Our Elasticsearch systemd unit sets PrivateTmp=true, which is overall a good thing. But this prevents jstack / jmap / etc. from connecting to the JVM, as they expect a socket in the temp directory.
The easy (but less secure) workaround is to disable PrivateTmp. A better solution should be to wrap jstack / jmap / etc. and give them access to that same temp dir. Not sure if there is something similar to JoinsNamespaceOf that we could use in this context.
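One way to build the wrapper described above while keeping PrivateTmp=true, as an added example that is not part of the original task: enter the mount namespace of the service's main process with nsenter, then drop to the service account before running the tool. The unit name, the account name, the tool allowlist, the DRY_RUN switch and the assumption that the unit's MainPID is the JVM are all assumptions of this sketch.

```sh
#!/bin/sh
# Added example: run a JDK attach tool inside the private /tmp of a service.
# Must be started as root, because nsenter --mount needs CAP_SYS_ADMIN.
# Assumed values, not taken from the original task:
UNIT="${UNIT:-elasticsearch.service}"   # assumed unit name
RUN_AS="${RUN_AS:-elasticsearch}"       # assumed account the JVM runs as

# run_attach TOOL PID [TOOL_OPTIONS...]
# Joins the mount namespace of PID (so /tmp is the service's private one),
# drops from root to RUN_AS, then runs "TOOL TOOL_OPTIONS PID".
# With DRY_RUN=1 the command line is printed instead of executed.
run_attach() {
    [ "$#" -ge 2 ] || { echo "usage: run_attach TOOL PID [OPTIONS]" >&2; return 64; }
    tool=$1 pid=$2
    shift 2
    # Allowlist: the wrapper runs as root, so it must not start arbitrary programs.
    case "$tool" in
        jstack|jmap|jinfo) ;;
        *) echo "refusing tool: $tool" >&2; return 2 ;;
    esac
    # systemd reports MainPID=0 when the unit is not running.
    case "$pid" in
        ''|*[!0-9]*|0) echo "no running JVM (pid='$pid')" >&2; return 3 ;;
    esac
    set -- nsenter --target "$pid" --mount -- \
        runuser -u "$RUN_AS" -- "$tool" "$@" "$pid"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        exec "$@"
    fi
}

main() {
    tool=$1
    shift
    # Assumption: the unit's main process is the JVM itself.
    pid=$(systemctl show -p MainPID --value "$UNIT")
    run_attach "$tool" "$pid" "$@"
}

# Example: ./jvm-attach jstack -l
if [ "$#" -gt 0 ]; then main "$@"; fi
```

PrivateTmp only changes the mount namespace, so the PID seen by the wrapper is the same one the tool uses after entering it.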