This time, I have a couchpotato container that I want to change its default port from 5050 to port 80, so that it is as simple as http://mycouch/ to access from the local network.

Since CouchPotato is a python script, my other method of whitelisting the binary won’t work, an alternative is to use authbind to get around this by granting a user/group privileges to bind to one of those restricted ports (non-root can’t bind to ports 1024 or less).

Environment: LXC Container (Debian 9.0 Stretch) image, with couchpotato defaults running on port 5050 and systemd init script setup (couchpotato user is named gmedia)

#  groupadd -g 3200 gmedia
# useradd -u 3200 -g gmedia -M gmedia
# apt-get install authbind
# touch /etc/authbind/byport/80
# chown gmedia /etc/authbind/byport/80
# chmod 500 /etc/authbind/byport/80

Now edit the startup settings (Exec/user/group):
# nano /etc/systemd/system/couchpotato.service

Should look something like this:

[Unit]
Description=CouchPotato application instance
After=network.target

[Service]
ExecStart=/usr/bin/authbind --deep /opt/CouchPotatoServer/CouchPotato.py
Type=simple
User=gmedia
Group=gmedia

[Install]
WantedBy=multi-user.target

Now its time to test:

# systemctl daemon-reload
# systemctl start couchpotato.service
# systemctl status couchpotato.service

Confirm all is hunky dory.

root@couchpotato:~# systemctl status couchpotato.service
● couchpotato.service - CouchPotato application instance
Loaded: loaded (/etc/systemd/system/couchpotato.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-06-29 08:35:32 UTC; 2s ago
Main PID: 1203 (python)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/couchpotato.service
└─1203 python /opt/CouchPotatoServer/CouchPotato.py

Jun 29 08:35:32 couchpotato systemd[1]: Started CouchPotato application instance.
root@couchpotato:~# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 1203 gmedia 49u IPv4 6008724 0t0 TCP *:http (LISTEN)
python 1203 gmedia 52u IPv4 6024843 0t0 TCP 192.168.200.140:http->192.168.200.5:56928 (ESTABLISHED)
root@couchpotato:~#

In *nix any usage of well-known ports (aka 1024 or less) requires special privileges or a kernel setting. In FreeBSD a simple sysctl net.inet.ip.portrange.reservedhigh =1 was enough to allow the BSD jail to use any port on the jail.

On LXC, I had to figure out how to do the same thing and its quite different. My environment is a debian stretch LXC container but should work on other linux versions.

# apt-get install libcap2-bin
# setcap 'cap_net_bind_service=+ep' /usr/bin/transmission-daemon

In the example above, the binary /usr/bin/transmission-daemon is now able to open any port, or port 80 http in my case all while running a service as a non-root user.

Hopefully these helps folks out there, the answer took some digging but I already had an idea on what was needed thanks to my FreeBSD experience in zones

On servers with more than two network interfaces Debian/Proxmox renames all interfaces and does not properly detect eth0 as the on-board ethernet as many other linux flavors. This may cause a mild headache if you just installed Proxmox with static IP addresses using the installer and upon reboot you can’t access any network resources.

I already explained the cause and you could argue that on the Proxmox installer they could add a built-in network detection check to properly label eth0 as eth0 as the device is named in many other linux distros. That currently does not exist so I will walk you around the troubleshooting.

Upon reboot or first boot after the installation is complete:
# ip link

The bridge interface (vmbr0) should read “NO-CARRIER, MULTICAST, UP” as well as “state down” a few words further to the left of the results.

# dmesg | grep eth

Read the entries in the dmesg logs, it tells you the name of network interfaces on your system.

“NO-CARRIER” indicates it does not detect an uplink, the interface is configured but none of its bridge members have a network cable or connection being detected.

To fix this you will want to run the following commands:
# ifdown -a
# vi /etc/network/interfaces

By default the installer sets up “eth0” as your only bridge member since the network card numbering got setup differently, the logical name on proxmox for eth0 is actually eth2.

Edit the single instance of eth0 with eth2 – save the file and exit the editor.

# ifup -a
should try to bring back up your interfaces. Trying pinging your network gateway, it should be working now. Cheers.