Starting NFD on Linux with systemd
==================================

Newer versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian,
use systemd to start system daemons, monitor their health, and restart them when they die.

Initial setup
-------------

* Edit `nfd.service`, correcting the paths to the `nfd` executable, configuration, and
  ``HOME`` directories.

* Copy the systemd config file for NFD to the proper directory

        sudo cp nfd.service /etc/systemd/system

* Reload the systemd manager configuration

        sudo systemctl daemon-reload

### Assumptions in the default scripts

* `nfd` is installed into `/usr/local/bin`
* Configuration file is `/usr/local/etc/ndn/nfd.conf`
* `nfd` will be run as root
* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`

### Creating users

If the `ndn` user and group do not exist, they need to be manually created.

    # Create group `ndn`
    sudo addgroup --system ndn

    # Create user `ndn`
    sudo adduser --system \
                 --disabled-login \
                 --ingroup ndn \
                 --home /nonexistent \
                 --gecos "NDN User" \
                 --shell /bin/false \
                 ndn

### Creating folders

Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:

    sudo mkdir -p /usr/local/var/log/ndn
    sudo chown -R ndn:ndn /usr/local/var/log/ndn

`HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
unique security credentials for the daemon.

    # Create HOME and generate self-signed NDN certificate for nfd
    sudo sh -c ' \
      mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
    '

### Configuring NFD's security

The NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set
strategy choice for namespaces. While such settings could be a good start, it is
generally not a good idea to run NFD in this mode.

While thorough discussion about the security configuration of NFD is outside the scope of
this document, at least the following change should be made in ``nfd.conf`` in the
authorize section:

    authorizations
    {
      authorize
      {
        certfile certs/localhost_daemons_nfd.ndncert
        privileges
        {
            faces
            fib
            strategy-choice
        }
      }

      authorize
      {
        certfile any
        privileges
        {
            faces
            strategy-choice
        }
      }
    }

While this configuration still allows the management of faces and updating strategy choice by
anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.

As the final step to make this configuration work, nfd's self-signed certificate needs to
be exported into the `localhost_daemons_nfd.ndncert` file:

    sudo sh -c '\
      mkdir -p /usr/local/etc/ndn/certs || true; \
      export HOME=/usr/local/var/lib/ndn/nfd; \
      ndnsec-dump-certificate -i /localhost/daemons/nfd > \
        /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
    '

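The following check is an added example, not part of NFD or of this README: it lists the privileges that the `authorizations` section grants to `certfile any` and fails when `fib` is among them. It assumes one keyword or brace per line, as in the snippet above; the function names and the constructed sample generators are hypothetical.

```shell
# Added example (not part of NFD). Assumes the nfd.conf layout shown above:
# one keyword or brace per line, ";" starting a comment.

# Print the privileges granted by every authorize block with "certfile any".
any_privileges() {
    awk '
        { sub(/;.*/, "") }                        # strip comments
        $1 == "authorize" { in_auth = 1; any = 0; privs = ""; depth = 0; next }
        !in_auth          { next }
        $1 == "{"         { depth++; next }
        $1 == "}"         {
            depth--
            if (depth == 1) in_priv = 0           # closed privileges { }
            if (depth == 0) {                     # closed authorize { }
                if (any) printf "%s", privs
                in_auth = 0
            }
            next
        }
        depth == 1 && $1 == "certfile"   { any = ($2 == "any"); next }
        depth == 1 && $1 == "privileges" { in_priv = 1; next }
        in_priv && depth == 2 && NF      { privs = privs $1 "\n" }
    ' "${1:--}" | sort -u
}

# Succeed only when "fib" is NOT available to arbitrary certificates.
fib_is_restricted() {
    ! any_privileges "${1:--}" | grep -qx 'fib'
}

# Constructed sample input: emit one authorize block (authz CERTFILE PRIV...).
authz() {
    cert=$1; shift
    printf 'authorize\n{\n  certfile %s\n  privileges\n  {\n' "$cert"
    printf '    %s\n' "$@"
    printf '  }\n}\n'
}
sample_open() { echo 'authorizations'; echo '{'; authz any faces fib strategy-choice; echo '}'; }
sample_restricted() {
    echo 'authorizations'; echo '{'
    authz certs/localhost_daemons_nfd.ndncert faces fib strategy-choice
    authz any faces strategy-choice
    echo '}'
}
# On a real host: fib_is_restricted /usr/local/etc/ndn/nfd.conf
for s in sample_open sample_restricted; do
    if $s | fib_is_restricted; then echo "$s: fib restricted"
    else echo "$s: any certificate may change the FIB"; fi
done
```
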
Enable auto-start
-----------------

After copying the provided systemd config file, auto-start of the `nfd` daemon can be enabled with:

    sudo systemctl enable nfd

To manually start it, use the following command:

    sudo systemctl start nfd

Disable auto-start
------------------

To stop the `nfd` daemon, use the following command:

    sudo systemctl stop nfd

To permanently stop the `nfd` daemon and disable it from being automatically started on reboot,
disable the service:

    sudo systemctl disable nfd