Task #1332
closed
Default config file installation
Description
We need to have a sample configuration file in NFD repo.
Updated by Junxiao Shi almost 11 years ago
- Category set to Build
- Estimated time set to 2.00 h
Updated by Junxiao Shi almost 11 years ago
ERROR: [Main] Error: Failed to read configuration file: /usr/local/etc/nfd/nfd.conf
Traditionally, configuration files are placed in /etc/, not in /usr/local/etc.
So the default configuration path should be /etc/ndn/nfd.conf.
Updated by Anonymous almost 11 years ago
I don't currently have any objections to requiring root to install NFD and placing the sample configuration under /etc/ndn. However, the default configuration should not require root to run. My understanding is this requirement comes from:
- /private/var/run/nfd.sock
- Ethernet faces/channels
Can we move nfd.sock to /tmp and comment out the ether section by default?
Updated by Junxiao Shi almost 11 years ago
20140313 conference call decides:
- If NFD is installed by package manager,
  - NFD is started by ndn user, created during installation
  - NFD binary is granted CAP_NET_RAW privilege
  - UNIX socket is in /var/run/ndn/nfd.sock; the directory /var/run/ndn is owned by ndn user
- If NFD is installed by ./waf install
  - NFD can be started by any user
  - NFD binary is granted CAP_NET_RAW privilege
  - UNIX socket is in /tmp/nfd.sock
/etc/ndn/client.conf contains the UNIX socket path, which is read by client libraries
Updated by Davide Pesavento almost 11 years ago
Junxiao Shi wrote:
NFD binary is granted SOCK_RAW privilege
File capabilities might not be available on every system. In case they're not available at install time, we must fall back to running nfd as root (and possibly drop privileges later).
UNIX socket is in /var/run/ndn/nfd.sock; the directory /var/run/ndn is owned by ndn user
Who creates the ndn dir in /var/run?
- If NFD is installed by ./waf install
  - NFD can be started by any user
  - NFD binary is granted SOCK_RAW privilege
Again, file caps might not be available...
Updated by Junxiao Shi almost 11 years ago
Both ndn user and /var/run/ndn directory are created by installation script.
File capabilities are only needed on Linux, and are supported by Ubuntu 12.04 (the only required platform).
Updated by Davide Pesavento almost 11 years ago
Junxiao Shi wrote:
Both ndn user and /var/run/ndn directory are created by installation script.
That won't work. On modern Linux distros /var/run is a symlink to /run, which is a tmpfs. This means that the ndn directory will be gone after the first reboot. Therefore either the init script or nfd itself must create it. If nfd creates it, this implies that it must be started as root, create the dir, and only then drop its privileges.
File capabilities are only needed on Linux, and are supported by Ubuntu 12.04 (the only required platform).
File caps rely on extended attributes (xattr), and not all file systems support extended attributes.
Updated by Junxiao Shi almost 11 years ago
If setcap is not guaranteed to be available, it's better to require starting nfd process with root.
During initialization, nfd process should:
- process configuration file: create UNIX listener in /var/run/nfd.sock, and open pcap sessions
- if configuration file specifies UID to change into, seteuid to that UID (setuid is not feasible, because a future version may allow creating new pcap sessions when additional NIC is enabled)
Updated by Alex Afanasyev almost 11 years ago
I think we are conflating different things here. We can do whatever we need when NFD is installed as a package (including dependency on setcap) and uses upstart. We will be root during startup, can create everything that we need and then drop privileges.
The "problem" comes from a non-packaged install, for which we can just write a README.
Updated by Junxiao Shi almost 11 years ago
Sure, NFD can require setcap command to exist.
However, as note-8 said, if the filesystem on which NFD is installed (/usr/local) does not support extended attributes, setcap will not work on this filesystem, so that NFD would not get CAP_NET_RAW.
NFD should always start as root.
Package manager can create an ndn user, and the configuration would make NFD seteuid(ndn).
Manual installation cannot create new users, so NFD will continue to run as root.
Under this proposal, UNIX listener can sit in /var/run, and setcap isn't needed.
Updated by Davide Pesavento almost 11 years ago
Junxiao Shi wrote:
Manual installation cannot create new users, so NFD will continue to run as root.
You still can (and should) fall back to user nobody, which exists on all Linux distros and on OS X.
Updated by Anonymous almost 11 years ago
Manual installation cannot create new users, so NFD will continue to run as root.
Under this proposal, UNIX listener can sit in /var/run, and setcap isn't needed.
Requiring the default configuration to run as root should not be considered a valid option.
To look at this another way "manual installation" means "anything other than Ubuntu >= 12.04 or OS X >= 10.8 (via macports)", right? My group's lab is finishing a transition to CentOS. My department's lab machines are Fedora. This is going to cause problems for us, and I have to imagine other institutions, when it comes to using NFD for research and course projects due to security policy.
What's going to happen when it comes time for the government labs and others to run NFD as part of the atmospheric science project?
I'm concerned the number of manual installations is being grossly underestimated. The socket should stay under /tmp.
Ethernet support should also be commented out by default. I understand that the face manager gracefully handles ethernet face creation failures, but it is not user friendly to generate error messages during startup. This will cause people to seek support and has already happened locally when trying to get others started on NFD development.
Updated by Junxiao Shi almost 11 years ago
Manual installation still means installation on a supported platform.
Anything other than listed platforms is not supported.
/var/run is the proper place for UNIX listeners on these supported platforms.
NFD is system software (like bind, nginx, etc), so it should start as root.
Updated by Anonymous almost 11 years ago
Junxiao Shi wrote:
Manual installation still means installation on a supported platform.
Anything other than listed platforms is not supported.
That was not the original story we were told before the first January NFD meeting at UCLA. "Supported" meant "has pre-built packages" and everything else, within reason, could compile from source.
This is a research project and people will be modifying/extending NFD to test new ideas. That implies manual installation even though the platform may be "supported." Research code should not be running as root.
/var/run is the proper place for UNIX listeners on these supported platforms.
NFD is system software (like bind, nginx, etc), so it should start as root.
nginx/bind etc. need to start up as root because they need to bind to a port < 1024. They are also well-established, production-quality applications and were probably not designed for research.
Updated by Junxiao Shi almost 11 years ago
20140316 conference call decides:
- UNIX listener is /var/run/nfd.sock
- Ethernet is enabled by default
- nfd program is installed with SetUID-root
- nfd program can be started by regular user
- nfd program should seteuid(ndn_user) after initialization
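The startup order the thread converges on (privileged at start, runtime directory recreated on every start because /var/run may be a tmpfs, then seteuid to an unprivileged user), as an added C example that is not NFD's code. The function names and the uid/gid arguments are hypothetical.

```c
/* Added example, not NFD source. All function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create the runtime directory at every start: a directory made once by an
 * install script disappears at reboot when /var/run is a tmpfs. */
int make_runtime_dir(const char *path, uid_t owner, gid_t group)
{
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    /* Only root may hand the directory to another user. */
    if (geteuid() == 0 && chown(path, owner, group) != 0)
        return -1;
    return 0;
}

/* Temporary drop after initialization. Order matters: supplementary groups
 * and the group ID must change while the effective UID is still 0. */
int drop_effective(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Re-acquire root for a later privileged step, such as opening a pcap
 * session on a newly enabled NIC. Works only while the saved
 * set-user-ID is still 0, which seteuid() leaves untouched. */
int regain_root(void)
{
    return seteuid(0);
}
```

Because seteuid leaves the saved set-user-ID at 0, regain_root() succeeds in a SetUID-root process; that is what allows later pcap sessions, and it also means the drop is not permanent.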