[petsc-dev] MacOS firewall annoyance while running tests + solution

Hapla Vaclav vaclav.hapla at erdw.ethz.ch
Thu Sep 3 05:21:17 CDT 2020 

https://gitlab.com/petsc/petsc/-/merge_requests/3131

On 1 Sep 2020, at 11:33, Hapla Vaclav <vaclav.hapla at erdw.ethz.ch<mailto:vaclav.hapla at erdw.ethz.ch>> wrote:

OK, so a new configure option which sets a certain make variable which then enables that parts of gmakefile.test, right?

Something like —-with-add-macos-firewall-rules?

So it would be still be possible to pass that variable to make without reconfigure. I guess that's fine, I even take it as an advantage, but probably doesn't need to be documented. Only the configure option should be properly explained in —-help output. Do you agree?

Vaclav

On 31 Aug 2020, at 19:46, Barry Smith <bsmith at petsc.dev<mailto:bsmith at petsc.dev>> wrote:


I would make your fix a configure option that is off by default. It is silly that Apple makes you use sudo to tell it that a compiled code SHOULD NOT accept outside connections but they have it all bundled together without enough thought for developers.

Barry


On Aug 31, 2020, at 4:14 AM, Hapla Vaclav <vaclav.hapla at erdw.ethz.ch<mailto:vaclav.hapla at erdw.ethz.ch>> wrote:


On 29 Aug 2020, at 02:03, Hapla Vaclav <vaclav.hapla at erdw.ethz.ch<mailto:vaclav.hapla at erdw.ethz.ch>> wrote:



On 28 Aug 2020, at 22:47, Jed Brown <jed at jedbrown.org<mailto:jed at jedbrown.org>> wrote:

"Hapla  Vaclav" <vaclav.hapla at erdw.ethz.ch<mailto:vaclav.hapla at erdw.ethz.ch>> writes:

On MacOS, maybe you also have lots of firewall popups appearing/disappearing when running tests like
Do you want the application "ex29" to accept incoming network connections?

Is there a way to express that the application does not need (should not accept) incoming connections?

Oh yes, hadn't thought about before, but it's surely better to _block_ the incoming connections - feels safer for a user at least.

But the way is the same, requiring sudo:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add $PETSC_DIR/$PETSC_ARCH/tests/dm/impls/plex/tests/ex9
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --block $PETSC_DIR/$PETSC_ARCH/tests/dm/impls/plex/tests/ex9

Funny enough, these commands don't fail without sudo but they have no effect.


Normalizing sudo during build/testing seems really bad.

I agree. It shouldn't be a normal part of the makefile. That's why I have been hesitant to create a MR. I think we could
1. just add an FAQ entry - but the patch can become out-of-date pretty quickly, and instructions without a patch are gonna be tedious
2. activate this part conditionally, requiring a user's action such as passing a very special variable to makefile
3. put it into a separate makefile and add a commented out include into gmakefile.test, so that the user has to explicitly uncomment the inclusion - or something like that
4. something else?

Jed, Barry, thoughts here?

Thanks,
Vaclav


Vaclav




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mcs.anl.gov/pipermail/petsc-dev/attachments/20200903/620ef820/attachment.html>

More information about the petsc-dev mailing list