Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file

Description

There was recently a ticket from a support customer, where the customer actually read through the documentation but missed the second part of the need for AmbientCapabilities to allow them to launch the software on port 443 instead of 8443. It's not spelled out in the documentation that CAP_NET_BIND_SERVICE would allow non-root users to launch things on ports lower than 1024.

I was going to put in something to get the documentation updated to spell that out a little better but why not just include the following in the opennms.service file that is shipped?:

I know this section was added because of the change a few years ago from running as root to the opennms user for security reasons, which also clobbered the ability to do things root would normally be able to do, which is why the above in the [Service] section is needed when starting the software.

If this were included in the service file, then users could run things on the original web ports and even collect snmp info on the standard port 162.

Things could still point to the port info we have configured [8980, 8443, 10162], but the user wouldn't be as burdened to switch to the original port numbers if they needed to.

Documentation would likely need to be updated to reflect this change, if not to remove the section from the deployment area when installing the software, and throughout to reflect the ability for the user to set their desired port information.

Tagging on this.
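
As an added example (not the shipped opennms.service unit and not part of the original ticket text), this systemd drop-in grants the non-root opennms user only the two capabilities named in the ticket title; the drop-in path is assumed, and CapabilityBoundingSet is added to keep the grant to exactly those two:

```ini
# Assumed path: /etc/systemd/system/opennms.service.d/privileged-ports.conf
# Added example; not the unit file OpenNMS ships.
[Service]
# Ambient capabilities are kept across the execve() into the JVM, so the
# process, still running as the unprivileged opennms user, may:
#   CAP_NET_BIND_SERVICE  bind ports below 1024 (e.g. 443 for the web UI,
#                         UDP 162 for SNMP traps) instead of 8443 / 10162
#   CAP_NET_RAW           open raw sockets (ICMP-based polling)
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
# Limit the bounding set to the same two so no other capability can ever
# be acquired by the service or anything it spawns (least privilege).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
```

After writing the drop-in, run `systemctl daemon-reload` and restart opennms; `systemctl show -p AmbientCapabilities opennms` confirms the effective setting.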

Acceptance / Success Criteria

None

Activity

Dino Yancey April 13, 2023 at 9:46 PM

Note: We already do this on Minion (and maybe Sentinel)

Fixed

Details

Created April 13, 2023 at 8:46 PM
Updated September 26, 2023 at 9:26 PM
Resolved May 8, 2023 at 3:15 PM