Starting NFD on Linux with upstart
==================================

Some Linux distributions, such as Ubuntu, use [upstart](http://upstart.ubuntu.com/) as a
standard mechanism to start system daemons, monitor their health, and restart
them when they die.

Initial setup
-------------

* Edit `nfd.conf`, correcting the paths for the `nfd` binary, configuration, and log files.

* Copy upstart config file for NFD

        sudo cp nfd.conf /etc/init/

### Assumptions in the default scripts

* `nfd` is installed into `/usr/local/bin`
* Configuration file is `/usr/local/etc/ndn/nfd.conf`
* `nfd` will be run as root
* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`

### Creating users

If the `ndn` user and group do not exist, they need to be created manually.

    # Create group `ndn`
    sudo addgroup --system ndn

    # Create user `ndn`
    sudo adduser --system \
                 --disabled-login \
                 --ingroup ndn \
                 --home /nonexistent \
                 --gecos "NDN User" \
                 --shell /bin/false \
                 ndn


### Creating folders

Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:

    sudo mkdir -p /usr/local/var/log/ndn
    sudo chown -R ndn:ndn /usr/local/var/log/ndn

`HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
unique security credentials for the daemon.

    # Create HOME and generate self-signed NDN certificate for nfd
    # (sh -c runs the whole quoted script, including the pipe, as root)
    sudo sh -c ' \
      mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
    '

### Configuring NFD's security

The NFD sample configuration allows anybody to create faces, add nexthops to the FIB, and set
the strategy choice for namespaces. While such settings could be a good start, it is
generally not a good idea to run NFD in this mode.

While a thorough discussion of NFD's security configuration is outside the scope of this
document, at least the following change should be made to the authorize section of the NFD
configuration file `nfd.conf` (`/usr/local/etc/ndn/nfd.conf`, not the upstart file of the same name):

    authorizations
    {
      authorize
      {
        certfile certs/localhost_daemons_nfd.ndncert
        privileges
        {
          faces
          fib
          strategy-choice
        }
      }

      authorize
      {
        certfile any
        privileges
        {
          faces
          strategy-choice
        }
      }
    }

While this configuration still allows management of faces and updating strategy choice by
anybody, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.

As the final step to make this configuration work, nfd's self-signed certificate needs to
be exported into the `localhost_daemons_nfd.ndncert` file:

    sudo sh -c '\
      mkdir -p /usr/local/etc/ndn/certs || true; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-dump-certificate -i /localhost/daemons/nfd > \
        /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
    '


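A check for the rule this section sets up (only NFD's own certificate may hold `fib`), as an added example that is not part of the NFD repository: the function reads an NFD configuration on standard input, prints the privileges each `certfile any` block grants, and returns non-zero if `fib` is among them. The function and sample names are illustrative, both sample configurations are constructed, and `;` is assumed to start a comment as in NFD's sample configuration; against a real file, run `audit_nfd_authz < /usr/local/etc/ndn/nfd.conf`.

```sh
# Added example: audit which privileges an NFD config grants to "certfile any".
audit_nfd_authz() {
  awk '{
    sub(/;.*/, ""); gsub(/[{}]/, " & ")   # drop ;-comments, split braces off
    n = split($0, t, " "); first = 1
    for (i = 1; i <= n; i++) {
      if (t[i] == "{") {                  # open the section named by the last key
        stack[++d] = key; first = 1
        if (key == "authorize") { cert = ""; privs = "" }
      } else if (t[i] == "}") {           # report each finished authorize block
        if (stack[d] == "authorize" && cert == "any") {
          print "certfile any ->" privs
          if (privs ~ / fib( |$)/) bad = 1
        }
        first = 1; if (d > 0) d--
      } else {
        if (first) { key = t[i]; first = 0 }
        if (stack[d] == "authorize" && t[i] == "certfile") cert = t[i + 1]
        if (stack[d] == "privileges" && stack[d - 1] == "authorize")
          privs = privs " " t[i]
      }
    }
  }
  END { exit bad + 0 }'
}
# Constructed sample: the hardened layout shown in this section.
sample_hardened() { cat <<'EOF'
authorizations {
  authorize {
    certfile certs/localhost_daemons_nfd.ndncert
    privileges {
      faces
      fib
      strategy-choice
    }
  }
  authorize {
    certfile any
    privileges {
      faces
      strategy-choice
    }
  }
}
EOF
}
# Constructed permissive variant: the NFD certificate entry is replaced by "any".
sample_permissive() { sample_hardened | sed 's|certs/localhost_daemons_nfd.ndncert|any|'; }
sample_permissive | audit_nfd_authz || echo "FAIL: certfile any may modify the FIB"
```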
Enable auto-start
-----------------

After copying the provided upstart script, the `nfd` daemon will start automatically after a reboot.
To start it manually, use the following command:

    sudo start nfd

Disable auto-start
------------------

To stop the `nfd` daemon, use the following command:

    sudo stop nfd

Note that as long as the upstart files are present in `/etc/init/`, the daemon will
start automatically after a reboot. To permanently stop the `nfd` daemon, delete
the upstart file:

    sudo rm /etc/init/nfd.conf