Would it be appropriate to provide this functionality as an optional argument in configure or make and warn people that using the option requires ’sudo’ ?
The macOS firewall thing really *is* a significant annoyance for running and testing anything on a Mac. It would be nice to have a reliable solution for it. Alp > On Aug 28, 2020, at 2:36 PM, Satish Balay via petsc-dev > <[email protected]> wrote: > > I don't think we should be doing such 'sudo' changes on user machines. > > Satish > > On Fri, 28 Aug 2020, Barry Smith wrote: > >> >> Maybe you could make this a MR? >> >> Barry >> >> >> >>> On Aug 28, 2020, at 2:17 PM, Hapla Vaclav <[email protected]> wrote: >>> >>> On MacOS, maybe you also have lots of firewall popups >>> appearing/disappearing when running tests like >>> Do you want the application "ex29" to accept incoming network connections? >>> >>> They are annoying, disturbing, slowing down, and virtually making any other >>> work on the computer impossible (and driving me crazy). >>> >>> There is not much information about this issue. Usually the hints involve >>> enabling each application separately in Firewall settings (no support for >>> wildcards), which is virtually impossible to do with all PETSc test >>> executables (and not really working for me). >>> >>> Some guys suggest signing the app using codesign >>> <https://apple.stackexchange.com/a/150711> which also didn't work for me. >>> >>> But I have finally found a reliable solution. So I'm sharing it, also for >>> my own reference - not sure whether it could be added to PETSc directly in >>> some form. >>> >>> It consists in applying a small makefile patch (below) which uses MacOS >>> firewall CLI (which is not much advertised). This way, make adds the >>> executable to the firewall whitelist right after it's produced by a linker. >>> >>> It uses sudo so it asks for your password for the first time. >>> >>> Please let me know if you have a better solution - except of disabling the >>> firewall ;-) - or other comments/questions. >>> >>> See also >>> * man socketfilterfw <http://www.manpagez.com/man/8/socketfilterfw/> >>> * >>> https://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/ >>> >>> <https://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/> >>> >>> Vaclav >>> >>> >>> >>> diff --git a/gmakefile.test b/gmakefile.test >>> index 95ff59b4ab..c513a0bc0c 100644 >>> --- a/gmakefile.test >>> +++ b/gmakefile.test >>> @@ -192,18 +192,37 @@ $(TESTDIR)/snes/tests/ex1: PETSC_TEST_LIB = >>> $(PETSC_SNES_LIB) >>> $(TESTDIR)/ts/tests/ex2: PETSC_TEST_LIB = $(PETSC_TS_LIB) >>> $(TESTDIR)/tao/tutorials/ex1: PETSC_TEST_LIB = $(PETSC_TAO_LIB) >>> >>> +define macos-firewall-register >>> + @APP=$(call abspath, $(1)); \ >>> + FW=/usr/libexec/ApplicationFirewall/socketfilterfw; \ >>> + if ! $$FW --getappblocked $$APP | grep 'is permitted' > /dev/null; >>> then \ >>> + sudo $$FW --add $$APP && \ >>> + sudo $$FW --unblock $$APP; \ >>> + fi >>> +endef >>> + >>> +# Ensure mpiexec.hydra and test executable is on firewall list >>> +define macos-firewall-fix >>> + $(call macos-firewall-register, $(shell which mpiexec.hydra)) >>> + $(call macos-firewall-register, $(1)) >>> +endef >>> + >>> # Test executables >>> $(testexe.F) $(testexe.F90) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ >>> $(libpetscall) >>> $(call quiet,FLINKER) -o $@ $^ $(PETSC_TEST_LIB) >>> + $(call macos-firewall-fix,$@) >>> >>> $(testexe.c) $(testexe.cu) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ >>> $(libpetscall) >>> $(call quiet,CLINKER) -o $@ $^ $(PETSC_TEST_LIB) >>> + $(call macos-firewall-fix,$@) >>> >>> $(testexe.kokkos.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall) >>> $(call quiet,PETSC_LINK.kokkos.cxx) -o $@ $^ $(PETSC_TEST_LIB) >>> + $(call macos-firewall-fix,$@) >>> >>> $(testexe.cxx) : $(TESTDIR)/% : $(TESTDIR)/%.o $$^ $(libpetscall) >>> $(call quiet,CXXLINKER) -o $@ $^ $(PETSC_TEST_LIB) >>> + $(call macos-firewall-fix,$@) >>> >>> # Fortran source files need petsc*.mod, which isn't explicitly managed in >>> the makefile. >>> $(foreach pkg, $(pkgs), $(call concattestlang,$(pkg),F F90)) : >>> $(libpetscall) >> >> >
