Allow privileged port bindings when running OpenNMS with a system account

Problem

Since Horizon 29, OpenNMS no longer runs as root by default. An unprivileged system account, opennms, is created and used for the process. Running as an unprivileged user improves security, but it also means the process cannot bind privileged ports (< 1024).

This especially affects port 514/udp for Syslog and port 162/udp for SNMP traps, which is why our default configuration now uses 10514/udp and 10162/udp instead. For these common cases, our deployment documentation describes how to forward 514/udp and 162/udp packets with firewalld and ufw accordingly.

The problem also appears if you need to run the DHCP monitor, which uses privileged ports to test DHCP services, or if you change the port in trapd-configuration.xml back to 162/udp.

OpenNMS might still start, but you will see error messages like this in your logs:

Caused by: java.net.BindException: Permission denied (Bind failed)
	at java.net.PlainDatagramSocketImpl.bind0(Native Method) ~[?:?]
	at java.net.AbstractPlainDatagramSocketImpl.bind(AbstractPlainDatagramSocketImpl.java:131) ~[?:?]
	at java.net.DatagramSocket.bind(DatagramSocket.java:394) ~[?:?]
	at org.snmp4j.transport.DefaultUdpTransportMapping.<init>(DefaultUdpTransportMapping.java:86) ~[org.opennms.core.snmp.implementations.snmp4j-29.0.4.jar:?]
	at org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy.registerForTraps(Snmp4JStrategy.java:579) ~[org.opennms.core.snmp.implementations.snmp4j-29.0.4.jar:?]
	at org.opennms.netmgt.snmp.SnmpUtils.registerForTraps(SnmpUtils.java:198) ~[org.opennms.core.snmp.api-29.0.4.jar:?]
	at org.opennms.netmgt.trapd.TrapListener.open(TrapListener.java:117) ~[org.opennms.features.events.traps-29.0.4.jar:?]
	... 39 more

Solution

Give OpenNMS the necessary permissions to bind on privileged ports by assigning the CAP_NET_BIND_SERVICE capability in the systemd unit.

sudo systemctl edit --full opennms

In the [Service] section, add:

AmbientCapabilities=CAP_NET_BIND_SERVICE

Save the file and restart OpenNMS with systemctl restart opennms. You should now see the open privileged port in the output of ss -lnpu.

:tipping_hand_woman: Instead of editing the packaged systemd unit directly, systemctl edit creates a unit override file in /etc/systemd/system/opennms.service.d/override.conf. This way your customizations are preserved even when you update or reinstall OpenNMS.
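As an added example (not part of the original post), the following POSIX shell check verifies that the capability actually reached the running process, by reading the CapAmb and CapEff masks from /proc/<pid>/status; CAP_NET_BIND_SERVICE is capability number 10 in the Linux capability set. The two status snippets below are constructed samples, not captured from a real system, and check_pid is a helper name chosen here.

```shell
#!/bin/sh
# Constructed sample of the capability lines in /proc/<pid>/status for the
# opennms java process after AmbientCapabilities=CAP_NET_BIND_SERVICE took
# effect. Bit 10 (0x400) is CAP_NET_BIND_SERVICE.
SAMPLE_STATUS_OK='Name: java
Uid: 998 998 998 998
CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000400'

# Constructed sample of the same process before the override: every set is
# empty, so bind() on 162/udp fails with "Permission denied".
SAMPLE_STATUS_MISSING='Name: java
Uid: 998 998 998 998
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# cap_bit_set STATUS_TEXT FIELD BIT
# Returns 0 when bit BIT is set in the hex mask of line "FIELD:" (for
# example CapAmb), 1 when it is clear, 2 when the field is absent.
cap_bit_set() {
    mask=$(printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }')
    [ -n "$mask" ] || return 2
    # Shell arithmetic accepts the 0x prefix, so test the bit directly.
    [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# has_net_bind_service STATUS_TEXT
# Returns 0 only when CAP_NET_BIND_SERVICE is present in both the ambient
# set (what systemd granted) and the effective set (what bind() checks).
has_net_bind_service() {
    cap_bit_set "$1" CapAmb 10 && cap_bit_set "$1" CapEff 10
}

# check_pid PID
# Runs the same check against a live process, e.g.
#   check_pid "$(systemctl show -p MainPID --value opennms)"
check_pid() {
    has_net_bind_service "$(cat "/proc/$1/status")"
}
```

If the check fails after a restart, confirm with systemctl cat opennms that the override actually applies to the unit that was started.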




This worked for me. My DHCP monitor stopped working after an in-place upgrade to 29.
