Eric Newberry | 187ade8 | 2015-05-13 01:22:51 -0700 | [diff] [blame] | 1 | Starting NFD on Linux with systemd |
| 2 | ================================== |
| 3 | |
| 4 | Newer versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian |
| 5 | use systemd to start system daemons, monitor their health, and restart them when they die. |
| 6 | |
| 7 | Initial setup |
| 8 | ------------- |
| 9 | |
| 10 | * Edit `nfd.service`, correcting the paths to the `nfd` executable, configuration, and |
| 11 | ``HOME`` directories. |
| 12 | |
| 13 | * Copy the systemd config file for NFD to the proper directory |
| 14 | |
| 15 | sudo cp nfd.service /etc/systemd/system |
| 16 | |
| 17 | * Reload the systemd manager configuration |
| 18 | |
| 19 | sudo systemctl daemon-reload |
| 20 | |
| 21 | ### Assumptions in the default scripts |
| 22 | |
| 23 | * `nfd` is installed into `/usr/local/bin` |
| 24 | * Configuraton file is `/usr/local/etc/ndn/nfd.conf` |
| 25 | * `nfd` will be run as root |
| 26 | * Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn` |
| 27 | |
| 28 | ### Creating users |
| 29 | |
| 30 | If the `ndn` user and group do not exist, they need to be manually created. |
| 31 | |
| 32 | # Create group `ndn` |
| 33 | sudo addgroup --system ndn |
| 34 | |
| 35 | # Create user `ndn` |
| 36 | sudo adduser --system \ |
| 37 | --disabled-login \ |
| 38 | --ingroup ndn \ |
| 39 | --home /nonexistent \ |
| 40 | --gecos "NDN User" \ |
| 41 | --shell /bin/false \ |
| 42 | ndn |
| 43 | |
| 44 | |
| 45 | ### Creating folders |
| 46 | |
| 47 | Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group: |
| 48 | |
| 49 | sudo mkdir -p /usr/local/var/log/ndn |
| 50 | sudo chown -R ndn:ndn /usr/local/var/log/ndn |
| 51 | |
| 52 | `HOME` directory for `nfd` should be created prior to starting. This is necessary to manage |
| 53 | unique security credentials for the daemon. |
| 54 | |
| 55 | # Create HOME and generate self-signed NDN certificate for nfd |
| 56 | sudo sh -c ' \ |
| 57 | mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \ |
| 58 | export HOME=/usr/local/var/lib/ndn/nfd; \ |
| 59 | ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \ |
| 60 | ' |
| 61 | |
| 62 | ### Configuring NFD's security |
| 63 | |
| 64 | NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set |
| 65 | strategy choice for namespaces. While such settings could be a good start, it is |
| 66 | generally not a good idea to run NFD in this mode. |
| 67 | |
| 68 | While thorough discussion about the security configuration of NFD is outside the scope of |
| 69 | this document, at least the following change should be done in ``nfd.conf`` in the |
| 70 | authorize section: |
| 71 | |
| 72 | authorizations |
| 73 | { |
| 74 | authorize |
| 75 | { |
| 76 | certfile certs/localhost_daemons_nfd.ndncert |
| 77 | privileges |
| 78 | { |
| 79 | faces |
| 80 | fib |
| 81 | strategy-choice |
| 82 | } |
| 83 | } |
| 84 | |
| 85 | authorize |
| 86 | { |
| 87 | certfile any |
| 88 | privileges |
| 89 | { |
| 90 | faces |
| 91 | strategy-choice |
| 92 | } |
| 93 | } |
| 94 | } |
| 95 | |
| 96 | While this configuration still allows the management of faces and updating strategy choice by |
| 97 | anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB. |
| 98 | |
| 99 | As the final step to make this configuration work, nfd's self-signed certificate needs to |
| 100 | be exported into the `localhost_daemons_nfd.ndncert` file: |
| 101 | |
| 102 | sudo sh -c '\ |
| 103 | mkdir -p /usr/local/etc/ndn/certs || true; \ |
| 104 | export HOME=/usr/local/var/lib/ndn/nfd; \ |
| 105 | ndnsec-dump-certificate -i /localhost/daemons/nfd > \ |
| 106 | /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \ |
| 107 | ' |
| 108 | |
| 109 | Enable auto-start |
| 110 | ----------------- |
| 111 | |
| 112 | After copying the provided upstart script, auto-start of the `nfd` daemon can be enabled with: |
| 113 | |
| 114 | sudo systemctl enable nfd |
| 115 | |
| 116 | To manually start it, use the following command: |
| 117 | |
| 118 | sudo systemctl start nfd |
| 119 | |
| 120 | Disable auto-start |
| 121 | ------------------ |
| 122 | |
| 123 | To stop the `nfd` daemon, use the following command: |
| 124 | |
| 125 | sudo systemctl stop nfd |
| 126 | |
| 127 | To permanently stop the `nfd` daemon and disable it from being automatically started on reboot, |
| 128 | disable the service: |
| 129 | |
| 130 | sudo systemctl disable nfd |