[petsc-dev] MacOS firewall annoyance while running tests + solution

Hapla Vaclav vaclav.hapla at erdw.ethz.ch
Fri Aug 28 18:47:32 CDT 2020

On 28 Aug 2020, at 22:32, Satish Balay <balay at mcs.anl.gov> wrote:

This is with --download-mpich - or also with --download-openmpi?

I'm currently using MPICH 3.3.2. This affects all
--download-mpich --download-mpich-device=ch3:nemesis

I will try openmpi as well.

I wonder if there are some mpich/openmpi settings that avoid this.. [or is this from petsc and not mpi]

I don't think it's a petsc thing. See e.g.

* https://github.com/amusecode/amuse/issues/243
* https://libensemble.readthedocs.io/en/master/FAQ.html#macos-specific-errors
* https://stackoverflow.com/questions/18840007/avoid-accept-incoming-network-connections-dialog-in-mpirun-on-mac-osx
(BTW here they use openmpi, it seems, and have the same)
* https://stackoverflow.com/questions/17527700/do-you-want-the-application-to-accept-incoming-network-connection
* https://apple.stackexchange.com/questions/3271/how-to-get-rid-of-firewall-accept-incoming-connections-dialog
(I didn't get how that reply could be marked as accepted)
* https://superuser.com/questions/912656/how-do-i-stop-my-mac-from-asking-to-accept-incoming-network-connections
* …



On Fri, 28 Aug 2020, Hapla Vaclav wrote:

On MacOS, maybe you also have lots of firewall popups appearing/disappearing when running tests like
 Do you want the application "ex29" to accept incoming network connections?

They are annoying, disturbing, slowing down, and virtually making any other work on the computer impossible (and driving me crazy).

There is not much information about this issue. Usually the hints involve enabling each application separately in Firewall settings (no support for wildcards), which is virtually impossible to do with all PETSc test executables (and not really working for me).

Some guys suggest signing the app using codesign<https://apple.stackexchange.com/a/150711> which also didn't work for me.

But I have finally found a reliable solution. So I'm sharing it, also for my own reference - not sure whether it could be added to PETSc directly in some form.

It consists in applying a small makefile patch (below) which uses MacOS firewall CLI (which is not much advertised). This way, make adds the executable to the firewall whitelist right after it's produced by a linker.

It uses sudo so it asks for your password for the first time.

Please let me know if you have a better solution - except for disabling the firewall ;-) - or other comments/questions.

See also
* man socketfilterfw<http://www.manpagez.com/man/8/socketfilterfw/>
* https://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/


diff --git a/gmakefile.test b/gmakefile.test
index 95ff59b4ab..c513a0bc0c 100644
--- a/gmakefile.test
+++ b/gmakefile.test
@@ -192,18 +192,37 @@ $(TESTDIR)/snes/tests/ex1: PETSC_TEST_LIB = $(PETSC_SNES_LIB)
$(TESTDIR)/tao/tutorials/ex1: PETSC_TEST_LIB = $(PETSC_TAO_LIB)

+define macos-firewall-register
+  @APP=$(call abspath, $(1)); \
+    FW=/usr/libexec/ApplicationFirewall/socketfilterfw; \
+    if ! $$FW --getappblocked $$APP | grep 'is permitted' > /dev/null; then \
+      sudo $$FW --add $$APP && \
+      sudo $$FW --unblock $$APP; \
+    fi
+# Ensure mpiexec.hydra and test executable is on firewall list
+define macos-firewall-fix
+  $(call macos-firewall-register, $(shell which mpiexec.hydra))
+  $(call macos-firewall-register, $(1))
# Test executables
$(testexe.F) $(testexe.F90) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
       $(call quiet,FLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

$(testexe.c) $(testexe.cu) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
       $(call quiet,CLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

$(testexe.kokkos.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
       $(call quiet,PETSC_LINK.kokkos.cxx) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

$(testexe.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall)
       $(call quiet,CXXLINKER) -o $@ $^ $(PETSC_TEST_LIB)
+       $(call macos-firewall-fix,$@)

# Fortran source files need petsc*.mod, which isn't explicitly managed in the makefile.
$(foreach pkg, $(pkgs), $(call concattestlang,$(pkg),F F90)) : $(libpetscall)
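
Review bot: the four added $(call macos-firewall-fix,$@) recipe lines run on every test link with no platform check or opt-in, so on a host without /usr/libexec/ApplicationFirewall/socketfilterfw the --getappblocked test fails, the recipe falls through to "sudo $$FW --add $$APP", and the link rule ends in a sudo prompt or an error. Suggest expanding macos-firewall-fix to nothing unless the build is on macOS and the user has explicitly enabled it through a make variable, because this recipe uses sudo to allow incoming connections for every freshly linked test binary. In the same macro, $$APP should be quoted in the shell lines so paths containing spaces survive, and the case where $(shell which mpiexec.hydra) returns an empty string (a different launcher, or Open MPI) should be skipped rather than passed to socketfilterfw. As posted, neither define is followed by an endef.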
