Class LinuxNativeAccess

java.lang.Object
org.elasticsearch.nativeaccess.PosixNativeAccess
org.elasticsearch.nativeaccess.LinuxNativeAccess
All Implemented Interfaces:
NativeAccess

public class LinuxNativeAccess extends PosixNativeAccess
  • Field Details

  • Method Details

    • getMaxThreads

      protected long getMaxThreads()
      Description copied from class: PosixNativeAccess
      Return the maximum number of threads this process may start, or ProcessLimits.UNKNOWN.
      Specified by:
      getMaxThreads in class PosixNativeAccess
    • systemd

      public Systemd systemd()
      Specified by:
      systemd in interface NativeAccess
    • logMemoryLimitInstructions

      protected void logMemoryLimitInstructions()
      Specified by:
      logMemoryLimitInstructions in class PosixNativeAccess
    • nativePreallocate

      protected boolean nativePreallocate(int fd, long currentSize, long newSize)
      Specified by:
      nativePreallocate in class PosixNativeAccess
    • tryInstallExecSandbox

      public void tryInstallExecSandbox()
      Installs exec system call filtering for Linux.

      On Linux, exec system call filtering currently supports the amd64 and aarch64 architectures. It requires Linux kernel 3.5 or above, with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled into the kernel.

      On Linux, BPF filters are installed using either seccomp(2) (3.17+) or prctl(2) (3.5+). seccomp(2) is preferred, as it allows filters to be applied to any existing threads in the process, and one motivation here is to protect against bugs in the JVM. Otherwise, the code falls back to the prctl(2) method, which will at least protect Elasticsearch application threads.

      Linux BPF filters will return EACCES (Access Denied) for the following system calls:

      • execve
      • fork
      • vfork
      • execveat
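
      The install sequence described above, written out in C as an added example (it is not Elasticsearch's own code). The names install_exec_filter and exec_blocked_in_child, the numeric return codes, the /bin/true probe, and the choice to deny foreign-ABI and x32-range calls are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#endif
#define RET_EACCES BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
#define DENY_IF(cmp, k) BPF_JUMP(BPF_JMP | (cmp) | BPF_K, (k), 0, 1), RET_EACCES /* match: EACCES */
static struct sock_filter exec_filter[] = { /* constructed for this example */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0), RET_EACCES, /* other ABI: deny */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    DENY_IF(BPF_JGE, 0x40000000), /* x32 numbering on amd64 (this example's choice) */
#ifdef __NR_fork /* the aarch64 headers define no fork/vfork numbers */
    DENY_IF(BPF_JEQ, __NR_fork), DENY_IF(BPF_JEQ, __NR_vfork),
#endif
    DENY_IF(BPF_JEQ, __NR_execve), DENY_IF(BPF_JEQ, __NR_execveat),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Returns 2: all threads via seccomp(2); 1: calling thread via prctl(2); -1: not installed. */
int install_exec_filter(void) {
    struct sock_fprog prog = { .len = sizeof exec_filter / sizeof exec_filter[0], .filter = exec_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0) return 2;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 1 : -1;
}
/* Runs the check in a child so the caller stays unfiltered. Returns the install mode (1 or 2)
 * if execve got EACCES, 10 if no filter was installed, 3 on another exec error, 0 if exec ran. */
int exec_blocked_in_child(void) {
    int st = 0, mode;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "true", NULL };
        if ((mode = install_exec_filter()) < 0) _exit(10);
        execve("/bin/true", argv, NULL); /* the filter answers before any path lookup */
        _exit(errno == EACCES ? mode : 3);
    }
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}
int main(void) { int r = exec_blocked_in_child(); return (r == 1 || r == 2) ? 0 : 1; }
```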
    • getZstd

      public Zstd getZstd()
      Description copied from interface: NativeAccess
      Returns an accessor to zstd compression functions.
      Specified by:
      getZstd in interface NativeAccess
      Returns:
      an object used to compress and decompress bytes using zstd
    • newSharedBuffer

      public CloseableByteBuffer newSharedBuffer(int len)
      Description copied from interface: NativeAccess
      Creates a new CloseableByteBuffer using a shared arena. The buffer can be used across multiple threads.
      Specified by:
      newSharedBuffer in interface NativeAccess
      Parameters:
      len - the number of bytes the buffer should allocate
      Returns:
      the buffer
    • newConfinedBuffer

      public CloseableByteBuffer newConfinedBuffer(int len)
      Description copied from interface: NativeAccess
      Creates a new CloseableByteBuffer using a confined arena. The buffer must be used within the same thread that it is created.
      Specified by:
      newConfinedBuffer in interface NativeAccess
      Parameters:
      len - the number of bytes the buffer should allocate
      Returns:
      the buffer
    • isMemoryLocked

      public boolean isMemoryLocked()
      Description copied from interface: NativeAccess
      Return true if locking memory was successful, or false otherwise.
      Specified by:
      isMemoryLocked in interface NativeAccess
    • getExecSandboxState

      public NativeAccess.ExecSandboxState getExecSandboxState()
      Description copied from interface: NativeAccess
      Return whether installing the exec system call filters was successful, and to what degree.
      Specified by:
      getExecSandboxState in interface NativeAccess