Starting NFD on OSX >= 10.8
===========================

OSX provides a standard way to start system daemons, monitor their health, and restart
them when they die.

Initial setup
-------------

Edit `net.named-data.nfd.plist` and `net.named-data.nrd.plist`, correcting the paths for the
`nfd` and `nrd` binaries, the configuration file, and the log files.

    # Copy launchd.plist for nfd (forwarding daemon)
    sudo cp net.named-data.nfd.plist /Library/LaunchDaemons/
    sudo chown root /Library/LaunchDaemons/net.named-data.nfd.plist

    # Copy launchd.plist for nrd (RIB management daemon)
    sudo cp net.named-data.nrd.plist /Library/LaunchDaemons/
    sudo chown root /Library/LaunchDaemons/net.named-data.nrd.plist

### Assumptions in the default scripts

* `nfd` and `nrd` are installed into `/usr/local/bin`
* Configuration file is `/usr/local/etc/ndn/nfd.conf`
* `nfd` will be run as root
* `nrd` will be run as user `ndn` and group `ndn`
* Log files will be written to the `/usr/local/var/log/ndn` folder, which is owned by user `ndn`

### Creating users

If the `ndn` user does not exist, it needs to be created manually (procedure copied from the
[macports script](https://trac.macports.org/browser/trunk/base/src/port1.0/portutil.tcl)).
Update the uid/gid if 6363 is already in use.

    # Create user `ndn`
    sudo dscl . -create /Users/ndn UniqueID 6363

    # These are implicitly added on Mac OSX Lion. AuthenticationAuthority
    # causes the user to be visible in the Users & Groups Preference Pane,
    # and the others are just noise, so delete them.
    # https://trac.macports.org/ticket/30168
    sudo dscl . -delete /Users/ndn AuthenticationAuthority
    sudo dscl . -delete /Users/ndn PasswordPolicyOptions
    sudo dscl . -delete /Users/ndn dsAttrTypeNative:KerberosKeys
    sudo dscl . -delete /Users/ndn dsAttrTypeNative:ShadowHashData

    sudo dscl . -create /Users/ndn RealName "NDN User"
    sudo dscl . -create /Users/ndn Password "{*}"
    sudo dscl . -create /Users/ndn PrimaryGroupID 6363
    sudo dscl . -create /Users/ndn NFSHomeDirectory /var/empty
    sudo dscl . -create /Users/ndn UserShell /usr/bin/false

    # Create group `ndn`
    sudo dscl . -create /Groups/ndn Password "{*}"
    sudo dscl . -create /Groups/ndn RealName "NDN User"
    sudo dscl . -create /Groups/ndn PrimaryGroupID 6363
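The steps above say to pick another uid/gid if 6363 is already taken. The following helper is an added example, not part of this README or of the NFD project: it reads a `dscl . -list /Users UniqueID` style listing (one `name id` pair per line), reports whether the wanted id is in use, and otherwise picks the next free one. The listing embedded here is a constructed sample so the script runs without `dscl`; on a Mac, pass the real listing as shown in the usage comment (and repeat with `dscl . -list /Groups PrimaryGroupID` for the group).

```shell
#!/bin/sh
# Added example (not part of the original README or the NFD project):
# choose a free uid/gid for the `ndn` user before running the dscl commands.

# Constructed sample of `dscl . -list /Users UniqueID` output: "<name> <id>".
SAMPLE_USERS='_www 70
nobody -2
_mysql 74
ndntest 6363
_postgres 6364'

# id_in_use WANTED LISTING
# Succeeds (exit 0) when some entry in LISTING already uses id WANTED.
id_in_use() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == want { found = 1 }
        END        { exit !found }'
}

# free_id WANTED LISTING
# Prints WANTED if it is unused in LISTING, otherwise the smallest unused id above it.
free_id() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NF >= 2 { used[$2] = 1 }
        END {
            id = want
            while (id in used) id++
            print id
        }'
}

# Usage on macOS (uncomment there); with the sample listing, free_id 6363 prints 6365:
# free_id 6363 "$(dscl . -list /Users UniqueID)"
# free_id 6363 "$(dscl . -list /Groups PrimaryGroupID)"
```

Pick one id that is free in both the user and the group listing, then substitute it for 6363 in every `dscl` command above.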
57
58### Creating folders
59
60Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:
61
62 sudo mkdir -p /usr/local/var/log/ndn
63 sudo chown -R ndn:ndn /usr/local/var/log/ndn
64
65`HOME` directories for `nfd` and `nrd` should be created and configured with correct
66library's config file and contain proper NDN security credentials for signing Data
67packets. This is necessary since default private key storage on OSX (`osx-keychain`) does
68not support non-interactive access, and file-based private key storage needs to be used:
69
70 # Generate self-signed NDN certificate for nfd (owned by root)
71 sudo mkdir -p /usr/local/var/lib/ndn/nfd/.ndn
72 sudo sh -c 'echo tpm=file > /usr/local/var/lib/ndn/nfd/.ndn/client.conf'
73 sudo HOME=/usr/local/var/lib/ndn/nfd ndnsec-keygen /localhost/daemons/nfd | \
74 sudo HOME=/usr/local/var/lib/ndn/nfd ndnsec-install-cert -
75
76 # Generate self-signed NDN certificate for nrd (owned by ndn)
77 sudo mkdir -p /usr/local/var/lib/ndn/nrd/.ndn
78 sudo chown -R ndn:ndn /usr/local/var/lib/ndn/nrd
79 sudo -u ndn -g ndn sh -c 'echo tpm=file > /usr/local/var/lib/ndn/nrd/.ndn/client.conf'
80 sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd ndnsec-keygen /localhost/daemons/nrd | \
81 sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd ndnsec-install-cert -
82
83### Configuring NFD's security
84
Alexander Afanasyev37a05f62014-05-09 18:55:21 -070085NFD sample configuration allows anybody to create faces, add nexthops to FIB,
Alexander Afanasyevc6e61422014-05-07 00:32:25 -070086and set strategy choice for namespaces. While such settings could be a good start, it is
87generally not a good idea to run NFD in this mode.
88
Alexander Afanasyev37a05f62014-05-09 18:55:21 -070089While thorough discussion about security configuration of NFD is outside the scope of this
90document, at least the following change should be done to nfd.conf in authorize section:
Alexander Afanasyevc6e61422014-05-07 00:32:25 -070091
92 authorizations
93 {
94 authorize
95 {
96 certfile certs/localhost_daemons_nrd.ndncert
97 privileges
98 {
99 faces
100 fib
101 strategy-choice
102 }
103 }
104
105 authorize
106 {
107 certfile any
108 privileges
109 {
110 faces
111 strategy-choice
112 }
113 }
114 }
115
116While this configuration still allows management of faces and updating strategy choice by
117anybody, only NFD's RIB Manager Daemon (`nrd`) is allowed to manage FIB.
118
119As the final step to make this configuration work, nrd's self-signed certificate needs to
120be exported into `localhost_daemons_nrd.ndncert` file:
121
122 sudo mkdir /usr/local/etc/ndn/certs
123 sudo sh -c 'sudo -u ndn -g ndn HOME=/usr/local/var/lib/ndn/nrd \
124 ndnsec-dump-certificate -i /localhost/daemons/nrd \
125 > /usr/local/etc/ndn/certs/localhost_daemons_nrd.ndncert'
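The point of the `authorizations` change above is that only `nrd`'s certificate may carry the `fib` privilege, while the wildcard `certfile any` entry keeps only `faces` and `strategy-choice`. The script below is an added example, not a tool shipped with NFD: it lists the privileges granted per `certfile` and flags a wildcard entry that can modify the FIB. It assumes the layout shown in this README (one keyword per line, `;` comments), and the config text embedded in it is constructed from the fragment above; on a real host pass the contents of `/usr/local/etc/ndn/nfd.conf` instead.

```shell
#!/bin/sh
# Added example (not from the NFD project): audit the authorize entries of an
# nfd.conf so that `certfile any` never carries the `fib` privilege.

# Constructed from the authorizations fragment in this README.
SAMPLE_CONF='
authorizations
{
  authorize
  {
    certfile certs/localhost_daemons_nrd.ndncert
    privileges
    {
      faces
      fib
      strategy-choice
    }
  }

  authorize
  {
    certfile any
    privileges
    {
      faces
      strategy-choice
    }
  }
}
'

# list_privileges CONF
# Prints one line per authorize entry: "<certfile> <privilege> <privilege> ...".
# Assumes one keyword per line and `;` comment lines, as in the fragment above.
list_privileges() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*;/          { next }                       # comment line
        $1 == "certfile"    { cert = $2; next }            # remember current certfile
        $1 == "privileges"  { inpriv = 1; privs = ""; next }
        inpriv && $1 == "{" { next }
        inpriv && $1 == "}" { inpriv = 0; print cert privs; next }
        inpriv && NF        { privs = privs " " $1 }       # collect privilege names
    '
}

# any_has_fib CONF
# Succeeds (exit 0) when the wildcard `certfile any` entry is allowed to modify the FIB,
# which is exactly the setting this README tells you to remove.
any_has_fib() {
    list_privileges "$1" | awk '
        $1 == "any" { for (i = 2; i <= NF; i++) if ($i == "fib") found = 1 }
        END         { exit !found }'
}

# Usage on a real host (uncomment on macOS):
# conf=$(cat /usr/local/etc/ndn/nfd.conf)
# list_privileges "$conf"
# any_has_fib "$conf" && echo "WARNING: anybody may modify the FIB"
```

With the sample configuration, `list_privileges` prints the nrd certificate with `faces fib strategy-choice` and the wildcard with `faces strategy-choice`, and `any_has_fib` fails, which is the desired outcome after the change above.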

Enable auto-start
-----------------

    sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nfd.plist
    sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nrd.plist

Disable auto-start
------------------

    sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nfd.plist
    sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nrd.plist