Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 1 | Starting NFD on OSX >= 10.8 |
| 2 | =========================== |
| 3 | |
| 4 | OSX provides a standard way to start system daemons, monitor their health, and restart |
| 5 | when they die. |
| 6 | |
| 7 | Initial setup |
| 8 | ------------- |
| 9 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 10 | Edit `net.named-data.nfd` correcting paths for `nfd` binary, configuration and log files. |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 11 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 12 | # Copy launchd.plist for NFD |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 13 | sudo cp net.named-data.nfd.plist /Library/LaunchDaemons/ |
| 14 | sudo chown root /Library/LaunchDaemons/net.named-data.nfd.plist |
| 15 | |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 16 | ### Assumptions in the default scripts |
| 17 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 18 | * `nfd` is installed into `/usr/local/bin` |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 19 | * Configuration file is `/usr/local/etc/ndn/nfd.conf` |
| 20 | * `nfd` will be run as root |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 21 | * Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn` |
| 22 | |
| 23 | ### Creating users |
| 24 | |
| 25 | If `ndn` user does not exists, it needs to be manually created (procedure copied from |
| 26 | [macports script](https://trac.macports.org/browser/trunk/base/src/port1.0/portutil.tcl)). |
| 27 | Update uid/gid if 6363 is already used. |
| 28 | |
| 29 | # Create user `ndn` |
| 30 | sudo dscl . -create /Users/ndn UniqueID 6363 |
| 31 | |
| 32 | # These are implicitly added on Mac OSX Lion. AuthenticationAuthority |
| 33 | # causes the user to be visible in the Users & Groups Preference Pane, |
| 34 | # and the others are just noise, so delete them. |
| 35 | # https://trac.macports.org/ticket/30168 |
| 36 | sudo dscl . -delete /Users/ndn AuthenticationAuthority |
| 37 | sudo dscl . -delete /Users/ndn PasswordPolicyOptions |
| 38 | sudo dscl . -delete /Users/ndn dsAttrTypeNative:KerberosKeys |
| 39 | sudo dscl . -delete /Users/ndn dsAttrTypeNative:ShadowHashData |
| 40 | |
| 41 | sudo dscl . -create /Users/ndn RealName "NDN User" |
| 42 | sudo dscl . -create /Users/ndn Password "{*}" |
| 43 | sudo dscl . -create /Users/ndn PrimaryGroupID 6363 |
| 44 | sudo dscl . -create /Users/ndn NFSHomeDirectory /var/empty |
| 45 | sudo dscl . -create /Users/ndn UserShell /usr/bin/false |
| 46 | |
| 47 | # Create group `ndn` |
| 48 | sudo dscl . -create /Groupsndn Password "{*}" |
| 49 | sudo dscl . -create /Groups/ndn RealName "NDN User" |
| 50 | sudo dscl . -create /Groups/ndn PrimaryGroupID 6363 |
| 51 | |
| 52 | ### Creating folders |
| 53 | |
| 54 | Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group: |
| 55 | |
| 56 | sudo mkdir -p /usr/local/var/log/ndn |
| 57 | sudo chown -R ndn:ndn /usr/local/var/log/ndn |
| 58 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 59 | `HOME` directory for `nfd` should be created and configured with correct library's config file |
| 60 | and contain proper NDN security credentials for signing Data packets. This is necessary since |
| 61 | default private key storage on OSX (`osx-keychain`) does not support non-interactive access, |
| 62 | and file-based private key storage needs to be used: |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 63 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 64 | # Create HOME and generate self-signed NDN certificate for nfd |
| 65 | sudo -s -- ' \ |
| 66 | mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \ |
| 67 | export HOME=/usr/local/var/lib/ndn/nfd; \ |
| 68 | echo tpm=tpm-file > /usr/local/var/lib/ndn/nfd/.ndn/client.conf; \ |
| 69 | ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \ |
| 70 | ' |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 71 | |
| 72 | ### Configuring NFD's security |
| 73 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 74 | NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set strategy |
| 75 | choice for namespaces. While such settings could be a good start, it is generally not a good |
| 76 | idea to run NFD in this mode. |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 77 | |
Alexander Afanasyev | 37a05f6 | 2014-05-09 18:55:21 -0700 | [diff] [blame] | 78 | While thorough discussion about security configuration of NFD is outside the scope of this |
| 79 | document, at least the following change should be done to nfd.conf in authorize section: |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 80 | |
| 81 | authorizations |
| 82 | { |
| 83 | authorize |
| 84 | { |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 85 | certfile certs/localhost_daemons_nfd.ndncert |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 86 | privileges |
| 87 | { |
| 88 | faces |
| 89 | fib |
| 90 | strategy-choice |
| 91 | } |
| 92 | } |
| 93 | |
| 94 | authorize |
| 95 | { |
| 96 | certfile any |
| 97 | privileges |
| 98 | { |
| 99 | faces |
| 100 | strategy-choice |
| 101 | } |
| 102 | } |
| 103 | } |
| 104 | |
| 105 | While this configuration still allows management of faces and updating strategy choice by |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 106 | anybody, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB. |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 107 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 108 | As the final step to make this configuration work, NFD's self-signed certificate needs to |
| 109 | be exported into `localhost_daemons_nfd.ndncert` file: |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 110 | |
Alexander Afanasyev | f08a737 | 2015-02-09 21:28:19 -0800 | [diff] [blame] | 111 | sudo -s -- '\ |
| 112 | mkdir -p /usr/local/etc/ndn/certs || true; \ |
| 113 | export HOME=/usr/local/var/lib/ndn/nfd; \ |
| 114 | ndnsec-dump-certificate -i /localhost/daemons/nfd > \ |
| 115 | /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \ |
| 116 | ' |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 117 | |
| 118 | |
| 119 | Enable auto-start |
| 120 | ----------------- |
| 121 | |
| 122 | sudo launchctl load -w /Library/LaunchDaemons/net.named-data.nfd.plist |
Alexander Afanasyev | c6e6142 | 2014-05-07 00:32:25 -0700 | [diff] [blame] | 123 | |
| 124 | Disable auto-start |
| 125 | ------------------ |
| 126 | |
| 127 | sudo launchctl unload -w /Library/LaunchDaemons/net.named-data.nfd.plist |