Running Bitbucket Server on a Privileged Port (without Root)

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the Compare Atlassian cloud vs server, the contents of this article cannot be applied to Atlassian Cloud applications.

Solution

Problem

On Linux, you are typically unable to run Bitbucket Server (or any other Atlassian product) on a port below 1024 as these are Privileged ports, without starting as root. Starting as Root introduces both a security risk and can prevent ElasticSearch from starting/operating as expected.

The following appears in your Bitbucket_home/log/atlassian-bitbucket.log when you attempt to start Bitbucket on a port below 1024 without any changes.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 2018-05-10 10:37:02,346 ERROR [main] o.a.catalina.core.StandardService Failed to start connector [Connector[HTTP/1.1-80]] org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-80]] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250) at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193) at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546) at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.start(BitbucketServerApplication.java:247) at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.main(BitbucketServerApplication.java:83) at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.start(BitbucketServerLauncher.java:151) at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.main(BitbucketServerLauncher.java:99) ... 5 frames trimmed Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed at org.apache.catalina.connector.Connector.startInternal(Connector.java:1021) ... 16 common frames omitted Caused by: java.net.SocketException: Permission denied at sun.nio.ch.Net.bind0(Native Method) at sun.nio.ch.Net.bind(Net.java:433) at sun.nio.ch.Net.bind(Net.java:425) at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223) at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74) ... 16 common frames omitted ... ... 2018-05-10 10:37:06,559 ERROR [main] o.s.b.d.LoggingFailureAnalysisReporter *************************** APPLICATION FAILED TO START *************************** Description: The Tomcat connector configured to listen on port 80 failed to start. The port may already be in use or the connector may be misconfigured. Action: Verify the connector's configuration, identify and stop any process that's listening on port 80, or configure this application to listen on another port. 2018-05-10 10:37:06,562 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Bitbucket 5.9.0 has shut down

Workaround

The below steps will provide a workaround for Java itself, allowing all Java applications elevated network permissions, thereby allowing you to bind to ports under 1024.

If your system supports "capabilities" then you can utilize "CAP_NET_BIND_SERVICE". You can verify if your system has this capability by running 'man capabilities'.

Needed if "setcap" and "getcap" are not available on your machine

1 $ sudo apt-get install libcap2-bin

Checking what capabilities Java has

1 $ sudo getcap $JAVA_HOME/jre/bin/java

Expected output when Capabilities are not yet set:

1 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java =

Setting the Capability to add Elevated Privileges for network ports

1 $ sudo setcap cap_net_bind_service=+ep $JAVA_HOME/jre/bin/java

Confirm change took effect with previous command

1 $ sudo getcap $JAVA_HOME/jre/bin/java

New expected output confirming change took effect

1 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java = cap_net_bind_service+ep

Once the above steps have been completed and you verify the permissions, you can then edit the desired listen port within your Bitbucket.properties configuration as covered in our Changing the port that Bitbucket Server Listens on.

On attempting to start up Bitbucket, it's possible that you receive the error "error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory"

If you receive this error on starting Bitbucket, or attempting to even run ./java -version, then it's likely you will need to create a symbolic link for this library - as Java (once escalated) will start looking for libraries under a specific directory as part of a security feature.

The command to generate this symbolic link is as follows:

Creating a symbolic link to the libjli.so library

1 2 3 ln -s /path/to/your/jre/lib/amd64/jli/libjli.so /usr/lib/ #Note: If your OS is instead 64 bit, you may need to create a symbolic link to the lib64 directory instead: ln -s /path/to/your/jre/lib/amd64/jli/libjli.so /usr/lib64/

Updated on April 15, 2025

Still need help?

The Atlassian Community is here for you.