[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnunet-texinfo] branch master updated: installation.texi
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnunet-texinfo] branch master updated: installation.texi |
|
Date: |
Mon, 27 Mar 2017 15:28:09 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnunet-texinfo.
The following commit(s) were added to refs/heads/master by this push:
new 8789f87 installation.texi
8789f87 is described below
commit 8789f87ed7d5c440e8956dfa03f60d2b502e1f48
Author: ng0 <address@hidden>
AuthorDate: Fri Feb 17 16:58:17 2017 +0000
installation.texi
---
installation.texi | 1700 ++++++++++++++++++++++++++++++-----------------------
1 file changed, 969 insertions(+), 731 deletions(-)
diff --git a/installation.texi b/installation.texi
index 173f4c6..7f543fa 100644
--- a/installation.texi
+++ b/installation.texi
@@ -256,7 +256,7 @@ gnunet-service-gns (requires vpn, dns, dht, namestore,
identity)
@end itemize
@node Generic installation instructions
address@hidden Generic installation instructions
address@hidden Generic installation instructions
First, in addition to the GNUnet sources you must download the latest version
of various dependencies. Most distributions do not include sufficiently recent
@@ -349,97 +349,108 @@ file-sharing):@
SYSTEM_ONLY = YES@
USER_ONLY = NO@
}@
- You may need to update your ld.so cache to include files installed in
/usr/local/lib:@
+You may need to update your ld.so cache to include files installed in
address@hidden/usr/local/lib}:@
+
@code{@
# ldconfig@
}@
- Then, switch from user root to user gnunet to start the peer:@
+
+Then, switch from user root to user gnunet to start the peer:@
+
@code{@
# su -s /bin/sh - gnunet@
$ gnunet-arm -c /etc/gnunet.conf -s@
}@
- You may also want to add the last line in the gnunet users @code{crontab}
prefixed with @code{@@reboot} so that it is executed whenever the system is
booted:@
+
+You may also want to add the last line in the gnunet users @file{crontab}
+prefixed with @code{@@reboot} so that it is executed whenever the system is
+booted:@
+
@code{@
@@reboot /usr/local/bin/gnunet-arm -c /etc/gnunet.conf -s@
}@
- This will only start the system-wide GNUnet services. Type exit to get back
your root shell. Now, you need to configure the per-user part. For each $USER
on the system, run:@
+
+This will only start the system-wide GNUnet services. Type exit to get back
+your root shell. Now, you need to configure the per-user part. For each
+$USER on the system, run:@
+
@code{@
# adduser $USER gnunet@
}@
- to allow them to access the system-wide GNUnet services. Then, each user
should create a configuration file "~/.config/gnunet.conf" with the lines:@
+
+to allow them to access the system-wide GNUnet services. Then, each user should
+create a configuration file "~/.config/gnunet.conf" with the lines:@
+
@code{@
[arm]@
SYSTEM_ONLY = NO@
USER_ONLY = YES@
DEFAULTSERVICES = gns@
}@
- and start the per-user services using@
+
+and start the per-user services using@
+
@code{@
$ gnunet-arm -c ~/.config/gnunet.conf -s@
}@
- Again, adding a @code{crontab} entry to autostart the peer is advised:@
+
+Again, adding a @file{crontab} entry to autostart the peer is advised:@
@code{@
- @@reboot /usr/local/bin/gnunet-arm -c $HOME/.config/gnunet.conf -s@
+@@reboot /usr/local/bin/gnunet-arm -c $HOME/.config/gnunet.conf -s@
}@
- Note that some GNUnet services (such as SOCKS5 proxies) may need a
system-wide TCP port for each user. For those services, systems with more than
one user may require each user to specify a different port number in their
personal configuration file.
- Finally, the user should perform the basic initial setup for the GNU Name
System. This is done by running two commands:@
+Note that some GNUnet services (such as SOCKS5 proxies) may need a system-wide
+TCP port for each user. For those services, systems with more than one user may
+require each user to specify a different port number in their personal
+configuration file.
+
+Finally, the user should perform the basic initial setup for the GNU Name
+System. This is done by running two commands:@
+
@code{@
$ gnunet-gns-import.sh@
$ gnunet-gns-proxy-setup-ca@
}@
- The first generates the default zones, wheras the second setups the GNS
Certificate Authority with the user's browser. Now, to actiave GNS in the
normal DNS resolution process, you need to edit your @code{/etc/nsswitch.conf}
where you should fine a line like this:
address@hidden: files mdns4_minimal [NOTFOUND=return] dns mdns4
address@hidden example
-
-The exact details may differ a bit, which is fine. Add the text "gns@
- [NOTFOUND=return]" after files:
address@hidden: files gns [NOTFOUND=return] mdns4_minimal
[NOTFOUND=return] dns mdns4
+The first generates the default zones, wheras the second setups the GNS
+Certificate Authority with the user's browser. Now, to actiave GNS in the
+normal DNS resolution process, you need to edit your @file{/etc/nsswitch.conf}
+where you should find a line like this:
address@hidden
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
@end example
-You might want to make sure that @code{/lib/libnss_gns.so.2} exists on your
system, it should have been created during the installation.
address@hidden @bullet
-
-
address@hidden
-
-
address@hidden
-Español
-
address@hidden
-Français
-
address@hidden
-Ð ÑÑÑкий
address@hidden itemize
address@hidden Build instructions for Ubuntu 12.04 using Git
address@hidden %**end of header
-
address@hidden Top
+The exact details may differ a bit, which is fine. Add the text
+"gns [NOTFOUND=return]" after "files":
address@hidden
+hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4
address@hidden example
address@hidden Install the required build tools
address@hidden %**end of header
address@hidden Top
+You might want to make sure that @file{/lib/libnss_gns.so.2} exists on your
+system, it should have been created during the installation.
address@hidden Build instructions for Ubuntu 12.04 using Git
address@hidden Build instructions for Ubuntu 12.04 using Git
address@hidden Install the required build tools
address@hidden Install the required build tools
First, make sure Git is installed on your system:@
address@hidden@
address@hidden
$ sudo apt-get install git@
-}@
- Install the essential buildtools:@
address@hidden@
- $ sudo apt-get install automake autopoint autoconf libtool@
address@hidden Install libgcrypt 1.6 and libgpg-error
address@hidden %**end of header
+}
address@hidden Top
+Install the essential buildtools:@
address@hidden
+ $ sudo apt-get install automake autopoint autoconf libtool
+}
address@hidden Install libgcrypt 1.6 and libgpg-error
address@hidden Install libgcrypt 1.6 and libgpg-error
@code{@
$ wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.12.tar.bz2@
@@ -448,12 +459,10 @@ First, make sure Git is installed on your system:@
$ ./configure@
$ sudo make install@
$ cd ..@
address@hidden Install gnutls with DANE support
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Install gnutls with DANE support
address@hidden Install gnutls with DANE support
$ wget @uref{http://www.lysator.liu.se/~nisse/archive/nettle-2.7.1.tar.gz,
http://www.lysator.liu.se/~nisse/archive/nettle-2.7.1.tar.gz}@
$ tar xf nettle-2.7.1.tar.gz@
@@ -490,12 +499,10 @@ $ wget
@uref{ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.xz, ftp:/
$ ./configure@
$ sudo make install@
$ cd ..@
address@hidden Install libgnurl
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Install libgnurl
address@hidden Install libgnurl
@code{@
$ wget https://gnunet.org/sites/default/files/gnurl-7.34.0.tar.bz2@
@@ -504,12 +511,10 @@ $ wget
@uref{ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.xz, ftp:/
$ ./configure --enable-ipv6 --with-gnutls --without-libssh2
--without-libmetalink --without-winidn --without-librtmp --without-nghttp2
--without-nss --without-cyassl --without-polarssl --without-ssl
--without-winssl --without-darwinssl --disable-sspi --disable-ntlm-wb
--disable-ldap --disable-rtsp --disable-dict --disable-telnet --disable-tftp
--disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-file
--disable-ftp@
$ sudo make install@
$ cd ..@
address@hidden Install libmicrohttpd from Git
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Install libmicrohttpd from Git
address@hidden Install libmicrohttpd from Git
@code{@
$ git clone https://gnunet.org/git/libmicrohttpd@
@@ -518,12 +523,10 @@ $ wget
@uref{ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.xz, ftp:/
$ ./configure@
$ sudo make install@
$ cd ..@
address@hidden Install libextractor from Git
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Install libextractor from Git
address@hidden Install libextractor from Git
Install libextractor dependencies:@
@code{@
@@ -538,12 +541,10 @@ Build libextractor:@
$ ./configure@
$ sudo make install@
$ cd ..@
address@hidden Install GNUnet dependencies
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Install GNUnet dependencies
address@hidden Install GNUnet dependencies
@code{@
$ sudo apt-get install libidn11-dev libunistring-dev libglpk-dev libpulse-dev
libbluetooth-dev libsqlite-dev@
@@ -570,31 +571,26 @@ Choose one or more database backends@
PostgreSQL@
@code{@
$ sudo apt-get install libpq-dev postgresql@
address@hidden Build GNUnet
address@hidden %**end of header
-
address@hidden Top
-
address@hidden Configuring the installation path
address@hidden %**end of header
-
address@hidden Top
+}
address@hidden Build GNUnet
address@hidden Build GNUnet
address@hidden Configuring the installation path
address@hidden Configuring the installation path
-You can specify the location of the GNUnet installation by setting the prefix
when calling the configure script:@code{ --prefix=DIRECTORY}
+You can specify the location of the GNUnet installation by setting the prefix
+when calling the configure script:@code{ --prefix=DIRECTORY}
@code{@
$ export PATH=$PATH:DIRECTORY/bin@
address@hidden Configuring the system
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Configuring the system
address@hidden Configuring the system
Please make sure NOW that you have created a user and group 'gnunet'@
- and additionally a group 'gnunetdns':@
+and additionally a group 'gnunetdns':@
@code{@
$ sudo addgroup gnunet@
$ sudo addgroup gnunetdns@
@@ -602,32 +598,29 @@ Please make sure NOW that you have created a user and
group 'gnunet'@
}
Each GNUnet user should be added to the 'gnunet' group (may@
- require fresh login to come into effect):@
+require fresh login to come into effect):
@code{@
$ sudo useradd -G gnunet@
address@hidden Installing components requiring sudo permission
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Installing components requiring sudo permission
address@hidden Installing components requiring sudo permission
-Some components, like the nss plugin required for GNS, may require root
permissions. To allow these few components to be installed use:@
+Some components, like the nss plugin required for GNS, may require root
+permissions. To allow these few components to be installed use:@
@code{@
- $ ./configure --with-sudo@
address@hidden@settitle Build
address@hidden %**end of header
-
address@hidden Top
-
+ $ ./configure --with-sudo}
address@hidden Build
address@hidden Build
@code{@
$ git clone https://gnunet.org/git/gnunet/@
$ cd gnunet/@
$ ./bootstrap@
-}@
- Use the required configure call including the optional installation prefix
PREFIX or the sudo permissions@
+}
+Use the required configure call including the optional installation prefix
+PREFIX or the sudo permissions@
@code{$ ./configure [ --with-sudo | --with-prefix=PREFIX ]}@
@code{$ make; sudo make install}
@@ -635,17 +628,15 @@ After installing it, you need to create an empty
configuration file:@
@code{mkdir ~/.gnunet; touch ~/.gnunet/gnunet.conf}
And finally you can start GNUnet with@
address@hidden gnunet-arm address@hidden Install the GNUnet-gtk user interface
from Subversion
address@hidden %**end of header
-
address@hidden Top
-
address@hidden gnunet-arm -s}
address@hidden Install the GNUnet-gtk user interface from Subversion
address@hidden Install the GNUnet-gtk user interface from Subversion
Install depencies:@
@code{$ sudo apt-get install libgtk-3-dev libunique-3.0-dev libgladeui-dev
libqrencode-dev}
-To build GNUnet (with an optional prefix)and execute :@
+To build GNUnet (with an optional prefix)and execute:@
@code{@
$ git clone https://gnunet.org/git/gnunet-gtk/@
$ cd gnunet-gtk/@
@@ -653,174 +644,208 @@ To build GNUnet (with an optional prefix)and execute :@
$ ./configure [--prefix=PREFIX] --with-gnunet=DIRECTORY@
$ make; sudo make install@
}
address@hidden @bullet
address@hidden Build Instructions for Microsoft Windows Platforms
address@hidden Build Instructions for Microsoft Windows Platforms
address@hidden
address@hidden Introduction
address@hidden Introduction
+This document is a guide to building GNUnet and its dependencies on Windows
+platforms. GNUnet development is mostly done under Linux and especially SVN
+checkouts may not build out of the box. We regret any inconvenience, and if you
+have problems, please report them.
address@hidden
-Español
address@hidden itemize
address@hidden Build Instructions for Microsoft Windows Platforms
address@hidden %**end of header
-
address@hidden Top
-
address@hidden Introduction
address@hidden %**end of header
-
address@hidden Top
-
-
-
- This document is a guide to building GNUnet and its dependencies on Windows
platforms. GNUnet development is mostly done under Linux and especially SVN
checkouts may not build out of the box. We regret any inconvenience, and if you
have problems, please report them. @settitle Requirements
address@hidden %**end of header
-
address@hidden Top
-
-
-
- The Howto is based upon a @strong{Windows Server 2008 address@hidden
Installation, @strong{sbuild} and thus a @uref{http://www.mingw.org/wiki/MSYS,
MSYS+MinGW} (W32-GCC-Compiler-Suite + Unix-like Userland) installation. sbuild
is a convenient set of scripts which creates a working msys/mingw installation
and installs most dependencies required for GNUnet. }}
address@hidden Requirements
address@hidden Requirements
-As of the point of the creation of this Howto, GNUnet @strong{requires} a
Windows @strong{Server} 2003 or newer for full feature support. Windows Vista
and laterwill also work, but @strong{non-server version can not run a
VPN-Exit-Node} as the NAT features have been removed as of Windows
address@hidden Dependencies & Initial Setup
address@hidden %**end of header
+The Howto is based upon a @strong{Windows Server 2008 address@hidden
Installation, @strong{sbuild} and thus a @uref{http://www.mingw.org/wiki/MSYS,
MSYS+MinGW} (W32-GCC-Compiler-Suite + Unix-like Userland) installation. sbuild
is a convenient set of scripts which creates a working msys/mingw installation
and installs most dependencies required for GNUnet. }}
address@hidden Top
+As of the point of the creation of this Howto, GNUnet @strong{requires} a
+Windows @strong{Server} 2003 or newer for full feature support. Windows Vista
+and later will also work, but
address@hidden version can not run a VPN-Exit-Node} as the NAT features
+have been removed as of Windows Vista.
address@hidden Dependencies & Initial Setup
address@hidden Dependencies & Initial Setup
@itemize @bullet
-
@item
-Install a fresh version of @strong{Python 2.x}, even if you are using a
x64-OS, install a 32-bit version for use with sbuild. Python 3.0 currently is
incompatible.
+Install a fresh version of @strong{Python 2.x}, even if you are using a x64-OS,
+install a 32-bit version for use with sbuild. Python 3.0 currently is
+incompatible.
@item
-Install your favorite @uref{http://code.google.com/p/tortoisegit/, GIT} &
@uref{http://tortoisesvn.net/, SVN}-clients.
+Install your favorite @uref{http://code.google.com/p/tortoisegit/, GIT} &
address@hidden://tortoisesvn.net/, SVN}-clients.
@item
You will also need some archive-manager like @uref{http://www.7-zip.org/,
7zip}.
@item
-Pull a copy of sbuild to a directory of your choice, which will be used in the
remainder of this guide. For now, we will use c:\gnunet\sbuild\
+Pull a copy of sbuild to a directory of your choice, which will be used in the
+remainder of this guide. For now, we will use @file{c:\gnunet\sbuild\}
@item
-in @strong{sbuild\src\mingw\mingw32-buildall.sh}, comment out the packages
@strong{gnunet-svn} and @strong{gnunet-gtk-svn}, as we don't want sbuild to
compile/install those for us.
+in @file{sbuild\src\mingw\mingw32-buildall.sh}, comment out the packages
address@hidden and @strong{gnunet-gtk-svn}, as we don't want sbuild to
+compile/install those for us.
@item
Follow LRN's sbuild installation instructions.-
@end itemize
+Please note that sbuild may (or will most likely) fail during installation,
+thus you really HAVE to @strong{check the logfiles} created during the
+installation process. Certain packages may fail to build initially due to
+missing dependencies, thus you may have to
address@hidden those with binary-versions initially}. Later on once
+dependencies are satisfied you can re-build the newer package versions.
-Please note that sbuild may (or will most likely) fail during installation,
thus you really HAVE to @strong{check the logfiles} created during the
installation process. Certain packages may fail to build initially due to
missing dependencies, thus you may have to @strong{substitute those with
binary-versions initially}. Later on once dependencies are satisfied you can
re-build the newer package versions.
-
address@hidden is normal that you may have to repeat this step multiple times
and there is no uniform way to fix all compile-time issues, as the
build-process of many of the dependencies installed are rather unstable on
win32 and certain releases may not even compile at all.}
-
-Most dependencies for GNUnet have been set up by sbuild, thus we now should
add the bin/ directories in your new msys and mingw installations to PATH. You
will want to create a backup of your finished msys-environment by
address@hidden GNUnet Installation
address@hidden %**end of header
-
address@hidden Top
address@hidden is normal that you may have to repeat this step multiple times
and
+there is no uniform way to fix all compile-time issues, as the build-process
+of many of the dependencies installed are rather unstable on win32 and certain
+releases may not even compile at all.}
+Most dependencies for GNUnet have been set up by sbuild, thus we now should add
+the @file{bin/} directories in your new msys and mingw installations to PATH.
+You will want to create a backup of your finished msys-environment by now.
address@hidden GNUnet Installation
address@hidden GNUnet Installation
First, we need to launch our msys-shell, you can do this via
-C:\gnunet\sbuild\msys\msys.bat
address@hidden:\gnunet\sbuild\msys\msys.bat}
-You might wish to take a look at this file and adjust some login-parameters to
your msys environment.
+You might wish to take a look at this file and adjust some login-parameters to
+your msys environment.
-Also, sbuild added two pointpoints to your msys-environment, though those
might remain invisible:
address@hidden @bullet
+Also, sbuild added two pointpoints to your msys-environment, though those
+might remain invisible:
address@hidden @bullet
@item
-/mingw, which will mount your mingw-directory from sbuild/mingw and the other
one is
+/mingw, which will mount your mingw-directory from sbuild/mingw and the other
one is
@item
/src which contains all the installation sources sbuild just compiled.
@end itemize
+Check out the current gnunet-sources (svn-head) from the gnunet-repository,
+we will do this in your home directory:
-Check out the current gnunet-sources (svn-head) from the gnunet-repository, we
will do this in your home directory:
address@hidden checkout https://gnunet.org/svn/gnunet/ ~/gnunet}
- svn checkout https://gnunet.org/svn/gnunet/ ~/gnunet
-
-Now, we will first need to bootstrap the checked out installation and then
configure it accordingly.
+Now, we will first need to bootstrap the checked out installation and then
+configure it accordingly.
address@hidden
cd ~/gnunet@
- ./bootstrap@
- STRIP=true CPPFLAGS="-DUSE_IPV6=1 -DW32_VEH" CFLAGS="$CFLAGS -g -O2"
./configure --prefix=/ --docdir=/share/doc/gnunet --with-libiconv-prefix=/mingw
--with-libintl-prefix=/mingw --with-libcurl=/mingw --with-extractor=/mingw
--with-sqlite=/mingw --with-microhttpd=/mingw --with-plibc=/mingw
--enable-benchmarks --enable-expensivetests --enable-experimental
--with-qrencode=/mingw --enable-silent-rules --enable-experimental 2>&1 | tee
-a ./configure.log
-
- The parameters above will configure for a reasonable gnunet installation to
the your msys-root directory. Depending on which features your would like to
build or you may need to specify additional dependencies. Sbuild installed most
libs into the /mingw subdirectory, so remember to prefix library locations with
this path.
-
- Like on a unixoid system, you might want to use your home directory as prefix
for your own gnunet installation for development, without tainting the
buildenvironment. Just change the "prefix" parameter to point towards ~/ in
this case.
-
- Now it's time to compile gnunet as usual. Though this will take some time, so
you may fetch yourself a coffee or some Mate now...
-
- make@
- make install @settitle Adjusting Windows for running and testing GNUnet
address@hidden %**end of header
-
address@hidden Top
-
-
-
- Assuming the build succeeded and you @strong{added the bin directory of your
gnunet to PATH}, you can now use your gnunet-installation as usual. Remember
that UAC or the windows firewall may popup initially, blocking further
execution of gnunet until you acknowledge them (duh!).
-
- You will also have to take the usual steps to get p2p software running
properly (port forwarding, ...), and gnunet will require administrative
permissions as it may even install a device-driver (in case you are using
gnunet-vpn and/or gnunet-exit). @settitle Building the GNUnet Installer
address@hidden %**end of header
-
address@hidden Top
-
-
-
- The GNUnet installer is made with @uref{http://nsis.sourceforge.net/, NSIS}@
- The installer script is located in contrib\win in the GNUnet source tree.
@settitle Using GNUnet with Netbeans on Windows
address@hidden %**end of header
-
address@hidden Top
-
-
-
- TODO
address@hidden @bullet
-
-
address@hidden
-
address@hidden itemize
address@hidden Build instructions for Debian 7.5
address@hidden %**end of header
-
address@hidden Top
-
-
-
-These are the installation instructions for Debian 7.5. They were tested using
a minimal, fresh Debian 7.5 AMD64 installation without non-free software (no
contrib or non-free). By "minimal", we mean that during installation, we did
not select any desktop environment, servers or system utilities during the
"tasksel" step. Note that the packages and the dependencies that we will
install during this chapter take about 1.5 GB of disk space. Combined with
GNUnet and space for objects during [...]
-
-GNUnet's security model assumes that your @code{/home} directory is encrypted.
Thus, if possible, you should encrypt your home partition (or per-user home
directory).
-
-Naturally, the exact details of the starting state for your installation
should not matter much. For example, if you selected any of those installation
groups you might simply already have some of the necessary packages installed.
We did this for testing, as this way we are less likely to forget to mention a
required package. Note that we will not install a desktop environment, but of
course you will need to install one to use GNUnet's graphical user interfaces.
Thus, it is suggested tha [...]
address@hidden %**end of header
-
address@hidden Top
-
+./bootstrap@
+STRIP=true CPPFLAGS="-DUSE_IPV6=1 -DW32_VEH" CFLAGS="$CFLAGS -g -O2"
./configure --prefix=/ --docdir=/share/doc/gnunet --with-libiconv-prefix=/mingw
--with-libintl-prefix=/mingw --with-libcurl=/mingw --with-extractor=/mingw
--with-sqlite=/mingw --with-microhttpd=/mingw --with-plibc=/mingw
--enable-benchmarks --enable-expensivetests --enable-experimental
--with-qrencode=/mingw --enable-silent-rules --enable-experimental 2>&1 | tee
-a ./configure.log
address@hidden example
+The parameters above will configure for a reasonable gnunet installation to the
+your msys-root directory. Depending on which features your would like to build
+or you may need to specify additional dependencies. Sbuild installed most libs
+into the /mingw subdirectory, so remember to prefix library locations with
+this path.
-After any installation, you should begin by running@
address@hidden@
- # apt-get update@
- # apt-get upgrade@
-}@
- to ensure that all of your packages are up-to-date. Note that the "#" is used
to indicate that you need to type in this command as "root" (or prefix with
"sudo"), whereas "$" is used to indicate typing in a command as a normal
address@hidden Stable? Hah!
address@hidden %**end of header
+Like on a unixoid system, you might want to use your home directory as prefix
+for your own gnunet installation for development, without tainting the
+buildenvironment. Just change the "prefix" parameter to point towards
+~/ in this case.
address@hidden Top
+Now it's time to compile gnunet as usual. Though this will take some time, so
+you may fetch yourself a coffee or some Mate now...
address@hidden
+make@
+make install
address@hidden example
address@hidden Adjusting Windows for running and testing GNUnet
address@hidden Adjusting Windows for running and testing GNUnet
+
+Assuming the build succeeded and you
address@hidden the bin directory of your gnunet to PATH}, you can now use your
+gnunet-installation as usual. Remember that UAC or the windows firewall may
+popup initially, blocking further execution of gnunet until you acknowledge
+them (duh!).
+
+You will also have to take the usual steps to get p2p software running properly
+(port forwarding, ...), and gnunet will require administrative permissions as
+it may even install a device-driver (in case you are using gnunet-vpn and/or
+gnunet-exit).
+
address@hidden Building the GNUnet Installer
address@hidden Building the GNUnet Installer
+
+The GNUnet installer is made with @uref{http://nsis.sourceforge.net/, NSIS}@
+The installer script is located in @file{contrib\win} in the GNUnet source
tree.
+
address@hidden Using GNUnet with Netbeans on Windows
address@hidden Using GNUnet with Netbeans on Windows
+
+TODO
+
address@hidden Build instructions for Debian 7.5
address@hidden Build instructions for Debian 7.5
+
+These are the installation instructions for Debian 7.5. They were tested using
+a minimal, fresh Debian 7.5 AMD64 installation without non-free software
+(no contrib or non-free). By "minimal", we mean that during installation, we
+did not select any desktop environment, servers or system utilities during the
+"tasksel" step. Note that the packages and the dependencies that we will
+install during this chapter take about 1.5 GB of disk space. Combined with
+GNUnet and space for objects during compilation, you should not even attempt
+this unless you have about 2.5 GB free after the minimal Debian installation.
+Using these instructions to build a VM image is likely to require a minimum of
+4-5 GB for the VM (as you will likely also want a desktop manager).
+
+GNUnet's security model assumes that your @file{/home} directory is encrypted.
+Thus, if possible, you should encrypt your home partition
+(or per-user home directory).
+
+Naturally, the exact details of the starting state for your installation
+should not matter much. For example, if you selected any of those installation
+groups you might simply already have some of the necessary packages installed.
+We did this for testing, as this way we are less likely to forget to mention a
+required package. Note that we will not install a desktop environment, but of
+course you will need to install one to use GNUnet's graphical user interfaces.
+Thus, it is suggested that you simply install the desktop environment of your
+choice before beginning with the instructions.
+
address@hidden Update
address@hidden Update
+
+After any installation, you should begin by running
+
address@hidden
+# apt-get update@
+# apt-get upgrade@
address@hidden example
-Yes, we said we start with a Debian 7.5 "stable" system. However, to reduce
the amount of compilation by hand, we will begin by allowing the installation
of packages from the testing and unstable distributions as well. We will stick
to "stable" packages where possible, but some packages will be taken from the
other distributions. Start by modifying @code{/etc/apt/sources.list} to contain
the following (possibly adjusted to point to your mirror of choice):
address@hidden These were there before:
+to ensure that all of your packages are up-to-date. Note that the "#" is used
+to indicate that you need to type in this command as "root"
+(or prefix with "sudo"), whereas "$" is used to indicate typing in a command
+as a normal user.
+
address@hidden Stable? Hah!
address@hidden Stable? Hah!
+
+Yes, we said we start with a Debian 7.5 "stable" system. However, to reduce the
+amount of compilation by hand, we will begin by allowing the installation of
+packages from the testing and unstable distributions as well. We will stick to
+"stable" packages where possible, but some packages will be taken from the
+other distributions. Start by modifying @file{/etc/apt/sources.list} to contain
+the following (possibly adjusted to point to your mirror of choice):
address@hidden
+# These were there before:
deb http://ftp.de.debian.org/debian/ wheezy main
deb-src http://ftp.de.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
@@ -833,9 +858,11 @@ deb http://ftp.de.debian.org/debian/ testing main
deb http://ftp.de.debian.org/debian/ unstable main
@end example
+The next step is to create/edit your @file{/etc/apt/preferences} file to look
+like this:
-The next step is to create/edit your /etc/apt/preferences file to look like
this:
address@hidden: *
address@hidden
+Package: *
Pin: release a=stable,n=wheezy
Pin-Priority: 700
@@ -848,41 +875,49 @@ Pin: release o=Debian,a=unstable
Pin-Priority: 600
@end example
+You can read more about Apt Preferences here and here. Note that other pinnings
+are likely to also work for GNUnet, the key thing is that you need some
+packages from unstable (as shown below). However, as unstable is unlikely to
+be comprehensive (missing packages) or might be problematic (crashing
packages),
+you probably want others from stable and/or testing.
-You can read more about Apt Preferences here and here. Note that other
pinnings are likely to also work for GNUnet, the key thing is that you need
some packages from unstable (as shown below). However, as unstable is unlikely
to be comprehensive (missing packages) or might be problematic (crashing
packages), you probably want others from stable and/or address@hidden Update
again
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden Update again
address@hidden Update again
Now, run again@
address@hidden@
- # apt-get update@
- # apt-get upgrade@
-}@
- to ensure that all your new distribution indices are downloaded, and that
your pinning is correct: the upgrade step should cause no changes at
address@hidden Installing Packages
address@hidden %**end of header
address@hidden Top
address@hidden
+# apt-get update@
+# apt-get upgrade@
address@hidden example
+to ensure that all your new distribution indices are downloaded, and that your
+pinning is correct: the upgrade step should cause no changes at all.
address@hidden Installing Packages
address@hidden Installing Packages
We begin by installing a few Debian packages from stable:@
+
@code{@
- # apt-get install gcc make python-zbar libltdl-dev libsqlite3-dev
libunistring-dev libopus-dev libpulse-dev openssl libglpk-dev texlive
libidn11-dev libmysqlclient-dev libpq-dev libarchive-dev libbz2-dev
libexiv2-dev libflac-dev libgif-dev libglib2.0-dev libgtk-3-dev libmagic-dev
libjpeg8-dev libmpeg2-4-dev libmp4v2-dev librpm-dev libsmf-dev libtidy-dev
libtiff5-dev libvorbis-dev libogg-dev zlib1g-dev g++ gettext libgsf-1-dev
libunbound-dev libqrencode-dev libgladeui-dev nasm texlive-la [...]
+# apt-get install gcc make python-zbar libltdl-dev libsqlite3-dev
libunistring-dev libopus-dev libpulse-dev openssl libglpk-dev texlive
libidn11-dev libmysqlclient-dev libpq-dev libarchive-dev libbz2-dev
libexiv2-dev libflac-dev libgif-dev libglib2.0-dev libgtk-3-dev libmagic-dev
libjpeg8-dev libmpeg2-4-dev libmp4v2-dev librpm-dev libsmf-dev libtidy-dev
libtiff5-dev libvorbis-dev libogg-dev zlib1g-dev g++ gettext libgsf-1-dev
libunbound-dev libqrencode-dev libgladeui-dev nasm texlive-lat [...]
}@
- After that, we install a few more packages from unstable:@
address@hidden@
- # apt-get install -t unstable nettle-dev libgstreamer1.0-dev
gstreamer1.0-plugins-base gstreamer1.0-plugins-good
libgstreamer-plugins-base1.0-dev@
address@hidden Installing Dependencies from Source
address@hidden %**end of header
address@hidden Top
+After that, we install a few more packages from unstable:@
address@hidden@
+# apt-get install -t unstable nettle-dev libgstreamer1.0-dev
gstreamer1.0-plugins-base gstreamer1.0-plugins-good
libgstreamer-plugins-base1.0-dev@
+}
address@hidden Installing Dependencies from Source
address@hidden Installing Dependencies from Source
+
+Next, we need to install a few dependencies from source. You might want to do
+this as a "normal" user and only run the @code{make install} steps as root
+(hence the @code{sudo} in the commands below). Also, you do this from any
+directory. We begin by downloading all dependencies, then extracting the
+sources, and finally compiling and installing the libraries:@
-Next, we need to install a few dependencies from source. You might want to do
this as a "normal" user and only run the @code{make install} steps as root
(hence the @code{sudo} in the commands below). Also, you do this from any
directory. We begin by downloading all dependencies, then extracting the
sources, and finally compiling and installing the libraries:@
@code{@
$ wget https://libav.org/releases/libav-9.10.tar.xz@
$ wget http://ftp.gnu.org/gnu/libextractor/libextractor-1.3.tar.gz@
@@ -906,63 +941,44 @@ Next, we need to install a few dependencies from source.
You might want to do th
$ cd gnurl-7.34.0@
$ ./configure --enable-ipv6 --with-gnutls=/usr/local --without-libssh2
--without-libmetalink --without-winidn --without-librtmp --without-nghttp2
--without-nss --without-cyassl --without-polarssl --without-ssl
--without-winssl --without-darwinssl --disable-sspi --disable-ntlm-wb
--disable-ldap --disable-rtsp --disable-dict --disable-telnet --disable-tftp
--disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-file
--disable-ftp@
$ make ; sudo make install; cd ..@
address@hidden Installing GNUnet from Source
address@hidden %**end of header
-
address@hidden Top
-
-
-
-For this, simply follow the generic installation instructions from@
address@hidden But wait, there is more!
address@hidden %**end of header
-
address@hidden Top
-
-
-
-So far, we installed all of the packages and dependencies required to ensure
that all of GNUnet would be built. However, while for example the plugins to
interact with the MySQL or Postgres databases have been created, we did not
actually install or configure those databases. Thus, you will need to install
and configure those databases or stick with the default Sqlite database. Sqlite
is usually fine for most applications, but MySQL can offer better performance
and Postgres better resillience.
address@hidden @bullet
-
-
address@hidden
-
-
address@hidden
-Français
address@hidden itemize
address@hidden Installing GNUnet 0.10.1 on Ubuntu 14.04
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden @bullet
+}
address@hidden Installing GNUnet from Source
address@hidden Installing GNUnet from Source
address@hidden
-Matthias Wachs's blog
+For this, simply follow the generic installation instructions from
+here.
address@hidden
address@hidden But wait, there is more!
address@hidden But wait, there is more!
address@hidden itemize
+So far, we installed all of the packages and dependencies required to ensure
+that all of GNUnet would be built. However, while for example the plugins to
+interact with the MySQL or Postgres databases have been created, we did not
+actually install or configure those databases. Thus, you will need to install
+and configure those databases or stick with the default Sqlite database.
+Sqlite is usually fine for most applications, but MySQL can offer better
+performance and Postgres better resillience.
address@hidden Installing GNUnet 0.10.1 on Ubuntu 14.04
address@hidden Installing GNUnet 0.10.1 on Ubuntu 14.04
Install the required dependencies@
+
@code{@
- $ sudo apt-get install libltdl-dev libgpg-error-dev libidn11-dev
libunistring-dev libglpk-dev libbluetooth-dev libextractor-dev
libmicrohttpd-dev libgnutls28-dev@
+$ sudo apt-get install libltdl-dev libgpg-error-dev libidn11-dev
libunistring-dev libglpk-dev libbluetooth-dev libextractor-dev
libmicrohttpd-dev libgnutls28-dev@
}
Choose one or more database backends@
- SQLite3@
+SQLite3@
@code{@
$ sudo apt-get install libsqlite3-dev@
}@
- MySQL@
+MySQL@
@code{@
$ sudo apt-get install libmysqlclient-dev@
}@
- PostgreSQL@
+PostgreSQL@
@code{@
$ sudo apt-get install libpq-dev postgresql@
}
@@ -973,9 +989,9 @@ Install the optional dependencies for gnunet-conversation:@
}
Install the libgrypt 1.6:@
- For Ubuntu 14.04:@
+For Ubuntu 14.04:@
@code{$ sudo apt-get install libgcrypt20-dev}@
- For Ubuntu older 14.04:@
+For Ubuntu older 14.04:@
@code{$ wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.1.tar.bz2@
$ tar xf libgcrypt-1.6.1.tar.bz2@
$ cd libgcrypt-1.6.1@
@@ -1003,21 +1019,19 @@ Install GNUnet@
If you want to:
@itemize @bullet
-
@item
Install to a different directory:@
- --prefix=PREFIX
+ --prefix=PREFIX
@item
Have sudo permission, but do not want to compile as root:@
- --with-sudo
+ --with-sudo
@item
Want debug message enabled:@
- -- enable-logging=verbose
+ -- enable-logging=verbose
@end itemize
-
@code{@
$ ./configure [ --with-sudo | --prefix=PREFIX | --enable-logging=verbose]@
$ make; sudo make install@
@@ -1026,30 +1040,18 @@ Want debug message enabled:@
After installing it, you need to create an empty configuration file:@
@code{touch ~/.config/gnunet.conf}
-And finally you can start GNUnet with@
address@hidden gnunet-arm address@hidden Installing GNUnet from Git on Ubuntu
14.4
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden @bullet
-
-
address@hidden
-Matthias Wachs's blog
-
address@hidden
-
address@hidden itemize
+And finally you can start GNUnet with@
address@hidden gnunet-arm -s}
address@hidden Installing GNUnet from Git on Ubuntu 14.4
address@hidden Installing GNUnet from Git on Ubuntu 14.4
address@hidden the required build tools:@
address@hidden the required build tools:}
@code{@
$ sudo apt-get install git automake autopoint autoconf@
-}}
+}
address@hidden the required dependencies}@
address@hidden the required dependencies}
@code{@
$ sudo apt-get install libltdl-dev libgpg-error-dev libidn11-dev
libunistring-dev libglpk-dev libbluetooth-dev libextractor-dev
libmicrohttpd-dev libgnutls28-dev@
}
@@ -1106,15 +1108,15 @@ If you want to:
@item
Install to a different directory:@
- --prefix=PREFIX
+ --prefix=PREFIX
@item
Have sudo permission, but do not want to compile as root:@
- --with-sudo
+ --with-sudo
@item
Want debug message enabled:@
- -- enable-logging=verbose
+ -- enable-logging=verbose
@end itemize
@@ -1127,49 +1129,66 @@ After installing it, you need to create an empty
configuration file:@
@code{touch ~/.config/gnunet.conf}
And finally you can start GNUnet with@
address@hidden gnunet-arm address@hidden Build instructions for Debian 8
address@hidden %**end of header
-
address@hidden Top
-
-
-
-These are the installation instructions for Debian 8. They were tested using a
fresh Debian 8 AMD64 installation without non-free software (no contrib or
non-free). During installation, I only selected "lxde" for the desktop
environment. Note that the packages and the dependencies that we will install
during this chapter take about 1.5 GB of disk space. Combined with GNUnet and
space for objects during compilation, you should not even attempt this unless
you have about 2.5 GB free after [...]
-
-GNUnet's security model assumes that your @code{/home} directory is encrypted.
Thus, if possible, you should encrypt your entire disk, or at least just your
home partition (or per-user home directory).
-
-Naturally, the exact details of the starting state for your installation
should not matter much. For example, if you selected any of those installation
groups you might simply already have some of the necessary packages installed.
Thus, it is suggested that you simply install the desktop environment of your
choice before beginning with the address@hidden Update
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden gnunet-arm -s}
+
address@hidden Build instructions for Debian 8
address@hidden Build instructions for Debian 8
+
+These are the installation instructions for Debian 8. They were tested using a
+fresh Debian 8 AMD64 installation without non-free software (no contrib or
+non-free). During installation, I only selected "lxde" for the desktop
+environment. Note that the packages and the dependencies that we will install
+during this chapter take about 1.5 GB of disk space. Combined with GNUnet and
+space for objects during compilation, you should not even attempt this unless
+you have about 2.5 GB free after the Debian installation. Using these
+instructions to build a VM image is likely to require a minimum of 4-5 GB for
+the VM (as you will likely also want a desktop manager).
+
+GNUnet's security model assumes that your @code{/home} directory is encrypted.
+Thus, if possible, you should encrypt your entire disk, or at least just your
+home partition (or per-user home directory).
+
+Naturally, the exact details of the starting state for your installation should
+not matter much. For example, if you selected any of those installation groups
+you might simply already have some of the necessary packages installed. Thus,
+it is suggested that you simply install the desktop environment of your choice
+before beginning with the instructions.
+
address@hidden Update
address@hidden Update
After any installation, you should begin by running@
@code{@
# apt-get update@
# apt-get upgrade@
}@
- to ensure that all of your packages are up-to-date. Note that the "#" is used
to indicate that you need to type in this command as "root" (or prefix with
"sudo"), whereas "$" is used to indicate typing in a command as a normal
address@hidden Installing Packages
address@hidden %**end of header
-
address@hidden Top
-
+to ensure that all of your packages are up-to-date. Note that the "#" is used
+to indicate that you need to type in this command as "root" (or prefix with
+"sudo"), whereas "$" is used to indicate typing in a command as a normal
+user.
address@hidden Installing Packages
address@hidden Installing Packages
We begin by installing a few Debian packages from stable:@
@code{@
# apt-get install gcc make python-zbar libltdl-dev libsqlite3-dev
libunistring-dev libopus-dev libpulse-dev openssl libglpk-dev texlive
libidn11-dev libmysqlclient-dev libpq-dev libarchive-dev libbz2-dev libflac-dev
libgif-dev libglib2.0-dev libgtk-3-dev libmpeg2-4-dev libtidy-dev libvorbis-dev
libogg-dev zlib1g-dev g++ gettext libgsf-1-dev libunbound-dev libqrencode-dev
libgladeui-dev nasm texlive-latex-extra libunique-3.0-dev gawk miniupnpc
libfuse-dev libbluetooth-dev gstreamer1.0-pl [...]
address@hidden Installing Dependencies from Source
address@hidden %**end of header
-
address@hidden Top
+}
address@hidden Installing Dependencies from Source
address@hidden Installing Dependencies from Source
+Yes, we said we start with a Debian 8 "stable" system, but because Debian
+linked GnuTLS without support for DANE, we need to compile a few things, in
+addition to GNUnet, still by hand. Yes, you can run GNUnet using the respective
+Debian packages, but then you will not get DANE support.
-Yes, we said we start with a Debian 8 "stable" system, but because Debian
linked GnuTLS without support for DANE, we need to compile a few things, in
addition to GNUnet, still by hand. Yes, you can run GNUnet using the respective
Debian packages, but then you will not get DANE support.
+Next, we need to install a few dependencies from source. You might want to do
+this as a "normal" user and only run the @code{make install} steps as root
+(hence the @code{sudo} in the commands below). Also, you do this from any
+directory. We begin by downloading all dependencies, then extracting the
+sources, and finally compiling and installing the libraries:@
-Next, we need to install a few dependencies from source. You might want to do
this as a "normal" user and only run the @code{make install} steps as root
(hence the @code{sudo} in the commands below). Also, you do this from any
directory. We begin by downloading all dependencies, then extracting the
sources, and finally compiling and installing the libraries:@
@code{@
$ wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.12.tar.xz@
$ wget https://gnunet.org/sites/default/files/gnurl-7.40.0.tar.bz2@
@@ -1179,57 +1198,42 @@ Next, we need to install a few dependencies from
source. You might want to do th
$ cd gnurl-7.40.0@
$ ./configure --enable-ipv6 --with-gnutls=/usr/local --without-libssh2
--without-libmetalink --without-winidn --without-librtmp --without-nghttp2
--without-nss --without-cyassl --without-polarssl --without-ssl
--without-winssl --without-darwinssl --disable-sspi --disable-ntlm-wb
--disable-ldap --disable-rtsp --disable-dict --disable-telnet --disable-tftp
--disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-file
--disable-ftp --disable-smb@
$ make ; sudo make install; cd ..@
address@hidden Installing GNUnet from Source
address@hidden %**end of header
-
address@hidden Top
-
+}
address@hidden Installing GNUnet from Source
address@hidden Installing GNUnet from Source
For this, simply follow the generic installation instructions from@
address@hidden But wait, there is more!
address@hidden %**end of header
-
address@hidden Top
-
+here.
address@hidden But wait, there is more!
address@hidden But wait, there is more!
-So far, we installed all of the packages and dependencies required to ensure
that all of GNUnet would be built. However, while for example the plugins to
interact with the MySQL or Postgres databases have been created, we did not
actually install or configure those databases. Thus, you will need to install
and configure those databases or stick with the default Sqlite database. Sqlite
is usually fine for most applications, but MySQL can offer better performance
and Postgres better resillience.
address@hidden @bullet
-
-
address@hidden
-
address@hidden itemize
address@hidden Outdated build instructions for previous revisions
address@hidden %**end of header
-
address@hidden Top
-
-
-
-This chapter contains a collection of outdated, older installation guides.
They are mostly intended to serve as a starting point for writing up-to-date
instructions and should not be expected to work for GNUnet 0.10.x.
address@hidden @bullet
-
-
address@hidden
+So far, we installed all of the packages and dependencies required to ensure
+that all of GNUnet would be built. However, while for example the plugins to
+interact with the MySQL or Postgres databases have been created, we did not
+actually install or configure those databases. Thus, you will need to install
+and configure those databases or stick with the default Sqlite database. Sqlite
+is usually fine for most applications, but MySQL can offer better performance
+and Postgres better resillience.
address@hidden itemize
address@hidden Build instructions for Debian 5.0 using Subversion
address@hidden %**end of header
-
address@hidden Top
address@hidden Outdated build instructions for previous revisions
address@hidden Outdated build instructions for previous revisions
address@hidden This documentation may be outdated!
address@hidden %**end of header
-
address@hidden Top
+This chapter contains a collection of outdated, older installation guides. They
+are mostly intended to serve as a starting point for writing up-to-date
+instructions and should not be expected to work for GNUnet 0.10.x.
address@hidden Build instructions for Debian 5.0 using Subversion
address@hidden Build instructions for Debian 5.0 using Subversion
+This documentation may be outdated!
First, make sure Subversion is installed on your system:
address@hidden sudo apt-get install subversion
address@hidden
+$ sudo apt-get install subversion
@end example
+
@settitle Installing libextractor from subversion
@c %**end of header
@@ -1402,15 +1406,25 @@ First, make sure Subversion is installed on your
system:@
@code{@
$ svn checkout https://gnunet.org/svn/gnunet/@
}@
- Following, install all the dependencies which should be installed before the
installation of GNUnet. Now install
@uref{http://www.gnu.org/software/libextractor/, GNU libextractor 0.6.x}. If
your distribution includes an recent version of GNU libextractor, you can use
the version from your distribution.
+Following, install all the dependencies which should be installed before the
+installation of GNUnet. Now install
address@hidden://www.gnu.org/software/libextractor/, GNU libextractor 0.6.x}. If
+your distribution includes an recent version of GNU libextractor, you can use
+the version from your distribution.
- You can use following three commands to install all the other dependencies,
for example:@
+You can use following three commands to install all the other dependencies, for
+example:@
@code{@
# apt-get install libltdl7-dev automake autoconf libtool make gcc@
# apt-get install libmicrohttpd-dev libgcrypt11-dev libgmp3-dev
libcurl4-gnutls-dev cvs libunistring-dev@
# apt-get install libmysqlclient15-dev libsqlite3-dev libpq-dev@
}@
- The first command installs the required compiler tools. The second one the
various dependencies and finally the last line adds (optional) database
libraries. For testing, you will additionally need to install and configure the
respective database servers (except for sqLite, which does not need one). Once
all the dependencies needed are installed, you can just run the bootstrap file:@
+The first command installs the required compiler tools. The second one the
+various dependencies and finally the last line adds (optional) database
+libraries. For testing, you will additionally need to install and configure the
+respective database servers (except for sqLite, which does not need one). Once
+all the dependencies needed are installed, you can just run the bootstrap
+file:@
@code{@
$ ./bootstrap@
}@
@@ -1418,45 +1432,31 @@ First, make sure Subversion is installed on your
system:@
@code{@
$ ./configure --prefix=/home/username --with-extractor=/home/username
--enable-coverage@
}@
- After it you can run the @code{coverage.sh} shell script from the
@code{contrib/} directory to compute information about test coverage:@
+After it you can run the @code{coverage.sh} shell script from the
address@hidden/} directory to compute information about test coverage:@
@code{@
$ contrib/coverage.sh@
}@
- At last you can open the HTML file @code{index.html} that was created under
the @code{doc/coverage/} directory to check the current test coverage for all
tested files. For example, using @code{firefox} as the browser:@
+At last you can open the HTML file @code{index.html} that was created under the
address@hidden/coverage/} directory to check the current test coverage for all
+tested files. For example, using @code{firefox} as the browser:@
@code{@
- $ firefox doc/coverage/index.html &@
+$ firefox doc/coverage/index.html &@
}@
- Note that, before next time you run the @code{coverage.sh}, you should delete
all the @code{.gcda} files under the directory @code{../../src/util}, simply by@
+Note that, before next time you run the @code{coverage.sh}, you should delete
+all the @code{.gcda} files under the directory @code{../../src/util}, simply
+by@
@code{@
$ rm -f `find -name "*.gcda"`@
}@
- afterwards, be sure all the old compiled files under @code{../../gnunet}
should also be cleaned,@
+afterwards, be sure all the old compiled files under @code{../../gnunet} should
+also be cleaned,@
@code{@
$ make clean@
}@
- then, you can calculate coverage again.
address@hidden @bullet
-
-
address@hidden
-
+then, you can calculate coverage again.
address@hidden
-Español
address@hidden itemize
@settitle Build instructions for FreeBSD 8
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden @bullet
-
-
address@hidden
-Español
address@hidden itemize
-
To get GNUnet 0.9 to compile on FreeBSD (at least FreeBSD 8.0):@
in order to install the library @code{libiconv}, at first change the
directory to your ports directory, e.g.@
@@ -3252,7 +3252,8 @@ The server plugin supports reverse proxies, so a external
hostname can be set us
@item
transport-wlan
-There is a special article how to setup the WLAN plugin, so here only the
settings. Just specify the interface to use:@
+There is a special article how to setup the WLAN plugin, so here only the
+settings. Just specify the interface to use:@
@code{@
[transport-wlan]@
# Name of the interface in monitor mode (typically monX)@
@@ -3289,7 +3290,13 @@ Français
-The wlan transport plugin enables GNUnet to send and to receive data on a wlan
interface. It has not to be connected to a wlan network as long as sender and
receiver are on the same channel. This enables you to get connection to the
GNUnet where no internet access is possible, for example while catastrophes or
when censorship cuts you off the address@hidden Requirements
+The wlan transport plugin enables GNUnet to send and to receive data on a wlan
+interface. It has not to be connected to a wlan network as long as sender and
+receiver are on the same channel. This enables you to get connection to the
+GNUnet where no internet access is possible, for example while catastrophes or
+when censorship cuts you off the internet.
+
address@hidden Requirements
@c %**end of header
@node Top
@@ -3314,24 +3321,26 @@ Wlantools to create the a monitor interface, tested
with airmon-ng of the aircra
-There are the following options for the wlan plugin (they should be like this
in your default config file, you only need to adjust them if the values are
incorrect for your system)@
+There are the following options for the wlan plugin (they should be like this
+in your default config file, you only need to adjust them if the values are
+incorrect for your system)@
@code{@
- # section for the wlan transport plugin@
- [transport-wlan]@
- # interface to use, more information in the âBefore starting GNUnetâ
section@
- INTERFACE = mon0@
- # testmode for developers:@
- # 0 use wlan interface,@
- #1 or 2 use loopback driver for tests 1 = server, 2 = client@
- TESTMODE = 0@
address@hidden Before starting GNUnet
address@hidden %**end of header
-
address@hidden Top
-
+# section for the wlan transport plugin@
+[transport-wlan]@
+# interface to use, more information in the
+# "Before starting GNUnet" section of the handbook.
+INTERFACE = mon0@
+# testmode for developers:@
+# 0 use wlan interface,@
+#1 or 2 use loopback driver for tests 1 = server, 2 = client@
+TESTMODE = 0@
+}
address@hidden Before starting GNUnet
-Before starting GNUnet, you have to make sure that your wlan interface is in
monitor mode. One way to put the wlan interface into monitor mode (if your
interface name is wlan0) is by executing:@
+Before starting GNUnet, you have to make sure that your wlan interface is in
+monitor mode. One way to put the wlan interface into monitor mode (if your
+interface name is wlan0) is by executing:@
@code{@
sudo airmon-ng start wlan0@
}
@@ -3342,16 +3351,25 @@ Here is an example what the result should look like:@
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]@
(monitor mode enabled on mon0)@
}@
- The monitor interface is mon0 is the one that you have to put into the
configuration address@hidden Limitations â know bugs
+The monitor interface is mon0 is the one that you have to put into the
+configuration file.
+
address@hidden Limitations and known bugs
@c %**end of header
@node Top
-Wlan speed is at the maximum of 1 Mbit/s because support for choosing the wlan
speed with packet injection was removed in newer kernels. Please pester the
kernel developers about fixing this.
+Wlan speed is at the maximum of 1 Mbit/s because support for choosing the wlan
+speed with packet injection was removed in newer kernels. Please pester the
+kernel developers about fixing this.
-The interface channel depends on the wlan network that the card is connected
to. If no connection has been made since the start of the computer, it is
usually the first channel of the card. Peers will only find each other and
communicate if they are on the same channel. Channels must be set manually
(i.e. using @code{iwconfig wlan0 channel 1}).
+The interface channel depends on the wlan network that the card is connected
+to. If no connection has been made since the start of the computer, it is
+usually the first channel of the card. Peers will only find each other and
+communicate if they are on the same channel. Channels must be set manually
+(i.e. using @code{iwconfig wlan0 channel 1}).
@itemize @bullet
@@ -3371,9 +3389,13 @@ Français
-The HTTP plugin supports data transfer using reverse proxies. A reverse proxy
forwards the HTTP request he receives with a certain URL to another webserver,
here a GNUnet peer.
+The HTTP plugin supports data transfer using reverse proxies. A reverse proxy
+forwards the HTTP request he receives with a certain URL to another webserver,
+here a GNUnet peer.
-So if you have a running Apache or nginx webserver you can configure it to be
a GNUnet reverse proxy. Especially if you have a well-known webiste this
improves censorship resistance since it looks as normal surfing behaviour.
+So if you have a running Apache or nginx webserver you can configure it to be a
+GNUnet reverse proxy. Especially if you have a well-known webiste this improves
+censorship resistance since it looks as normal surfing behaviour.
To do so, you have to do two things:
@itemize @bullet
@@ -3425,9 +3447,12 @@ In the respective @code{server config},@code{virtual
host} or @code{directory} s
@strong{Configure your Apache2 HTTPS webserver}
-We assume that you already have an HTTPS server running, if not please check
how to configure a HTTPS host. An easy to use example is the
"apache2/sites-available/default-ssl" example configuration file.
+We assume that you already have an HTTPS server running, if not please check
+how to configure a HTTPS host. An easy to use example is the
+"apache2/sites-available/default-ssl" example configuration file.
-In the respective HTTPS @code{server config},@code{virtual host} or
@code{directory} section add the following lines:@
+In the respective HTTPS @code{server config},@code{virtual host} or
address@hidden section add the following lines:@
@code{@
SSLProxyEngine On@
ProxyTimeout 300@
@@ -3472,7 +3497,8 @@ In the @code{server} section add:@
@strong{Configure your nginx HTTPS webserver}
-Edit your webserver configuration. Edit @code{/etc/nginx/nginx.conf} or the
site-specific configuration file.
+Edit your webserver configuration. Edit @code{/etc/nginx/nginx.conf} or the
+site-specific configuration file.
In the @code{server} section add:@
@code{@
@@ -3505,15 +3531,7 @@ To have your GNUnet peer announce the address, you have
to specify the
}
Now restart your webserver and your peer...
address@hidden @bullet
-
-
address@hidden
-
address@hidden
-Français
address@hidden itemize
@settitle Blacklisting peers
@c %**end of header
@@ -3521,14 +3539,15 @@ Français
-Transport service supports to deny connecting to a specific peer of to a
specific peer with a specific transport plugin using te blacklisting component
of transport service. With@
- blacklisting it is possible to deny connections to specific peers of@
- to use a specific plugin to a specific peer. Peers can be blacklisted using@
- the configuration or a blacklist client can be asked.
+Transport service supports to deny connecting to a specific peer of to a
+specific peer with a specific transport plugin using te blacklisting component
+of transport service. With@ blacklisting it is possible to deny connections to
+specific peers of@ to use a specific plugin to a specific peer. Peers can be
+blacklisted using@ the configuration or a blacklist client can be asked.
To blacklist peers using the configuration you have to add a section to your@
- configuration containing the peer id of the peer to blacklist and the plugin@
- if required.
+configuration containing the peer id of the peer to blacklist and the plugin@
+if required.
Example:@
To blacklist connections to P565... on peer AG2P... using tcp add:@
@@ -3547,53 +3566,56 @@ You can also add a blacklist client usign the blacklist
api. On a blacklist@
if not, it asks the blacklisting clients. Clients are asked if it is OK to@
connect to a peer ID, the plugin is omitted.
-On blacklist check for (peer, plugin)@
- - Do we have a local blacklist entry for this peer and this plugin?@
- - YES: disallow connection@
- - Do we have a local blacklist entry for this peer and all plugins?@
- - YES: disallow connection@
- - Does one of the clients disallow?@
- - YES: disallow connection
+On blacklist check for (peer, plugin)
@itemize @bullet
-
-
address@hidden
-
-
address@hidden
-Français
address@hidden Do we have a local blacklist entry for this peer and this
plugin?@
address@hidden YES: disallow connection@
address@hidden Do we have a local blacklist entry for this peer and all
plugins?@
address@hidden YES: disallow connection@
address@hidden Does one of the clients disallow?@
address@hidden YES: disallow connection
@end itemize
address@hidden Configuration of the HTTP and HTTPS transport plugins
address@hidden %**end of header
-
address@hidden Top
-
address@hidden Configuration of the HTTP and HTTPS transport plugins
-The client part of the http and https transport plugins can be configured to
use a proxy to connect to the hostlist server. This functionality can be
configured in the configuration file directly or using the gnunet-setup tool.
-
-The both the HTTP and HTTPS clients support the following proxy types at the
moment:
+The client part of the http and https transport plugins can be configured to
+use a proxy to connect to the hostlist server. This functionality can be
+configured in the configuration file directly or using the gnunet-setup tool.
- HTTP 1.1 proxy@
- SOCKS 4/4a/5/5 with hostname
+The both the HTTP and HTTPS clients support the following proxy types at the
+moment:
-In addition authentication at the proxy with username and password can be
configured.
address@hidden @bullet
address@hidden HTTP 1.1 proxy
address@hidden SOCKS 4/4a/5/5 with hostname
address@hidden itemize
-To configure proxy support for the clients in the gnunet-setup tool, select
the "transport" tab and activate the respective plugin. Now you can select the
appropriate proxy type. The hostname or IP address (including port if required)
has to be entered in the "Proxy hostname" textbox. If required, enter username
and password in the "Proxy username" and "Proxy password" boxes. Be aware that
these information will be stored in the configuration in plain text.
+In addition authentication at the proxy with username and password can be
+configured.
-To configure these options directly in the configuration, you can configure
the following settings in the [transport-http_client] and
[transport-https_client] section of the configuration:
+To configure proxy support for the clients in the gnunet-setup tool, select the
+"transport" tab and activate the respective plugin. Now you can select the
+appropriate proxy type. The hostname or IP address (including port if required)
+has to be entered in the "Proxy hostname" textbox. If required, enter username
+and password in the "Proxy username" and "Proxy password" boxes. Be aware that
+these information will be stored in the configuration in plain text.
+To configure these options directly in the configuration, you can configure the
+following settings in the [transport-http_client] and [transport-https_client]
+section of the configuration:
address@hidden
# Type of proxy server,@
- # Valid values: HTTP, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME@
- # Default: HTTP@
- # PROXY_TYPE = HTTP
+# Valid values: HTTP, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME@
+# Default: HTTP@
+# PROXY_TYPE = HTTP
# Hostname or IP of proxy server@
- # PROXY =@
- # User name for proxy server@
- # PROXY_USERNAME =@
- # User password for proxy server@
- # PROXY_PASSWORD =
+# PROXY =@
+# User name for proxy server@
+# PROXY_USERNAME =@
+# User password for proxy server@
+# PROXY_PASSWORD =
address@hidden example
@itemize @bullet
@@ -3607,22 +3629,27 @@ To configure these options directly in the
configuration, you can configure the
-Before you install GNUnet, make sure you have a user and group 'gnunet' as
well as an empty group 'gnunetdns'.
-
-When using GNUnet with system-wide DNS interception, it is absolutely
necessary for all GNUnet service processes to be started by
@code{gnunet-service-arm} as user and group 'gnunet'. You also need to be sure
to run @code{make install} as root (or use the @code{sudo} option to configure)
to grant GNUnet sufficient privileges.
-
-With this setup, all that is required for enabling system-wide DNS
interception is for some GNUnet component (VPN or GNS) to request it. The
@code{gnunet-service-dns} will then start helper programs that will make the
necessary changes to your firewall (@code{iptables}) rules.
-
-Note that this will NOT work if your system sends out DNS traffic to a
link-local IPv6 address, as in this case GNUnet can intercept the traffic, but
not inject the responses from the link-local IPv6 address. Hence you cannot use
system-wide DNS interception in conjunction with link-local IPv6-based DNS
servers. If such a DNS server is used, it will bypass GNUnet's DNS traffic
interception.
address@hidden @bullet
+Before you install GNUnet, make sure you have a user and group 'gnunet' as well
+as an empty group 'gnunetdns'.
+When using GNUnet with system-wide DNS interception, it is absolutely necessary
+for all GNUnet service processes to be started by @code{gnunet-service-arm} as
+user and group 'gnunet'. You also need to be sure to run @code{make install} as
+root (or use the @code{sudo} option to configure) to grant GNUnet sufficient
+privileges.
address@hidden
+With this setup, all that is required for enabling system-wide DNS interception
+is for some GNUnet component (VPN or GNS) to request it. The
address@hidden will then start helper programs that will make the
+necessary changes to your firewall (@code{iptables}) rules.
+Note that this will NOT work if your system sends out DNS traffic to a
+link-local IPv6 address, as in this case GNUnet can intercept the traffic, but
+not inject the responses from the link-local IPv6 address. Hence you cannot use
+system-wide DNS interception in conjunction with link-local IPv6-based DNS
+servers. If such a DNS server is used, it will bypass GNUnet's DNS traffic
+interception.
address@hidden
-Français
address@hidden itemize
@settitle Configuring the GNU Name System
@c %**end of header
@@ -3630,41 +3657,56 @@ Français
-Using the GNU Name System (GNS) requires two different configuration steps.
First of all, GNS needs to be integrated with the operating system. Most of
this section is about the operating system level integration.
+Using the GNU Name System (GNS) requires two different configuration steps.
+First of all, GNS needs to be integrated with the operating system. Most of
+this section is about the operating system level integration.
-Additionally, each individual user who wants to use the system must also
initialize his GNS zones. This can be done by running (after starting GNUnet)@
+Additionally, each individual user who wants to use the system must also
+initialize his GNS zones. This can be done by running (after starting GNUnet)@
@code{@
$ gnunet-gns-import.sh@
}@
- after the local GNUnet peer has been started. Note that the namestore (in
particular the namestore database backend) should not be reconfigured
afterwards (as records are not automatically migrated between backends).
+after the local GNUnet peer has been started. Note that the namestore (in
+particular the namestore database backend) should not be reconfigured
+afterwards (as records are not automatically migrated between backends).
-The remainder of this chapter will detail the various methods for configuring
the use of GNS with your operating system.
+The remainder of this chapter will detail the various methods for configuring
+the use of GNS with your operating system.
At this point in time you have different options depending on your OS:
@table @asis
address@hidden Use the gnunet-gns-proxy
-This approach works for all operating systems and is likely the easiest.
However, it enables GNS only for browsers, not for other applications that
might be using DNS, such as SSH. Still, using the proxy is required for using
HTTP with GNS and is thus recommended for all users. To do this, you simply
have to run the @code{gnunet-gns-proxy-setup-ca} script as the user who will
run the browser (this will create a GNS certificate authority (CA) on your
system and import its key into your br [...]
address@hidden Use a nsswitch plugin (recommended on GNU systems)
-This approach has the advantage of offering fully personalized resolution even
on multi-user systems. A potential disadvantage is that some applications might
be able to bypass GNS.
address@hidden Use a W32 resolver plugin (recommended on W32)
-This is currently the only option on W32 systems.
address@hidden Use system-wide DNS packet interception
-This approach is recommended for the GNUnet VPN. It can be used to handle GNS
at the same time; however, if you only use this method, you will only get one
root zone per machine (not so great for multi-user systems).
address@hidden
+Use the gnunet-gns-proxy This approach works for all operating systems
+and is likely the easiest. However, it enables GNS only for browsers, not for
+other applications that might be using DNS, such as SSH. Still, using the proxy
+is required for using HTTP with GNS and is thus recommended for all users. To
+do this, you simply have to run the @code{gnunet-gns-proxy-setup-ca} script as
+the user who will run the browser (this will create a GNS certificate authority
+(CA) on your system and import its key into your browser), then start
address@hidden and inform your browser to use the Socks5 proxy which
address@hidden makes available by default on port 7777.
address@hidden
+Use a
+nsswitch plugin (recommended on GNU systems) This approach has the advantage of
+offering fully personalized resolution even on multi-user systems. A potential
+disadvantage is that some applications might be able to bypass GNS.
address@hidden
+Use
+a W32 resolver plugin (recommended on W32) This is currently the only option on
+W32 systems.
address@hidden
+Use system-wide DNS packet interception This approach is
+recommended for the GNUnet VPN. It can be used to handle GNS at the same time;
+however, if you only use this method, you will only get one root zone per
+machine (not so great for multi-user systems).
@end table
You can combine system-wide DNS packet interception with the nsswitch plugin.@
- The setup of the system-wide DNS interception is described here. All of the
other GNS-specific configuration steps are described in the following sections.
address@hidden @bullet
+The setup of the system-wide DNS interception is described here. All of the
+other GNS-specific configuration steps are described in the following sections.
-
address@hidden
-
-
address@hidden
-Français
address@hidden itemize
@settitle Configuring the GNS nsswitch plugin
@c %**end of header
@@ -3672,33 +3714,43 @@ Français
-The Name Service Switch (NSS) is a facility in Unix-like operating systems
that provides a variety of sources for common configuration databases and name
resolution mechanisms. A system administrator usually configures the operating
system's name services using the file /etc/nsswitch.conf.
+The Name Service Switch (NSS) is a facility in Unix-like operating systems that
+provides a variety of sources for common configuration databases and name
+resolution mechanisms. A system administrator usually configures the operating
+system's name services using the file /etc/nsswitch.conf.
-GNS provides a NSS plugin to integrate GNS name resolution with the operating
system's name resolution process. To use the GNS NSS plugin you have to either
+GNS provides a NSS plugin to integrate GNS name resolution with the operating
+system's name resolution process. To use the GNS NSS plugin you have to either
@itemize @bullet
@item
-install GNUnet as root or
+install GNUnet as root or
@item
- compile GNUnet with the @code{--with-sudo=yes} switch.
+compile GNUnet with the @code{--with-sudo=yes} switch.
@end itemize
-Name resolution is controlled by the @emph{hosts} section in the NSS
configuration. By default this section first performs a lookup in the
/etc/hosts file and then in DNS. The nsswitch file should contain a line
similar to:@
+Name resolution is controlled by the @emph{hosts} section in the NSS
+configuration. By default this section first performs a lookup in the
+/etc/hosts file and then in DNS. The nsswitch file should contain a line
+similar to:@
@code{@
hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4@
}
-Here the GNS NSS plugin can be added to perform a GNS lookup before performing
a DNS lookup. The GNS NSS plugin has to be added to the "hosts" section in
/etc/nsswitch.conf file before DNS related plugins:@
+Here the GNS NSS plugin can be added to perform a GNS lookup before performing
+a DNS lookup. The GNS NSS plugin has to be added to the "hosts" section in
+/etc/nsswitch.conf file before DNS related plugins:@
@code{@
...@
hosts: files gns [NOTFOUND=return] dns mdns4_minimal mdns4@
...@
}
-The @code{NOTFOUND=return} will ensure that if a @code{.gnu} name is not found
in GNS it will not be queried in DNS.
+The @code{NOTFOUND=return} will ensure that if a @code{.gnu} name is not found
+in GNS it will not be queried in DNS.
@itemize @bullet
@@ -3715,76 +3767,91 @@ Français
-This document is a guide to configuring GNU Name System on W32-compatible
platforms.
+This document is a guide to configuring GNU Name System on W32-compatible
+platforms.
After GNUnet is installed, run the w32nsp-install tool:
@examplew32nsp-install.exe address@hidden example
- ('0' is the library version of W32 NSP; it might increase in the future,
change the invocation accordingly).
+ ('0' is the library version of W32 NSP; it might increase in the future,
+ change the invocation accordingly).
-This will install GNS namespace provider into the system and allow other
applications to resolve names that end in '@strong{gnu}' and '@strong{zkey}'.
Note that namespace provider requires gnunet-gns-helper-service-w32 to be
running, as well as gns service itself (and its usual dependencies).
+This will install GNS namespace provider into the system and allow other
+applications to resolve names that end in '@strong{gnu}' and '@strong{zkey}'.
+Note that namespace provider requires gnunet-gns-helper-service-w32 to be
+running, as well as gns service itself (and its usual dependencies).
-Namespace provider is hardcoded to connect to @strong{127.0.0.1:5353}, and
this is where gnunet-gns-helper-service-w32 should be listening to (and is
configured to listen to by default).
+Namespace provider is hardcoded to connect to @strong{127.0.0.1:5353}, and this
+is where gnunet-gns-helper-service-w32 should be listening to (and is
+configured to listen to by default).
To uninstall the provider, run:
@address@hidden example
- (uses provider GUID to uninstall it, does not need a dll name).
-
-Note that while MSDN claims that other applications will only be able to use
the new namespace provider after re-starting, in reality they might stat to use
it without that. Conversely, they might stop using the provider after it's been
uninstalled, even if they were not re-started. W32 will not permit namespace
provider library to be deleted or overwritten while the provider is installed,
and while there is at least one process still using it (even after it was
uninstalled).
address@hidden @bullet
-
-
address@hidden
+(uses provider GUID to uninstall it, does not need a dll name).
+Note that while MSDN claims that other applications will only be able to use
+the new namespace provider after re-starting, in reality they might stat to use
+it without that. Conversely, they might stop using the provider after it's been
+uninstalled, even if they were not re-started. W32 will not permit namespace
+provider library to be deleted or overwritten while the provider is installed,
+and while there is at least one process still using it (even after it was
+uninstalled).
address@hidden
-Français
address@hidden itemize
@settitle GNS Proxy Setup
address@hidden %**end of header
address@hidden Top
-
-
-
-When using the GNU Name System (GNS) to browse the WWW, there are several
issues that can be solved by adding the GNS Proxy to your setup:
+When using the GNU Name System (GNS) to browse the WWW, there are several
+issues that can be solved by adding the GNS Proxy to your setup:
@itemize @bullet
address@hidden
-If the target website does not support GNS, it might assume that it is
operating under some name in the legacy DNS system (such as example.com). It
may then attempt to set cookies for that domain, and the web server might
expect a @code{Host: example.com} header in the request from your browser.
However, your browser might be using @code{example.gnu} for the @code{Host}
header and might only accept (and send) cookies for @code{example.gnu}. The GNS
Proxy will perform the necessary transl [...]
-
address@hidden
-If using HTTPS, the target site might include an SSL certificate which is
either only valid for the LEHO domain or might match a TLSA record in GNS.
However, your browser would expect a valid certificate for @code{example.gnu},
not for some legacy domain name. The proxy will validate the certificate
(either against LEHO or TLSA) and then on-the-fly produce a valid certificate
for the exchange, signed by your own CA. Assuming you installed the CA of your
proxy in your browser's certificat [...]
-
address@hidden
-Finally, the proxy will in the future indicate to the server that it speaks
GNS, which will enable server operators to deliver GNS-enabled web sites to
your browser (and continue to deliver legacy links to legacy browsers)
address@hidden If the target website does not support GNS, it might assume that
it is
+operating under some name in the legacy DNS system (such as example.com). It
+may then attempt to set cookies for that domain, and the web server might
+expect a @code{Host: example.com} header in the request from your browser.
+However, your browser might be using @code{example.gnu} for the @code{Host}
+header and might only accept (and send) cookies for @code{example.gnu}. The GNS
+Proxy will perform the necessary translations of the hostnames for cookies and
+HTTP headers (using the LEHO record for the target domain as the desired
+substitute).
+
address@hidden If using HTTPS, the target site might include an SSL certificate
which is
+either only valid for the LEHO domain or might match a TLSA record in GNS.
+However, your browser would expect a valid certificate for @code{example.gnu},
+not for some legacy domain name. The proxy will validate the certificate
+(either against LEHO or TLSA) and then on-the-fly produce a valid certificate
+for the exchange, signed by your own CA. Assuming you installed the CA of your
+proxy in your browser's certificate authority list, your browser will then
+trust the HTTPS/SSL/TLS connection, as the hostname mismatch is hidden by the
+proxy.
+
address@hidden Finally, the proxy will in the future indicate to the server
that it
+speaks GNS, which will enable server operators to deliver GNS-enabled web sites
+to your browser (and continue to deliver legacy links to legacy browsers)
@end itemize
address@hidden Setup
address@hidden %**end of header
-
address@hidden Top
-
address@hidden Setup
-First you need to create a CA certificate that the proxy can use. To do so use
the provided script gnunet-gns-proxy-ca:@
+First you need to create a CA certificate that the proxy can use. To do so use
+the provided script gnunet-gns-proxy-ca:@
@code{@
$ gnunet-gns-proxy-setup-ca@
}
-This will create a personal certification authority for you and add this
authority to the firefox and chrome database. The proxy will use the this CA
certificate to generate @code{*.gnu} client certificates on the fly.
-
-Note that the proxy uses libcurl. Make sure your version of libcurl uses
GnuTLS and NOT OpenSSL. The proxy will not work with libcurl compiled against
address@hidden Testing
address@hidden %**end of header
-
address@hidden Top
+This will create a personal certification authority for you and add this
+authority to the firefox and chrome database. The proxy will use the this CA
+certificate to generate @code{*.gnu} client certificates on the fly.
+Note that the proxy uses libcurl. Make sure your version of libcurl uses GnuTLS
+and NOT OpenSSL. The proxy will not work with libcurl compiled against
+OpenSSL.
address@hidden Testing
-Now for testing purposes we can create some records in our zone to test the
SSL functionality of the proxy:@
+Now for testing purposes we can create some records in our zone to test the SSL
+functionality of the proxy:@
@code{@
$ gnunet-namestore -a -e "1 d" -n "homepage" -t A -V 131.159.74.67@
$ gnunet-namestore -a -e "1 d" -n "homepage" -t LEHO -V "gnunet.org"@
@@ -3795,20 +3862,16 @@ At this point we can start the proxy. Simply execute@
$ gnunet-gns-proxy@
}
-Configure your browser to use this SOCKSv5 proxy on port 7777 and visit this
link.@
- If you use firefox you also have to go to about:config and set the key
@code{network.proxy.socks_remote_dns} to @code{true}.
-
-When you visit @code{https://homepage.gnu/}, you should get to the
@code{https://gnunet.org/} frontpage and the browser (with the correctly
configured proxy) should give you a valid SSL certificate for
@code{homepage.gnu} and no warnings. It should look like this@
+Configure your browser to use this SOCKSv5 proxy on port 7777 and visit this
+link.@ If you use firefox you also have to go to about:config and set the key
address@hidden to @code{true}.
address@hidden @bullet
-
-
address@hidden
+When you visit @code{https://homepage.gnu/}, you should get to the
address@hidden://gnunet.org/} frontpage and the browser (with the correctly
+configured proxy) should give you a valid SSL certificate for
address@hidden and no warnings. It should look like this@
address@hidden
-Français
address@hidden itemize
@table @asis
@@ -3826,128 +3889,142 @@ Size
-This page describes a possible option for 'automatic name shortening', which
you can choose to enable with the GNU Name System.
-
-When GNS encounters a name for the first time, it can use the 'NICK' record of
the originating zone to automatically generate a name for the zone. If
automatic shortening is enabled, those auto-generated names will be placed (as
private records) into your personal 'shorten' zone (to prevent confusion with
manually selected names). Then, in the future, if the same name is encountered
again, GNS will display the shortened name instead (the first time, the long
name will still be used as sh [...]
address@hidden @bullet
-
-
address@hidden
+This page describes a possible option for 'automatic name shortening', which
+you can choose to enable with the GNU Name System.
+When GNS encounters a name for the first time, it can use the 'NICK' record of
+the originating zone to automatically generate a name for the zone. If
+automatic shortening is enabled, those auto-generated names will be placed (as
+private records) into your personal 'shorten' zone (to prevent confusion with
+manually selected names). Then, in the future, if the same name is encountered
+again, GNS will display the shortened name instead (the first time, the long
+name will still be used as shortening typically happens asynchronously as
+looking up the 'NICK' record takes some time). Using this feature can be a
+convenient way to avoid very long @code{.gnu} names; however, note that names
+from the shorten-zone are assigned on a first-come-first-serve basis and should
+not be trusted. Furthermore, if you enable this feature, you will no longer see
+the full delegation chain for zones once shortening has been applied.
address@hidden
-Français
address@hidden itemize
@settitle Configuring the GNUnet VPN
address@hidden %**end of header
-
address@hidden Top
-
-
address@hidden @bullet
-
-
address@hidden
-
-
address@hidden
-Español
-
address@hidden
-Français
address@hidden itemize
-Before configuring the GNUnet VPN, please make sure that system-wide DNS
interception is configured properly as described in the section on the GNUnet
DNS setup.
+Before configuring the GNUnet VPN, please make sure that system-wide DNS
+interception is configured properly as described in the section on the GNUnet
+DNS setup.
-The default-options for the GNUnet VPN are usually sufficient to use GNUnet as
a Layer 2 for your Internet connection. However, what you always have to
specify is which IP protocol you want to tunnel: IPv4, IPv6 or both.
Furthermore, if you tunnel both, you most likely should also tunnel all of your
DNS requests. You theoretically can tunnel "only" your DNS traffic, but that
usually makes little sense.
+The default-options for the GNUnet VPN are usually sufficient to use GNUnet as
+a Layer 2 for your Internet connection. However, what you always have to
+specify is which IP protocol you want to tunnel: IPv4, IPv6 or both.
+Furthermore, if you tunnel both, you most likely should also tunnel all of your
+DNS requests. You theoretically can tunnel "only" your DNS traffic, but that
+usually makes little sense.
-The other options as shown on the gnunet-setup tool are:@settitle IPv4 address
for interface
+The other options as shown on the gnunet-setup tool are:
address@hidden IPv4 address for interface
@c %**end of header
@node Top
-This is the IPv4 address the VPN interface will get. You should pick an
'private' IPv4 network that is not yet in use for you system. For example, if
you use 10.0.0.1/255.255.0.0 already, you might use 10.1.0.1/255.255.0.0. If
you use 10.0.0.1/255.0.0.0 already, then you might use 192.168.0.1/255.255.0.0.
If your system is not in a private IP-network, using any of the above will work
fine.@
- You should try to make the mask of the address big enough (255.255.0.0 or,
even better, 255.0.0.0) to allow more mappings of remote IP Addresses into this
range. However, even a 255.255.255.0-mask will suffice for most address@hidden
IPv6 address for interface
address@hidden %**end of header
-
address@hidden Top
-
-
+This is the IPv4 address the VPN interface will get. You should pick an
+'private' IPv4 network that is not yet in use for you system. For example, if
+you use 10.0.0.1/255.255.0.0 already, you might use 10.1.0.1/255.255.0.0. If
+you use 10.0.0.1/255.0.0.0 already, then you might use 192.168.0.1/255.255.0.0.
+If your system is not in a private IP-network, using any of the above will work
+fine.@ You should try to make the mask of the address big enough (255.255.0.0
+or, even better, 255.0.0.0) to allow more mappings of remote IP Addresses into
+this range. However, even a 255.255.255.0-mask will suffice for most users.
-The IPv6 address the VPN interface will get. Here you can specify any
non-link-local address (the address should not begin with "fe80:"). A subnet
Unique Local Unicast (fd00::/8-prefix) that you are currently not using would
be a good address@hidden Configuring the GNUnet VPN DNS
address@hidden IPv6 address for interface
@c %**end of header
@node Top
address@hidden @bullet
-
-
address@hidden
-Français
address@hidden itemize
+The IPv6 address the VPN interface will get. Here you can specify any
+non-link-local address (the address should not begin with "fe80:"). A subnet
+Unique Local Unicast (fd00::/8-prefix) that you are currently not using would
+be a good choice.
-To resolve names for remote nodes, activate the DNS exit address@hidden
Configuring the GNUnet VPN Exit Service
address@hidden Configuring the GNUnet VPN DNS
@c %**end of header
address@hidden Top
-
-
address@hidden @bullet
-
-
address@hidden
-
-
address@hidden
-Français
address@hidden itemize
-
+To resolve names for remote nodes, activate the DNS exit option.
address@hidden Configuring the GNUnet VPN Exit Service
-If you want to allow other users to share your Internet connection (yes, this
may be dangerous, just as running a Tor exit node) or want to provide access to
services on your host (this should be less dangerous, as long as those services
are secure), you have to enable the GNUnet exit daemon.
+If you want to allow other users to share your Internet connection (yes, this
+may be dangerous, just as running a Tor exit node) or want to provide access to
+services on your host (this should be less dangerous, as long as those services
+are secure), you have to enable the GNUnet exit daemon.
-You then get to specify which exit functions you want to provide. By enabling
the exit daemon, you will always automatically provide exit functions for
manually configured local services (this component of the system is under
development and not documented further at this time). As for those services you
explicitly specify the target IP address and port, there is no significant
security risk in doing so.
+You then get to specify which exit functions you want to provide. By enabling
+the exit daemon, you will always automatically provide exit functions for
+manually configured local services (this component of the system is under
+development and not documented further at this time). As for those services you
+explicitly specify the target IP address and port, there is no significant
+security risk in doing so.
-Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet. Being
a DNS exit is usually pretty harmless. However, enabling IPv4 or IPv6-exit
without further precautions may enable adversaries to access your local
network, send spam, attack other systems from your Internet connection and to
other mischief that will appear to come from your machine. This may or may not
get you into legal trouble. If you want to allow IPv4 or IPv6-exit
functionality, you should strongly consider [...]
+Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet. Being a
+DNS exit is usually pretty harmless. However, enabling IPv4 or IPv6-exit
+without further precautions may enable adversaries to access your local
+network, send spam, attack other systems from your Internet connection and to
+other mischief that will appear to come from your machine. This may or may not
+get you into legal trouble. If you want to allow IPv4 or IPv6-exit
+functionality, you should strongly consider adding additional firewall rules
+manually to protect your local network and to restrict outgoing TCP traffic
+(i.e. by not allowing access to port 25). While we plan to improve
+exit-filtering in the future, you're currently on your own here. Essentially,
+be prepared for any kind of IP-traffic to exit the respective TUN interface
+(and GNUnet will enable IP-forwarding and NAT for the interface automatically).
-Additional configuration options of the exit as shown by the gnunet-setup tool
are:@settitle IP Address of external DNS resolver
+Additional configuration options of the exit as shown by the gnunet-setup tool
+are:
address@hidden IP Address of external DNS resolver
@c %**end of header
@node Top
-If DNS traffic is to exit your machine, it will be send to this DNS resolver.
You can specify an IPv4 or IPv6 address@hidden IPv4 address for Exit interface
address@hidden %**end of header
-
address@hidden Top
-
-
+If DNS traffic is to exit your machine, it will be send to this DNS resolver.
+You can specify an IPv4 or IPv6 address.
address@hidden IPv4 address for Exit interface
-This is the IPv4 address the Interface will get. Make the mask of the address
big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more mappings of
IP addresses into this range. As for the VPN interface, any unused, private
IPv4 address range will address@hidden IPv6 address for Exit interface
+This is the IPv4 address the Interface will get. Make the mask of the address
+big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more mappings of
+IP addresses into this range. As for the VPN interface, any unused, private
+IPv4 address range will do.
address@hidden IPv6 address for Exit interface
@c %**end of header
@node Top
-The public IPv6 address the interface will get. If your kernel is not a very
recent kernel and you are willing to manually enable IPv6-NAT, the IPv6 address
you specify here must be a globally routed IPv6 address of your host.
+The public IPv6 address the interface will get. If your kernel is not a very
+recent kernel and you are willing to manually enable IPv6-NAT, the IPv6 address
+you specify here must be a globally routed IPv6 address of your host.
Suppose your host has the address @code{2001:4ca0::1234/64}, then using@
address@hidden:4ca0::1:0/112} would be fine (keep the first 64 bits, then
change at least one bit in the range before the bitmask, in the example above
we changed bit 111 from 0 to 1).
address@hidden:4ca0::1:0/112} would be fine (keep the first 64 bits, then
change at
+least one bit in the range before the bitmask, in the example above we changed
+bit 111 from 0 to 1).
-You may also have to configure your router to route traffic for the entire
subnet (@code{2001:4ca0::1:0/112} for example) through your computer (this
should be automatic with IPv6, but obviously anything can be
disabled)address@hidden Bandwidth Configuration
+You may also have to configure your router to route traffic for the entire
+subnet (@code{2001:4ca0::1:0/112} for example) through your computer (this
+should be automatic with IPv6, but obviously anything can be
+disabled).
address@hidden Bandwidth Configuration
@c %**end of header
@node Top
-You can specify how many bandwidth GNUnet is allowed to use to receive and
send data. This is important for users with limited bandwidth or traffic volume.
+You can specify how many bandwidth GNUnet is allowed to use to receive and send
+data. This is important for users with limited bandwidth or traffic volume.
@itemize @bullet
@@ -3964,15 +4041,52 @@ Français
-Most hosts today do not have a normal global IP address but instead are behind
a router performing Network Address Translation (NAT) which assigns each host
in the local network a private IP address. As a result, these machines cannot
trivially receive inbound connections from the Internet. GNUnet supports NAT
traversal to enable these machines to receive incoming connections from other
peers despite their limitations.
-
-In an ideal world, you can press the "Attempt automatic configuration" button
in gnunet-setup to automatically configure your peer correctly. Alternatively,
your distribution might have already triggered this automatic configuration
during the installation process. However, automatic configuration can fail to
determine the optimal settings, resulting in your peer either not receiving as
many connections as possible, or in the worst case it not connecting to the
network at all.
-
-To manually configure the peer, you need to know a few things about your
network setup. First, determine if you are behind a NAT in the first place.
This is always the case if your IP address starts with "10.*" or "192.168.*".
Next, if you have control over your NAT router, you may choose to manually
configure it to allow GNUnet traffic to your host. If you have configured your
NAT to forward traffic on ports 2086 (and possibly 1080) to your host, you can
check the "NAT ports have been o [...]
-
-Some NAT boxes can be traversed using the autonomous NAT traversal method.
This requires certain GNUnet components to be installed with "SUID"
prividledges on your system (so if you're installing on a system you do not
have administrative rights to, this will not work). If you installed as 'root',
you can enable autonomous NAT traversal by checking the "Enable NAT traversal
using ICMP method". The ICMP method requires a way to determine your NAT's
external (global) IP address. This can b [...]
-
-Finally, if you yourself are not behind NAT but want to be able to connect to
NATed peers using autonomous NAT traversal, you need to check the "Enable
connecting to NATed peers using ICMP method" box.
+Most hosts today do not have a normal global IP address but instead are behind
+a router performing Network Address Translation (NAT) which assigns each host
+in the local network a private IP address. As a result, these machines cannot
+trivially receive inbound connections from the Internet. GNUnet supports NAT
+traversal to enable these machines to receive incoming connections from other
+peers despite their limitations.
+
+In an ideal world, you can press the "Attempt automatic configuration" button
+in gnunet-setup to automatically configure your peer correctly. Alternatively,
+your distribution might have already triggered this automatic configuration
+during the installation process. However, automatic configuration can fail to
+determine the optimal settings, resulting in your peer either not receiving as
+many connections as possible, or in the worst case it not connecting to the
+network at all.
+
+To manually configure the peer, you need to know a few things about your
+network setup. First, determine if you are behind a NAT in the first place.
+This is always the case if your IP address starts with "10.*" or "192.168.*".
+Next, if you have control over your NAT router, you may choose to manually
+configure it to allow GNUnet traffic to your host. If you have configured your
+NAT to forward traffic on ports 2086 (and possibly 1080) to your host, you can
+check the "NAT ports have been opened manually" option, which corresponds to
+the "PUNCHED_NAT" option in the configuration file. If you did not punch your
+NAT box, it may still be configured to support UPnP, which allows GNUnet to
+automatically configure it. In that case, you need to install the "upnpc"
+command, enable UPnP (or PMP) on your NAT box and set the "Enable NAT traversal
+via UPnP or PMP" option (corresponding to "ENABLE_UPNP" in the configuration
+file).
+
+Some NAT boxes can be traversed using the autonomous NAT traversal method. This
+requires certain GNUnet components to be installed with "SUID" prividledges on
+your system (so if you're installing on a system you do not have administrative
+rights to, this will not work). If you installed as 'root', you can enable
+autonomous NAT traversal by checking the "Enable NAT traversal using ICMP
+method". The ICMP method requires a way to determine your NAT's external
+(global) IP address. This can be done using either UPnP, DynDNS, or by manual
+configuration. If you have a DynDNS name or know your external IP address, you
+should enter that name under "External (public) IPv4 address" (which
+corresponds to the "EXTERNAL_ADDRESS" option in the configuration file). If you
+leave the option empty, GNUnet will try to determine your external IP address
+automatically (which may fail, in which case autonomous NAT traversal will then
+not work).
+
+Finally, if you yourself are not behind NAT but want to be able to connect to
+NATed peers using autonomous NAT traversal, you need to check the "Enable
+connecting to NATed peers using ICMP method" box.
@itemize @bullet
@@ -3989,46 +4103,67 @@ Français
-This section describes how to start a GNUnet peer. It assumes that you have
already compiled and installed GNUnet and its' dependencies. Before you start a
GNUnet peer, you may want to create a configuration file using gnunet-setup
(but you do not have to). Sane defaults should exist in your
@code{GNUNET_PREFIX/share/gnunet/config.d/} directory, so in practice you could
simply start without any configuration. If you want to configure your peer
later, you need to stop it before invoking t [...]
-
- The most important option you might have to still set by hand is in [PATHS].
Here, you use the option "GNUNET_HOME" to specify the path where GNUnet should
store its data. It defaults to @code{$HOME/}, which again should work for most
users. Make sure that the directory specified as GNUNET_HOME is writable to the
user that you will use to run GNUnet (note that you can run frontends using
other users, GNUNET_HOME must only be accessible to the user used to run the
background processes).
-
-You will also need to make one central decision: should all of GNUnet be run
under your normal UID, or do you want distinguish between system-wide
(user-independent) GNUnet services and personal GNUnet services. The multi-user
setup is slightly more complicated, but also more secure and generally
recommended. @settitle The Single-User Setup
address@hidden %**end of header
-
address@hidden Top
+This section describes how to start a GNUnet peer. It assumes that you have
+already compiled and installed GNUnet and its' dependencies. Before you start a
+GNUnet peer, you may want to create a configuration file using gnunet-setup
+(but you do not have to). Sane defaults should exist in your
address@hidden/share/gnunet/config.d/} directory, so in practice you could
+simply start without any configuration. If you want to configure your peer
+later, you need to stop it before invoking the @code{gnunet-setup} tool to
+customize further and to test your configuration (@code{gnunet-setup} has
+build-in test functions).
+ The most important option you might have to still set by hand is in [PATHS].
+ Here, you use the option "GNUNET_HOME" to specify the path where GNUnet should
+ store its data. It defaults to @code{$HOME/}, which again should work for most
+ users. Make sure that the directory specified as GNUNET_HOME is writable to
+ the user that you will use to run GNUnet (note that you can run frontends
+ using other users, GNUNET_HOME must only be accessible to the user used to run
+ the background processes).
+You will also need to make one central decision: should all of GNUnet be run
+under your normal UID, or do you want distinguish between system-wide
+(user-independent) GNUnet services and personal GNUnet services. The multi-user
+setup is slightly more complicated, but also more secure and generally
+recommended.
address@hidden The Single-User Setup
-For the single-user setup, you do not need to do anything special and can just
start the GNUnet background processes using @code{gnunet-arm}. By default,
GNUnet looks in @code{~/.config/gnunet.conf} for a configuration (or
$XDG_CONFIG_HOME/gnunet.conf if@
- $XDG_CONFIG_HOME is defined). If your configuration lives elsewhere, you need
to pass the @code{-c FILENAME} option to all GNUnet commands.
+For the single-user setup, you do not need to do anything special and can just
+start the GNUnet background processes using @code{gnunet-arm}. By default,
+GNUnet looks in @code{~/.config/gnunet.conf} for a configuration (or
+$XDG_CONFIG_HOME/gnunet.conf if@ $XDG_CONFIG_HOME is defined). If your
+configuration lives elsewhere, you need to pass the @code{-c FILENAME} option
+to all GNUnet commands.
- Assuming the configuration file is called @code{~/.config/gnunet.conf}, you
start your peer using the @code{gnunet-arm} command (say as user @code{gnunet})
using:
address@hidden -c ~/.config/gnunet.conf -s
address@hidden example
+ Assuming the configuration file is called @code{~/.config/gnunet.conf}, you
+ start your peer using the @code{gnunet-arm} command (say as user
+ @code{gnunet}) using: @examplegnunet-arm -c ~/.config/gnunet.conf -s @end
+ example
-The "-s" option here is for "start". The command should return almost
instantly. If you want to stop GNUnet, you can use:
address@hidden -c ~/.config/gnunet.conf -e
address@hidden example
+The "-s" option here is for "start". The command should return almost
+instantly. If you want to stop GNUnet, you can use: @examplegnunet-arm -c
+~/.config/gnunet.conf -e @end example
The "-e" option here is for "end".
- Note that this will only start the basic peer, no actual applications will be
available. If you want to start the file-sharing service, use (after starting
GNUnet):
address@hidden -c ~/.config/gnunet.conf -i fs
address@hidden example
+ Note that this will only start the basic peer, no actual applications will be
+ available. If you want to start the file-sharing service, use (after starting
+ GNUnet): @examplegnunet-arm -c ~/.config/gnunet.conf -i fs @end example
-The "-i fs" option here is for "initialize" the "fs" (file-sharing)
application. You can also selectively kill only file-sharing support using
address@hidden -c ~/.config/gnunet.conf -k fs
address@hidden example
+The "-i fs" option here is for "initialize" the "fs" (file-sharing)
+application. You can also selectively kill only file-sharing support using
address@hidden -c ~/.config/gnunet.conf -k fs @end example
-Assuming that you want certain services (like file-sharing) to be always
automatically started whenever you start GNUnet, you can activate them by
setting "FORCESTART=YES" in the respective section of the configuration file
(for example, "[fs]"). Then GNUnet with file-sharing support would be started
whenever you@
- enter:
address@hidden -c ~/.config/gnunet.conf -s
address@hidden example
+Assuming that you want certain services (like file-sharing) to be always
+automatically started whenever you start GNUnet, you can activate them by
+setting "FORCESTART=YES" in the respective section of the configuration file
+(for example, "[fs]"). Then GNUnet with file-sharing support would be started
+whenever you@ enter: @examplegnunet-arm -c ~/.config/gnunet.conf -s @end
+example
Alternatively, you can combine the two options:
@@ -4036,51 +4171,80 @@ Alternatively, you can combine the two options:
@end example
-Using @code{gnunet-arm} is also the preferred method for initializing GNUnet
from @code{init}.
+Using @code{gnunet-arm} is also the preferred method for initializing GNUnet
+from @code{init}.
- Finally, you should edit your @code{crontab} (using the @code{crontab}
command) and insert a line@
+Finally, you should edit your @code{crontab} (using the @code{crontab} command)
+and insert a line@
@code{@
@@reboot gnunet-arm -c ~/.config/gnunet.conf -s@
}@
- to automatically start your peer whenever your system address@hidden The
Multi-User Setup
+to automatically start your peer whenever your system boots.
address@hidden The Multi-User Setup
@c %**end of header
@node Top
-This requires you to create a user @code{gnunet} and an additional group
@code{gnunetdns}, prior to running @code{make install} during installation.
Then, you create a configuration file @code{/etc/gnunet.conf} which should
contain the lines:@
+This requires you to create a user @code{gnunet} and an additional group
address@hidden, prior to running @code{make install} during installation.
+Then, you create a configuration file @code{/etc/gnunet.conf} which should
+contain the lines:@
@code{@
[arm]@
SYSTEM_ONLY = YES@
USER_ONLY = NO@
}@
- Then, perform the same steps to run GNUnet as in the per-user configuration,
except as user @code{gnunet} (including the @code{crontab} installation). You
may also want to run @code{gnunet-setup} to configure your peer (databases,
etc.). Make sure to pass @code{-c /etc/gnunet.conf} to all commands. If you run
@code{gnunet-setup} as user @code{gnunet}, you might need to change permissions
on @code{/etc/gnunet.conf} so that the @code{gnunet} user can write to the file
(during setup).
-
-Afterwards, you need to perform another setup step for each normal user
account from which you want to access GNUnet. First, grant the normal user
(@code{$USER}) permission to the group gnunet:@
+ Then, perform the same steps to run GNUnet as in the per-user configuration,
+ except as user @code{gnunet} (including the @code{crontab} installation). You
+ may also want to run @code{gnunet-setup} to configure your peer (databases,
+ etc.). Make sure to pass @code{-c /etc/gnunet.conf} to all commands. If you
+ run @code{gnunet-setup} as user @code{gnunet}, you might need to change
+ permissions on @code{/etc/gnunet.conf} so that the @code{gnunet} user can
+ write to the file (during setup).
+
+Afterwards, you need to perform another setup step for each normal user account
+from which you want to access GNUnet. First, grant the normal user
+(@code{$USER}) permission to the group gnunet:@
@code{@
# adduser $USER gnunet@
}@
- Then, create a configuration file in @code{~/.config/gnunet.conf} for the
$USER with the lines:@
+Then, create a configuration file in @code{~/.config/gnunet.conf} for the $USER
+with the lines:@
@code{@
[arm]@
SYSTEM_ONLY = NO@
USER_ONLY = YES@
}@
- This will ensure that @code{gnunet-arm} when started by the normal user will
only run services that are per-user, and otherwise rely on the system-wide
services. Note that the normal user may run gnunet-setup, but the configuration
would be ineffective as the system-wide services will use
@code{/etc/gnunet.conf} and ignore options set by individual users.
+ This will ensure that @code{gnunet-arm} when started by the normal user will
+ only run services that are per-user, and otherwise rely on the system-wide
+ services. Note that the normal user may run gnunet-setup, but the
+ configuration would be ineffective as the system-wide services will use
+ @code{/etc/gnunet.conf} and ignore options set by individual users.
-Again, each user should then start the peer using @code{gnunet-arm -s} --- and
strongly consider adding logic to start the peer automatically to their crontab.
+Again, each user should then start the peer using @code{gnunet-arm -s} --- and
+strongly consider adding logic to start the peer automatically to their
+crontab.
-Afterwards, you should see two (or more, if you have more than one USER)
@code{gnunet-service-arm} processes running in your system. @settitle Killing
GNUnet services
+Afterwards, you should see two (or more, if you have more than one USER)
address@hidden processes running in your system. @settitle Killing
+GNUnet services
@c %**end of header
@node Top
-It is not necessary to stop GNUnet services explicitly when shutting down your
computer.
+It is not necessary to stop GNUnet services explicitly when shutting down your
+computer.
-It should be noted that manually killing "most" of the @code{gnunet-service}
processes is generally not a successful method for stopping a peer (since
@code{gnunet-service-arm} will instantly restart them). The best way to
explicitly stop a peer is using @code{gnunet-arm -e}; note that the per-user
services may need to be terminated before the system-wide services will
terminate normally.
+It should be noted that manually killing "most" of the @code{gnunet-service}
+processes is generally not a successful method for stopping a peer (since
address@hidden will instantly restart them). The best way to
+explicitly stop a peer is using @code{gnunet-arm -e}; note that the per-user
+services may need to be terminated before the system-wide services will
+terminate normally.
@itemize @bullet
@@ -4100,83 +4264,157 @@ Français
-This chapter documents how we plan to make access control work within the
GNUnet system for a typical peer. It should be read as a best-practice
installation guide for advanced users and builders of binary distributions. The
recommendations in this guide apply to POSIX-systems with full support for UNIX
domain sockets only.
+This chapter documents how we plan to make access control work within the
+GNUnet system for a typical peer. It should be read as a best-practice
+installation guide for advanced users and builders of binary distributions. The
+recommendations in this guide apply to POSIX-systems with full support for UNIX
+domain sockets only.
-Note that this is an advanced topic. The discussion presumes a very good
understanding of users, groups and file permissions. Normal users on hosts with
just a single user can just install GNUnet under their own account (and
possibly allow the installer to use SUDO to grant additional permissions for
special GNUnet tools that need additional rights). The discussion below largely
applies to installations where multiple users share a system and to
installations where the best possible secu [...]
+Note that this is an advanced topic. The discussion presumes a very good
+understanding of users, groups and file permissions. Normal users on hosts with
+just a single user can just install GNUnet under their own account (and
+possibly allow the installer to use SUDO to grant additional permissions for
+special GNUnet tools that need additional rights). The discussion below largely
+applies to installations where multiple users share a system and to
+installations where the best possible security is paramount.
A typical GNUnet system consists of components that fall into four categories:
@table @asis
@item User interfaces
-User interfaces are not security sensitive and are supposed to be run and used
by normal system users. The GTK GUIs and most command-line programs fall into
this category. Some command-line tools (like gnunet-transport) should be
excluded as they offer low-level access that normal users should not need.
+User interfaces are not security sensitive and are supposed to be run and used
+by normal system users. The GTK GUIs and most command-line programs fall into
+this category. Some command-line tools (like gnunet-transport) should be
+excluded as they offer low-level access that normal users should not need.
@item System services and support tools
-System services should always run and offer services that can then be accessed
by the normal users. System services do not require special permissions, but as
they are not specific to a particular user, they probably should not run as a
particular user. Also, there should typically only be one GNUnet peer per host.
System services include the gnunet-service and gnunet-daemon programs; support
tools include command-line programs such as gnunet-arm.
+System services should always run and offer services that can then be accessed
+by the normal users. System services do not require special permissions, but as
+they are not specific to a particular user, they probably should not run as a
+particular user. Also, there should typically only be one GNUnet peer per host.
+System services include the gnunet-service and gnunet-daemon programs; support
+tools include command-line programs such as gnunet-arm.
@item Priviledged helpers
-Some GNUnet components require root rights to open raw sockets or perform
other special operations. These gnunet-helper binaries are typically installed
SUID and run from services or daemons.
+Some GNUnet components require root rights to open raw sockets or perform other
+special operations. These gnunet-helper binaries are typically installed SUID
+and run from services or daemons.
@item Critical services
-Some GNUnet services (such as the DNS service) can manipulate the service in
deep and possibly highly security sensitive ways. For example, the DNS service
can be used to intercept and alter any DNS query originating from the local
machine. Access to the APIs of these critical services and their priviledged
helpers must be tightly controlled.
+Some GNUnet services (such as the DNS service) can manipulate the service in
+deep and possibly highly security sensitive ways. For example, the DNS service
+can be used to intercept and alter any DNS query originating from the local
+machine. Access to the APIs of these critical services and their priviledged
+helpers must be tightly controlled.
@end table
address@hidden Recommendation: Disable access to GNUnet services via TCP
address@hidden %**end of header
-
address@hidden Top
-
address@hidden Recommendation: Disable access to GNUnet services via TCP
address@hidden Recommendation: Disable access to GNUnet services via TCP
-GNUnet services allow two types of access: via TCP socket or via UNIX domain
socket. If the service is available via TCP, access control can only be
implemented by restricting connections to a particular range of IP addresses.
This is acceptable for non-critical services that are supposed to be available
to all users on the local system or local network. However, as TCP is generally
less efficient and it is rarely the case that a single GNUnet peer is supposed
to serve an entire local ne [...]
+GNUnet services allow two types of access: via TCP socket or via UNIX domain
+socket. If the service is available via TCP, access control can only be
+implemented by restricting connections to a particular range of IP addresses.
+This is acceptable for non-critical services that are supposed to be available
+to all users on the local system or local network. However, as TCP is generally
+less efficient and it is rarely the case that a single GNUnet peer is supposed
+to serve an entire local network, the default configuration should disable TCP
+access to all GNUnet services on systems with support for UNIX domain sockets.
+As of GNUnet 0.9.2, configuration files with TCP access disabled should be
+generated by default. Users can re-enable TCP access to particular services
+simply by specifying a non-zero port number in the section of the respective
address@hidden Recommendation: Run most GNUnet services as system user
+"gnunet"
@c %**end of header
@node Top
-GNUnet's main services should be run as a separate user "gnunet" in a special
group "gnunet". The user "gnunet" should start the peer using "gnunet-arm -s"
during system startup. The home directory for this user should be
"/var/lib/gnunet" and the configuration file should be "/etc/gnunet.conf". Only
the "gnunet" user should have the right to access "/var/lib/gnunet" (mode:
700)address@hidden Recommendation: Control access to GNUnet services using
group "gnunet"
+GNUnet's main services should be run as a separate user "gnunet" in a special
+group "gnunet". The user "gnunet" should start the peer using "gnunet-arm -s"
+during system startup. The home directory for this user should be
+"/var/lib/gnunet" and the configuration file should be "/etc/gnunet.conf". Only
+the "gnunet" user should have the right to access "/var/lib/gnunet" (mode:
+700)address@hidden Recommendation: Control access to GNUnet services using
group
+"gnunet"
@c %**end of header
@node Top
-Users that should be allowed to use the GNUnet peer should be added to the
group "gnunet". Using GNUnet's access control mechanism for UNIX domain
sockets, those services that are considered useful to ordinary users should be
made available by setting "UNIX_MATCH_GID=YES" for those services. Again, as
shipped, GNUnet provides reasonable defaults. Permissions to access the
transport and core subsystems might additionally be granted without necessarily
causing security concerns. Some servi [...]
+Users that should be allowed to use the GNUnet peer should be added to the
+group "gnunet". Using GNUnet's access control mechanism for UNIX domain
+sockets, those services that are considered useful to ordinary users should be
+made available by setting "UNIX_MATCH_GID=YES" for those services. Again, as
+shipped, GNUnet provides reasonable defaults. Permissions to access the
+transport and core subsystems might additionally be granted without necessarily
+causing security concerns. Some services, such as DNS, must NOT be made
+accessible to the "gnunet" group (and should thus only be accessible to the
+"gnunet" user and services running with this UID)address@hidden Recommendation:
+Limit access to certain SUID binaries by group "gnunet"
@c %**end of header
@node Top
-Most of GNUnet's SUID binaries should be safe even if executed by normal
users. However, it is possible to reduce the risk a little bit more by making
these binaries owned by the group "gnunet" and restricting their execution to
user of the group "gnunet" as well (4750)address@hidden Recommendation: Limit
access to critical gnunet-helper-dns to group "gnunetdns"
+Most of GNUnet's SUID binaries should be safe even if executed by normal users.
+However, it is possible to reduce the risk a little bit more by making these
+binaries owned by the group "gnunet" and restricting their execution to user of
+the group "gnunet" as well (4750)address@hidden Recommendation: Limit access to
+critical gnunet-helper-dns to group "gnunetdns"
@c %**end of header
@node Top
-A special group "gnunetdns" should be created for controlling access to the
"gnunet-helper-dns". The binary should then be owned by root and be in group
"gnunetdns" and be installed SUID and only be group-executable (2750). Note
that the group "gnunetdns" should have no users in it at all, ever. The
"gnunet-service-dns" program should be executed by user "gnunet" (via
gnunet-service-arm) with the binary owned by the user "root" and the group
"gnunetdns" and be SGID (2700). This way, @str [...]
+A special group "gnunetdns" should be created for controlling access to the
+"gnunet-helper-dns". The binary should then be owned by root and be in group
+"gnunetdns" and be installed SUID and only be group-executable (2750). Note
+that the group "gnunetdns" should have no users in it at all, ever. The
+"gnunet-service-dns" program should be executed by user "gnunet" (via
+gnunet-service-arm) with the binary owned by the user "root" and the group
+"gnunetdns" and be SGID (2700). This way, @strong{only} "gnunet-service-dns"
+can change its group to "gnunetdns" and execute the helper, and the helper can
+then run as root (as per SUID). Access to the API offered by
+"gnunet-service-dns" is in turn restricted to the user "gnunet" (not the
+group!), which means that only "benign" services can manipulate DNS queries
+using "gnunet-service-dns"address@hidden Differences between "make install" and
+these recommendations
@c %**end of header
@node Top
-The current build system does not set all permissions automatically based on
the recommendations above. In particular, it does not use the group "gnunet" at
all (so setting gnunet-helpers other than the gnunet-helper-dns to be owned by
group "gnunet" must be done manually). Furthermore, 'make install' will
silently fail to set the DNS binaries to be owned by group "gnunetdns" unless
that group already exists (!). An alternative name for the "gnunetdns" group
can be specified using the "- [...]
+The current build system does not set all permissions automatically based on
+the recommendations above. In particular, it does not use the group "gnunet" at
+all (so setting gnunet-helpers other than the gnunet-helper-dns to be owned by
+group "gnunet" must be done manually). Furthermore, 'make install' will
+silently fail to set the DNS binaries to be owned by group "gnunetdns" unless
+that group already exists (!). An alternative name for the "gnunetdns" group
+can be specified using the "--with-gnunetdns=GRPNAME" configure
address@hidden Peer Configuration
@c %**end of header
@node Top
-The "GNUNET_DATA_HOME" in "[path]" in /etc/gnunet.conf should be manually set
to "/var/lib/gnunet/data/" as the default "~/.local/share/gnunet/" is probably
not that appropriate in this case. Similarly, distributions may consider
pointing "GNUNET_RUNTIME_DIR" to "/var/run/gnunet/" and "GNUNET_HOME" to
"/var/lib/gnunet/". Also, should a distribution decide to override system
defaults, all of these changes should be done in a custom "/etc/gnunet.conf"
and not in the files in the "config.d/ [...]
-
-Given the proposed access permissions, the "gnunet-setup" tool must be run as
use "gnunet" (and with option "-c /etc/gnunet.conf" so that it modifies the
system configuration). As always, gnunet-setup should be run after the GNUnet
peer was stopped using "gnunet-arm -e". Distributions might want to include a
wrapper for gnunet-setup that allows the desktop-user to "sudo" (i.e. using
gtksudo) to the "gnunet" user account and then runs "gnunet-arm -e",
"gnunet-setup" and "gnunet-arm -s" in [...]
address@hidden @bullet
-
-
address@hidden
+The "GNUNET_DATA_HOME" in "[path]" in /etc/gnunet.conf should be manually set
+to "/var/lib/gnunet/data/" as the default "~/.local/share/gnunet/" is probably
+not that appropriate in this case. Similarly, distributions may consider
+pointing "GNUNET_RUNTIME_DIR" to "/var/run/gnunet/" and "GNUNET_HOME" to
+"/var/lib/gnunet/". Also, should a distribution decide to override system
+defaults, all of these changes should be done in a custom "/etc/gnunet.conf"
+and not in the files in the "config.d/" directory.
-
address@hidden
-Español
address@hidden itemize
+Given the proposed access permissions, the "gnunet-setup" tool must be run as
+use "gnunet" (and with option "-c /etc/gnunet.conf" so that it modifies the
+system configuration). As always, gnunet-setup should be run after the GNUnet
+peer was stopped using "gnunet-arm -e". Distributions might want to include a
+wrapper for gnunet-setup that allows the desktop-user to "sudo" (i.e. using
+gtksudo) to the "gnunet" user account and then runs "gnunet-arm -e",
+"gnunet-setup" and "gnunet-arm -s" in sequence.
@c
*****************************************************************************
@node GNU Free Documentation License
--
To stop receiving notification emails like this one, please contact
address@hidden
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] [gnunet-texinfo] branch master updated: installation.texi,
gnunet <=