docs/FAQ.rst - NFD - Gitiles

 FAQ
 ===

 How to change default paths?
 ----------------------------

 Paths to where NFD is installed can be configured during ``./waf
 configure``:

 - Installation prefix (default ``/usr/local``):

     ::

         ./waf configure --prefix=/usr

 - Location of NFD configuration file (default: ``${prefix}/etc``):

     ::

         ./waf configure --prefix=/usr --sysconfdir=/etc

 - Location of manpages (default: ``${prefix}/share/man``)

     ::

         ./waf configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man

 How to run NFD as non-root user?
 --------------------------------

 How to configure automatic dropping of privileges?
 ++++++++++++++++++++++++++++++++++++++++++++++++++

 NFD can be configured to drop privileges whenever possible.  You can specify a user and/or
 group for NFD to change its *effective* user/group ID to in the ``general`` section of the
 configuration file. For example:

 ::

     general
     {
       user nobody
       group nogroup
     }

 will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
 respectively.

 .. note::

     **IMPORTANT:** NFD may regain elevated permissions as needed during normal
     execution. Dropping privileges in this manner should not be considered a security
     mechanism (a compromised NFD that was started as root can trivially return to
     root). However, reducing privileges may limit any damaged caused by well intentioned,
     but buggy, code.

 How to enable Ethernet Face Support?
 ++++++++++++++++++++++++++++++++++++

 The ``ether`` configuration file section contains settings for Ethernet faces and
 channels. These settings will **NOT** work without root or setting the appropriate
 permissions:

 ::

     sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd

 You may need to install a package to use setcap:

 **Ubuntu:**

 ::

     sudo apt-get install libcap2-bin

 **Mac OS X:**

 ::

     curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
     tar zxvf ChmodBPF.tar.gz
     open ChmodBPF/Install\ ChmodBPF.app

 or manually:

 ::

     sudo chgrp admin /dev/bpf*
     sudo chmod g+rw /dev/bpf*

 How to enable UDP multicast support in multi-homed Linux machines
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 The UDP configuration file section contains settings for unicast and multicast UDP
 faces. If the Linux box is equipped with multiple network interfaces with multicast
 capabilities, the settings for multicast faces will **NOT** work without root
 or setting the appropriate permissions:

 ::

     sudo setcap cap_net_raw=eip /full/path/nfd

 .. _How to configure NFD security:

 How to configure NFD security?
 ------------------------------

 .. note:: The sample configuration file of NFD allow any user to manage faces, FIB, RIB, and
     StrategyChoice of the local NFD.  The following description can be used to restrict certain
     operations to certain users.

     More extensive documentation about NFD's security and options to configure trust model for
     NFD is currently in preparation.

 Many NFD management protocols use commands Interests (e.g., FIB modification, Face
 creation/destructions, etc.), which require an NDN certificate (either self-signed for local
 trust or delegated from a trusted authority).

 If you do not already have NDN certificate, you can generate one with the following commands:

 **Generate and install a self-signed identity certificate**:

 ::

     ndnsec-keygen /`whoami` | ndnsec-install-cert -

 Note that the argument to ndnsec-key will be the identity name of the new key (in this case,
 ``/your-username``). Identity names are hierarchical NDN names and may have multiple components
 (e.g.  ``/ndn/ucla/edu/alice``). You may create additional keys and identities as you see fit.

 **Dump the NDN certificate to a file**:

 The following commands assume that you have not modified ``PREFIX`` or ``SYSCONFDIR`` If you
 have, please substitute ``/usr/local/etc`` for the appropriate value (the overriden
 ``SYSCONFDIR`` or ``PREFIX/etc`` if you changed ``PREFIX``).

 ::

     sudo mkdir -p /usr/local/etc/ndn/keys
     ndnsec-cert-dump -i /`whoami` > default.ndncert
     sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert

 .. _How to start using NDN PPA repository on Ubuntu Linux:

 How to start using NDN PPA repository on Ubuntu Linux?
 ------------------------------------------------------

 Please see :ref:`Install NFD Using the NDN PPA Repository on Ubuntu Linux`.
	FAQ
	===

	How to change default paths?
	----------------------------

	Paths to where NFD is installed can be configured during ``./waf
	configure``:

	- Installation prefix (default ``/usr/local``):

	::

	./waf configure --prefix=/usr

	- Location of NFD configuration file (default: ``${prefix}/etc``):

	::

	./waf configure --prefix=/usr --sysconfdir=/etc

	- Location of manpages (default: ``${prefix}/share/man``)

	::

	./waf configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man

	How to run NFD as non-root user?
	--------------------------------

	How to configure automatic dropping of privileges?
	++++++++++++++++++++++++++++++++++++++++++++++++++

	NFD can be configured to drop privileges whenever possible. You can specify a user and/or
	group for NFD to change its effective user/group ID to in the ``general`` section of the
	configuration file. For example:

	::

	general
	{
	user nobody
	group nogroup
	}

	will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
	respectively.

	.. note::

	IMPORTANT: NFD may regain elevated permissions as needed during normal
	execution. Dropping privileges in this manner should not be considered a security
	mechanism (a compromised NFD that was started as root can trivially return to
	root). However, reducing privileges may limit any damaged caused by well intentioned,
	but buggy, code.

	How to enable Ethernet Face Support?
	++++++++++++++++++++++++++++++++++++

	The ``ether`` configuration file section contains settings for Ethernet faces and
	channels. These settings will NOT work without root or setting the appropriate
	permissions:

	::

	sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd

	You may need to install a package to use setcap:

	Ubuntu:

	::

	sudo apt-get install libcap2-bin

	Mac OS X:

	::

	curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
	tar zxvf ChmodBPF.tar.gz
	open ChmodBPF/Install\ ChmodBPF.app

	or manually:

	::

	sudo chgrp admin /dev/bpf*
	sudo chmod g+rw /dev/bpf*

	How to enable UDP multicast support in multi-homed Linux machines
	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

	The UDP configuration file section contains settings for unicast and multicast UDP
	faces. If the Linux box is equipped with multiple network interfaces with multicast
	capabilities, the settings for multicast faces will NOT work without root
	or setting the appropriate permissions:

	::

	sudo setcap cap_net_raw=eip /full/path/nfd

	.. _How to configure NFD security:

	How to configure NFD security?
	------------------------------

	.. note:: The sample configuration file of NFD allow any user to manage faces, FIB, RIB, and
	StrategyChoice of the local NFD. The following description can be used to restrict certain
	operations to certain users.

	More extensive documentation about NFD's security and options to configure trust model for
	NFD is currently in preparation.

	Many NFD management protocols use commands Interests (e.g., FIB modification, Face
	creation/destructions, etc.), which require an NDN certificate (either self-signed for local
	trust or delegated from a trusted authority).

	If you do not already have NDN certificate, you can generate one with the following commands:

	Generate and install a self-signed identity certificate:

	::

	ndnsec-keygen /`whoami` \| ndnsec-install-cert -

	Note that the argument to ndnsec-key will be the identity name of the new key (in this case,
	``/your-username``). Identity names are hierarchical NDN names and may have multiple components
	(e.g. ``/ndn/ucla/edu/alice``). You may create additional keys and identities as you see fit.

	Dump the NDN certificate to a file:

	The following commands assume that you have not modified ``PREFIX`` or ``SYSCONFDIR`` If you
	have, please substitute ``/usr/local/etc`` for the appropriate value (the overriden
	``SYSCONFDIR`` or ``PREFIX/etc`` if you changed ``PREFIX``).

	::

	sudo mkdir -p /usr/local/etc/ndn/keys
	ndnsec-cert-dump -i /`whoami` > default.ndncert
	sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert

	.. _How to start using NDN PPA repository on Ubuntu Linux:

	How to start using NDN PPA repository on Ubuntu Linux?
	------------------------------------------------------

	Please see :ref:`Install NFD Using the NDN PPA Repository on Ubuntu Linux`.