Failure writing temporary files in MacOS X's /var/folders #3576

Closed
herbelin opened this Issue Oct 3, 2018 · 7 comments

herbelin commented Oct 3, 2018

Hi, after upgrading to opam 2.0.0, I get fatal couldn't create cache file '/var/folders/...' and unable to open output file '/var/folders/...' errors on MacOS 10.11.1 for many packages (e.g. ocamlfind, ocamlbuild, camlp5, ...). This is apparently due to sandboxing permissions, since, if I add the line add_mounts rw "/var/folders/my/local_cryptic_name_folder" to sandbox.sh, it stops failing. However, I have no idea what is the right thing to do. Do you have an idea whether this is a problem of configuration specifically on my installation or an opam-level problem? For instance, what are the policies wrt temporary files, their location, and their permissions?

opam config report gives:

# opam config report
# opam-version      2.0.0 
# self-upgrade      no
# system            arch=x86_64 os=macos os-distribution=homebrew os-version=10.11.1
# solver            builtin-mccs+glpk
# install-criteria  -removed,-count[version-lag,request],-count[version-lag,changed],-changed
# upgrade-criteria  -removed,-count[version-lag,solution],-new
# jobs              4
# repositories      5 (http), 1 (local), 2 (version-controlled) (default repo at d25a75a2)
# pinned            0
# current-switch    4.06.1

herbelin commented Oct 3, 2018

After further investigations, the problem comes from TMPDIR being undefined (for some reason my shell rc file used to unset TMPDIR, I don't remember why I did so at some time, maybe because I inherited the rc file from a non-MacOS X setting).

So, I think the issue can be reduced to the question of whether opam on MacOS X wants to be robust wrt the absence of TMPDIR or not. Apparently, some tools use /var/folders even when TMPDIR is not set (this is apparently the case of m4, make). On its side, ocamlopt apparently uses both /var/folders and tmp since one of the errors I got was:

ocamlopt -I +compiler-libs -g -opaque -c findlib_config.ml
# error: unable to open output file '/var/folders/pj/crqn1jtj2_g8ss7_zkx8tv_h0000gn/T/camlasm6f6860-a22732.s': 'Operation not permitted'
# 1 error generated.
# File "findlib_config.ml", line 1:
# Error: Assembler error, input left in file /tmp/camlasm6f6860.s

So, from the moment makefiles know how to rely on /var/folders even when TMPDIR is not set, I would say that opam should know also. But one can also adopt the point of view that TMPDIR is not supposed to be undefined.

rjbou commented Oct 3, 2018

Thanks for reporting.
On MacOS X, the TMPDIR var is rw mounted, but when undefined the default value is /tmp.
It appears that /var/folders is used for caching, but it should be defined in the TMPDIR (according to this blog post). As there is randomisation on this folder, it is not possible to just give rw permission to the specific session folder.
One solution would be, in case TMPDIR is undefined, get the information from DARWIN_USER_TEMP_DIR or DARWIN_USER_CACHE_DIR. Can you check that they are well defined even if you changed the default setup?
If a MacOS user has a suggestion, or an objection / validation, it's very welcome!

Note that on the linux script, we added the variable OPAM_USER_PATH_RO (cf. #3540 & #3534), in order to let users locate their opam root in unusual paths (but not useful for build, which needs to be rw).

herbelin commented Oct 3, 2018

> One solution would be, in case TMPDIR is undefined, get the information from DARWIN_USER_TEMP_DIR or DARWIN_USER_CACHE_DIR. Can you check that they are well defined even if you changed the default setup?

Yes, they are (via getconf):

% getconf DARWIN_USER_TEMP_DIR
/var/folders/pj/crqn1jtj2_g8ss7_zkx8tv_h0000gn/T/
% getconf DARWIN_USER_CACHE_DIR
/var/folders/pj/crqn1jtj2_g8ss7_zkx8tv_h0000gn/C/

The following patch e.g. works, whether TMPDIR is defined or not:

# TMPDIR unset: allow the per-user temp dir reported by getconf, and /tmp
if [ -z "${TMPDIR+x}" ]; then
  TMP=$(getconf DARWIN_USER_TEMP_DIR)
  add_mounts rw "$TMP"
  add_mounts rw /tmp
else
  add_mounts rw "$TMPDIR"
fi

Both DARWIN_USER_TEMP_DIR and /tmp need to be added because some applications suspectingly rely on TMPDIR (and thus, not finding it, use /tmp) while others get the /var/folders name differently (by getconf or C++'s NSTemporaryDirectory presumably).
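
The fallback discussed above, as an added shell example (not part of the original comment and not opam's own script): it picks the writable temp directories for a sandbox-exec profile and emits one write rule per directory. The function names and the GETCONF override are hypothetical; going beyond the snippet above, it treats an empty or unusable TMPDIR like an unset one, resolves symlinks, and refuses paths that would break out of the quoted string in the profile.

```shell
#!/bin/sh
# Added example. GETCONF is a hypothetical override so the logic can be
# exercised on a machine that has no DARWIN_USER_TEMP_DIR.
GETCONF=${GETCONF:-getconf}

# Print the symlink-free path of an existing absolute directory.
# Fail for relative paths, non-directories, and paths containing a double
# quote or backslash, which could alter the generated profile rule.
real_dir() {
    case "$1" in /*) ;; *) return 1 ;; esac
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    case "$d" in *'"'*|*'\'*) return 1 ;; esac
    printf '%s\n' "$d"
}

# Print, one per line, the directories that should be writable.
sandbox_tmp_dirs() {
    # TMPDIR set and usable: it is the only temp directory needed.
    if [ -n "${TMPDIR:-}" ] && real_dir "$TMPDIR"; then
        return 0
    fi
    # Otherwise: the per-user temp dir from getconf (if any), plus /tmp,
    # since tools that find no TMPDIR may use either one.
    if user_tmp=$("$GETCONF" DARWIN_USER_TEMP_DIR 2>/dev/null); then
        real_dir "$user_tmp" || true
    fi
    real_dir /tmp
}

# Turn the directory list into sandbox-exec profile rules.
sandbox_tmp_rules() {
    sandbox_tmp_dirs | while IFS= read -r dir; do
        printf '(allow file-write* (subpath "%s"))\n' "$dir"
    done
}
```

Calling sandbox_tmp_rules prints the rules to splice into the profile; only the directories listed become writable, so the rest of /var/folders stays read-only to the build.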

rjbou commented Oct 10, 2018

Thanks for the check!
Would you like to do a PR with those changes?

herbelin commented Oct 10, 2018

I can make a PR but I can't certify it works on all intended installations. In particular, sandbox_exec.sh seems to be used also on Linux, so, I suppose that a test on the architecture must be done before calling getconf DARWIN_USER_TEMP_DIR and I don't know what the right way to do it is.

rjbou commented Oct 10, 2018

Sorry, I forgot to give you some indications.
Indeed, the file to change is sandbox_exec.sh, it is the one for MacOS users, that uses sandbox-exec. Linux one is bwrap.sh.
What is confusing is that when installed via opam init, they both are named sandbox.sh in the opam root.

herbelin commented Oct 10, 2018

Ah, ok, that's simpler then.

@rjbou rjbou closed this Feb 4, 2019

@rjbou rjbou added this to the 2.0.4 milestone Mar 28, 2019
