[petsc-dev] MacOS firewall annoyance while running tests + solution

Hapla Vaclav vaclav.hapla at erdw.ethz.ch
Fri Aug 28 14:17:12 CDT 2020

On MacOS, maybe you also have lots of firewall popups appearing/disappearing when running tests like
  Do you want the application "ex29" to accept incoming network connections?

They are annoying, disturbing, slowing down, and virtually making any other work on the computer impossible (and driving me crazy).

There is not much information about this issue. Usually the hints involve enabling each application separately in Firewall settings (no support for wildcards), which is virtually impossible to do with all PETSc test executables (and not really working for me).

Some guys suggest signing the app using codesign<https://apple.stackexchange.com/a/150711> which also didn't work for me.

But I have finally found a reliable solution. So I'm sharing it, also for my own reference - not sure whether it could be added to PETSc directly in some form.

It consists in applying a small makefile patch (below) which uses MacOS firewall CLI (which is not much advertised). This way, make adds the executable to the firewall whitelist right after it's produced by a linker.

It uses sudo so it asks for your password for the first time.

Please let me know if you have a better solution - except of disabling the firewall ;-) - or other comments/questions.

See also
* man socketfilterfw<http://www.manpagez.com/man/8/socketfilterfw/>
* https://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/


diff --git a/gmakefile.test b/gmakefile.test
index 95ff59b4ab..c513a0bc0c 100644
--- a/gmakefile.test
+++ b/gmakefile.test
@@ -192,18 +192,37 @@ $(TESTDIR)/snes/tests/ex1: PETSC_TEST_LIB = $(PETSC_SNES_LIB)
 $(TESTDIR)/ts/tests/ex2: PETSC_TEST_LIB = $(PETSC_TS_LIB)
 $(TESTDIR)/tao/tutorials/ex1: PETSC_TEST_LIB = $(PETSC_TAO_LIB)

+define macos-firewall-register
+  @APP=$(call abspath, $(1)); \
+    FW=/usr/libexec/ApplicationFirewall/socketfilterfw; \
+    if ! $$FW --getappblocked $$APP | grep 'is permitted' > /dev/null; then \
+      sudo $$FW --add $$APP && \
+      sudo $$FW --unblock $$APP; \
+    fi
+# Ensure mpiexec.hydra and test executable is on firewall list
+define macos-firewall-fix
+  $(call macos-firewall-register, $(shell which mpiexec.hydra))
+  $(call macos-firewall-register, $(1))
 # Test executables
 $(testexe.F) $(testexe.F90) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
        $(call quiet,FLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

 $(testexe.c) $(testexe.cu) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
        $(call quiet,CLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

 $(testexe.kokkos.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
        $(call quiet,PETSC_LINK.kokkos.cxx) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

 $(testexe.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
        $(call quiet,CXXLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

 # Fortran source files need petsc*.mod, which isn't explicitly managed in the makefile.
 $(foreach pkg, $(pkgs), $(call concattestlang,$(pkg),F F90)) : $(libpetscall)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mcs.anl.gov/pipermail/petsc-dev/attachments/20200828/4d98b23b/attachment.html>

More information about the petsc-dev mailing list