[Nfd-dev] Intended scope of client.conf
Burke, Jeff
jburke at remap.ucla.edu
Wed Aug 20 08:57:33 PDT 2014
Hi Alex,
A few comments below.
Jeff
From: Alex Afanasyev <alexander.afanasyev at ucla.edu<mailto:alexander.afanasyev at ucla.edu>>
Date: Tue, 19 Aug 2014 12:20:58 -0500
To: Jeff Burke <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>>
Cc: Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>>, Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>>, "nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>>
Subject: Re: [Nfd-dev] Intended scope of client.conf
On Aug 19, 2014, at 11:44 AM, Burke, Jeff <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>> wrote:
Hi Yingdi,
Thanks for the reply – comments below.
Jeff
From: Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>>
Date: Tue, 19 Aug 2014 11:25:42 -0500
To: Jeff Burke <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>>
Cc: Alexander Afanasyev <alexander.afanasyev at ucla.edu<mailto:alexander.afanasyev at ucla.edu>>, Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>>, "nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>>
Subject: Re: [Nfd-dev] Intended scope of client.conf
Hi Jeff,
On Aug 18, 2014, at 4:35 PM, Burke, Jeff <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>> wrote:
So, the idea is that client.conf provides per-user configuration for NDN applications that gives the default keystore and mechanism for connecting to the local daemon. For now, the default keystore specified in this configuration must be used if an application wants to interact with the identities/keys manipulated by the ndnsec tools.
Is that the right way to state it?
This client.conf is the configuration file of ndn-cxx, so all apps (including ndnsec) compiled against ndn-cxx will use the keystore info in this file as the default configuration. If an app wants to access the identities/keys created through ndn-cxx, the paths in the conf file should be the right place to go.
Alex's Issue #1850<http://redmine.named-data.net/issues/1850> suggests a stronger idea - that client.conf is for all libraries / applications interacting locally with NFD/NRD. Is that correct?
It is for "all" libraries (applications).
Ok, I'd suggest there should be a spec for this eventually; for now it is self-explanatory, though.
- NFD and NRD use their own system-wide configuration file, not client.conf. The unix socket they use is defined in their nfd.conf file. But where is the keystore for the keys used by NFD and NRD, and how is it configured? I couldn't find this in the developers guide.
NFD and NRD are built against ndn-cxx, so they use the keystore info in the client.conf. We will clarify that in the dev guide.
I'm still not sure that I understand why NFD/NRD should use a user's ~/.ndn/client.conf for their identity, if they are system-wide services. This means that NFD and NRD will have different identities/signing keys on the same host if they are started by different users? Shouldn't the daemon's identities be stable per-host unless changed by the owner/operator?
I think the fact that NFD and NRD are using ~/.ndn/client.conf is just an artifact of your installation. They are not suppose to be running as normal user. One is running as root, the other should be some special user (ndn user if using Ubuntu PPA or macports). In either case, ~/.ndn/client.conf should refer to different locations and there is "system-wide" /etc/ndn/client.conf (or /usr/local/etc/ndn/client.conf, depending on your installation) which kicks in when ~/.ndn/client.conf doesn't exist.
Yes, I understand now. I think this is just a documentation issue: Originally I followed the instructions in "Getting started with NFD" pretty carefully to install from source, as I prefer to be able to experiment with the source and not rely on macports or binary installations. There is nothing that I could find that suggests it is necessary to setup NRD/NFD to run in this way, or what the implications are if you don't do it.
If it is not "normal" to run the daemons as your own user, I think this just needs to be explained in the documentation for installing from source. The FAQ section on "How to run NFD as non-root user" doesn't explain the implications, nor cover all of the details of what needs to be done in terms of setting file permissions, creating keys (perhaps), etc. in addition to the config file step. (Also, it isn't clear that NFD itself moves from root to the less-privileged user, but NRD is always run as the less-privileged user.)
Since I prefer to have the user called nfd and not ndn (too general), I went through and manually followed the steps that the MacPorts installation does, modified also to point to what I am already compiling from source, and everything works fine. So perhaps that at some point that could be converted to a script independent of the Macports installation that could be run for source installs? And/or the steps documented somewhere else... At a minimum, I think the documentation should point out the importance of using one of the package installs if you want to get privileges and keystores correctly set up...
As an aside, in looking at Mac OS X launchd, I did notice the following in the man page, which may have implications for NFD:
A daemon or agent launched by launchd SHOULD NOT do the following as a part of their startup initialization:
o Setup the user ID or group ID.
o Setup the working directory.
o chroot(2)
o setsid(2)
o Close "stray" file descriptors.
o Change stdio(3) to /dev/null.
o Setup resource limits with setrusage(2).
o Setup priority with setpriority(2).
o Ignore the SIGTERM signal.
One more thing. Both ubuntu and macports are using trick with updating HOME variable before starting nfd, nrd, and all other daemons. This ensures that deamons/apps don't share client.conf and security credentials.
- It is assumed that there is only one installation of NFD/NRD per host. So, shouldn't the socket configuration and protocol be per-host rather than per user? I understand that for convenience they may be in client.conf, but want to confirm...
We may have per-host config for socket, but for keystore info, it might be better to keep per-user configuration.
If NFD/NRD are system-wide services, what is the motivation for this? (If they always ran under their own user, and the keystore was that of the NFD "user" this would make sense to me. But, this is not the default behavior yet.)
System-wide services do not (not suposed to) use user's client.conf.
perhaps their should be a client-default.conf in the same place as nfd.conf, and just override it from ~/.ndn/client.conf?
I think a client-default.conf is possible if we set user's home directory as the default path to keystore.
Yes, makes sense. I'm not sure it's necessary if the NRD/NFD identity issue is solved in a different way.
- There is an operator identity created by default at the time of installation of NFD/NRD. This seems to be associated with the user who installed the software. For NDN applications that run under other (non-root) users, is the idea that they can use their own client.conf settings, but the operator of the machine will need to authorize their key to sign things like prefix registration commands for the daemon?
Ideally yes, but command interest validation is turned off.
Yes, but hopefully not for long :)
It seems like there is a potential bottleneck here, where on a multi-user host the operator will need to manually sign each user's key before they can register prefixes, which is a basic part of NDN communication. Perhaps there should be an optional configuration mechanism available that automatically signs the keys of all authenticated users (who optionally are members of some group) on the host.
- Because it uses ndn-cxx, ndnsec manipulates the PIB/TPM for the current user, based on the settings in that user's client.conf. Is that correct? This may need to be clarified in the documentation. Also, ndnsec-list does not seem to take into account the TPM setting, it just lists all of the keys in the PIB for the user. Perhaps it could indicate which TPM they are stored in, to aid debugging?
ndn-cxx internally maintains the consistency between PIB and TPM. Right now ndn-cxx assumed that there is only one TPM for one PIB, so we do not list the TPM information for each key. But I think we may need the TPM info when PIB handles multiple TPMs at the same time.
Ok. This causes some problems with NFD/NRD and probably other applications in cases where you are experimenting with two different TPMs. See Bug #1889<http://redmine.named-data.net/issues/1889>.
It was never intended to use multiple TPMs in the first place. It just a current accident that we have multiple ones and behavior is not defined if there is a mix up.
Yes, I understand. I just think NFD/NRD should not fail to start in this circumstances, as long as they can load the keys they need.
---
Alex
Thanks!
Jeff
Yingdi
Thanks,
Jeff
From: Alex Afanasyev <alexander.afanasyev at ucla.edu<mailto:alexander.afanasyev at ucla.edu>>
Date: Mon, 18 Aug 2014 15:49:59 -0500
To: Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>>
Cc: Jeff Burke <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>>, "nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>>
Subject: Re: [Nfd-dev] Intended scope of client.conf
On Aug 18, 2014, at 3:38 PM, Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>> wrote:
On Aug 18, 2014, at 2:25 PM, Burke, Jeff <jburke at remap.UCLA.EDU<mailto:jburke at remap.UCLA.EDU>> wrote:
Hi folks,
Is there any specification for the purpose and scope of client.conf. E.g., how it can be located, what can be specified there, and what code should pay attention to it?
I'm not aware of a full specification for the current client.conf. Here's the original client.conf redmine issue that covers file format, location, and some parameters: http://redmine.named-data.net/issues/1364 .
This is basically the spec. A new addition that was made long time ago was part of http://redmine.named-data.net/issues/1532 and is documented in http://redmine.named-data.net/projects/ndn-cxx/wiki/KeyChainConf
---
Alex
We need to consider how to handle this specification in the NDN-CCL libraries, and would prefer to work from a design specification rather than existing code in ndn-cxx. For code like ndn-js, it may not always apply, so we need to understand defaults and assumptions, too.
Please see:
http://redmine.named-data.net/issues/1850
Thanks,
Jeff
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20140820/e4586cc0/attachment.html>
More information about the Nfd-dev
mailing list