KB Article #179229
Listening on privileged ports as a non-root user without modifying the library cache with ldconfig
Problem
-- When API Gateway runs as a non-root user, listening on a privileged port requires adding the CAP_NET_BIND_SERVICE capability to the vshell binary; because the dynamic loader ignores LD_LIBRARY_PATH for a binary that carries file capabilities, some API Gateway libraries then also have to be added to the system library cache.
-- Some of the libraries used by API Gateway can conflict with the system libraries, which can cause issues when running external programs.
-- How can API Gateway listen on a privileged port without running as root and without adding the API Gateway libraries to the system library cache?
Resolution
One solution is to set an rpath in the vshell binary pointing at the library folders it uses, so the loader finds them without a system-wide ld.so.conf entry.
Procedure ($VDISTDIR is the API Gateway home folder):
- Stop the product (node manager and instances)
- If they have already been added, remove the capabilities from the vshell binary:
# setcap -r $VDISTDIR/platform/bin/vshell
- Patch the vshell binary to add its rpath:
# patchelf --force-rpath --set-rpath "$VDISTDIR/platform/jre/lib/amd64/server:$VDISTDIR/platform/jre/lib/amd64:$VDISTDIR/platform/jre/lib/amd64/jli:$VDISTDIR/platform/lib/engines:$VDISTDIR/platform/lib:$VDISTDIR/ext/lib" $VDISTDIR/platform/bin/vshell
- Set the capability on the vshell binary:
# setcap 'cap_net_bind_service=+ep' $VDISTDIR/platform/bin/vshell
- If the loader configuration was modified earlier, remove the gateway-libs.conf file from /etc/ld.so.conf.d/ and run ldconfig to rebuild the library cache.
- If not already done, add the line:
<VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
near the top of the system/conf/jvm.xml file, after the following line:
<JVMSettings classloader="com.vordel.boot.ServiceClassLoader">
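A post-procedure verification script, added here as an example and not part of the KB article: it confirms that the rpath contains every directory from the patchelf command above, that the capability is present on vshell, that ldd resolves every library, and that no stale gateway-libs.conf remains. It assumes $VDISTDIR is exported and that patchelf, getcap and ldd are installed.

```shell
# Post-procedure check for the rpath/capability setup above. Assumes VDISTDIR is
# exported and patchelf, getcap and ldd are installed (assumptions of this example).

# Directories the rpath must contain: the same list given to patchelf above.
required_dirs() {
  printf '%s\n' \
    "$VDISTDIR/platform/jre/lib/amd64/server" \
    "$VDISTDIR/platform/jre/lib/amd64" \
    "$VDISTDIR/platform/jre/lib/amd64/jli" \
    "$VDISTDIR/platform/lib/engines" \
    "$VDISTDIR/platform/lib" \
    "$VDISTDIR/ext/lib"
}

# rpath_missing RPATH DIR... : prints every DIR absent from the colon-separated RPATH.
rpath_missing() {
  rpath=$1; shift
  for d in "$@"; do
    case ":$rpath:" in *":$d:"*) ;; *) printf '%s\n' "$d" ;; esac
  done
}

# cap_ok GETCAP_LINE : true when cap_net_bind_service is permitted and effective.
# Accepts both the "= cap+ep" and the newer "cap=ep" output styles of getcap.
cap_ok() {
  case "$1" in *cap_net_bind_service[=+]ep*) return 0 ;; esac
  return 1
}

# ldd_unresolved LDD_OUTPUT : prints each library the loader reports as "not found".
ldd_unresolved() {
  printf '%s\n' "$1" | grep 'not found' | awk '{ print $1 }'
}

# check_vshell : runs the checks on the real binary (paths without spaces assumed).
check_vshell() {
  bin="$VDISTDIR/platform/bin/vshell"; rc=0
  missing=$(rpath_missing "$(patchelf --print-rpath "$bin")" $(required_dirs))
  [ -z "$missing" ] || { printf 'rpath lacks:\n%s\n' "$missing"; rc=1; }
  cap_ok "$(getcap "$bin")" || { echo "cap_net_bind_service not set on $bin"; rc=1; }
  unresolved=$(ldd_unresolved "$(ldd "$bin")")
  [ -z "$unresolved" ] || { printf 'unresolved libraries:\n%s\n' "$unresolved"; rc=1; }
  # A leftover ld.so.conf.d entry would silently reintroduce the original problem.
  [ ! -e /etc/ld.so.conf.d/gateway-libs.conf ] || { echo "stale gateway-libs.conf"; rc=1; }
  return $rc
}

# Live checks run only when invoked as: sh verify-vshell.sh --check
case "${1:-}" in --check) check_vshell ;; esac
```

Run it after restarting the node manager and instances; a non-zero exit means at least one step of the procedure did not take effect.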