FAQ
===

How do I change the default installation paths?
-----------------------------------------------

Paths to where NFD is installed can be configured during ``./waf configure``:

- Installation prefix (default ``/usr/local``)::

    ./waf configure --prefix=/usr

- Location of NFD configuration file (default: ``${prefix}/etc``)::

    ./waf configure --prefix=/usr --sysconfdir=/etc

- Location of manpages (default: ``${prefix}/share/man``)::

    ./waf configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man

See ``./waf configure --help`` for the full list of options.

How do I use the NDN PPA repository on Ubuntu Linux?
----------------------------------------------------

Please see :ref:`Install NFD on Ubuntu Linux using the NDN PPA repository`.

How do I run NFD as a non-root user?
------------------------------------

How do I configure automatic privilege dropping?
++++++++++++++++++++++++++++++++++++++++++++++++

NFD can be configured to drop privileges whenever possible. You can specify a user and/or
group for NFD to change its *effective* user/group ID to in the ``general`` section of the
configuration file. For example::

    general
    {
      user nobody
      group nogroup
    }

will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
respectively.

.. note::

    **IMPORTANT:** NFD may regain elevated privileges as needed during normal
    execution. Dropping privileges in this manner should not be considered a security
    mechanism (a compromised NFD that was started as root can trivially return to
    root). However, reducing privileges may limit any damage caused by well-intentioned,
    but buggy, code.

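The following check is an added example, not part of NFD or its documentation. It reads the ``Uid:`` line of a Linux ``/proc/<pid>/status`` file and reports whether a process has only lowered its effective UID while keeping root as its real or saved UID, which is the reversible state the note above describes. The sample status text is constructed.

```shell
#!/bin/sh
# Added example: classify a process from the text of /proc/<pid>/status (Linux).
# The "Uid:" line holds four IDs: real, effective, saved-set, filesystem.

# Constructed samples (not captured from a real NFD process).
SAMPLE_ROOT='Name: nfd
Uid: 0 0 0 0
Gid: 0 0 0 0'

SAMPLE_EUID_ONLY='Name: nfd
Uid: 0 65534 0 65534
Gid: 0 65534 0 65534'

SAMPLE_FULL_DROP='Name: nfd
Uid: 65534 65534 65534 65534
Gid: 65534 65534 65534 65534'

# classify_status TEXT -> prints one of:
#   root             effective UID is 0
#   reversible-drop  effective UID is non-zero but real or saved UID is still 0,
#                    so the process can switch its effective UID back to root
#   unprivileged     real, effective and saved UIDs are all non-zero
#   unknown          no Uid: line found
classify_status() {
    printf '%s\n' "$1" | awk '
        $1 == "Uid:" { r = $2; e = $3; s = $4; seen = 1 }
        END {
            if (!seen)            { print "unknown"; exit }
            if (e == 0)           { print "root"; exit }
            if (r == 0 || s == 0) { print "reversible-drop"; exit }
            print "unprivileged"
        }'
}

for sample in "$SAMPLE_ROOT" "$SAMPLE_EUID_ONLY" "$SAMPLE_FULL_DROP"; do
    classify_status "$sample"
done

# Live use on Linux (assumes a running process named nfd):
#   classify_status "$(cat "/proc/$(pidof nfd)/status")"
```

A result of ``unprivileged`` speaks only to UIDs; capabilities granted to the binary with ``setcap`` are tracked separately.
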
How do I enable Ethernet face support?
++++++++++++++++++++++++++++++++++++++

The ``ether`` configuration file section contains settings for Ethernet faces and
channels. These settings will **NOT** work without root or without setting the
appropriate permissions.

- On **Ubuntu**::

    sudo apt install libcap2-bin
    sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd

- On **macOS**::

    curl 'https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373' -o ChmodBPF.tar.gz
    tar zxvf ChmodBPF.tar.gz
    open ChmodBPF/Install\ ChmodBPF.app

  or manually::

    sudo chgrp admin /dev/bpf*
    sudo chmod g+rw /dev/bpf*

How do I enable UDP multicast support in multi-homed Linux machines?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The ``udp`` configuration file section contains settings for unicast and multicast UDP
faces. If the Linux machine is equipped with multiple network interfaces with multicast
capabilities, the settings for multicast faces will **NOT** work without root or without
setting the appropriate permissions::

    sudo setcap cap_net_raw=eip /path/to/nfd

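To confirm that the ``setcap`` commands in the Ethernet and UDP multicast answers above left the binary with nothing beyond the capabilities this page grants, the following added example (not part of NFD) parses one line of ``getcap`` output and lists any capability outside ``cap_net_raw`` and ``cap_net_admin``. The sample lines and the path ``/usr/local/bin/nfd`` are constructed, and the two line layouts handled are an assumption about how older and newer libcap releases print file capabilities.

```shell
#!/bin/sh
# Added example: audit file capabilities reported by getcap for the nfd binary.
# Capabilities this FAQ grants to nfd; anything else is unexpected.
ALLOWED_CAPS="cap_net_raw cap_net_admin"

# Constructed sample lines (path is a placeholder, not taken from a real host).
SAMPLE_NEW='/usr/local/bin/nfd cap_net_admin,cap_net_raw=eip'
SAMPLE_OLD='/usr/local/bin/nfd = cap_net_admin,cap_net_raw+eip'
SAMPLE_EXTRA='/usr/local/bin/nfd cap_net_raw,cap_sys_admin=eip'
SAMPLE_ALL='/usr/local/bin/nfd =ep'

# extra_caps LINE -> prints, space-separated, every capability on the line
# that is not in ALLOWED_CAPS. Prints "all" for a clause with an empty
# capability list (every capability). Empty output means nothing unexpected.
# Assumes the file path contains no spaces.
extra_caps() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_CAPS" '
        function add(x) { out = out (out == "" ? "" : " ") x }
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (f = 2; f <= NF; f++) {
                if ($f == "=") continue        # separator in the older layout
                clause = $f
                sub(/[=+].*$/, "", clause)     # drop the flag suffix (eip, ep)
                if (clause == "") { add("all"); continue }
                m = split(clause, c, ",")
                for (j = 1; j <= m; j++)
                    if (c[j] != "" && !(c[j] in ok)) add(c[j])
            }
        }
        END { print out }'
}

for line in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_EXTRA" "$SAMPLE_ALL"; do
    printf '%s -> unexpected: [%s]\n' "$line" "$(extra_caps "$line")"
done

# Live use (getcap is installed by the libcap2-bin package on Ubuntu):
#   extra_caps "$(getcap /path/to/nfd)"
```
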
.. _How do I configure NFD security:

How do I configure NFD security?
--------------------------------

.. note:: The sample configuration file for NFD allows any user to manage faces, FIB, RIB,
    CS, and strategy choices of the local NFD instance. The following procedure can be used
    to restrict certain operations to certain users.

    More extensive documentation on the security mechanisms in NFD, as well as the available
    options to configure its trust model, is currently in preparation.

Many management components in NFD use *Command Interests* (e.g., FIB modification, face
creation/destruction, etc.), which require an NDN certificate (either self-signed for local
trust or delegated from a trusted authority).

If you do not already have an NDN certificate, you can generate one using the following procedure.

**Generating and installing a self-signed identity certificate**:

::

    ndnsec-keygen /`whoami` | ndnsec-install-cert -

Note that the argument to ``ndnsec-keygen`` will be the identity name of the new key (in this case,
``/your-username``). Identity names are hierarchical NDN names and may have multiple components
(e.g. ``/ndn/ucla/edu/alice``). You may create additional keys and identities as you see fit.

**Exporting the NDN certificate to a file**:

The following commands assume that you have not modified ``PREFIX`` or ``SYSCONFDIR``.
If you have, please substitute the appropriate path in place of ``/usr/local/etc``.

::

    sudo mkdir -p /usr/local/etc/ndn/keys
    ndnsec-cert-dump -i /`whoami` > default.ndncert
    sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert