Starting NFD on OSX >= 10.8
===========================

OSX provides a standard way to start system daemons, monitor their health, and restart
them when they die.

Initial setup
-------------
9
Edit `net.named-data.nfd.plist`, correcting the paths for the `nfd` binary, the configuration file and the log files.

    # Copy launchd.plist for NFD
    sudo cp net.named-data.nfd.plist /Library/LaunchDaemons/
    sudo chown root /Library/LaunchDaemons/net.named-data.nfd.plist

### Assumptions in the default scripts

* `nfd` is installed into `/usr/local/bin`
* The configuration file is `/usr/local/etc/ndn/nfd.conf`
* `nfd` will be run as root
* Log files will be written to the `/usr/local/var/log/ndn` folder, which is owned by user `ndn`

### Creating users

If the `ndn` user does not exist, it needs to be created manually (procedure copied from the
[macports script](https://trac.macports.org/browser/trunk/base/src/port1.0/portutil.tcl)).
Update the uid/gid if 6363 is already in use.

    # Create user `ndn`
    sudo dscl . -create /Users/ndn UniqueID 6363

    # These are implicitly added on Mac OSX Lion. AuthenticationAuthority
    # causes the user to be visible in the Users & Groups Preference Pane,
    # and the others are just noise, so delete them.
    # https://trac.macports.org/ticket/30168
    sudo dscl . -delete /Users/ndn AuthenticationAuthority
    sudo dscl . -delete /Users/ndn PasswordPolicyOptions
    sudo dscl . -delete /Users/ndn dsAttrTypeNative:KerberosKeys
    sudo dscl . -delete /Users/ndn dsAttrTypeNative:ShadowHashData

    sudo dscl . -create /Users/ndn RealName "NDN User"
    sudo dscl . -create /Users/ndn Password "{*}"
    sudo dscl . -create /Users/ndn PrimaryGroupID 6363
    sudo dscl . -create /Users/ndn NFSHomeDirectory /var/empty
    sudo dscl . -create /Users/ndn UserShell /usr/bin/false

    # Create group `ndn`
    sudo dscl . -create /Groups/ndn Password "{*}"
    sudo dscl . -create /Groups/ndn RealName "NDN User"
    sudo dscl . -create /Groups/ndn PrimaryGroupID 6363

### Creating folders

The folder `/usr/local/var/log/ndn` should be created and assigned the proper user and group:

    sudo mkdir -p /usr/local/var/log/ndn
    sudo chown -R ndn:ndn /usr/local/var/log/ndn

A `HOME` directory for `nfd` should be created and configured with the correct client library
config file, and it must contain proper NDN security credentials for signing Data packets. This
is necessary because the default private key storage on OSX (`osx-keychain`) does not support
non-interactive access, so the file-based private key storage (`tpm-file`) needs to be used:

    # Create HOME and generate self-signed NDN certificate for nfd
    sudo -s -- ' \
      mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      echo tpm=tpm-file > /usr/local/var/lib/ndn/nfd/.ndn/client.conf; \
      ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
    '

### Configuring NFD's security

NFD's sample configuration allows anybody to create faces, add nexthops to the FIB, and set the
strategy choice for namespaces. While such settings can be a good start, it is generally not a
good idea to run NFD in this mode.

While a thorough discussion of NFD's security configuration is outside the scope of this
document, at least the following change should be made to the `authorizations` section of nfd.conf:

    authorizations
    {
      authorize
      {
        certfile certs/localhost_daemons_nfd.ndncert
        privileges
        {
          faces
          fib
          strategy-choice
        }
      }

      authorize
      {
        certfile any
        privileges
        {
          faces
          strategy-choice
        }
      }
    }

While this configuration still allows anybody to manage faces and update the strategy choice,
only NFD's RIB Manager (i.e., NFD itself) is allowed to manage the FIB.
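To check that an nfd.conf really restricts `fib` the way described above, the following added example (not NFD's own code, and not part of the original README) parses the nested `key value` / `key` + `{ ... }` layout of the file and lists every `certfile` under `authorizations` that is granted the `fib` privilege; the sample text is constructed in the shape of NFD's open sample configuration.

```python
# Added example (not NFD's own code): a minimal parser for nfd.conf's nested
# layout plus an audit of which `certfile` entries may change the FIB.
def parse_info(text):
    # Nested (key, value) pairs; value is a str, or a list for a `{ ... }` block.
    lines = [s for s in (ln.split(";", 1)[0].strip() for ln in text.splitlines()) if s]
    stack, i = [[]], 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition(" ")
        if i < len(lines) and lines[i] == "{":  # a block opens on the next line
            stack[-1].append((key, []))
            stack.append(stack[-1][-1][1])
            i += 1
        else:                                   # `key value`, or a bare key
            stack[-1].append((key, value.strip()))
    return stack[0]

def fib_grants(conf_text):
    # Certfile values whose `authorize` block lists the `fib` privilege.
    granted = []
    for key, section in parse_info(conf_text):
        if key != "authorizations" or not isinstance(section, list):
            continue
        for name, block in section:
            if name == "authorize" and isinstance(block, list):
                entry = dict(block)
                privileges = [p for p, _ in entry.get("privileges", [])]
                if "fib" in privileges:
                    granted.append(entry.get("certfile", ""))
    return granted

# Constructed sample in the shape of NFD's open sample config: `any` may change the FIB.
OPEN_SAMPLE = """authorizations
{
  authorize
  {
    certfile any      ; anybody holding any certificate
    privileges
    {
      faces
      fib
      strategy-choice
    }
  }
}
"""
```

Running `fib_grants` over the text of `/usr/local/etc/ndn/nfd.conf` should return only `certs/localhost_daemons_nfd.ndncert` once the change above is in place; an `any` in the result means anybody can still add nexthops.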

As the final step to make this configuration work, NFD's self-signed certificate needs to
be exported into the `localhost_daemons_nfd.ndncert` file:

    sudo -s -- ' \
      mkdir -p /usr/local/etc/ndn/certs || true; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-dump-certificate -i /localhost/daemons/nfd > \
        /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
    '


Enable auto-start
-----------------

    sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nfd.plist

Disable auto-start
------------------

    sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nfd.plist