NFS access issues on macOS 10.15 (Catalina)

macOS has a habit of throwing curveballs for NFS with recent releases. Here’s the one from Catalina and how to deal with it.

Leonid Makarov
Docksal Maintainers Blog

You’ve upgraded your Mac to macOS Catalina, and your local dev environment based on Docker Desktop or VirtualBox/Vagrant has stopped working and started throwing vague errors?

Something like this:

ERROR: ... stat /var/lib/docker/volumes/volume_name/_data: stale NFS file handle ...

Or this for Docksal users (makes a bit more sense):

ERROR:  The path is not accessible in Docker
Could not access /Users/user/Documents/myproject
It is not shared from your host to Docker.

You are not alone:

Your project’s codebase likely resides under one of the standard user folders in macOS (e.g., Downloads, Documents, Desktop) or on an external drive.

macOS now treats those folders with special care and requires the user’s explicit consent before an app can access them. In this case, the app is nfsd (the NFS daemon).

Changes in the “Transparency, Consent, and Control” (TCC) framework in macOS 10.15 (Catalina) affected every local dev stack that utilized NFS for file sharing (whether using Vagrant/VirtualBox or Docker Desktop under the hood).

For those with time and interest in TCC, you can dive into the details.

The NFS daemon does not have privileges to access user folders by default, meaning your dev stack cannot access them either in this chain:

~/Documents/myproject <-X- nfsd <-- Docker/VirtualBox/Vagrant

There are currently only two ways to solve this problem and neither can be automated behind the scenes. Users have to manually make adjustments 😒

Option 1

Grant Full Disk Access privileges to /sbin/nfsd:

  1. Open System Preferences
  2. Go to Security & Privacy → Privacy → Full Disk Access
  3. 🔒 Click the lock to make changes
  4. Click +
  5. Press ⌘ command + shift + G
  6. Enter /sbin/nfsd and click Go, then click Open

This option is universal and will allow nfsd (and thus your dev stack) to access any file/folder on your Mac’s internal or attached disks.

Option 2

If you are not comfortable with your local development stack having access to your private user folders, then you will have to move your project’s codebase out of those folders.

With Docksal, we recommend using ~/Projects. This path has no issues with the new TCC policies in macOS Catalina.

If you keep your projects on an external disk, then you’ll have to stick with Option 1.
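
Once nfsd has Full Disk Access, what NFS clients can actually reach is decided by the export list, so it is worth checking which exports touch the folders named above. The script below is an added example, not code from Docksal or from the original post: it assumes the macOS exports(5) layout (directories, then options, then hosts), uses only the post's example folders as the protected list, and its function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes paths contain no whitespace and no "\" line continuations.

# Folders the post names as consent-protected (its examples, not a full TCC list).
protected_dirs() {  # $1 = home directory
  printf '%s\n' "$1/Desktop" "$1/Documents" "$1/Downloads" /Volumes
}

# covers A B: succeeds when directory A equals B or is an ancestor of B.
covers() {
  case "${2%/}/" in "${1%/}/"*) return 0 ;; esac
  return 1
}

# exposed_exports EXPORTS_FILE HOME_DIR
# Prints "export -> protected folder" for every exported directory that contains,
# equals, or lies inside one of the protected folders.
exposed_exports() (
  set -f  # split fields without glob expansion (subshell, so it does not leak)
  grep -v '^[[:space:]]*#' "$1" | while read -r line; do
    for field in $line; do
      # exports(5): directories come first; the first option or host ends them.
      case "$field" in /*) ;; *) break ;; esac
      for p in $(protected_dirs "$2"); do
        if covers "$field" "$p" || covers "$p" "$field"; then
          printf '%s -> %s\n' "$field" "$p"
        fi
      done
    done
  done
)

# Constructed sample export list (not taken from Docksal or any real machine).
sample_exports() {
  cat <<'EOF'
# directories, then options, then hosts
/Users -alldirs -mapall=501:20 192.168.64.100
/Users/dev/Projects -alldirs -mapall=501:20 localhost
/Users/dev/Documents/myproject -mapall=501:20 localhost
/Volumes/ext/code /opt/data -ro localhost
EOF
}

# On a Mac: exposed_exports /etc/exports "$HOME"
```

An export of ~/Projects alone produces no output, which matches Option 2; a broad export such as /Users is flagged for every protected folder under it.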
