
2026 Shared Remote Mac: Build Artifacts, rsync Sync & NFS Cache Matrix


Published March 28, 2026

Meshmac Team

Tech leads on a pooled shared remote Mac must pick how build artifacts exit the host: rsync, incremental sync, or NFS cache. Here we compare those models under concurrent builds, set permission isolation defaults, and provide a decision matrix, FAQ, and rollout steps.

Audience and keywords

Who this is for: small teams sharing remote Mac builders over SSH and CI who publish iOS or macOS outputs without collisions.

Core keywords: shared remote Mac, rsync, NFS, build artifacts, permission isolation, SSH certificate roles.

Pain points on shared artifact paths

  1. Invisible races. Two jobs finish together and both write latest/ or a shared export tree; consumers see torn files or mixed POSIX ACLs.
  2. Permission drift. One pipeline runs as a personal account with umask 077 while another uses a service user with 022, breaking downstream readers on the same volume.
  3. Network illusion. NFS feels local until lock contention, attribute cache staleness, or Wi-Fi jitter appears; rsync feels slow until you measure checksum cost versus repeated full copies.

rsync direct, incremental sync, and NFS-mounted cache

These are different consistency models—not interchangeable copy commands.

rsync direct
  Best when: Promotion to object store, Linux runner, or second site; you want explicit deletes and logs.
  Watch-outs: Checksums cost CPU; skip -c on trusted LANs when policy allows.

Incremental rsync
  Best when: Many small files change; keep read-only prefixes per build id and delta-update mirrors.
  Watch-outs: --delete on shared trees is risky; version destinations.

NFS cache mount
  Best when: Several Macs read the same layers; writes are rare.
  Watch-outs: Locking differs from APFS; tune attribute cache if tools stat heavily.

Align storage with scheduling: see the runner routing matrix and Git worktree guide.

Decision matrix (signals → choice)

Signal: Consumers are off-Mac or multi-region
  Lean toward: rsync direct to object storage or bastion
  Starting parameter: One destination path per build id; never reuse latest without two-phase publish

Signal: Repeated reads of the same 50–200 GB layers
  Lean toward: NFS read-mostly mount + local ephemeral build dir
  Starting parameter: Dedicated subnet; mount option review for attribute caching

Signal: Legal or compliance needs byte-proven transfers
  Lean toward: Incremental rsync with checksum on promotion only
  Starting parameter: Checksum gate on release tags; skip on inner dev loops

Signal: More than two concurrent publishers
  Lean toward: Job-scoped dirs + lock file
  Starting parameter: Serialize writes to shared indices; parallelize only isolated prefixes

Concurrent builds: directory locks, umask, SSH certificates

Directory locks. Use flock on a pool lock file or per-prefix locks. On NFS, lock on local SSD staging then mv into the share.

umask. Standardize service accounts on umask 027 (group-readable, no world access); this is the core of permission isolation when builders share one UNIX group.

SSH certificate roles. Take the roles from the SSH certificate rotation matrix: ci-sync (read-only rsync), builder (write-only under /artifacts/<job-id>/), and break-glass (shorter max cert age). Map each role to a forced command so that stolen CI keys cannot rewrite peer trees.

Conflict-aware rsync parameters

  • Skip --inplace when readers poll the tree; use temp files then rename.
  • --delay-updates / --delete-delay reduce torn views.
  • --timeout, --partial-dir, --link-dest cover hangs, fragments, and snapshot-based promotion.
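The lock, umask and rsync parameters above combined into one job-scoped two-phase publish, as an added example (not code from the page or from Meshmac). It assumes a share laid out as <root>/<job-id>/ with a latest symlink, a pool lock file named .publish.lock, and a staging directory on the same volume as the share so the rename is atomic; the rsync argv is built for subprocess.run but the demo stands in for it with a constructed staging tree so it runs offline.

```python
import fcntl
import os
import tempfile

def rsync_argv(src, dst, link_dest=None, checksum=False):
    """Flags from the list above (no --inplace: temp files, then rename); pass to subprocess.run."""
    argv = ["rsync", "-a",
            "--delay-updates",               # rename every file at the end of the run
            "--delete-delay",                # and defer deletions to the same point
            "--timeout=300",                 # a hung transfer fails instead of holding the lock
            "--partial-dir=.rsync-partial"]  # fragments stay out of the readable tree
    if link_dest:                            # snapshot-based promotion: hardlink unchanged files
        argv.append("--link-dest=" + link_dest)
    if checksum:                             # byte-proven promotion only, not inner dev loops
        argv.append("-c")
    return argv + [src.rstrip("/") + "/", dst.rstrip("/") + "/"]

def publish(root, job_id, staging):
    """Phase 1: rename the staged tree to its immutable id. Phase 2: swap latest under the pool lock."""
    os.umask(0o027)                                         # group-readable, no world access
    final = os.path.join(root, job_id)
    if os.path.lexists(final):
        raise FileExistsError(f"{job_id} already published; build ids are immutable")
    os.rename(staging, final)                               # atomic because staging is on root's volume
    with open(os.path.join(root, ".publish.lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)                    # serialize every writer of the shared index
        tmp_link = os.path.join(root, f".latest.{os.getpid()}")
        os.symlink(job_id, tmp_link)                        # relative target keeps the share relocatable
        os.replace(tmp_link, os.path.join(root, "latest"))  # readers never observe a missing latest
    return final

def make_staging(root, job_id, files):
    """Constructed sample input: a staging tree under root, standing in for the rsync step."""
    staging = os.path.join(root, ".staging", job_id)
    os.makedirs(staging)
    for name, data in files.items():
        with open(os.path.join(staging, name), "wb") as f:
            f.write(data)
    return staging

def latest_target(root):
    return os.readlink(os.path.join(root, "latest"))

def demo():
    root = tempfile.mkdtemp(prefix="artifacts-")            # throwaway share for the offline run
    publish(root, "job-42", make_staging(root, "job-42", {"app.ipa": b"build 42"}))
    publish(root, "job-43", make_staging(root, "job-43", {"app.ipa": b"build 43"}))
    return root                                             # latest -> job-43, job-42 left untouched
```

Rollback then is the documented path: remove the bad prefix and run publish-style symlink swap back to the known-good id under the same lock.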

FAQ

Can we mount NFS directly into Xcode DerivedData?
Generally no for interactive performance; keep DerivedData on local NVMe. Use NFS for shared caches (Pods, SPM mirrors, container layers) with documented invalidation.
How do we debug “artifact exists but checksum fails”?
Check umask, xattrs, and the macOS rsync -E flag; re-run a checksum-only rsync from staging.
What is the minimum viable monitoring?
Log rsync exit codes, p95 duration, NFS RPC timeouts, disk free on Mac and filer; page if a global flock exceeds about five minutes.

Executable rollout steps

  1. Inventory every path that CI writes after compile; tag each as ephemeral, shared cache, or published artifact.
  2. Pick rsync versus NFS per the matrix row that matches your consumer locations and compliance needs.
  3. Create service accounts with fixed primary group, umask 027, and home directories off interactive user paths.
  4. Issue SSH user certificates per role; wire rsync modules or forced commands to path allow lists.
  5. Add flock or mutex around any shared latest symlink updates; publish build ids immutably.
  6. Document rollback: delete bad prefix, repoint symlink, re-run checksum rsync from known-good snapshot.
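The forced-command mapping from the SSH certificate roles paragraph and rollout step 4, as an added example (not code from the page or from Meshmac): a gate that sshd runs instead of the client's command, letting ci-sync only pull from the share and builder only push into its own /artifacts/<job-id>/. The script name rsync-gate, the authorized_keys line in the comment, and the /artifacts layout are assumptions; the read/write inference from rsync's --server/--sender protocol is the same one rrsync uses.

```python
import os
import re
import shlex
import sys

ARTIFACT_ROOT = "/artifacts"          # assumed share layout: /artifacts/<job-id>/
JOB_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def parse_server_request(original_cmd):
    """Split the client's request into (is_read, paths).

    The remote side of any rsync-over-SSH transfer is `rsync --server ...`;
    `--sender` present means the remote sends (client pulls, a read), absent
    means the client pushes (a write). Paths follow the `.` placeholder.
    """
    argv = shlex.split(original_cmd)
    if len(argv) < 4 or argv[:2] != ["rsync", "--server"] or "." not in argv:
        raise ValueError("not an rsync server request")
    paths = argv[argv.index(".") + 1:]
    if not paths:
        raise ValueError("no path argument")
    return "--sender" in argv, paths

def _under(path, root):
    norm = os.path.normpath(path)                 # collapses /artifacts/a/../b before the check
    return norm == root or norm.startswith(root + os.sep)

def allowed(role, job_id, original_cmd):
    """Policy: ci-sync may only pull from the share; builder may only push into its own id."""
    try:
        is_read, paths = parse_server_request(original_cmd)
    except ValueError:
        return False
    if role == "ci-sync":
        return is_read and all(_under(p, ARTIFACT_ROOT) for p in paths)
    if role == "builder" and JOB_ID_RE.fullmatch(job_id):
        prefix = os.path.join(ARTIFACT_ROOT, job_id)
        return (not is_read) and all(_under(p, prefix) for p in paths)
    return False                                  # break-glass and unknown roles get no rsync path

if __name__ == "__main__":
    # authorized_keys line (assumed): command="/usr/local/bin/rsync-gate builder job-42",restrict ...
    role = sys.argv[1]
    job_id = sys.argv[2] if len(sys.argv) > 2 else ""
    request = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not allowed(role, job_id, request):
        sys.exit("rsync-gate: request denied for role " + role)
    os.execvp("rsync", shlex.split(request))      # only the validated argv ever reaches rsync
```

Log the denied requests with the certificate's key id from sshd so a stolen ci-sync or builder credential shows up as a burst of denials rather than as rewritten peer trees.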

Citable parameters

  • Global publish lock warning threshold: a hold longer than five minutes triggers a page.
  • Service account umask default: 027; public drops explicitly opt in to 022.
  • SSH cert max age: twenty-four hours for builders, eight hours for ci-sync readers.
  • NFS attribute cache: review defaults when build tools perform more than roughly one thousand stats per minute on the share.

See multi-node Mac mesh collaboration and shared build permission isolation for the same permission isolation story.

Scale artifact bandwidth with more Mac nodes

When rsync or NFS traffic outgrows one host, add dedicated builder tiers on Meshmac. Open the homepage to compare hardware and rent without logging in, use help for SSH setup and security basics, and browse the blog index for queueing and mesh guides.
