Many macOS popups asking for incoming connections appear when running test suite for the first time

[marsonya]

I saw 10s of popups in MacOS asking "Do you want the application node to accept incoming network connections?" when I ran the test suite. They just keep coming, 1 every 5-10 seconds. The only way to stop is force close vscode. Happened when I ran ./configure && make -j4 test.

• Operating Sustem: MacOS
• Version: Big Sur 11.0.1

What steps will reproduce the bug?

• Cloned my Fork
• Made a few changes to tests (var to let/const)
• Ran the Test Suite ./configure && make -j4 test

How often does it reproduce? Is there a required condition?

This happened twice.
First time, I did not allow. Simply force closed vscode.
I wanted to try again to get a screenshot this time.
So I ran the test suite a second time, got the screenshot and allowed the application to get incoming calls.

What is the expected behavior?

One popup must be enough.

What do you see instead?

I see 10s of popups. They keep increasing. 1 every 5-10 seconds.

Additional information

The only way to make it stop is to force close vscode. The popups just keep coming.

[cjihrig]

If you run tools/macos-firewall.sh before the test suite it should help.

[Trott]

This depends on your firewall settings. It doesn't seem to happen on a default macOS setup, but tends to happen if you have a managed macOS machine or if the firewall settings are otherwise adjusted to be sufficiently strict.

I don't think there's much to do about this other than perhaps document the existence of tools/macos-firewall.sh a bit more prominently than it's currently documented?

I'm going to close this but feel free to comment or re-open if you think there's more to discuss and/or more to do here.

[marsonya]

I realise that tools/macos-firewall.sh will solve this issue and I do have custom firewall config on my system.
But my intention of creating this issue was to bring the infinite popups to your notice.
In my opinion, even if I have not run the tools/macos-firewall.sh, I should see only one popup.

[Trott]

In my opinion, even if I have not run the tools/macos-firewall.sh, I should see only one popup.

I'm not sure how we'd achieve that unless we run all the tests that require network access with a single invocation of node.

[marsonya]

I followed the BUILDING.md file along with the feedback in this discussion.

I built node.js using make. It was successful, or at least I think so. This is how my build ended in terminal:-

After that, I executed tools/macos-firewall.sh but this is what happens:-

Regardless, I ran the tests. The popups showed. All of em.

Am I missing something?

More Information:-
OS: macOS Big Sur

[Trott]

The output you show is expected. (I know it looks like a bunch of errors and brokenness, but I think what the script does is try everything possible, and only one or two of those are supposed to succeed.)

I think the docs may incorrectly be specifying to run the script with sudo. I run it without sudo and it works. Any chance running it without sudo works for you?

[Trott]

@danbev

[marsonya]

The output you show is expected. (I know it looks like a bunch of errors and brokenness, but I think what the script does is try everything possible, and only one or two of those are supposed to succeed.)

I think the docs may incorrectly be specifying to run the script with sudo. I run it without sudo and it works. Any chance running it without sudo works for you?

It works without sudo for me. Getting the same output I shared above.

[danbev]

Perhaps there is some change required for macOS Big Sur though for this script to work with it. Unfortunately I'm no longer using a mac and don't really have a good way to test/fix this 😞

[Trott]

It works without sudo for me. Getting the same output I shared above.

When you say it works without sudo, does that mean that running it without sudo means you no longer get all those dialogue boxes when running tests? If so, then the fix here I guess is to update the documentation. I'm not sure if the answer is to remove sudo or to suggest that it may require omitting sudo. (Like I said, I never run it with sudo.)

As for the output, it has always been that way, so I'm not too concerned about that (although if someone wants to fix it without affecting the script working across various macOS versions, then great).

[marsonya]

It works without sudo for me. Getting the same output I shared above.

When you say is works without sudo, does that mean that running it without sudo means you no longer get all those dialogue boxes when running tests? If so, then the fix here I guess is to update the documentation. I'm not sure if the answer is to remove sudo or to suggest that it may require omitting sudo. (Like I said, I never run it with sudo.)

As for the output, it has always been that way, so I'm not too concerned about that (although if someone wants to fix it without affecting the script working across various macOS versions, then great).

Unfortunately, running the script with or without sudo did not help. I am still seeing the popups.
On a side note, the tests are running without any problems as the popups keep coming.

[Trott]

Unfortunately, running the script with or without sudo did not help. I am still seeing the popups.
On a side note, the tests are running without any problems as the popups keep coming.

@marsonya What command are you using to run the tests?

[Trott]

@marsonya What is the output of /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate?

[marsonya]

Unfortunately, running the script with or without sudo did not help. I am still seeing the popups.
On a side note, the tests are running without any problems as the popups keep coming.

@marsonya What command are you using to run the tests?

I am using make -j4 test to run tests.

[marsonya]

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

This is the output on running it
Firewall is enabled. (State = 1)

[Trott]

This is the output on running it
Firewall is enabled. (State = 1)

Hmmm.. OK, in that case, what is the output of running each of these six commands in turn?

whoami
ls -l node
ls -l /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --remove /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /Users/akhil/OpenSourceContributions/node/out/Release/node

[Trott]

I am using make -j4 test to run tests.

It's possible that make -j4 test could build a new binary, requiring you to run the macos-firewall.sh script again.

[marsonya]

whoami
ls -l node
ls -l /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --remove /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Users/akhil/OpenSourceContributions/node/out/Release/node
/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /Users/akhil/OpenSourceContributions/node/out/Release/node

[Trott]

I've updated my personal laptop to Big Sur in the hopes of being able to figure out what's going on with this. I need to rebuild node and do some other things. More soon.

[Trott]

I see at https://developer.apple.com/forums/thread/666222?answerId=646899022#646899022 that @Qard has run into this problem. Maybe he knows something more than what we've figured out so far.

[Trott]

I see at https://developer.apple.com/forums/thread/666222?answerId=646899022#646899022 that @Qard has run into this problem. Maybe he knows something more than what we've figured out so far.

Based on that thread, it appears this may be a bug in Big Sur that may be fixed in an upcoming update.

[Trott]

Can confirm that now that I've updated to Big Sur, I'm seeing the same behavior. And it sure seems like a Big Sur bug.

[marsonya]

Can confirm that now that I've updated to Big Sur, I'm seeing the same behavior. And it sure seems like a Big Sur bug.

Apple patching up Big Sur might take some time.
Is there an alternative for the meantime? Something that can be done manually?

[Trott]

Apple patching up Big Sur might take some time.
Is there an alternative for the meantime? Something that can be done manually?

I'm not sure if any or all of these will work, but you can try:

1: You can go to System Preferences -> Security & Privacy -> Firewall -> Firewall Options and use the GUI to add your node binary and set it to "Allow incoming connections".

2: I just tried this and it worked, surprisingly to me. tools/test.py test/parallel/test-http will run one test that results in the dialogue box. I clicked "Allow" after the test finished and subsequent test runs did not result in the dialogue box showing up. I won't be surprised if that doesn't work, but it sure seemed to work for me.
¯\(ツ)/¯

3: Last resort, not recommended, but you can turn off the firewall entirely either from the command line or in the System Preferences -> Security & Privacy -> Firewall GUI.

[marsonya]

Apple patching up Big Sur might take some time.
Is there an alternative for the meantime? Something that can be done manually?

I'm not sure if any or all of these will work, but you can try:

1: You can go to System Preferences -> Security & Privacy -> Firewall -> Firewall Options and use the GUI to add your node binary and set it to "Allow incoming connections".

2: I just tried this and it worked, surprisingly to me. tools/test.py test/parallel/test-http will run one test that results in the dialogue box. I clicked "Allow" after the test finished and subsequent test runs did not result in the dialogue box showing up. I won't be surprised if that doesn't work, but it sure seemed to work for me.
¯_(ツ)_/¯

3: Last resort, not recommended, but you can turn off the firewall entirely either from the command line or in the System Preferences -> Security & Privacy -> Firewall GUI.

node is already set in Firewall Options. So 1 doesn't work for me.
I tried 2. Did not work.
I am uncomfortable with 3 :)

So, for the time being, I will just let the popups appear when I am running the full test suite. Takes like 5 mins only anyways. The popups are not at all a big problem when running tests for a specific subsystem. So that's a relief.

I really appreciate you looking into this and thanks for the options :)

[Trott]

node is already set in Firewall Options. So 1 doesn't work for me.

I imagine it says "Allow incoming connections" rather than "Block incoming connections". If not, definitely change it to "Allow".

If that doesn't work, one last thing to try might be to remove it and re-add it, just in case it's been added at a different path or something like that.

[marsonya]

I imagine it says "Allow incoming connections" rather than "Block incoming connections". If not, definitely change it to "Allow".

It did say "Allow Incoming connections". But did not work earlier.

If that doesn't work, one last thing to try might be to remove it and re-add it, just in case it's been added at a different path or something like that.

Then, I took your suggestion. Removed node and cctest from firewall options and added them again.
It worked like a Charm. Thanks.

[anonrig]

I'm having somehow a similar issue, where I believe running make -j8 test creates a new executable, and therefore dismisses the integrity check on the firewall and invalidates the tools/macos-firewall.sh changes on macOS Monterey 12.4 on M1. The only thing worked for me is to disable the firewall, but I'm interested in a better alternative. Anyone solved this?