Blame - launchd/README.md - NFD

blob: 4cd53af1c4ea486571d0cbb8ac70c6603d819e14 [file] [log] [blame] [view]

Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	1	# Starting NFD on macOS
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	2
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	3	macOS provides a standard way to start system daemons, monitor their health, and restart
				4	them when they die.
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	5
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	6	## Initial setup
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	7
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	8	Edit `net.named-data.nfd.plist` as needed, adjusting the paths for the `nfd` binary,
				9	configuration, and log files.
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	10
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	11	# Copy launchd.plist for NFD
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	12	sudo cp net.named-data.nfd.plist /Library/LaunchDaemons/
				13	sudo chown root /Library/LaunchDaemons/net.named-data.nfd.plist
				14
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	15	### Assumptions in the default scripts
				16
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	17	* `nfd` is installed into `/usr/local/bin`
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	18	* Configuration file is `/usr/local/etc/ndn/nfd.conf`
				19	* `nfd` will be run as root
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	20	* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`
				21
				22	### Creating users
				23
				24	If `ndn` user does not exists, it needs to be manually created (procedure copied from
				25	[macports script](https://trac.macports.org/browser/trunk/base/src/port1.0/portutil.tcl)).
				26	Update uid/gid if 6363 is already used.
				27
				28	# Create user `ndn`
				29	sudo dscl . -create /Users/ndn UniqueID 6363
				30
				31	# These are implicitly added on Mac OSX Lion. AuthenticationAuthority
				32	# causes the user to be visible in the Users & Groups Preference Pane,
				33	# and the others are just noise, so delete them.
				34	# https://trac.macports.org/ticket/30168
				35	sudo dscl . -delete /Users/ndn AuthenticationAuthority
				36	sudo dscl . -delete /Users/ndn PasswordPolicyOptions
				37	sudo dscl . -delete /Users/ndn dsAttrTypeNative:KerberosKeys
				38	sudo dscl . -delete /Users/ndn dsAttrTypeNative:ShadowHashData
				39
				40	sudo dscl . -create /Users/ndn RealName "NDN User"
				41	sudo dscl . -create /Users/ndn Password "{*}"
				42	sudo dscl . -create /Users/ndn PrimaryGroupID 6363
				43	sudo dscl . -create /Users/ndn NFSHomeDirectory /var/empty
				44	sudo dscl . -create /Users/ndn UserShell /usr/bin/false
				45
				46	# Create group `ndn`
				47	sudo dscl . -create /Groupsndn Password "{*}"
				48	sudo dscl . -create /Groups/ndn RealName "NDN User"
				49	sudo dscl . -create /Groups/ndn PrimaryGroupID 6363
				50
				51	### Creating folders
				52
				53	Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:
				54
				55	sudo mkdir -p /usr/local/var/log/ndn
				56	sudo chown -R ndn:ndn /usr/local/var/log/ndn
				57
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	58	`HOME` directory for `nfd` should be created and configured with correct library's config file
				59	and contain proper NDN security credentials for signing Data packets. This is necessary since
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	60	the default private key storage on macOS (`tpm-osxkeychain`) does not support non-interactive
				61	access, and file-based private key storage needs to be used:
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	62
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	63	# Create HOME and generate self-signed NDN certificate for nfd
				64	sudo -s -- ' \
				65	mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
				66	export HOME=/usr/local/var/lib/ndn/nfd; \
				67	echo tpm=tpm-file > /usr/local/var/lib/ndn/nfd/.ndn/client.conf; \
Davide Pesavento	d69070e	2021-06-04 18:50:52 -0400	[diff] [blame]	68	ndnsec key-gen /localhost/daemons/nfd \| ndnsec cert-install -; \
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	69	'
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	70
				71	### Configuring NFD's security
				72
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	73	NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set strategy
				74	choice for namespaces. While such settings could be a good start, it is generally not a good
				75	idea to run NFD in this mode.
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	76
Alexander Afanasyev	37a05f6	2014-05-09 18:55:21 -0700	[diff] [blame]	77	While thorough discussion about security configuration of NFD is outside the scope of this
				78	document, at least the following change should be done to nfd.conf in authorize section:
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	79
				80	authorizations
				81	{
				82	authorize
				83	{
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	84	certfile certs/localhost_daemons_nfd.ndncert
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	85	privileges
				86	{
				87	faces
				88	fib
				89	strategy-choice
				90	}
				91	}
				92
				93	authorize
				94	{
				95	certfile any
				96	privileges
				97	{
				98	faces
				99	strategy-choice
				100	}
				101	}
				102	}
				103
				104	While this configuration still allows management of faces and updating strategy choice by
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	105	anybody, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	106
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	107	As the final step to make this configuration work, NFD's self-signed certificate needs to
				108	be exported into `localhost_daemons_nfd.ndncert` file:
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	109
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	110	sudo -s -- '\
				111	mkdir -p /usr/local/etc/ndn/certs \|\| true; \
				112	export HOME=/usr/local/var/lib/ndn/nfd; \
Davide Pesavento	d69070e	2021-06-04 18:50:52 -0400	[diff] [blame]	113	ndnsec cert-dump -i /localhost/daemons/nfd > \
Alexander Afanasyev	f08a737	2015-02-09 21:28:19 -0800	[diff] [blame]	114	/usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
				115	'
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	116
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	117	## Enable auto-start
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	118
				119	sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nfd.plist
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	120
Davide Pesavento	e541d1b	2022-08-17 15:10:32 -0400	[diff] [blame]	121	## Disable auto-start
Alexander Afanasyev	c6e6142	2014-05-07 00:32:25 -0700	[diff] [blame]	122
				123	sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nfd.plist