systemd: improve nfd.service, add unit files for tools
Change-Id: I0012278b1898a48ea5594ce648dea1ebc2152113
diff --git a/systemd/ b/systemd/
deleted file mode 100644
index 45d24e3..0000000
--- a/systemd/
+++ /dev/null
@@ -1,130 +0,0 @@
-Starting NFD on Linux with systemd
-Modern versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian
-and Fedora, use systemd to start system daemons, monitor their health, and restart them when they die.
-Initial setup
-* Edit `nfd.service`, correcting the paths to the `nfd` executable, configuration, and
- ``HOME`` directories.
-* Copy the systemd config file for NFD to the proper directory
- sudo cp nfd.service /etc/systemd/system
-* Reload the systemd manager configuration
- sudo systemctl daemon-reload
-### Assumptions in the default scripts
-* `nfd` is installed into `/usr/local/bin`
-* Configuraton file is `/usr/local/etc/ndn/nfd.conf`
-* `nfd` will be run as root
-* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`
-### Creating users
-If the `ndn` user and group do not exist, they need to be manually created.
- # Create group `ndn`
- sudo addgroup --system ndn
- # Create user `ndn`
- sudo adduser --system \
- --disabled-login \
- --ingroup ndn \
- --home /nonexistent \
- --gecos "NDN User" \
- --shell /bin/false \
- ndn
-### Creating folders
-Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:
- sudo mkdir -p /usr/local/var/log/ndn
- sudo chown -R ndn:ndn /usr/local/var/log/ndn
-`HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
-unique security credentials for the daemon.
- # Create HOME and generate self-signed NDN certificate for nfd
- sudo sh -c ' \
- mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
- export HOME=/usr/local/var/lib/ndn/nfd; \
- ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
- '
-### Configuring NFD's security
-NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set
-strategy choice for namespaces. While such settings could be a good start, it is
-generally not a good idea to run NFD in this mode.
-While thorough discussion about the security configuration of NFD is outside the scope of
-this document, at least the following change should be done in ``nfd.conf`` in the
-authorize section:
- authorizations
- {
- authorize
- {
- certfile certs/localhost_daemons_nfd.ndncert
- privileges
- {
- faces
- fib
- strategy-choice
- }
- }
- authorize
- {
- certfile any
- privileges
- {
- faces
- strategy-choice
- }
- }
- }
-While this configuration still allows the management of faces and updating strategy choice by
-anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.
-As the final step to make this configuration work, nfd's self-signed certificate needs to
-be exported into the `localhost_daemons_nfd.ndncert` file:
- sudo sh -c '\
- mkdir -p /usr/local/etc/ndn/certs || true; \
- export HOME=/usr/local/var/lib/ndn/nfd; \
- ndnsec-dump-certificate -i /localhost/daemons/nfd > \
- /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
- '
-Enable auto-start
-After copying the provided `nfd.service` file, auto-start can be enabled with:
- sudo systemctl enable nfd
-To manually start it, use the following command:
- sudo systemctl start nfd
-Disable auto-start
-To stop the `nfd` daemon, use the following command:
- sudo systemctl stop nfd
-To prevent it from being automatically started on reboot,
-disable the service:
- sudo systemctl disable nfd
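Review bot: Deleting this README drops the only setup documentation visible in the patch: creating the `ndn` user and group, the log and `HOME` directories, key generation with `ndnsec-keygen`, and the `authorizations` change that restricts the `fib` privilege to NFD's own certificate. Please move that content somewhere that survives, or replace the README with an updated one, rather than removing it. The replacement should also describe how to install the new unit files, since they contain `@BINDIR@` and `@SYSCONFDIR@` placeholders and can no longer be copied to `/etc/systemd/system` as-is.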
diff --git a/systemd/ b/systemd/
new file mode 100644
index 0000000..2eaf3d4
--- /dev/null
+++ b/systemd/
@@ -0,0 +1,62 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+# Arizona Board of Regents,
+# Colorado State University,
+# University Pierre & Marie Curie, Sorbonne University,
+# Washington University in St. Louis,
+# Beijing Institute of Technology,
+# The University of Memphis.
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See for complete list of NFD authors and contributors.
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in file. If not, see <>.
+Description=NDN Autoconfig Client
+ExecStart=@BINDIR@/ndn-autoconfig --daemon --config @SYSCONFDIR@/ndn/autoconfig.conf
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
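Review bot: The ProtectSystem comment depends on the order of two assignments but refers to them only as "that line" and "the latter assignment". Name both values in order (`full` first, then `strict`) and state that the two lines must not be swapped or merged, otherwise a later cleanup can silently weaken the effective setting on one side of the v232 boundary. It is also worth noting in the comment that older systemd reports the unrecognized `strict` value when it parses the unit, so the message is not mistaken for a fault.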
diff --git a/systemd/ b/systemd/
new file mode 100644
index 0000000..3403109
--- /dev/null
+++ b/systemd/
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+# Arizona Board of Regents,
+# Colorado State University,
+# University Pierre & Marie Curie, Sorbonne University,
+# Washington University in St. Louis,
+# Beijing Institute of Technology,
+# The University of Memphis.
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See for complete list of NFD authors and contributors.
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in file. If not, see <>.
+Description=NDN Autoconfig Server
+ExecStart=@BINDIR@/ndn-autoconfig-server $ROUTABLE_PREFIXES $FACE_URI
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
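Review bot: On the `ExecStart` line, `$ROUTABLE_PREFIXES` and `$FACE_URI` are used with no indication of where they are set or which of them is required. systemd word-splits an unbraced `$VAR` and expands an unset one to nothing, so with no environment configured the server is started with no arguments at all. Add a comment above `ExecStart` naming the file that defines both variables and the expected format, and consider refusing to start when the required one is empty.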
diff --git a/systemd/ b/systemd/
new file mode 100644
index 0000000..e245700
--- /dev/null
+++ b/systemd/
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+# Arizona Board of Regents,
+# Colorado State University,
+# University Pierre & Marie Curie, Sorbonne University,
+# Washington University in St. Louis,
+# Beijing Institute of Technology,
+# The University of Memphis.
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See for complete list of NFD authors and contributors.
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in file. If not, see <>.
+Description=NFD Automatic Prefix Registration
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
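Review bot: The ProtectSystem comment and the `RestrictAddressFamilies=` and `SystemCallFilter=` lines here are identical to the ones in the other tool units added by this patch, so any later change to the sandbox has to be repeated by hand in every file. Since the units already go through placeholder substitution, consider generating this block from one shared fragment, or at least add a comment listing the files that must be kept in sync.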
diff --git a/systemd/ b/systemd/
new file mode 100644
index 0000000..fa1469b
--- /dev/null
+++ b/systemd/
@@ -0,0 +1,61 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+# Arizona Board of Regents,
+# Colorado State University,
+# University Pierre & Marie Curie, Sorbonne University,
+# Washington University in St. Louis,
+# Beijing Institute of Technology,
+# The University of Memphis.
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See for complete list of NFD authors and contributors.
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in file. If not, see <>.
+Description=NFD HTTP Status Server
+ExecStart=@BINDIR@/nfd-status-http-server $FLAGS
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
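Review bot: `$FLAGS` on the `ExecStart` line is a very generic name for the variable that decides how an HTTP service is started. A unit-specific name, plus a comment above `ExecStart` saying which file defines it, would make clear what the server runs with when the variable is unset (an unbraced `$FLAGS` then expands to no arguments) and would avoid clashes if an environment file is shared with other units.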
diff --git a/systemd/nfd.service b/systemd/nfd.service
deleted file mode 100644
index 57661fd..0000000
--- a/systemd/nfd.service
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright (c) 2015-2017, Regents of the University of California,
-# Arizona Board of Regents,
-# Colorado State University,
-# University Pierre & Marie Curie, Sorbonne University,
-# Washington University in St. Louis,
-# Beijing Institute of Technology,
-# The University of Memphis.
-# This file is part of NFD (Named Data Networking Forwarding Daemon).
-# See for complete list of NFD authors and contributors.
-# NFD is free software: you can redistribute it and/or modify it under the terms
-# of the GNU General Public License as published by the Free Software Foundation,
-# either version 3 of the License, or (at your option) any later version.
-# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
-# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with
-# NFD, e.g., in file. If not, see <>.
-# Author: Eric Newberry <>
-# Author: Davide Pesavento <>
-Description=NDN Forwarding Daemon
-Documentation=man:nfd(1) man:nfdc(1)
-ExecStart=/usr/local/bin/nfd --config /usr/local/etc/ndn/nfd.conf
-ExecStartPost=/bin/sh -ec 'if [ -f /usr/local/etc/ndn/ ]; then . /usr/local/etc/ndn/; fi'
-ExecReload=/bin/kill -HUP $MAINPID
-RestartPreventExitStatus=2 4
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
diff --git a/systemd/ b/systemd/
new file mode 100644
index 0000000..59058b8
--- /dev/null
+++ b/systemd/
@@ -0,0 +1,63 @@
+# Copyright (c) 2015-2019, Regents of the University of California,
+# Arizona Board of Regents,
+# Colorado State University,
+# University Pierre & Marie Curie, Sorbonne University,
+# Washington University in St. Louis,
+# Beijing Institute of Technology,
+# The University of Memphis.
+# This file is part of NFD (Named Data Networking Forwarding Daemon).
+# See for complete list of NFD authors and contributors.
+# NFD is free software: you can redistribute it and/or modify it under the terms
+# of the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+# NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with
+# NFD, e.g., in file. If not, see <>.
+Description=NDN Forwarding Daemon
+Documentation=man:nfd(1) man:nfdc(1)
+ExecStartPost=/bin/sh -ec 'if [ -f @SYSCONFDIR@/ndn/ ]; then . @SYSCONFDIR@/ndn/; fi'
+ExecReload=/bin/kill -HUP $MAINPID
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap
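Review bot: The new `SystemCallFilter` line adds `@aio @chown @resources @setuid` to the groups denied by the deleted `nfd.service`, with no comment on why they are safe to block for the forwarder. If nfd changes its own uid or gid after start, or changes the ownership of files it creates, those calls will now be refused, so please confirm this against the configurations you support and record the result in a comment. A short comment would also help on why `@privileged` is left out of this list while the tool units deny it.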