New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tee: /etc/exports: Operation not permitted on macOS 10.14 Mojave with nfs exports #10234

Open
chregu opened this Issue Sep 24, 2018 · 32 comments

Comments

Projects
None yet
@chregu
Contributor

chregu commented Sep 24, 2018

On macOS 10.14 Mojave (official release from the app store) vagrant doesn't seem to be able to write to /etc/exports anymore while trying to make a NFS mount. root isn't allowed to do that anymore due to
System Integrity Protection. Disabling that permanently certainly isn't a solution, but helps to at least get back an /etc/exports file with all the needed entries.

Vagrant version

Vagrant 2.1.5

Host operating system

macOS 10.14 Mojave

Guest operating system

Linux, but doesn't matter, it fails bevore

Vagrantfile

Not important

Debug output

tee: /etc/exports: Operation not permitted
tee: /etc/exports: Operation not permitted
tee: /etc/exports: Operation not permitted

Expected behavior

It can write to /etc/exports

Actual behavior

It can't due to Mojave's apparently extended System Integrity Protection.

Steps to reproduce

  1. Install maxOS 10.14 Mojave
  2. vagrant up on a Vagrantfile with nfs mounts

References

https://groups.google.com/forum/#!topic/vagrant-up/iqyaZNpcyzM

@karlshea

This comment has been minimized.

karlshea commented Sep 24, 2018

You also can't just create the file with SIP disabled and then re-enable it. The file with the correct entries is there, but when it tries to mount it you just get an error:

mount -o vers=3 192.168.88.1:/<path> /var/www
mount.nfs: requested NFS version or transport protocol is not supported

showmount also returns errors:

showmount: Cannot retrieve info from host: 192.168.88.1: RPC: Program not registered
@chregu

This comment has been minimized.

Contributor

chregu commented Sep 24, 2018

Oh no, you're right. my /etc/exports was removed again, it's not there anymore at least... I guess some SIP process removed that again.. No idea how one is supposed to add exports to nfs nowadays.

@kamilgrzegorczyk

This comment has been minimized.

kamilgrzegorczyk commented Sep 24, 2018

I have same exact issue.

@chregu

This comment has been minimized.

Contributor

chregu commented Sep 24, 2018

The only real - but hopefully only temporary - solution I know of right now is to switch to "VirtualBox Shared Folders" with removing the nfs entries in your Vagrantfile. At least, your boxes works then again, slower maybe, but they do work. Or rsync, but I didn't test that.

@kamilgrzegorczyk

This comment has been minimized.

kamilgrzegorczyk commented Sep 24, 2018

I made the same fix - reverted to "default" sync type in my puPHPet config.yaml
Obviously it won't be so performant as NFS but will do for now.

It looks like we have again issues with NFS popping up after new system release (there were plenty of issues with NFS after High Sierra upgade).

@briancain

This comment has been minimized.

Member

briancain commented Sep 24, 2018

If rsync or virtualbox/vmware shared folders aren't an option, you can also use smb on macOS to sync folders as a temporary work around.

@karlshea

This comment has been minimized.

karlshea commented Sep 25, 2018

So this is what I've discovered:

It's not actually SIP or rebooting that's deleting /etc/exports after it's been created, it's Vagrant restarting the ntpd service (maybe that call is also now wrong? the file is moved to /etc/exportsbak, and then /etc/exports doesn't exist anymore).

If /etc/exports contains the correct items, and you pass nfs_export: false to the config.vm.synced_folder method in the options array so Vagrant leaves it alone, everything works fine (it must be false for every synced folder).

I figured this out because NFS Manager is compatible with Mojave and can edit /etc/exports through its GUI interface. When I recreated the correct items (while SIP is enabled) in the GUI and then afterwards did a vagrant up everything just worked right away.

What the Vagrant developers might want to look into is how NFS Manager is doing its job. There's a helper utility that you have to grant permissions to that it installs at /Library/PrivilegedHelperTools/NFSManager-PrivilegedTool, and then you add it to System Preferences > Security & Privacy > Privacy > Full Disk Access. Afterwards you'll get a password prompt when it tries to write to the file, but it will succeed and nfsd picks up the settings.

I tried just adding the vagrant binary but that didn't work. I'm guessing it has to be the actual script executing the commands and I'm not sure exactly what that is.

@vuongggggg

This comment has been minimized.

vuongggggg commented Sep 25, 2018

I've disabled SIP and it works. But I assumed that's just a temp solution https://support.accountek.com/support/solutions/articles/6000101816-odb-1-61d-install-disabling-sip-system-integrity-protection-on-mac-os-el-capitan-10-11-

Just note for normal users who have updated to the new version of macOS and got the same problem with Vagrant.


THIS IS A NOT-GOOD SOLUTION, please continue to scrolling and see more comments.

@ruudk

This comment has been minimized.

ruudk commented Sep 25, 2018

Same issue here... It's weird that it works on my Macbook with latest public beta (GM) without issues. Just updated my iMac and that one doesn't work.

@hjemmesidekongen

This comment has been minimized.

hjemmesidekongen commented Sep 25, 2018

I can confirm that disabling SIP works. Thanks @vuongggggg

@JohnYeohMY

This comment has been minimized.

JohnYeohMY commented Sep 25, 2018

Disabling SIP works for me too. Recommend everyone to do the same.

@chregu

This comment has been minimized.

Contributor

chregu commented Sep 25, 2018

You really should NOT disable SUP permanently. There's a reason for it being there and even extended now:

Don’t do this unless you have a very good reason to do so and know exactly what you’re doing! Most users won’t need to disable this security setting. It’s not intended to prevent you from messing with the system — it’s intended to prevent malware and other badly behaved programs from messing with the system

(From https://www.howtogeek.com/230424/how-to-disable-system-integrity-protection-on-a-mac-and-why-you-shouldnt/ )

@ruudk

This comment has been minimized.

ruudk commented Sep 25, 2018

This fixed it for me:
https://twitter.com/jordanpittman/status/1044374223664361473

screenshot 2018-09-25 at 13 26 26

screenshot 2018-09-25 at 13 22 05

Weird thing is, that my Macbook only needed it to be at Accessibility, and not Full Disk access.

@ruudk

This comment has been minimized.

ruudk commented Sep 25, 2018

When doing vagrant up in the regular Mac Terminal app I get:
screenshot 2018-09-25 at 13 35 45

After clicking OK it works without issues.

I guess this issue is with iTerm2.

@chregu

This comment has been minimized.

Contributor

chregu commented Sep 25, 2018

Great, adding Full Disk Access to iTerm did it for me too. That's the best approach yet, IMHO. iTerm should have Full Disk Access anyway, I assume :)

@dizballanze

This comment has been minimized.

dizballanze commented Sep 25, 2018

If you are using tmux, you should allow it as well.

@karlshea

This comment has been minimized.

karlshea commented Sep 25, 2018

Omg I didn't even think of trying to just add iTerm.

@DrLongGhost

This comment has been minimized.

DrLongGhost commented Sep 27, 2018

Thanks to everyone for the info. I'll attempt to summarize for everyone (though I may get some specifics wrong):

  • The Mojave upgrade removes/disables NFS, resulting the /etc/exports being renamed to /etc/exportsbak
  • Instead of moving the file back, it is recommended to use the NFS Manager to recreate the share (Directions for this provided above and on their page)
  • It is also necessary to go into OS-X settings and grant one of the NFS Manager's helper scripts and iTerm2 (or whatever terminal you use) full access to your file system. Again, directions are provided above.
  • Once you've got these things set up, restart your terminal, reload the vagrant box and NFS should be working again.
@chregu

This comment has been minimized.

Contributor

chregu commented Sep 27, 2018

Just the 3rd and 4th point seems to be enough. Vagrant will recreate/modify your exports file anyway

@42pe

This comment has been minimized.

42pe commented Sep 27, 2018

When doing vagrant up in the regular Mac Terminal app I get:
screenshot 2018-09-25 at 13 35 45

After clicking OK it works without issues.

I guess this issue is with iTerm2.

I get this but mine says "Alfred", which in turn is what started VSCode, which is where I start vagrant (with the terminal Window). I hit ok, and it works fine.

@karlshea

This comment has been minimized.

karlshea commented Sep 28, 2018

Thanks to everyone for the info. I'll attempt to summarize for everyone (though I may get some specifics wrong)

All of that will work, but if I do none of that except give iTerm Full Disk Access then everything works as before.

@ahmedelgabri

This comment has been minimized.

ahmedelgabri commented Oct 1, 2018

The Mojave upgrade removes/disables NFS, resulting the /etc/exports being renamed to /etc/exportsbak

That's not the case with a fresh install, I don't have /etc/exports or /etc/exportsbak files anywhere & I can't create one too.

Tried with sudo vi /etc/exports & sudo touch /etc/exports still didn't allow me to create the file

Edit: a system restart fixed the creation part & now everything works fine.

@digitalbridge

This comment has been minimized.

digitalbridge commented Oct 2, 2018

If you are using tmux, you should allow it as well.

How did you allow tmux? you cannot choose it from GUI.

@dizballanze

This comment has been minimized.

dizballanze commented Oct 2, 2018

If you are using tmux, you should allow it as well.

How did you allow tmux? you cannot choose it from GUI.

I created a symlink to /usr/local/bin where tmux binary is located on my machine:

ln -s /usr/local/bin /Users/.../localbin

After that you can choose it from GUI

@acodeninja

This comment has been minimized.

acodeninja commented Oct 4, 2018

If you are using tmux, you should allow it as well.

How did you allow tmux? you cannot choose it from GUI.

I created a symlink to /usr/local/bin where tmux binary is located on my machine:

ln -s /usr/local/bin /Users/.../localbin

After that you can choose it from GUI

No need to make any links, in recent versions of macOS you can view all hidden files using cmd + shift + .. In the finder window just cmd + up until you get to the root of the hard drive then dive down into /usr/local/bin.

@dmt0

This comment has been minimized.

dmt0 commented Oct 5, 2018

@mfn

This comment has been minimized.

mfn commented Oct 8, 2018

All of that will work, but if I do none of that except give iTerm Full Disk Access then everything works as before.

This is also my experience. Until I manually gave iTerm2 the full disk access, I could not get it working.

@lcharette

This comment has been minimized.

lcharette commented Oct 14, 2018

When doing vagrant up in the regular Mac Terminal app I get:
screenshot 2018-09-25 at 13 35 45

After clicking OK it works without issues.

I guess this issue is with iTerm2.

I've got the same thing on iMac + MacBook Air. Adding Terminal (or whatever launch the vagrant up command, ie Vagrant Manager, VSCode...) to the "Full Disk Access" privacy settings like @ruudk suggested will get rid of this warning.

@xnt

This comment has been minimized.

xnt commented Oct 16, 2018

Just a heads up that another thing I had to do, in addition to @ruudk 's fabulous fix, was updating VirtualBox.

5.2.10 won't run (but you won't know it unless you try to boot up VirtualBox, not Vagrant). 5.2.18 does the trick. Not sure of which version inbetween is the magic one.

VirtualBox download link.

@aibolik

This comment has been minimized.

aibolik commented Nov 12, 2018

@ruudk thank you much. That tweet fixed for me. Actually only Full Disk access is enough

@mager

This comment has been minimized.

mager commented Nov 16, 2018

I love that everyone is using Dark Mode. Setting Full Disk Access on iTerm2 worked for me.

@Bonemeijer

This comment has been minimized.

Bonemeijer commented Nov 26, 2018

Fixed it for me too.
To help future Googlers, this is how you give iterm full disk access https://gitlab.com/gnachman/iterm2/wikis/fulldiskaccess

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment