entitlement-8.19.10.jar:?]
        at org.elasticsearch.entitlement.bootstrap.FilesEntitlementsValidation.validate(FilesEntitlementsValidation.java:50) ~[elasticsearch-entitlement-8.19.10.jar:?]
        at org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap.createPolicyManager(EntitlementBootstrap.java:169) ~[elasticsearch-entitlement-8.19.10.jar:?]
        at org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap.bootstrap(EntitlementBootstrap.java:100) ~[elasticsearch-entitlement-8.19.10.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.initPhase2(Elasticsearch.java:253) ~[elasticsearch-8.19.10.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:99) ~[elasticsearch-8.19.10.jar:?]

I’ve tried to apply the following patch:

versions:
  - 8.19.10
policy:
  io.netty.common:
    - files:
      - path: "/etc/elasticsearch"
        mode: read_write

(I then use “base64 -w0” to get the value to set in -Des.entitlements.policy.repository-azure=)

But I still get the error and the service doesn’t start.

I’ve understood why it tries to access /etc/elasticsearch: it’s because I use ES_TMPDIR=/etc/elasticsearch and TMPDIR=/etc/elasticsearch. That’s because my /tmp partition is mounted with the noexec flag for security reasons.

Without these settings it works but I get the following error in logs:

systemd-entrypoint[34153]: Failed to load native library:jansi-2.4.0-63465bb7222bf8c0-libjansi.so. The native library file at /tmp/elasticsearch-17576746019114158548/jansi-2.4.0-63465bb7222bf8c0-libjansi.so is not executable, make sure that the directory is mounted on a partition without the noexec flag, or set the jansi.tmpdir system property to point to a proper location.  osinfo: Linux/x86_64
systemd-entrypoint[34153]: java.lang.UnsatisfiedLinkError: /tmp/elasticsearch-17576746019114158548/jansi-2.4.0-63465bb7222bf8c0-libjansi.so: /tmp/elasticsearch-17576746019114158548/jansi-2.4.0-63465bb7222bf8c0-libjansi.so: échec d'adressage (mapping) du segment de l'objet partagé

So my question is: how do I use a tmpdir other than /tmp with entitlements?

You need to create a directory with write permissions for the elasticsearch user and use it in ES_TMPDIR, something like /opt/tmp; do not use /etc/elasticsearch.
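A script that carries out the reply's advice, added here as an example and not part of the thread or of Elasticsearch itself: it rejects a candidate ES_TMPDIR that sits under /etc/elasticsearch (the path the entitlement check above forbids for READ_WRITE) or on a noexec mount (what broke the jansi native library), creates the directory for the elasticsearch user, and prints a systemd drop-in. The mount table passed as text, the drop-in mechanism and the /opt/tmp path are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: choose and validate a dedicated
# ES_TMPDIR on a host whose /tmp is mounted noexec, as the reply advises.
# Assumptions (mine, not the thread's): the mount table is passed in as
# /proc/mounts-style text so this runs offline; ES_TMPDIR is set through a
# systemd drop-in rather than /etc/default or /etc/sysconfig.

# Return 0 when the deepest mount point containing $2 carries "noexec".
# $1 is mount-table text: "device mountpoint fstype options ...".
mount_is_noexec() {
  table=$1; dir=$2; best=""; best_opts=""
  while read -r _dev mp _fs opts _rest; do
    case "$dir" in
      "$mp"|"${mp%/}"/*)
        if [ ${#mp} -gt ${#best} ]; then best=$mp; best_opts=$opts; fi ;;
    esac
  done <<EOF
$table
EOF
  case ",$best_opts," in *,noexec,*) return 0 ;; esac
  return 1
}

# Return 0 when $2 is usable as ES_TMPDIR: it must not sit under the
# config directory (the entitlement check in the log forbids any
# READ_WRITE path under /etc/elasticsearch) and its mount must allow
# executable mappings so native libraries such as jansi can be loaded.
tmpdir_ok() {
  case "$2" in
    /etc/elasticsearch|/etc/elasticsearch/*) return 1 ;;
  esac
  mount_is_noexec "$1" "$2" && return 1
  return 0
}

# Create the directory, private to its owner; chown it to the elasticsearch
# user only when running as root and that user exists on this host.
prepare_tmpdir() {
  mkdir -p "$1" && chmod 0750 "$1" || return 1
  if [ "$(id -u)" -eq 0 ] && id elasticsearch >/dev/null 2>&1; then
    chown elasticsearch:elasticsearch "$1"
  fi
}

# Print the systemd drop-in that points the service at the new tmpdir;
# install it as /etc/systemd/system/elasticsearch.service.d/tmpdir.conf
# (assumed path) and run "systemctl daemon-reload" afterwards.
systemd_dropin() {
  printf '[Service]\nEnvironment="ES_TMPDIR=%s"\n' "$1"
}
```

Run it against the real table with `tmpdir_ok "$(cat /proc/mounts)" /opt/tmp` before pointing ES_TMPDIR at the directory.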