Virtual-environments: allow incoming network connections

Created on 2 Jun 2020 · 15 Comments · Source: actions/virtual-environments

Describe the bug
When running UI tests for our Mac app, we start the service that triggers a firewall permissions alert.

Area for Triage:
Apple, Servers
Question, Bug, or Feature?:
Bug

Virtual environments affected

  • [X] macOS 10.15
  • [ ] Ubuntu 16.04 LTS
  • [ ] Ubuntu 18.04 LTS
  • [ ] Windows Server 2016 R2
  • [ ] Windows Server 2019

Expected behavior
Firewall rules to allow incoming connections or options to allow some.

Actual behavior
A description with steps to reproduce the issue. If you have a public example or repo to share,
please provide the link.

  1. start a server from action
  2. see firewall alert


Image administration macOS awaiting-deployment bug

All 15 comments

@paulz could you please provide steps to reproduce the issue? It'll ease the debug process

Thank you for looking into the issue, Mike.
Could you access our project here: https://github.com/sparta-science/scan-app/runs/729912285?

@paulz unfortunately not

@paulz by the way, is your app signed?
https://support.apple.com/en-us/HT201642

And as a workaround, could you try to add this line as the first step of your workflow?
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

The app is signed using a development certificate, but we need the ability to download and run Elixir components, which are not signed.

Here is what we tried:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
which works on a local machine, but did not help on virtual-environments macOS.

Will try your suggestion again later.

We are looking for a way to have either a configuration option or an action that can control firewall settings.

Here are the steps to reproduce the issue:

We start the Python server that comes with the image as part of our UI tests:
https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

by running:
python -m SimpleHTTPServer
see in our action:
https://github.com/sparta-science/connect/actions/runs/124159981/workflow#L23

and we get firewall popup, see the screenshot below:
GitHubActionMacOSFirewallBlocksOurUITests

And as a workaround, could you try to add this line as the first step of your workflow?
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

We tried that workaround, still seeing the firewall prompt, so it did not work for us, see this run:

https://github.com/sparta-science/connect/suites/752598440/artifacts/7743970
GitHub Actions says it's successful, but the test is actually failing and the screenshot is the same.

If you want to download the artifacts, expand the zip and rename the folder with the extension .xcresult
so you can open it in Xcode and see the screenshots and steps.

@paulz, Hi. Could you please run socketfilterfw with sudo?

  1. setglobalstate with sudo
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

  2. add application to the list

# coreutils provides realpath, used to resolve the symlink returned by which
brew install coreutils
app=$(realpath "$(which python)")
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "$app"
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp "$app"
python -m SimpleHTTPServer

or
# resolve the path without installing coreutils
app=$(python -c "import os; print(os.path.realpath('$(which python)'))")

Thank you, we tried that:
https://github.com/sparta-science/connect/runs/739669606?check_suite_focus=true

Run sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
Firewall already disabled
==> Downloading https://homebrew.bintray.com/bottles/coreutils-8.32.catalina.bottle.tar.gz
==> Downloading from https://akamai.bintray.com/67/67a4452d75a1882bd7fb977b384204edfa2758276d66290e595487922368e093?__gda__=exp=1591296496~hmac=38dc0ae6503bc9b463b487ed9c5208ad3da3c2e8809ca47df269aedc581f0504&response-content-disposition=attachment%3Bfilename%3D%22coreutils-8.32.catalina.bottle.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX19XYQsk8Uiwukag-wRfIX_x_9doVauYhYSN2Z01eo68JKSBqanBRXqEdsf-ZBLD_XhAb4hC3XcPSYc5OlW9-a4IR3ug1vSeU8YEnWCCU99N5xsIu2psbcGe2TPW_OUiihEain5Dp1rpsw&response-X-Checksum-Sha1=a3e01de37be8190b04bc7f39398272fb9ee30f2f&response-X-Checksum-Sha2=67a4452d75a1882bd7fb977b384204edfa2758276d66290e595487922368e093
==> Pouring coreutils-8.32.catalina.bottle.tar.gz
==> Caveats
Commands also provided by macOS have been installed with the prefix "g".
If you need to use these commands with their normal names, you
can add a "gnubin" directory to your PATH from your bashrc like:
  PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
==> Summary
🍺  /usr/local/Cellar/coreutils/8.32: 476 files, 9.2MB
Application at path ( /usr/local/Cellar/python@2/2.7.17_1/Frameworks/Python.framework/Versions/2.7/bin/python2.7 ) added to firewall
Incoming connection to the application is permitted 

Still seeing the popup:
Screenshot_34B15652-47C9-4887-A564-DE267BDE4EB7

which mentions Python.app. Could this be a different Python than /System/Library/Frameworks/Python.framework/Versions/2.7/bin/python2.7?

@paulz, Check please with strict path:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
# the app bundle named in the alert, not the bin/python2.7 launcher
app="/usr/local/Cellar/python@2/2.7.17_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app"
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "$app"
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp "$app"

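Added example, not part of the thread or of the runner image's own scripts: the alert names Python.app, while `which python` resolves to the bin/python2.7 launcher, so the allowlist entry has to be the bundle. The sketch below derives that bundle path and allowlists only it, leaving the global firewall state untouched; the function names and the DRY_RUN switch are assumptions made for this example, and the framework layout is assumed to match the paths shown in the log and command above.

```shell
#!/usr/bin/env bash
# Added example: allowlist the app bundle that macOS prompts for, rather than
# the bin/ launcher path. Function names and DRY_RUN are hypothetical.

FW="${FW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Sample input taken from the log in the thread (the launcher that was added
# to the firewall without stopping the prompt).
SAMPLE_BIN="/usr/local/Cellar/python@2/2.7.17_1/Frameworks/Python.framework/Versions/2.7/bin/python2.7"

# Map .../Python.framework/Versions/X.Y/bin/<name> to the
# .../Versions/X.Y/Resources/Python.app bundle. Returns 1 and prints nothing
# when the path is not inside a Python.framework version directory.
python_app_bundle() {
  case "$1" in
    */Python.framework/Versions/*/bin/*)
      printf '%s/Resources/Python.app\n' "${1%/bin/*}" ;;
    *)
      return 1 ;;
  esac
}

# Add one app to the firewall list and permit its incoming connections.
# With DRY_RUN=1 the commands are printed instead of executed.
allow_incoming() {
  local app="$1" flag
  for flag in --add --unblockapp; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'sudo %s %s "%s"\n' "$FW" "$flag" "$app"
    else
      sudo "$FW" "$flag" "$app" || return 1
    fi
  done
}

# Show the plan for the sample path. On a macOS runner, call
# allow_incoming without DRY_RUN to apply it.
if bundle=$(python_app_bundle "$SAMPLE_BIN"); then
  DRY_RUN=1 allow_incoming "$bundle"
fi
```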

Thank you, @al-cheb it helped, no more firewall popups.

Test still fails:
https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

Because now we have another popup blocking UITests:
Screenshot_5C5C9277-CFB4-4D50-A9CB-C54C9CA458A2
The name of your computer is already in use on this network. Guess it's another issue.

Thank you!

@paulz, Thank you.
Could you please test a firewall popup window with the settings?

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k

How to close notification window?

# Close Finder
launchctl unload /System/Library/LaunchAgents/com.apple.Finder.plist
# Close Notification window
killall UserNotificationCenter

The name of your computer is already in use on this network.

We are planning to roll out a new image version with a fix for the window in one or two weeks.

Yes, that looks like it worked, thank you @al-cheb

We have first successful test: https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

I had to change
killall UserNotificationCenter
to
killall UserNotificationCenter || true
as it sometimes fails with process not found

Looking forward to the new macOS image!

We've deployed the image with Apple Script support, and we implemented an image build step that closes all Finder windows at the end of the build, so there are no more windows at the beginning of the workflow, except the one about the same computer name:
https://github.com/actions/virtual-environments/issues/978
I'm going to close the issue, but feel free to contact us if you have any concerns.
