6

I installed varnish from the epel repo on CentOS 6.7, and it fails to start with the following error:

```
Compiled VCL program failed to load:
  ./vcl.1P9zoqAU.so: failed to map segment from shared object: Operation not permitted
VCL compilation failed
```

If I strace the varnishd binary, I get the following lines at the end:

```
chdir("/var/lib/varnish/myserver.foo.bar") = 0
open("./vcl.1P9zoqAU.c", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
```

So I checked that permissions were right on this directory (plus I'm running it as root), I disabled SELinux, rebooted, reinstalled... First it happened with varnish 2.1.15, but the same is happening with 4.0.3 (using the official varnish repo).

Do you have any idea what is going on on my system?

  • Can you check to ensure that the file system isn't mounted with `noexec`? – Anya Shenanigans Mar 09 '16 at 13:54
  • Omg, that was the reason... Can you explain (in a topic answer) why a noexec option has an impact on a basic open() operation? From what I understand, varnish is now trying to build vcl configuration in C so it can be loaded in memory. I'm not sure where the noexec here was interfering. Thank you for your help – Guillaume Fenollar Mar 09 '16 at 14:00

1 Answer

7

As part of varnish's startup, it generates a loadable library of the configuration of its behaviour. This gets compiled and loaded at run-time by varnishd. This is the thing that is being complained about with the error:

```
Compiled VCL program failed to load:
  ./vcl.1P9zoqAU.so: failed to map segment from shared object: Operation not permitted
VCL compilation failed
```

i.e. it's a dlopen call that's failing. The newer version has a slightly more obvious message where it says:

```
dlopen(vcl_boot/vgc.so) = failed to map segment from shared object: Operation not permitted
```

In this case, the directory that the .so is placed in resides on a filesystem that is mounted with the noexec option, which causes the dlopen to fail.

Addressing this requires remounting this file system with the exec option.

Anya Shenanigans
  • You can do this on Ubuntu by changing the /etc/fstab configuration to: `/tmp ext4 defaults,exec,nosuid,nodev` – Joe Hyde Mar 28 '16 at 04:27
  • Thanks for this. Note for those using docker and a tmpfs: you just need to add `:exec` on the end of the volume to add the exec option. – dalore May 28 '19 at 18:37
  • Wonder if it is possible to use a different directory for this compilation step? – Jonas Berlin Jul 23 '20 at 09:23
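
A way to check for the condition the answer describes, as an added example that is not part of the original question or answer: it finds the mount that holds a directory and reports whether that mount carries `noexec`. The function names and the sample mount table are constructed for illustration; the directory is the one from the strace output in the question.

```shell
#!/bin/sh
# Added example: find which mount holds a directory and whether it is noexec.

# mount_opts_for PATH [MOUNTS_FILE]
# Prints "<mount point> <options>" for the filesystem holding PATH: the
# longest mount point that is a path prefix of PATH (last entry wins on ties,
# because later mounts shadow earlier ones). PATH must be absolute and
# already canonical (symlinks are not resolved here).
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            hit = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (hit && length(mp) >= best_len) {
                best_len = length(mp); best = mp; opts = $4
            }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeeds if that filesystem is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2" | awk '{print $2}')," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format (not taken from the asker's system).
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample; on a real host, omit the second argument.
tmp=$(mktemp)
sample_mounts > "$tmp"
for dir in /var/lib/varnish/myserver.foo.bar /usr/lib64; do
    if is_noexec "$dir" "$tmp"; then
        echo "$dir: noexec mount ($(mount_opts_for "$dir" "$tmp")), loading a .so from here will fail"
    else
        echo "$dir: exec allowed ($(mount_opts_for "$dir" "$tmp"))"
    fi
done
rm -f "$tmp"
```

This also shows why the `open()` in the strace output succeeds: `noexec` does not block creating or writing files, only mapping them as executable, which is what loading the compiled `.so` requires.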