Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 1 | Starting NFD on OSX >= 10.8 |
| 2 | =========================== |
| 3 | |
| 4 | OSX provides a standard way to start system daemons, monitor their health, and restart |
| 5 | when they die. |
| 6 | |
| 7 | Initial setup |
| 8 | ------------- |
| 9 | |
| 10 | Edit `net.named-data.nfd` and `net.named-data.nrd` correcting paths for `nfd` and `nfd` |
| 11 | binaries, configuration file, and log files. |
| 12 | |
| 13 | # Copy launchd.plist for nfd (forwarding daemon) |
| 14 | sudo cp net.named-data.nfd.plist /Library/LaunchDaemons/ |
| 15 | sudo chown root /Library/LaunchDaemons/net.named-data.nfd.plist |
| 16 | |
| 17 | # Copy launchd.plist for nrd (RIB management daemon) |
| 18 | sudo cp net.named-data.nrd.plist /Library/LaunchDaemons/ |
| 19 | sudo chown root /Library/LaunchDaemons/net.named-data.nrd.plist |
| 20 | |
| 21 | ### Assumptions in the default scripts |
| 22 | |
| 23 | * `nfd` and `nrd` are installed into `/usr/local/bin` |
| 24 | * Configuration file is `/usr/local/etc/ndn/nfd.conf` |
| 25 | * `nfd` will be run as root |
| 26 | * `nrd` will be run as user `ndn` and group `ndn` |
| 27 | * Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn` |
| 28 | |
| 29 | ### Creating users |
| 30 | |
| 31 | If `ndn` user does not exists, it needs to be manually created (procedure copied from |
| 32 | [macports script](https://trac.macports.org/browser/trunk/base/src/port1.0/portutil.tcl)). |
| 33 | Update uid/gid if 6363 is already used. |
| 34 | |
| 35 | # Create user `ndn` |
| 36 | sudo dscl . -create /Users/ndn UniqueID 6363 |
| 37 | |
| 38 | # These are implicitly added on Mac OSX Lion. AuthenticationAuthority |
| 39 | # causes the user to be visible in the Users & Groups Preference Pane, |
| 40 | # and the others are just noise, so delete them. |
| 41 | # https://trac.macports.org/ticket/30168 |
| 42 | sudo dscl . -delete /Users/ndn AuthenticationAuthority |
| 43 | sudo dscl . -delete /Users/ndn PasswordPolicyOptions |
| 44 | sudo dscl . -delete /Users/ndn dsAttrTypeNative:KerberosKeys |
| 45 | sudo dscl . -delete /Users/ndn dsAttrTypeNative:ShadowHashData |
| 46 | |
| 47 | sudo dscl . -create /Users/ndn RealName "NDN User" |
| 48 | sudo dscl . -create /Users/ndn Password "{*}" |
| 49 | sudo dscl . -create /Users/ndn PrimaryGroupID 6363 |
| 50 | sudo dscl . -create /Users/ndn NFSHomeDirectory /var/empty |
| 51 | sudo dscl . -create /Users/ndn UserShell /usr/bin/false |
| 52 | |
| 53 | # Create group `ndn` |
| 54 | sudo dscl . -create /Groupsndn Password "{*}" |
| 55 | sudo dscl . -create /Groups/ndn RealName "NDN User" |
| 56 | sudo dscl . -create /Groups/ndn PrimaryGroupID 6363 |
| 57 | |
| 58 | ### Creating folders |
| 59 | |
| 60 | Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group: |
| 61 | |
| 62 | sudo mkdir -p /usr/local/var/log/ndn |
| 63 | sudo chown -R ndn:ndn /usr/local/var/log/ndn |
| 64 | |
| 65 | `HOME` directories for `nfd` and `nrd` should be created and configured with correct |
| 66 | library's config file and contain proper NDN security credentials for signing Data |
| 67 | packets. This is necessary since default private key storage on OSX (`osx-keychain`) does |
| 68 | not support non-interactive access, and file-based private key storage needs to be used: |
| 69 | |
| 70 | # Generate self-signed NDN certificate for nfd (owned by root) |
| 71 | sudo mkdir -p /usr/local/var/lib/ndn/nfd/.ndn |
| 72 | sudo sh -c 'echo tpm=file > /usr/local/var/lib/ndn/nfd/.ndn/client.conf' |
| 73 | sudo HOME=/usr/local/var/lib/ndn/nfd ndnsec-keygen /localhost/daemons/nfd | \ |
| 74 | sudo HOME=/usr/local/var/lib/ndn/nfd ndnsec-install-cert - |
| 75 | |
| 76 | # Generate self-signed NDN certificate for nrd (owned by ndn) |
| 77 | sudo mkdir -p /usr/local/var/lib/ndn/nrd/.ndn |
| 78 | sudo chown -R ndn:ndn /usr/local/var/lib/ndn/nrd |
| 79 | sudo -u ndn -g ndn sh -c 'echo tpm=file > /usr/local/var/lib/ndn/nrd/.ndn/client.conf' |
| 80 | sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd ndnsec-keygen /localhost/daemons/nrd | \ |
| 81 | sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd ndnsec-install-cert - |
| 82 | |
| 83 | ### Configuring NFD's security |
| 84 | |
Alexander Afanasyev | 37a05f6 | 2014-05-09 18:55:21 -0700 | [diff] [blame] | 85 | NFD sample configuration allows anybody to create faces, add nexthops to FIB, |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 86 | and set strategy choice for namespaces. While such settings could be a good start, it is |
| 87 | generally not a good idea to run NFD in this mode. |
| 88 | |
Alexander Afanasyev | 37a05f6 | 2014-05-09 18:55:21 -0700 | [diff] [blame] | 89 | While thorough discussion about security configuration of NFD is outside the scope of this |
| 90 | document, at least the following change should be done to nfd.conf in authorize section: |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 91 | |
| 92 | authorizations |
| 93 | { |
| 94 | authorize |
| 95 | { |
| 96 | certfile certs/localhost_daemons_nrd.ndncert |
| 97 | privileges |
| 98 | { |
| 99 | faces |
| 100 | fib |
| 101 | strategy-choice |
| 102 | } |
| 103 | } |
| 104 | |
| 105 | authorize |
| 106 | { |
| 107 | certfile any |
| 108 | privileges |
| 109 | { |
| 110 | faces |
| 111 | strategy-choice |
| 112 | } |
| 113 | } |
| 114 | } |
| 115 | |
| 116 | While this configuration still allows management of faces and updating strategy choice by |
| 117 | anybody, only NFD's RIB Manager Daemon (`nrd`) is allowed to manage FIB. |
| 118 | |
| 119 | As the final step to make this configuration work, nrd's self-signed certificate needs to |
| 120 | be exported into `localhost_daemons_nrd.ndncert` file: |
| 121 | |
| 122 | sudo mkdir /usr/local/etc/ndn/certs |
| 123 | sudo sh -c 'sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd \ |
| 124 | ndnsec-dump-certificate -i /localhost/daemons/nrd \ |
| 125 | > /usr/local/etc/ndn/certs/localhost_daemons_nrd.ndncert' |
| 126 | |
| 127 | |
| 128 | Enable auto-start |
| 129 | ----------------- |
| 130 | |
| 131 | sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nfd.plist |
| 132 | sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nrd.plist |
| 133 | |
| 134 | Disable auto-start |
| 135 | ------------------ |
| 136 | |
| 137 | sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nfd.plist |
| 138 | sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nrd.plist |