
Scheduling not working for local network targets on macOS 15 (Sequoia)

Open fhemberger opened this issue 8 months ago • 9 comments

Not a bug in resticprofile, but documented the issue as it affects scheduling on macOS.

Apple introduced a new security feature on macOS Sequoia, which disables local network connections for applications by default. To re-enable access to backup locations and Prometheus pushgateway endpoints on your local network, you'll need to add resticprofile under Privacy and Security > Local Network, “Allow applications to find and communicate with devices on the local network”.

This works fine when you run resticprofile directly from your terminal, but running the exact same command via launchd scheduling will block the network connection:

launchd(8) log

2025-04-01 14:00:34.500905 <Notice> internal event: WILL_SPAWN, code = 0
2025-04-01 14:00:34.500934 <Notice> service state: spawn scheduled
2025-04-01 14:00:34.500937 <Notice> service state: spawning
2025-04-01 14:00:34.501003 <Notice> launching: one-shot
2025-04-01 14:00:34.502819 <Notice> xpcproxy spawned with pid 75670
2025-04-01 14:00:34.502845 <Notice> internal event: SPAWNED, code = 0
2025-04-01 14:00:34.502849 <Notice> service state: xpcproxy
2025-04-01 14:00:34.502893 <Notice> internal event: SOURCE_ATTACH, code = 0
2025-04-01 14:00:34.533344 <Notice> service state: running
2025-04-01 14:00:34.533369 <Notice> internal event: INIT, code = 0
2025-04-01 14:00:34.533454 <Notice> Successfully spawned resticprofile[75670] because one-shot
2025-04-01 14:00:34.833598 <Notice> exited due to exit(1), ran for 331ms
2025-04-01 14:00:34.833607 <Notice> service state: exited
2025-04-01 14:00:34.833612 <Notice> internal event: EXITED, code = 0
2025-04-01 14:00:34.833617 <Notice> service inactive: local.resticprofile.full-backup.backup
2025-04-01 14:00:34.833628 <Notice> service state: not running

scheduling log

2025/04/01 14:00:34 INFO  profile 'full-backup': initializing repository (if not existing)
2025/04/01 14:00:34 INFO  profile 'full-backup': starting 'backup'
Fatal: unable to open config file: Stat: Get "https://<minio ip>:9000/restic/?location=": dial tcp <minio ip>:9000: connect: no route to host
Is there a repository at the following location?
s3:https://<minio ip>:9000/restic/<host>
2025/04/01 14:00:34 ERROR backup on profile 'full-backup': exit status 1

I found some general documentation about the change in an Apple Developer Technote, but so far there doesn't seem to be a way for a user to explicitly allow local network connections for a single launchd task.

Apr 01 '25 12:04 fhemberger
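
A triage sketch for the symptom in the scheduling log above, added here as an example and not part of the issue thread or of resticprofile: it flags `no route to host` dial errors whose target is an RFC 1918, link-local or IPv6 unique-local address, which is the pattern this issue reports for launchd-scheduled runs. The address ranges, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: "local network" is approximated by these ranges (added example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10", "fc00::/7",         # link-local, IPv6 ULA
)]

# Go net error as printed by restic in the scheduling log, e.g.
#   dial tcp 192.168.1.20:9000: connect: no route to host
DIAL_RE = re.compile(
    r"dial tcp \[?(?P<host>[0-9A-Fa-f:.]+)\]?:(?P<port>\d+): "
    r"connect: (?P<err>[a-z ]+)"
)

def is_local_target(host):
    """True if host is an IP literal inside one of LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here
    return any(addr in net for net in LOCAL_NETS)

def triage(log_text):
    """One finding per failed dial; 'suspect' = local target + no route to host."""
    findings = []
    for line in log_text.splitlines():
        m = DIAL_RE.search(line)
        if m is None:
            continue
        err = m["err"].strip()
        findings.append({
            "target": f'{m["host"]}:{m["port"]}',
            "error": err,
            "suspect": is_local_target(m["host"]) and err == "no route to host",
        })
    return findings

# Constructed sample lines (addresses are placeholders, not from the issue).
SAMPLE_LOG = """\
Fatal: unable to open config file: Stat: Get "https://192.168.1.20:9000/restic/?location=": dial tcp 192.168.1.20:9000: connect: no route to host
Fatal: unable to open config file: Stat: Get "https://192.168.1.20:9000/restic/?location=": dial tcp 192.168.1.20:9000: connect: connection refused
Fatal: unable to open config file: Stat: Get "https://203.0.113.10:9000/restic/?location=": dial tcp 203.0.113.10:9000: connect: no route to host
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `suspect` finding from a scheduled run that succeeds when the same command is started from a terminal matches the behaviour described in this issue; `connection refused` on a local target points at the service instead.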

Thanks for the information; I didn't notice the issue as I'm only pushing backups to the cloud actually 😐

... and that's annoying. Their security model is so non-user friendly 🤕

I'll add a note in the documentation, thank you

Apr 02 '25 18:04 creativeprojects

Actually I can't replicate it. I tried a backup to a http rest server on my local network and it worked, without having resticprofile or Restic in the list of authorisation to access the local network. I do have my terminal application authorised though 🤔

How did it happen:

  • upgrade from Sonoma to Sequoia?
  • was resticprofile working before the upgrade?
  • was resticprofile installed after the upgrade?
  • was it a fresh install of Sequoia?
  • is it using system or user permission? (in this version user was in fact user_logon_on)

Thanks for your help 😄

Apr 04 '25 21:04 creativeprojects

Hmm, that's strange.

  • Updated from Sonoma to Sequoia
  • restic/resticprofile are installed via Homebrew (I don't know if either was updated after the macOS update)
  • restic/resticprofile were working before. I used my own launchd definition, which broke after the update, so I switched to scheduling with resticprofile, but had the same issue.
  • Ran with user_logged_in permissions (default setting)

Apr 05 '25 15:04 fhemberger

I'm a new user and this is happening to me too.

I can't add resticprofile to the Local Network pane. It doesn't show up in the list and there's no way to add it manually. How did you do it, @fhemberger?

So far the only workaround I can find is to schedule the job as a system daemon but I'd rather not run it as root.

May 13 '25 20:05 NodeGuy

Backrest encountered this too and fixed it.

May 13 '25 21:05 NodeGuy

@NodeGuy

> I can't add resticprofile to the Local Network pane. It doesn't show up in the list and there's no way to add it manually. How did you do it, @fhemberger?

I'm sorry, I can't remember if I did something special. 🤷‍♂️

May 16 '25 14:05 fhemberger

> I can't add resticprofile to the Local Network pane.

Have you tried starting the schedule manually? In theory you should see the popup asking for network access with this command 🤞🏻

launchctl start local.resticprofile.profile-name.backup

May 16 '25 18:05 creativeprojects

Yes, I started it manually but didn't get the popup.

Jun 06 '25 02:06 NodeGuy

> Yes, I started it manually but didn't get the popup.

It worked for me 😐 I'm not sure what to do to force it 🤔

Jun 12 '25 19:06 creativeprojects