FAQ
===

How do I change the default installation paths?
-----------------------------------------------

Paths to where NFD is installed can be configured during ``./waf configure``:

- Installation prefix (default ``/usr/local``)::

    ./waf configure --prefix=/usr

- Location of NFD configuration file (default: ``${prefix}/etc``)::

    ./waf configure --prefix=/usr --sysconfdir=/etc

- Location of manpages (default: ``${prefix}/share/man``)::

    ./waf configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man

See ``./waf configure --help`` for the full list of options.

How do I use the NDN PPA repository on Ubuntu Linux?
----------------------------------------------------

Please see :ref:`Install NFD on Ubuntu Linux using the NDN PPA repository`.

How do I run NFD as a non-root user?
------------------------------------

How do I configure automatic privilege dropping?
++++++++++++++++++++++++++++++++++++++++++++++++

NFD can be configured to drop privileges whenever possible. You can specify a user and/or
group for NFD to change its *effective* user/group ID to in the ``general`` section of the
configuration file. For example::

    general
    {
      user nobody
      group nogroup
    }

will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
respectively.

.. note::

    **IMPORTANT:** NFD may regain elevated privileges as needed during normal
    execution. Dropping privileges in this manner should not be considered a security
    mechanism (a compromised NFD that was started as root can trivially return to
    root). However, reducing privileges may limit any damage caused by well-intentioned
    but buggy code.

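On Linux, the reversible drop described in the note is visible from outside the process: when only the effective ID was changed, the real or saved slot of the ``Uid:``/``Gid:`` line in ``/proc/<pid>/status`` still holds 0. The check below is an added example, not part of the NFD documentation; the function names ``classify_uid_line`` and ``check_pid`` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not NFD code). Classifies a "Uid:" or "Gid:" line taken from
# /proc/<pid>/status. Linux field order: real, effective, saved, filesystem ID.

# classify_uid_line "<line>" prints:
#   root        effective ID is 0 right now
#   reversible  effective ID is non-root, but the real or saved ID is still 0
#   dropped     no ID 0 left in the real/effective/saved set
#   invalid     the line could not be parsed
# The body is a subshell "( ... )" so the variables stay local.
classify_uid_line() (
    read -r label rid eid sid _fsid <<EOF
$1
EOF
    case "$label" in
        Uid:|Gid:) ;;
        *) echo invalid; return 2 ;;
    esac
    for f in "$rid" "$eid" "$sid"; do
        case "$f" in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    done
    if [ "$eid" -eq 0 ]; then
        echo root
    elif [ "$rid" -eq 0 ] || [ "$sid" -eq 0 ]; then
        echo reversible
    else
        echo dropped
    fi
)

# check_pid PID: classify a live process, e.g. check_pid "$(pidof nfd)"
check_pid() {
    line=$(grep '^Uid:' "/proc/$1/status" 2>/dev/null) \
        || { echo no-such-process; return 2; }
    classify_uid_line "$line"
}

# Constructed sample lines (not captured from a real NFD process).
for sample in 'Uid: 0 0 0 0' 'Uid: 0 65534 0 65534' 'Uid: 65534 65534 65534 65534'; do
    printf '%-30s -> %s\n' "$sample" "$(classify_uid_line "$sample")"
done
```

A result of ``reversible`` is the state the note describes: the process runs unprivileged but can switch back to root.
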
How do I enable Ethernet face support?
++++++++++++++++++++++++++++++++++++++

The ``ether`` configuration file section contains settings for Ethernet faces and
channels. These settings will **NOT** work without root or without setting the
appropriate permissions.

- On **Ubuntu**::

    sudo apt install libcap2-bin
    sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd

- On **macOS**::

    curl 'https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373' -o ChmodBPF.tar.gz
    tar zxvf ChmodBPF.tar.gz
    open ChmodBPF/Install\ ChmodBPF.app

  or manually::

    sudo chgrp admin /dev/bpf*
    sudo chmod g+rw /dev/bpf*

How do I enable UDP multicast support in multi-homed Linux machines?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The ``udp`` configuration file section contains settings for unicast and multicast UDP
faces. If the Linux machine is equipped with multiple network interfaces with multicast
capabilities, the settings for multicast faces will **NOT** work without root or without
setting the appropriate permissions::

    sudo setcap cap_net_raw=eip /path/to/nfd

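After either ``setcap`` command (the Ethernet face one or the UDP multicast one), ``getcap`` shows what the binary actually carries, which is worth comparing against the set you meant to grant: ``cap_net_raw,cap_net_admin`` for Ethernet faces, ``cap_net_raw`` alone for UDP multicast. The script below is an added example, not part of the NFD documentation; ``audit_caps`` and ``audit_file`` are hypothetical helper names, the sample lines are constructed, and single-clause ``getcap`` output is assumed.

```sh
#!/bin/sh
# Added example (not NFD code). Compares the file capabilities reported by
# getcap with the set the FAQ grants, so nothing broader stays on the binary.
# Assumes single-clause getcap output, as the setcap commands above produce.

# audit_caps "<getcap output line>" "<expected comma-separated caps>" prints:
#   ok                       exactly the expected caps, flags eip
#   none                     no file capabilities on the line
#   mismatch:<caps>+<flags>  something else is granted
audit_caps() (
    spec=${1##* }          # last field: cap_a,cap_b+eip or cap_a,cap_b=eip
    case "$spec" in
        cap_*[+=]*) ;;
        *) echo none; return 1 ;;
    esac
    names=${spec%[+=]*}    # text before the last '+' or '='
    flags=${spec##*[+=]}   # text after it
    # Sort both lists so the order given on the command line does not matter.
    granted=$(printf '%s\n' "$names" | tr ',' '\n' | sort | paste -sd, -)
    wanted=$(printf '%s\n' "$2" | tr ',' '\n' | sort | paste -sd, -)
    if [ "$granted" = "$wanted" ] && [ "$flags" = eip ]; then
        echo ok
    else
        echo "mismatch:$granted+$flags"; return 1
    fi
)

# audit_file PATH EXPECTED: run getcap on a real binary (needs libcap2-bin).
audit_file() {
    audit_caps "$(getcap "$1" 2>/dev/null)" "$2"
}

# Constructed sample lines in the two shapes getcap prints (older releases:
# "path = caps+flags", newer: "path caps=flags"); /path/to/nfd is the FAQ's
# placeholder path.
audit_caps '/path/to/nfd = cap_net_admin,cap_net_raw+eip' 'cap_net_raw,cap_net_admin'
audit_caps '/path/to/nfd cap_net_admin,cap_net_raw=eip' 'cap_net_raw' || true
```

The second sample reports a mismatch because a binary used only for UDP multicast would be carrying ``cap_net_admin`` in addition to the ``cap_net_raw`` it needs.
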
.. _How do I configure NFD security:

How do I configure NFD security?
--------------------------------

.. note:: The sample configuration file for NFD allows any user to manage faces, FIB, RIB,
    CS, and strategy choices of the local NFD instance. The following procedure can be used
    to restrict certain operations to certain users.

More extensive documentation on the security mechanisms in NFD, as well as the available
options to configure its trust model, is currently in preparation.

Many management components in NFD use *Command Interests* (e.g., FIB modification, face
creation/destruction, etc.), which require an NDN certificate (either self-signed for local
trust or delegated from a trusted authority).

If you do not already have an NDN certificate, you can generate one using the following procedure.

**Generating and installing a self-signed identity certificate**:

::

    ndnsec-keygen /`whoami` | ndnsec-install-cert -

Note that the argument to ``ndnsec-keygen`` will be the identity name of the new key (in this case,
``/your-username``). Identity names are hierarchical NDN names and may have multiple components
(e.g. ``/ndn/ucla/edu/alice``). You may create additional keys and identities as you see fit.

**Exporting the NDN certificate to a file**:

The following commands assume that you have not modified ``PREFIX`` or ``SYSCONFDIR``.
If you have, please substitute the appropriate path in place of ``/usr/local/etc``.

::

    sudo mkdir -p /usr/local/etc/ndn/keys
    ndnsec-cert-dump -i /`whoami` > default.ndncert
    sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert