systemd: improve nfd.service, add unit files for tools

Change-Id: I0012278b1898a48ea5594ce648dea1ebc2152113
diff --git a/systemd/README.md b/systemd/README.md
deleted file mode 100644
index 45d24e3..0000000
--- a/systemd/README.md
+++ /dev/null
@@ -1,130 +0,0 @@
-Starting NFD on Linux with systemd
-==================================
-
-Modern versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian
-and Fedora, use systemd to start system daemons, monitor their health, and restart them when they die.
-
-Initial setup
--------------
-
-* Edit `nfd.service`, correcting the paths to the `nfd` executable, configuration, and
-  ``HOME`` directories.
-
-* Copy the systemd config file for NFD to the proper directory
-
-        sudo cp nfd.service /etc/systemd/system
-
-* Reload the systemd manager configuration
-
-        sudo systemctl daemon-reload
-
-### Assumptions in the default scripts
-
-* `nfd` is installed into `/usr/local/bin`
-* Configuraton file is `/usr/local/etc/ndn/nfd.conf`
-* `nfd` will be run as root
-* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`
-
-### Creating users
-
-If the `ndn` user and group do not exist, they need to be manually created.
-
-    # Create group `ndn`
-    sudo addgroup --system ndn
-
-    # Create user `ndn`
-    sudo adduser --system \
-                 --disabled-login \
-                 --ingroup ndn \
-                 --home /nonexistent \
-                 --gecos "NDN User" \
-                 --shell /bin/false \
-                 ndn
-
-
-### Creating folders
-
-Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:
-
-    sudo mkdir -p /usr/local/var/log/ndn
-    sudo chown -R ndn:ndn /usr/local/var/log/ndn
-
-`HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
-unique security credentials for the daemon.
-
-    # Create HOME and generate self-signed NDN certificate for nfd
-    sudo sh -c ' \
-      mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
-      export HOME=/usr/local/var/lib/ndn/nfd; \
-      ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
-    '
-
-### Configuring NFD's security
-
-NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set
-strategy choice for namespaces. While such settings could be a good start, it is
-generally not a good idea to run NFD in this mode.
-
-While thorough discussion about the security configuration of NFD is outside the scope of
-this document, at least the following change should be done in ``nfd.conf`` in the
-authorize section:
-
-    authorizations
-    {
-      authorize
-      {
-        certfile certs/localhost_daemons_nfd.ndncert
-        privileges
-        {
-            faces
-            fib
-            strategy-choice
-        }
-      }
-
-      authorize
-      {
-        certfile any
-        privileges
-        {
-            faces
-            strategy-choice
-        }
-      }
-    }
-
-While this configuration still allows the management of faces and updating strategy choice by
-anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.
-
-As the final step to make this configuration work, nfd's self-signed certificate needs to
-be exported into the `localhost_daemons_nfd.ndncert` file:
-
-    sudo sh -c '\
-      mkdir -p /usr/local/etc/ndn/certs || true; \
-      export HOME=/usr/local/var/lib/ndn/nfd; \
-      ndnsec-dump-certificate -i /localhost/daemons/nfd > \
-        /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
-    '
-
-Enable auto-start
------------------
-
-After copying the provided `nfd.service` file, auto-start can be enabled with:
-
-    sudo systemctl enable nfd
-
-To manually start it, use the following command:
-
-    sudo systemctl start nfd
-
-Disable auto-start
-------------------
-
-To stop the `nfd` daemon, use the following command:
-
-    sudo systemctl stop nfd
-
-To prevent it from being automatically started on reboot,
-disable the service:
-
-    sudo systemctl disable nfd
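Review bot: the whole README is removed, including the only guidance in the tree on creating the `ndn` user and group (`addgroup --system ndn` / `adduser --system ...`), generating the daemon's own key with `ndnsec-keygen /localhost/daemons/nfd`, and tightening the `authorizations` block of `nfd.conf` so that only NFD's own certificate holds the `fib` privilege while `certfile any` keeps just `faces` and `strategy-choice`. The units added in this same change still depend on a pre-existing `ndn` account (`User=ndn`), so either keep a trimmed README covering user creation and the `authorizations` advice, or state in the commit message where that content has moved.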
diff --git a/systemd/ndn-autoconfig-client.service.in b/systemd/ndn-autoconfig-client.service.in
new file mode 100644
index 0000000..2eaf3d4
--- /dev/null
+++ b/systemd/ndn-autoconfig-client.service.in
@@ -0,0 +1,62 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+#                          Arizona Board of Regents,
+#                          Colorado State University,
+#                          University Pierre & Marie Curie, Sorbonne University,
+#                          Washington University in St. Louis,
+#                          Beijing Institute of Technology,
+#                          The University of Memphis.
+#
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See AUTHORS.md for complete list of NFD authors and contributors.
+#
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=NDN Autoconfig Client
+Documentation=man:nfd-autoconfig(1)
+BindsTo=nfd.service
+After=nfd.service
+
+[Service]
+Environment=HOME=%S/ndn/ndn-autoconfig
+ExecStart=@BINDIR@/ndn-autoconfig --daemon --config @SYSCONFDIR@/ndn/autoconfig.conf
+Restart=on-failure
+RestartPreventExitStatus=2
+User=ndn
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndn/ndn-autoconfig
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
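Review bot: `Documentation=man:nfd-autoconfig(1)` does not match the executable started a few lines below (`@BINDIR@/ndn-autoconfig`); check the real man page name and make the two agree, otherwise `systemctl help ndn-autoconfig-client` points at a page that may not exist. Smaller point: `User=ndn` without `Group=` relies on the account's primary group for the ownership of `%S/ndn/ndn-autoconfig`; spelling out `Group=ndn` makes that explicit and matches the `ndn:ndn` ownership the removed README assumed.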
diff --git a/systemd/ndn-autoconfig-server.service.in b/systemd/ndn-autoconfig-server.service.in
new file mode 100644
index 0000000..3403109
--- /dev/null
+++ b/systemd/ndn-autoconfig-server.service.in
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+#                          Arizona Board of Regents,
+#                          Colorado State University,
+#                          University Pierre & Marie Curie, Sorbonne University,
+#                          Washington University in St. Louis,
+#                          Beijing Institute of Technology,
+#                          The University of Memphis.
+#
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See AUTHORS.md for complete list of NFD authors and contributors.
+#
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=NDN Autoconfig Server
+Documentation=man:nfd-autoconfig-server(1)
+BindsTo=nfd.service
+After=nfd.service
+
+[Service]
+Environment=HOME=%S/ndn/ndn-autoconfig-server
+EnvironmentFile=-@SYSCONFDIR@/default/ndn-autoconfig-server
+ExecStart=@BINDIR@/ndn-autoconfig-server $ROUTABLE_PREFIXES $FACE_URI
+Restart=on-failure
+RestartPreventExitStatus=2
+User=ndn
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndn/ndn-autoconfig-server
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
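Review bot: `ExecStart` depends on `$ROUTABLE_PREFIXES` and `$FACE_URI` from `@SYSCONFDIR@/default/ndn-autoconfig-server`, but no sample defaults file is added and the variable names are not documented anywhere in this change (the README that could have carried them is deleted). Because the leading `-` makes a missing `EnvironmentFile=` silent, the server is then started with no arguments at all. Please either ship a commented sample under `default/` or add a comment in the unit listing the variables and their meaning. As in the client unit, `Documentation=man:nfd-autoconfig-server(1)` names `nfd-...` while the binary is `ndn-autoconfig-server`; verify which name the man page actually has.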
diff --git a/systemd/nfd-autoreg.service.in b/systemd/nfd-autoreg.service.in
new file mode 100644
index 0000000..e245700
--- /dev/null
+++ b/systemd/nfd-autoreg.service.in
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+#                          Arizona Board of Regents,
+#                          Colorado State University,
+#                          University Pierre & Marie Curie, Sorbonne University,
+#                          Washington University in St. Louis,
+#                          Beijing Institute of Technology,
+#                          The University of Memphis.
+#
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See AUTHORS.md for complete list of NFD authors and contributors.
+#
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=NFD Automatic Prefix Registration
+Documentation=man:nfd-autoreg(1)
+BindsTo=nfd.service
+After=nfd.service
+
+[Service]
+Environment=HOME=%S/ndn/nfd-autoreg
+EnvironmentFile=-@SYSCONFDIR@/default/nfd-autoreg
+ExecStart=@BINDIR@/nfd-autoreg $BLACKLIST $WHITELIST $ON_DEMAND_FACES_PREFIXES $ALL_FACES_PREFIXES $FLAGS
+Restart=on-failure
+RestartPreventExitStatus=2
+User=ndn
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndn/nfd-autoreg
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
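Review bot: same gap as in the autoconfig server unit: `$BLACKLIST`, `$WHITELIST`, `$ON_DEMAND_FACES_PREFIXES`, `$ALL_FACES_PREFIXES` and `$FLAGS` are expected from `@SYSCONFDIR@/default/nfd-autoreg`, which this change neither ships nor documents, and an optional `EnvironmentFile=-` fails silently, so with the file absent `nfd-autoreg` starts with no arguments. A sample defaults file, or at least a comment in the unit naming the variables and the options they are meant to carry, would make the expected configuration discoverable.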
diff --git a/systemd/nfd-status-http-server.service.in b/systemd/nfd-status-http-server.service.in
new file mode 100644
index 0000000..fa1469b
--- /dev/null
+++ b/systemd/nfd-status-http-server.service.in
@@ -0,0 +1,61 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+#                          Arizona Board of Regents,
+#                          Colorado State University,
+#                          University Pierre & Marie Curie, Sorbonne University,
+#                          Washington University in St. Louis,
+#                          Beijing Institute of Technology,
+#                          The University of Memphis.
+#
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See AUTHORS.md for complete list of NFD authors and contributors.
+#
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=NFD HTTP Status Server
+Documentation=man:nfd-status-http-server(1)
+After=network.target
+
+[Service]
+Environment=HOME=%S/ndn/nfd-status-http-server
+EnvironmentFile=-@SYSCONFDIR@/default/nfd-status-http-server
+ExecStart=@BINDIR@/nfd-status-http-server $FLAGS
+Restart=on-failure
+RestartPreventExitStatus=2
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndn/nfd-status-http-server
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
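Review bot: this unit has no `User=` line, so unlike the other three tool units it runs as root, and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` then only trims root's capability set rather than granting anything. If the HTTP status server has to bind a privileged port, run it as `User=ndn` and add `AmbientCapabilities=CAP_NET_BIND_SERVICE` alongside the bounding set; if its default port is unprivileged, add `User=ndn` and leave `CapabilityBoundingSet=` empty like the sibling units. Either way the choice deserves a comment, since a root-owned HTTP listener is the most exposed process in this set.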
diff --git a/systemd/nfd.service b/systemd/nfd.service
deleted file mode 100644
index 57661fd..0000000
--- a/systemd/nfd.service
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright (c) 2015-2017, Regents of the University of California,
-#                          Arizona Board of Regents,
-#                          Colorado State University,
-#                          University Pierre & Marie Curie, Sorbonne University,
-#                          Washington University in St. Louis,
-#                          Beijing Institute of Technology,
-#                          The University of Memphis.
-#
-# This file is part of NFD (Named Data Networking Forwarding Daemon).
-# See AUTHORS.md for complete list of NFD authors and contributors.
-#
-# NFD is free software: you can redistribute it and/or modify it under the terms
-# of the GNU General Public License as published by the Free Software Foundation,
-# either version 3 of the License, or (at your option) any later version.
-#
-# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
-# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE.  See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
-#
-# Author: Eric Newberry <enewberry@email.arizona.edu>
-# Author: Davide Pesavento <davide.pesavento@lip6.fr>
-
-[Unit]
-Description=NDN Forwarding Daemon
-Documentation=man:nfd(1) man:nfdc(1)
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-Type=notify
-Environment=HOME=/usr/local/var/lib/ndn/nfd
-ExecStart=/usr/local/bin/nfd --config /usr/local/etc/ndn/nfd.conf
-ExecStartPost=/bin/sh -ec 'if [ -f /usr/local/etc/ndn/nfd-init.sh ]; then . /usr/local/etc/ndn/nfd-init.sh; fi'
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartPreventExitStatus=2 4
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=full
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
-SystemCallArchitectures=native
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-
-[Install]
-WantedBy=multi-user.target
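Review bot: the removed unit ordered NFD after `network-online.target` (`Wants=` plus `After=`), whereas the replacement `nfd.service.in` in this change only has `After=network.target`; `network.target` does not guarantee that interfaces are configured, so if `nfd-init.sh` (still run from `ExecStartPost`) creates faces on specific interfaces or addresses at boot, the weaker ordering can race with network setup. Please confirm the downgrade is intentional and mention it in the commit message. The dropped `RestartPreventExitStatus=2 4` is replaced by `Restart=on-abnormal` with `RestartForceExitStatus=1`, which reads fine.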
diff --git a/systemd/nfd.service.in b/systemd/nfd.service.in
new file mode 100644
index 0000000..59058b8
--- /dev/null
+++ b/systemd/nfd.service.in
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+#                          Arizona Board of Regents,
+#                          Colorado State University,
+#                          University Pierre & Marie Curie, Sorbonne University,
+#                          Washington University in St. Louis,
+#                          Beijing Institute of Technology,
+#                          The University of Memphis.
+#
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See AUTHORS.md for complete list of NFD authors and contributors.
+#
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=NDN Forwarding Daemon
+Documentation=man:nfd(1) man:nfdc(1)
+After=network.target
+
+[Service]
+Environment=HOME=%S/ndn/nfd
+ExecStart=@BINDIR@/nfd
+ExecStartPost=/bin/sh -ec 'if [ -f @SYSCONFDIR@/ndn/nfd-init.sh ]; then . @SYSCONFDIR@/ndn/nfd-init.sh; fi'
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-abnormal
+RestartForceExitStatus=1
+Type=notify
+
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+ReadWritePaths=/var/run
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndn/nfd
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
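Review bot: `ReadWritePaths=/var/run` reopens the whole of `/run` for writing under `ProtectSystem=strict`, which is broader than the daemon needs; if what NFD writes there can be placed under `/run/nfd`, `RuntimeDirectory=nfd` scopes the write access to that directory and removes it on stop. Two smaller points: `CAP_SYS_ADMIN` in `CapabilityBoundingSet=` is close to root-equivalent, so a comment naming the operation that requires it would let a later reviewer decide whether it can be dropped; and `ExecStartPost` runs `/bin/sh` as root sourcing `@SYSCONFDIR@/ndn/nfd-init.sh`, so the installation docs should state that this file must be root-owned and not group- or world-writable.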
diff --git a/wscript b/wscript
index 6773293..217cfa4 100644
--- a/wscript
+++ b/wscript
@@ -1,6 +1,6 @@
 # -*- Mode: python; py-indent-offset: 4; indent-tabs-mode: nil; coding: utf-8; -*-
 """
-Copyright (c) 2014-2018,  Regents of the University of California,
+Copyright (c) 2014-2019,  Regents of the University of California,
                           Arizona Board of Regents,
                           Colorado State University,
                           University Pierre & Marie Curie, Sorbonne University,
@@ -217,6 +217,15 @@
         IF_HAVE_LIBPCAP='' if bld.env.HAVE_LIBPCAP else '; ',
         IF_HAVE_WEBSOCKET='' if bld.env.HAVE_WEBSOCKET else '; ')
 
+    bld.install_files('${SYSCONFDIR}/ndn', 'autoconfig.conf.sample')
+
+    if Utils.unversioned_sys_platform() == 'linux':
+        systemd_units = bld.path.ant_glob('systemd/*.in')
+        bld(features='subst',
+            name='systemd-units',
+            source=systemd_units,
+            target=[u.change_ext('') for u in systemd_units])
+
     if bld.env.SPHINX_BUILD:
         bld(features='sphinx',
             name='manpages',
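Review bot: the `subst` task generator renders `systemd/*.in` into the build directory, but nothing installs the result (no `install_path=` on the generator and no `bld.install_files` for the generated units), and the README that told users to copy `nfd.service` into `/etc/systemd/system` is deleted in this same change, so after this patch there is no documented way to get the units onto a system. Either add an `install_path` (for example `${PREFIX}/lib/systemd/system`, behind a configure option since it should not be on by default for `/usr/local` installs) or keep a short README with the copy and `daemon-reload` steps. Also confirm that `Utils` is imported at the top of wscript; this hunk references it but does not show the import.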
@@ -233,8 +242,6 @@
         bld.symlink_as('${MANDIR}/man1/nfdc-set-strategy.1', 'nfdc-strategy.1')
         bld.symlink_as('${MANDIR}/man1/nfdc-unset-strategy.1', 'nfdc-strategy.1')
 
-    bld.install_files('${SYSCONFDIR}/ndn', 'autoconfig.conf.sample')
-
 def docs(bld):
     from waflib import Options
     Options.commands = ['doxygen', 'sphinx'] + Options.commands