blob: bcc0225a4e724dd786c69e36bdcd2a809f99bc5a [file] [log] [blame]
FAQ
===
How do I change the default installation paths?
-----------------------------------------------
Paths to where NFD is installed can be configured during ``./waf configure``:
- Installation prefix (default ``/usr/local``)::
./waf configure --prefix=/usr
- Location of NFD configuration file (default: ``${prefix}/etc``)::
./waf configure --prefix=/usr --sysconfdir=/etc
- Location of manpages (default: ``${prefix}/share/man``)::
./waf configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man
See ``./waf configure --help`` for the full list of options.
How do I use the NDN PPA repository on Ubuntu Linux?
----------------------------------------------------
Please see :ref:`Install NFD on Ubuntu Linux using the NDN PPA repository`.
How do I run NFD as a non-root user?
------------------------------------
How do I configure automatic privilege dropping?
++++++++++++++++++++++++++++++++++++++++++++++++
NFD can be configured to drop privileges whenever possible. You can specify a user and/or
group for NFD to change its *effective* user/group ID to in the ``general`` section of the
configuration file. For example::
general
{
user nobody
group nogroup
}
will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
respectively.
.. note::
**IMPORTANT:** NFD may regain elevated privileges as needed during normal
execution. Dropping privileges in this manner should not be considered a security
mechanism (a compromised NFD that was started as root can trivially return to
root). However, reducing privileges may limit any damage caused by well intentioned,
but buggy, code.
How do I enable Ethernet face support?
++++++++++++++++++++++++++++++++++++++
The ``ether`` configuration file section contains settings for Ethernet faces and
channels. These settings will **NOT** work without root or without setting the
appropriate permissions.
- On **Ubuntu**::
sudo apt install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd
- On **macOS**::
curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
tar zxvf ChmodBPF.tar.gz
open ChmodBPF/Install\ ChmodBPF.app
or manually::
sudo chgrp admin /dev/bpf*
sudo chmod g+rw /dev/bpf*
How do I enable UDP multicast support in multi-homed Linux machines?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``udp`` configuration file section contains settings for unicast and multicast UDP
faces. If the Linux machine is equipped with multiple network interfaces with multicast
capabilities, the settings for multicast faces will **NOT** work without root or without
setting the appropriate permissions::
sudo setcap cap_net_raw=eip /path/to/nfd
.. _How do I configure NFD security:
How do I configure NFD security?
--------------------------------
.. note:: The sample configuration file for NFD allows any user to manage faces, FIB, RIB,
CS, and strategy choices of the local NFD instance. The following procedure can be used
to restrict certain operations to certain users.
More extensive documentation on the security mechanisms in NFD, as well as the available
options to configure its trust model, is currently in preparation.
Many management components in NFD use *Command Interests* (e.g., FIB modification, face
creation/destruction, etc.), which require an NDN certificate (either self-signed for local
trust or delegated from a trusted authority).
If you do not already have an NDN certificate, you can generate one using the following procedure.
**Generating and installing a self-signed identity certificate**:
::
ndnsec key-gen /$(whoami) | ndnsec cert-install -
Note that the argument to ``ndnsec key-gen`` will be the identity name of the new key (in this
case, ``/your-username``). Identity names are hierarchical NDN names and may have multiple
components (e.g. ``/ndn/ucla/edu/alice``). You may create additional keys and identities as
needed.
**Exporting the NDN certificate to a file**:
The following commands assume that you have not modified ``PREFIX`` or ``SYSCONFDIR``.
If you have, please substitute the appropriate path in place of ``/usr/local/etc``.
::
sudo mkdir -p /usr/local/etc/ndn/keys
ndnsec cert-dump -i /$(whoami) > default.ndncert
sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert