Starting NFD on Linux with upstart
==================================

Some Linux distributions, such as Ubuntu, use [upstart](http://upstart.ubuntu.com/) as a
standard mechanism to start system daemons, monitor their health, and restart them
when they die.

Initial setup
-------------

* Edit `nfd.conf`, correcting the paths for the `nfd` binary, configuration, and log files.

* Copy the upstart config file for NFD:

        sudo cp nfd.conf /etc/init/

### Assumptions in the default scripts

* `nfd` is installed into `/usr/local/bin`
* Configuration file is `/usr/local/etc/ndn/nfd.conf`
* `nfd` will be run as root
* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`

### Creating users

If the `ndn` user and group do not exist, they need to be created manually.

    # Create group `ndn`
    sudo addgroup --system ndn

    # Create user `ndn`
    sudo adduser --system \
                 --disabled-login \
                 --ingroup ndn \
                 --home /nonexistent \
                 --gecos "NDN User" \
                 --shell /bin/false \
                 ndn


### Creating folders

Folder `/usr/local/var/log/ndn` should be created and assigned the proper user and group:

    sudo mkdir -p /usr/local/var/log/ndn
    sudo chown -R ndn:ndn /usr/local/var/log/ndn

The `HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
unique security credentials for the daemon.

    # Create HOME and generate self-signed NDN certificate for nfd
    sudo -s -- ' \
      mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
    '

### Configuring NFD's security

The NFD sample configuration allows anybody to create faces, add nexthops to the FIB, and set
the strategy choice for namespaces. While such settings could be a good start, it is
generally not a good idea to run NFD in this mode.

While a thorough discussion of NFD's security configuration is outside the scope of this
document, at least the following change should be made to `nfd.conf` in the `authorizations`
section:

    authorizations
    {
      authorize
      {
        certfile certs/localhost_daemons_nfd.ndncert
        privileges
        {
          faces
          fib
          strategy-choice
        }
      }

      authorize
      {
        certfile any
        privileges
        {
          faces
          strategy-choice
        }
      }
    }

While this configuration still allows management of faces and updating strategy choice by
anybody, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage the FIB.

As the final step to make this configuration work, nfd's self-signed certificate needs to
be exported into the `localhost_daemons_nfd.ndncert` file:

    sudo -s -- '\
      mkdir -p /usr/local/etc/ndn/certs || true; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-dump-certificate -i /localhost/daemons/nfd > \
        /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
    '

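To confirm that a deployed `nfd.conf` actually carries the change above, the following check lists every certfile/privilege grant and exits non-zero when `certfile any` holds `fib`. It is an added example, not part of the NFD distribution: the function names `audit_nfd_authz` and `sample_open_conf` are hypothetical, the sample config is constructed, and `;` is assumed to start a comment.

```shell
# Added example: print "certfile privilege" pairs; exit 1 if "certfile any" has fib.
audit_nfd_authz() {
  awk '
    { sub(/;.*/, "")                       # strip ";" comments (assumed syntax)
      for (i = 1; i <= NF; i++) {
        t = $i
        if (t == "authorize") { in_auth = 1; depth = 0; cert = ""; n = 0 }
        else if (!in_auth) continue
        else if (t == "{") depth++
        else if (t == "}") {
          depth--
          if (depth == 1) in_priv = 0      # end of privileges list
          if (depth == 0) {                # end of one authorize block
            for (k = 1; k <= n; k++) {
              print cert, priv[k]
              if (cert == "any" && priv[k] == "fib") bad = 1
            }
            in_auth = 0
          }
        }
        else if (t == "certfile") cert = $(++i)
        else if (t == "privileges") in_priv = 1
        else if (in_priv && depth == 2) priv[++n] = t
      }
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample: a wide-open block of the kind this section replaces.
sample_open_conf() {
  cat <<'EOF'
authorizations
{
  authorize
  {
    certfile any   ; wildcard identity
    privileges
    {
      faces
      fib
      strategy-choice
    }
  }
}
EOF
}

sample_open_conf | audit_nfd_authz || echo "FAIL: certfile any may modify the FIB"
```

Run it against the real file with `audit_nfd_authz /usr/local/etc/ndn/nfd.conf`; with the configuration shown above it prints two `any` grants (`faces`, `strategy-choice`) and exits 0.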

Enable auto-start
-----------------

After copying the provided upstart script, the `nfd` daemon will automatically run after the reboot.
To manually start it, use the following command:

    sudo start nfd

Disable auto-start
------------------

To stop the `nfd` daemon, use the following command:

    sudo stop nfd

Note that as long as upstart files are present in `/etc/init/`, the daemon will
automatically start after the reboot. To permanently stop the `nfd` daemon, delete
the upstart file:

    sudo rm /etc/init/nfd.conf