Starting NFD on Linux with systemd

Modern versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian and Fedora, use systemd to start system daemons, monitor their health, and restart them when they die.

Initial setup

  • Edit nfd.service, correcting the paths to the nfd executable, configuration, and HOME directories.

  • Copy the systemd config file for NFD to the proper directory

      sudo cp nfd.service /etc/systemd/system
    
  • Reload the systemd manager configuration

      sudo systemctl daemon-reload
    

Assumptions in the default scripts

  • nfd is installed into /usr/local/bin
  • Configuraton file is /usr/local/etc/ndn/nfd.conf
  • nfd will be run as root
  • Log files will be written to /usr/local/var/log/ndn folder, which is owned by user ndn

Creating users

If the ndn user and group do not exist, they need to be manually created.

# Create group `ndn`
sudo addgroup --system ndn

# Create user `ndn`
sudo adduser --system \
             --disabled-login \
             --ingroup ndn \
             --home /nonexistent \
             --gecos "NDN User" \
             --shell /bin/false \
             ndn

Creating folders

Folder /usr/local/var/log/ndn should be created and assigned proper user and group:

sudo mkdir -p /usr/local/var/log/ndn
sudo chown -R ndn:ndn /usr/local/var/log/ndn

HOME directory for nfd should be created prior to starting. This is necessary to manage unique security credentials for the daemon.

# Create HOME and generate self-signed NDN certificate for nfd
sudo sh -c ' \
  mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
  export HOME=/usr/local/var/lib/ndn/nfd; \
  ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
'

Configuring NFD's security

NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set strategy choice for namespaces. While such settings could be a good start, it is generally not a good idea to run NFD in this mode.

While thorough discussion about the security configuration of NFD is outside the scope of this document, at least the following change should be done in nfd.conf in the authorize section:

authorizations
{
  authorize
  {
    certfile certs/localhost_daemons_nfd.ndncert
    privileges
    {
        faces
        fib
        strategy-choice
    }
  }

  authorize
  {
    certfile any
    privileges
    {
        faces
        strategy-choice
    }
  }
}

While this configuration still allows the management of faces and updating strategy choice by anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.

As the final step to make this configuration work, nfd's self-signed certificate needs to be exported into the localhost_daemons_nfd.ndncert file:

sudo sh -c '\
  mkdir -p /usr/local/etc/ndn/certs || true; \
  export HOME=/usr/local/var/lib/ndn/nfd; \
  ndnsec-dump-certificate -i /localhost/daemons/nfd > \
    /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
'

Enable auto-start

After copying the provided upstart script, auto-start of the nfd daemon can be enabled with:

sudo systemctl enable nfd

To manually start it, use the following command:

sudo systemctl start nfd

Disable auto-start

To stop the nfd daemon, use the following command:

sudo systemctl stop nfd

To permanently stop the nfd daemon and disable it from being automatically started on reboot, disable the service:

sudo systemctl disable nfd