Questions for the Filesystems lab (Wednesday, June 5th at 5:00 PM)

Question: What are the asr commands for the following scenarios?



1. Replication of an APFS volume to an existing target, where target volume is erased

2. Replication of an APFS volume to a newly-created target volume

3. Replication of an APFS snapshot to an existing target volume, where target volume is erased

4. Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot.



Answer:



Replication of an APFS volume to an existing target, where target volume is erased as part of the process:


asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --erase




Replication of an APFS volume to a newly-created target volume:


asr restore --source filename_here.dmg --target /dev/disk_id_goes_here




Replication of an APFS snapshot to an existing target volume, where target volume is erased:


asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --erase --toSnapshot snapshot_name_here



Replication of an APFS snapshot to a target volume with an earlier snapshot on it, to bring the target volume up to date with the latest snapshot:


asr restore --source filename_here.dmg --target /Volumes/target_volume_name_here --fromSnapshot first_snapshot_name_here --toSnapshot second_snapshot_name_here


See https://developer.apple.com/videos/play/wwdc2019/710/ for the commands as shown in the session.
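A worked driver for the four scenarios above, added here as an example; it is not part of the lab notes or of Apple's session material. Each asr invocation sits in its own function, and for the incremental case the two newest snapshots are picked out of tmutil listlocalsnapshots output so the --fromSnapshot/--toSnapshot pair is not typed by hand. The paths /Volumes/Source and /Volumes/Target, the device node /dev/disk2 and the snapshot listing are constructed placeholders; the notes use a .dmg as --source and the session showed a mounted volume, either works here. The listing format and the .local suffix follow what 10.15 prints, but check against your own machine. asr needs root on macOS, so the command line is printed rather than executed unless ASR_DRY_RUN=0.

```shell
#!/bin/sh
# Added example: drives the four asr scenarios from the lab notes.
# Not from the notes or from Apple; the names below are placeholders.
set -eu

# With ASR_DRY_RUN=1 (default) the asr command line is printed, not executed.
# asr must run as root on macOS; set ASR_DRY_RUN=0 there to really replicate.
ASR_DRY_RUN="${ASR_DRY_RUN:-1}"
run() {
    if [ "$ASR_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Replicate a volume onto an existing target, erasing the target first.
replicate_volume() {            # src target
    run asr restore --source "$1" --target "$2" --erase
}

# 2. Replicate into a newly created volume: the target is a device node
#    (placeholder below), not a mount point.
replicate_to_new_volume() {     # src device
    run asr restore --source "$1" --target "$2"
}

# 3. Replicate the contents of one snapshot onto an existing (erased) target.
replicate_snapshot() {          # src target snapshot
    run asr restore --source "$1" --target "$2" --erase --toSnapshot "$3"
}

# 4. Incremental: the target already holds FROM; send only the delta up to TO.
replicate_incremental() {       # src target from to
    run asr restore --source "$1" --target "$2" --fromSnapshot "$3" --toSnapshot "$4"
}

# Snapshot names from `tmutil listlocalsnapshots <mount>` on stdin, oldest first.
# The names carry a timestamp, so a plain sort orders them chronologically.
snapshot_names() {
    grep '^com\.apple\.TimeMachine\.' | sort
}

# Incremental update using the two newest snapshots in a listing read from stdin.
incremental_from_listing() {    # src target
    names=$(snapshot_names)
    to=$(printf '%s\n' "$names" | tail -n 1)
    from=$(printf '%s\n' "$names" | tail -n 2 | head -n 1)
    if [ -z "$from" ] || [ "$from" = "$to" ]; then
        echo "need at least two snapshots for --fromSnapshot/--toSnapshot" >&2
        return 1
    fi
    replicate_incremental "$1" "$2" "$from" "$to"
}

# Constructed listing standing in for: tmutil listlocalsnapshots /Volumes/Source
SAMPLE_LISTING='Snapshots for disk /Volumes/Source:
com.apple.TimeMachine.2019-06-04-170000.local
com.apple.TimeMachine.2019-06-05-170000.local
com.apple.TimeMachine.2019-06-03-090000.local'

replicate_volume /Volumes/Source /Volumes/Target
replicate_to_new_volume /Volumes/Source /dev/disk2
replicate_snapshot /Volumes/Source /Volumes/Target com.apple.TimeMachine.2019-06-05-170000.local
printf '%s\n' "$SAMPLE_LISTING" | incremental_from_listing /Volumes/Source /Volumes/Target
```

The incremental helper refuses to run with fewer than two snapshots, since asr has nothing to diff against in that case; the rest of the error handling (a target that never received the FROM snapshot, for instance) is left to asr itself.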





Question: Can firmlinks be created by end users, or are they reserved to the system? If they can be created by the end user, what commands are used to create them?



Answer: No, firmlinks can't be created by end users; this is currently reserved to the system. Synthetic firmlinks are coming, which can be used as mount points for network resources.





Question: If firmlinks can be created by end users, is there an advantage to using firmlinks over using Unix symlinks?



Answer: Firmlinks can't be created by end users. Symlinks will be more flexible because they are path-based and can point to that path regardless of volume ID changes; firmlinks refer to a particular volume.





Question: If making the system volume read/write on Catalina via disabling SIP, does disabling SIP by itself make the system volume read/write? If not, what additional commands are needed to make the system volume read/write?



Answer: Disabling SIP by itself won't make the system volume read/write. You will need to run an additional command, as root:


mount -uw /



This mounts the system volume as a read-write volume. The change is not permanent; rebooting will cause the system volume to go back to being read-only.



Question: Do the commands used to make the system volume read/write need to be run from macOS Recovery?


Answer: The mount command can be run from outside Recovery, once SIP is disabled.
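A check script for the two answers above, added here as an example and not taken from the notes: it reads the entry for / in mount output to tell whether the system volume is currently read-only, and reads csrutil status to tell whether SIP is on, which is what you want to confirm after the reboot that undoes mount -uw /. The listings below are constructed samples in the format 10.15 prints, so the script runs on any system; on a Mac pipe the live command output in instead.

```shell
#!/bin/sh
# Added example (not from the lab notes): is / currently read-only, and is SIP on?
# Works on the text of `mount` and `csrutil status`; constructed samples below.
set -eu

# stdin: `mount` output. Succeeds when the entry for "/" is mounted read-only.
root_mount_is_readonly() {
    grep ' on / (' | grep -q 'read-only'
}

# stdin: `csrutil status` output. Succeeds when SIP is enabled.
sip_is_enabled() {
    grep -q 'System Integrity Protection status: enabled'
}

# Prints "readonly" or "writable" for a mount listing passed as $1.
root_state() {
    if printf '%s\n' "$1" | root_mount_is_readonly; then echo readonly; else echo writable; fi
}

# Constructed samples in the format macOS 10.15 prints.
MOUNT_DEFAULT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
MOUNT_AFTER_UW='/dev/disk1s5 on / (apfs, local, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
CSR_ON='System Integrity Protection status: enabled.'
CSR_OFF='System Integrity Protection status: disabled.'

echo "default boot:      $(root_state "$MOUNT_DEFAULT")"   # readonly
echo "after mount -uw /: $(root_state "$MOUNT_AFTER_UW")"  # writable
if printf '%s\n' "$CSR_OFF" | sip_is_enabled; then echo "SIP on"; else echo "SIP off"; fi

# On a real Mac:  root_state "$(mount)"   and   csrutil status | sip_is_enabled
```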





Question: Have there been improvements to diskutil apfs updatePreboot? Currently unable to remove UUIDs from removed users.


Answer: This is a bug. To help get it fixed, file a Radar with a sysdiagnose and the output of the following command:


diskutil apfs listUsers APFS_volume_id_here



For example:


diskutil apfs listUsers /dev/disk1s1


Also, please take pictures of the FileVault pre-boot login when it's showing a deleted user at the pre-boot login screen.
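Before filing, it helps to know which entries are the stale ones. The script below is an added example (not from the notes): it takes the cryptographic users that diskutil apfs listUsers reports for the volume, keeps the "Local Open Directory User" entries, and prints any whose UUID no longer matches a GeneratedUID in dscl . -list /Users GeneratedUID. Recovery-key entries are skipped since they never correspond to an account. Both inputs are constructed samples in the layout 10.15 prints, including the well-known personal recovery key UUID; on a Mac feed the real command output in.

```shell
#!/bin/sh
# Added example (not from the lab notes): which cryptographic users on the APFS
# volume no longer match a local account? Those are the entries that linger at
# the FileVault pre-boot screen. Constructed samples stand in for:
#   diskutil apfs listUsers /dev/disk1s1
#   dscl . -list /Users GeneratedUID
set -eu

# stdin: listUsers output. Prints the UUID of every "Local Open Directory User".
local_crypto_users() {
    awk '/^[+]-- /{uuid=$2} /Type: Local Open Directory User/{print uuid}'
}

# stdin: dscl output ("name GeneratedUID" per line). Prints the UUIDs.
account_uuids() {
    awk 'NF==2{print $2}'
}

# $1 = listUsers text, $2 = dscl text. Prints crypto-user UUIDs with no account.
# Account lines are tagged "A" and fed first so awk has seen them all before
# it tests the "C" (crypto user) lines.
stale_crypto_users() {
    {
        printf '%s\n' "$2" | account_uuids      | sed 's/^/A /'
        printf '%s\n' "$1" | local_crypto_users | sed 's/^/C /'
    } | awk '$1=="A"{seen[$2]=1} $1=="C" && !($2 in seen){print $2}'
}

LIST_USERS='Cryptographic users for disk1s1 (3 found)
|
+-- 1C2C6F9A-2B1D-4A3E-9D10-5E6F7A8B9C0D
|   Type: Local Open Directory User
|
+-- B7E0A1F2-3C4D-4E5F-8A9B-0C1D2E3F4A5B
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

DSCL_USERS='_spotlight  FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000059
admin       1C2C6F9A-2B1D-4A3E-9D10-5E6F7A8B9C0D'

# The second local user was deleted, but its key slot is still on the volume.
stale_crypto_users "$LIST_USERS" "$DSCL_USERS"
```

Include that output with the sysdiagnose and the listUsers capture; an empty result with a stale name still on the pre-boot screen is itself worth noting in the report.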




Question: With the new ‘read-only’ (read: SIP-protected) volume, can Admins put things on there in a persistent way, e.g. verifiable via a UAMDM/DEP allowance?


Answer: No. The read-only system volume is Apple's and reserved for their use only.





Question: One of the bootstrap token criteria states: “The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager.”


Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?



Answer: Ask in Security Lab. These commands are reserved for supervised macOS, so UAMDM may not be enough. For more details, please see the links below:



Set Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/set_bootstrap_token



Get Bootstrap Token: https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token

Replies

Many thanks for these notes! Has anyone asked what commands could be used to figure out whether an item is on the system or the data volume, and/or is there a definitive list of what is where? Formerly, the SIP-protected items were in various locations, and it may be the case that all these have moved to the system volume but I don’t know how to check.


One reason I ask is /System/Library/User Templates. On Catalina this folder is empty save for a folder named “*”. This either means that User Templates don’t exist anymore, which seems unlikely, or have moved to a different location to make it easier to exclude from the system volume. It leads to the question, “is FUT dead?”.


Another silly question would be: is the system bootable if the data volume is wiped/deleted? Can the data folder be recreated from Recovery?


Thanks, Graham

You can use df on a file to see the stats for the file system it's on, including device and mount point. You can also use stat -f%Sd to get the device name.
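Two ways to answer the "which volume is this on" question, added here as an example and not part of anyone's reply. The runtime check uses df -P, which is POSIX, so it runs on a Mac and elsewhere and follows symlinks (so /etc resolves through /private/etc). The static check walks the firmlink table, in the layout of /usr/share/firmlinks on Catalina as I recall it (system-side path, a tab, then the path relative to the Data volume root), and maps a path to where it lands by longest matching prefix, which is what makes /System/Library/Caches land on Data while /System/Library/Extensions stays on the system volume. The table below is a constructed subset; read the real file on your own machine.

```shell
#!/bin/sh
# Added example (not from the thread): where does a path actually live?
set -eu

# Runtime answer: device and mount point of the filesystem holding $1.
# df -P is POSIX, so this works on a Mac and elsewhere; it follows symlinks.
volume_of() {
    df -P -- "$1" | awk 'NR==2{print $1, $NF}'
}

# Static answer from a firmlink table on stdin (system path, TAB, Data-relative path):
# prints the Data-volume path the firmlink redirects to, or "system" if none applies.
# Longest matching prefix wins. Symlinks are not resolved here; use volume_of for that.
firmlink_target() {                # $1 = absolute path
    awk -v p="$1" '
        BEGIN { FS = "\t"; best = 0 }
        NF < 2 { next }
        p == $1 || index(p, $1 "/") == 1 {
            if (length($1) > best) {
                best = length($1); tgt = $2; rest = substr(p, length($1) + 1)
            }
        }
        END { if (best) print "/System/Volumes/Data/" tgt rest; else print "system" }'
}

# Constructed subset of /usr/share/firmlinks (Catalina); the real file has more entries.
FIRMLINKS=$(printf '%s\t%s\n' \
    /Applications Applications \
    /Library Library \
    /System/Library/Caches System/Library/Caches \
    /Users Users \
    /private private \
    /usr/local usr/local)

for p in /Users/graham/Desktop /System/Library/Extensions \
         /System/Library/Caches/com.apple.foo /usr/bin/ls; do
    printf '%-40s -> %s\n' "$p" "$(printf '%s\n' "$FIRMLINKS" | firmlink_target "$p")"
done
volume_of /
```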

Did anyone ask if there's an updatePreboot equivalent to have the system recreate or repair firmlinks between a system and data volume?


Or, whether you can use asr to copy a live source (as opposed to restoring from a DMG) that can't be unmounted?


Or...how, exactly, they expect backup programs to actually work? (Not that I'd have any particular interest in that or anything...)

This says you can make the file system writable with:


$ mount -uw /


This works for me (even with SIP ON!), but it's unclear how to go the other way. How can I put the system back in read-only mode? I tried this, with no success:


$ sudo mount -ur /
mount_apfs: mount: Invalid argument
mount: / failed with 73

You would have to unmount the volume to re-mount it as read-only

Thanks for the notes!


Does anyone know where the -Data volume appears in the shell?


For example, MacintoshHD shows up under '/', but I can't find MacintoshHD-Data anywhere. I can see the files in the finder, I can copy them to MacintoshHD and have them show up in '/', but I'd rather just access the -Data volume directly from the shell.


Thanks!

It's at /System/Volumes/Data (and firmlinked all over the place).

An additional question - will the read-only nature of a system-role APFS volume be enforced if a different group is the startup group?

I too was concerned about the User Template as it still plays a vital role in allowing the creation of an initial user experience. It looks like it has been moved to /Library/User Template. I've created some content in the Non-Localized and the language-specific folder and all appears to operate as before.


Looks like we will all be repackaging and editing scripts to direct content to this new location. So FUT is not dead but it will need an upgrade to recognize the new path.

We have replication of volumes back with ASR, which is great! But what are supported methods of pushing? Netboot is dead, which was the best way!