我一直在研究MongoDB CSFLE(客户端字段级加密),在我的Spring Boot项目mongodb-crypt-1.0.1中存在依赖性。出于安全原因,/tmp分区在EC2上运行的Ubuntu 16.04 OS上作为noexec挂载。应用程序启动失败,并显示以下堆栈跟踪:
Caused by: java.lang.UnsatisfiedLinkError: /tmp/jna--851256601/jna10844749069600633969.tmp: /tmp/jna--851256601/jna10844749069600633969.tmp: failed to map segment from shared object
at java.lang.ClassLoader$NativeLibrary.load0(Native Method) ~[?:?]
at java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2430) ~[?:?]
at java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2487) ~[?:?]
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2684) ~[?:?]
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:2617) ~[?:?]
at java.lang.Runtime.load0(Runtime.java:767) ~[?:?]
at java.lang.System.load(System.java:1834) ~[?:?]
at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:947) ~[jna-4.5.2.jar!/:4.5.2 (b0)]
at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922) ~[jna-4.5.2.jar!/:4.5.2 (b0)]
at com.sun.jna.Native.<clinit>(Native.java:190) ~[jna-4.5.2.jar!/:4.5.2 (b0)]
at com.mongodb.crypt.capi.CAPI.<clinit>(CAPI.java:778) ~[mongodb-crypt-1.0.1.jar!/:?]
at com.mongodb.crypt.capi.MongoCryptImpl.<init>(MongoCryptImpl.java:92) ~[mongodb-crypt-1.0.1.jar!/:?]
at com.mongodb.crypt.capi.MongoCrypts.create(MongoCrypts.java:36) ~[mongodb-crypt-1.0.1.jar!/:?]
at com.mongodb.client.internal.Crypts.createCrypt(Crypts.java:35) ~[mongo-java-driver-3.12.3.jar!/:?]
...
[/tmp改为安装为exec时,应用程序启动正常。
没有任何方法可以解决而不使/tmp可执行的问题?
据我所知,加密部分使用JNA,尤其是默认情况下,使用JNA将libmongocrypt.so提取到一个临时目录中。我认为相关文档为https://github.com/java-native-access/jna/blob/master/www/GettingStarted.md。
我建议尝试:
jna.library.path设置为文件系统上允许执行的路径(并在那里手动复制libmongocrypt.so?)。nocrypto版本。编辑:jna.tmpdir似乎更适合每个注释。