Running Bitbucket Server on a Privileged Port (without Root)
This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the differences described in Compare Atlassian cloud vs server, the contents of this article cannot be applied to Atlassian Cloud applications.
Problem
On Linux, you typically cannot run Bitbucket Server (or any other Atlassian product) on a port below 1024 without starting it as root, because these are privileged ports. Starting as root both introduces a security risk and can prevent ElasticSearch from starting or operating as expected.
The following appears in your Bitbucket_home/log/atlassian-bitbucket.log when you attempt to start Bitbucket on a port below 1024 without any changes:
2018-05-10 10:37:02,346 ERROR [main] o.a.catalina.core.StandardService Failed to start connector [Connector[HTTP/1.1-80]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-80]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.start(BitbucketServerApplication.java:247)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.main(BitbucketServerApplication.java:83)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.start(BitbucketServerLauncher.java:151)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.main(BitbucketServerLauncher.java:99)
... 5 frames trimmed
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1021)
... 16 common frames omitted
Caused by: java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
... 16 common frames omitted
...
...
2018-05-10 10:37:06,559 ERROR [main] o.s.b.d.LoggingFailureAnalysisReporter
***************************
APPLICATION FAILED TO START
***************************
Description:
The Tomcat connector configured to listen on port 80 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 80, or configure this application to listen on another port.
2018-05-10 10:37:06,562 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Bitbucket 5.9.0 has shut down
Workaround
The steps below apply the workaround to Java itself: every Java application run with that Java binary gains the elevated network permission and can therefore bind to ports under 1024.
If your system supports "capabilities" then you can utilize "CAP_NET_BIND_SERVICE". You can verify if your system has this capability by running 'man capabilities'.
$ sudo apt-get install libcap2-bin
$ sudo getcap $JAVA_HOME/jre/bin/java
/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java =
$ sudo setcap cap_net_bind_service=+ep $JAVA_HOME/jre/bin/java
$ sudo getcap $JAVA_HOME/jre/bin/java
/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java = cap_net_bind_service+ep
Once you have completed the above steps and verified the permissions, you can edit the desired listen port in your bitbucket.properties configuration, as covered in our article Changing the port that Bitbucket Server Listens on.
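As an added example (not part of the original article), the following POSIX shell functions read one line of `getcap` output, in either the `path = cap+ep` style shown above or the `path cap=ep` style printed by newer libcap, and report whether the capability is effective and whether the Java binary is executable by every local account. The function names, verdict strings and sample paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# net_bind_flags LINE
# Print the flag letters (e, i, p) attached to cap_net_bind_service in one
# line of `getcap` output; print nothing if the capability is absent.
# Handles "path = cap_net_bind_service+ep" (older libcap, as in the article)
# and "path cap_net_bind_service=ep" (newer libcap).
net_bind_flags() {
    printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[,a-z_0-9]*[+=]\([eip]*\).*/\1/p'
}

# can_bind_low_ports LINE
# Succeed only if the capability is both permitted (p) and effective (e),
# which is what "+ep" requests and what an unmodified JVM needs.
can_bind_low_ports() {
    flags=$(net_bind_flags "$1")
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
}

# world_executable FILE
# Succeed if "other" has execute permission: any local account can then run
# this binary and inherit the capability.
world_executable() {
    [ -n "$(find "$1" -prune -perm -0001 -print 2>/dev/null)" ]
}

# audit_java FILE GETCAP_LINE
# Print one verdict word for the binary and its getcap line.
audit_java() {
    if ! can_bind_low_ports "$2"; then
        echo "no-capability"
    elif world_executable "$1"; then
        echo "capability-open-to-all-users"
    else
        echo "capability-restricted"
    fi
}

# Live use (requires libcap2-bin); resolve symlinks to the real file first:
#   real=$(readlink -f "$JAVA_HOME/jre/bin/java")
#   audit_java "$real" "$(getcap "$real")"
```

A verdict of `capability-open-to-all-users` means the grant is not limited to Bitbucket: restricting execute permission on that Java binary to the Bitbucket service account's group narrows it.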
When you attempt to start Bitbucket, you may receive the error "error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory".
If you receive this error when starting Bitbucket, or even when running ./java -version, you will likely need to create a symbolic link for this library, because Java (once escalated) looks for its libraries only under a specific directory as part of a security feature.
The command to create this symbolic link is as follows:
ln -s /path/to/your/jre/lib/amd64/jli/libjli.so /usr/lib/
# Note: If your OS is 64-bit, you may need to create the symbolic link in the lib64 directory instead:
ln -s /path/to/your/jre/lib/amd64/jli/libjli.so /usr/lib64/