Packaging: document systemd net bind capability rpm and deb installations (#40165)

* add systemd net bind capability docs for rpm and deb

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

docs/sources/installation/debian.md

@@ -137,6 +137,10 @@ Configure the Grafana server to start at boot:
 sudo systemctl enable grafana-server.service
 ```
 
+#### Serving Grafana on a port < 1024
+
+{{< docs/shared "systemd/bind-net-capabilities.md" >}}
+
 ### Start the server with init.d
 
 To start the service and verify that the service has started:

docs/sources/installation/rpm.md

@@ -168,6 +168,10 @@ sudo systemctl enable grafana-server
 
 > **SUSE or OpenSUSE users:** You might need to start the server with the systemd method, then use the init.d method to configure Grafana to start at boot.
 
+#### Serving Grafana on a port < 1024
+
+{{< docs/shared "systemd/bind-net-capabilities.md" >}}
+
 ### Start the server with init.d
 
 To start the service and verify that the service has started:

docs/sources/shared/systemd/bind-net-capabilities.md

@@ -0,0 +1,25 @@
+---
+title: Serving Grafana on a port < 1024
+---
+
+If you are using `systemd` and want to start Grafana on a port that is less than 1024, then you must add a `systemd` unit override.
+
+1. The following command creates an override file in your configured editor:
+
+```bash
+# Alternatively, create a file in /etc/systemd/system/grafana-server.service.d/override.conf
+systemctl edit grafana-server.service
+```
+
+1 Add these additional settings to grant the `CAP_NET_BIND_SERVICE` capability. To read more about capabilities, see [the manual page on capabilities.](https://man7.org/linux/man-pages/man7/capabilities.7.html)
+
+```
+[Service]
+# Give the CAP_NET_BIND_SERVICE capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# A private user cannot have process capabilities on the host's user
+# namespace and thus CAP_NET_BIND_SERVICE has no effect.
+PrivateUsers=false
+```