nix install breaks on UID clash
Describe the bug
Tried to (re)install nix on mac os but it fails.
Steps To Reproduce
I followed instructions to remove a previous installation of nix: https://nixos.org/manual/nix/stable/installation/installing-binary.html
then did sh <(curl -L https://nixos.org/nix/install)
eventually it fails, because it looks like there are already _nixbld users on the system.
Log of the installation process:
% sh <(curl -L https://nixos.org/nix/install)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 4046 100 4046 0 0 12394 0 --:--:-- --:--:-- --:--:-- 12394
downloading Nix 2.6.1 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.1/nix-2.6.1-aarch64-darwin.tar.xz' to '/var/folders/6q/14m95v115x9b44w40cncnd8r0000gn/T/nix-binary-tarball-unpack.7ULme1Ndjy'...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8998k 100 8998k 0 0 4714k 0 0:00:01 0:00:01 --:--:-- 4728k
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation
This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:
1. Make sure your computer doesn't already have Nix. If it does, I
will show you instructions on how to clean up your old install.
2. Show you what I am going to install and where. Then I will ask
if you are ready to continue.
3. Create the system users and groups that the Nix daemon uses to run
builds.
4. Perform the basic installation of the Nix files daemon.
5. Configure your shell to import special Nix Profile files, so you
can use Nix.
6. Start the Nix daemon.
Would you like to see a more detailed list of what I will do?
[y/n] n
---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Every time I do, it'll
output exactly what it'll do, and why.
Just like this:
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo echo
to demonstrate how our sudo prompts look
This might look scary, but everything can be undone by running just a
few commands. I used to ask you to confirm each time sudo ran, but it
was too many times. Instead, I'll just ask you this one time:
Can I use sudo?
[y/n] y
Yay! Thanks! Let's get going!
~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.
---- Found existing Nix volume -------------------------------------------------
special: disk3s7
uuid: 303B697C-12F9-41BC-8DC1-A4E8DAB0A5EC
encrypted: no
---- warning! ------------------------------------------------------------------
FileVault is on, but your Nix Store volume isn't encrypted.
Should I encrypt it and add the decryption key to your keychain?
[y/n] y
Volume Nix Store on Nix Store mounted
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/bin/security -i
to add your Nix volume's password to Keychain
Password:
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/sbin/diskutil apfs encryptVolume Nix Store -user disk -stdinpassphrase
to encrypt your Nix volume
Encrypting with the new "Disk" crypto user on disk3s7
The new "Disk" user will be the only one who has initial access to disk3s7
The new APFS crypto user UUID will be 303B697C-12F9-41BC-8DC1-A4E8DAB0A5EC
Encryption has likely completed due to AES hardware; see "diskutil apfs list"
Volume Nix Store on disk3s7 force-unmounted
During install, I add 'nix' to /etc/synthetic.conf, which instructs
macOS to create an empty root directory for mounting the Nix volume.
Can I remove /etc/synthetic.conf?
[y/n] y
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo rm /etc/synthetic.conf
to remove /etc/synthetic.conf
During install, I add '/nix' to /etc/fstab so that macOS knows what
mount options to use for the Nix volume.
I might be able to help you make this edit. Here's the diff:
LABEL=Untitled none ntfs rw,auto,nobrowse
# New NTFS HD: on Wed 22 Apr 2015 11:21:27 EST
LABEL= none ntfs rw,auto,nobrowse
- LABEL=Nix\040Store /nix apfs rw,nobrowse
Does the change above look right?
[y/n] y
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/sbin/vifs
to cut nix from fstab
patching file /etc/fstab
~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.
---- Nix config report ---------------------------------------------------------
Temp Dir: /var/folders/6q/14m95v115x9b44w40cncnd8r0000gn/T/tmp.71DOxB9xWu
Nix Root: /nix
Build Users: 32
Build Group ID: 30000
Build Group Name: nixbld
build users:
Username: UID
_nixbld1: 301
_nixbld2: 302
_nixbld3: 303
_nixbld4: 304
_nixbld5: 305
_nixbld6: 306
_nixbld7: 307
_nixbld8: 308
_nixbld9: 309
_nixbld10: 310
_nixbld11: 311
_nixbld12: 312
_nixbld13: 313
_nixbld14: 314
_nixbld15: 315
_nixbld16: 316
_nixbld17: 317
_nixbld18: 318
_nixbld19: 319
_nixbld20: 320
_nixbld21: 321
_nixbld22: 322
_nixbld23: 323
_nixbld24: 324
_nixbld25: 325
_nixbld26: 326
_nixbld27: 327
_nixbld28: 328
_nixbld29: 329
_nixbld30: 330
_nixbld31: 331
_nixbld32: 332
Ready to continue?
[y/n] y
---- Preparing a Nix volume ----------------------------------------------------
Nix traditionally stores its data in the root directory /nix, but
macOS now (starting in 10.15 Catalina) has a read-only root directory.
To support Nix, I will create a volume and configure macOS to mount it
at /nix.
~~> Configuring /etc/synthetic.conf to make a mount-point at /nix
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/bin/ex --noplugin /etc/synthetic.conf
to add Nix to /etc/synthetic.conf
~~> Creating a Nix volume
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/sbin/diskutil unmount force disk3s7
to ensure the Nix volume is not mounted
disk3s7 was already unmounted
~~> Configuring /etc/fstab to specify volume mount options
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/sbin/vifs
to add nix to fstab
~~> Configuring LaunchDaemon to mount 'Nix Store'
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/bin/ex --noplugin /Library/LaunchDaemons/org.nixos.darwin-store.plist
to install the Nix volume mounter
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo launchctl bootstrap system /Library/LaunchDaemons/org.nixos.darwin-store.plist
to launch the Nix volume mounter
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo launchctl kickstart -k system/org.nixos.darwin-store
to launch the Nix volume mounter
~~> Setting up the build group nixbld
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld
Create the Nix build group, nixbld
Created: Yes
~~> Setting up the build user _nixbld1
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/bin/dscl . create /Users/_nixbld1 UniqueID 301
Creating the Nix build user (#1), _nixbld1
<main> attribute status: eDSRecordAlreadyExists
<dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)
---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.
:(
We'd love to help if you need it.
You can open an issue at https://github.com/nixos/nix/issues
Or feel free to contact the team:
- Matrix: #nix:nixos.org
- IRC: in #nixos on irc.libera.chat
- twitter: @nixos_org
- forum: https://discourse.nixos.org
%
Expected behavior
nix installed correctly
Additional context
Mac OS version 12.1
Looking into this further, my system already has a user with UniqueID 301.
I ended up downloading the tarball, figuring out what user IDs are available on my system, modifying the appropriate file, and installing.
It would be nice to recognise this kind of fault and provide a suggestion for how to fix it.
I agree. Looks like it would detect a name clash but not a UID one. Can you update the title to mention the UID clash?
For anyone trying a fix:
- The "best" fix would probably be to try and land the stalled overlapping work in #4346 (with modifications for the wrinkle Big Sur added). Since it is more focused on trying to avoid existing UIDs entirely, it should fix most instances of the error here (unless there aren't enough free UIDs), and avoid a user-unfriendly halt.
- A narrow fix could probably add a poly_* function to run a UID check in this section, implement that function for the install-darwin-multi-user.sh and install-systemd-multi-user.sh scripts, and kick out a failure error along the lines of the name clash message already present. https://github.com/NixOS/nix/blob/cf7f98483a8b190cc17831f9d4031f895fac514f/scripts/install-multi-user.sh#L480-L500
- A better fix would probably be to perform both a name and UID check in validate_starting_assumptions here, using the for loop at the end of setup_report as a blueprint for how to iterate over the users. If we have to hard fail, it's best to do it before we've changed anything. https://github.com/NixOS/nix/blob/cf7f98483a8b190cc17831f9d4031f895fac514f/scripts/install-multi-user.sh#L379-L446
I have this problem but this
I ended up downloading the tarball, figuring out what user IDs are available on my system, modifying the appropriate file, and installing.
is too cryptic for me. How do I figure out what user IDs are available on my system and what are the appropriate files?
Why not just remove the offending user ids?
See also https://github.com/NixOS/nix/issues/2179
Not sure calling the comment by @ikuz cryptic will encourage them to provide more context...
How do I figure out what user IDs are available on my system
You can find answers to the basic how-do-I-check questions in #5928, where the reporter also mentioned a SonosDMS user.
and what are the appropriate files?
I suspect @ikuz is talking about downloading the installer tarball and editing it in line with the 2nd point in my comment at the end of #5928.
Why not just remove the offending user ids?
I don't think anyone will be able to answer this for you, because it's wrapped up in knowing what the user/UID are for and whether they are still in use. If the SonosDMS user is cruft from something you no longer use, removing it is probably fine. If not, removing it may break whatever uses it.
Thanks @abathur. I'm including the detail here in case anyone else finds it useful
How do I figure out what user IDs are available on my system
I did
dscl . -list /Users UniqueID | sort -n -b -k 2
to get a sorted list of users and user IDs. Then I identified a suitable gap (of at least 32 ids) and used that as the range. (in my case the SonosDMS user had the conflicting ID 301 (and I didn't want to remove or change that in case it breaks my Sonos install), but there was a suitable gap from 302 onwards)
and what are the appropriate files?
I went to https://releases.nixos.org/ and browsed to find the tarball of nix that was relevant for my system (in my case it was https://releases.nixos.org/nix/nix-2.6.1/nix-2.6.1-aarch64-darwin.tar.xz but nix versions have moved on since then, so that's not the newest nix anymore).
Then I unpacked the tarball and edited the install-darwin-multi-user.sh file. In my case I modified the NIX_FIRST_BUILD_UID line to be
NIX_FIRST_BUILD_UID="302"
Then I ran
./install
Note that running install failed several times for various reasons (typically due to files remaining after previous attempted installs). Each time I had to fix the problem and I had to manually clear out the _nixbld users that were created during the failed install. e.g.:
for i in `dscl . -list /Users | grep nixb`; do echo $i; sudo dscl . delete /Users/$i; done
Eventually it succeeded.
Hope that's helpful.
@ikuz that's really helpful thanks - @abathur "cryptic for me" perhaps I should have said my brain is too small - the link to the previous ticket is also really helpful - I will report back when I get a chance to work on this again.
Well I got further
~~> Setting up the nix-daemon LaunchDaemon
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /bin/cp -f /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/org.nixos.nix-daemon.plist
to set up the nix-daemon as a LaunchDaemon
cp: /Library/LaunchDaemons/org.nixos.nix-daemon.plist and /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist are identical (not copied).
---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.
:(
We'd love to help if you need it.
You can open an issue at https://github.com/nixos/nix/issues
Or feel free to contact the team:
- Matrix: #nix:nixos.org
- IRC: in #nixos on irc.libera.chat
- twitter: @nixos_org
- forum: https://discourse.nixos.org
I guess I should open a new ticket
Thanks for your help @abathur and @ikuz - I managed to solve my problem by deleting nix, deleting the user that had grabbed the UID and reinstalling.
Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value? Or something similar. Maybe also add to installation instructions something like that dscl . -list /Users UniqueID | sort -n -b -k 2 can be used to check if the default value should be overridden.
I think having an existing UID of 301 is a company-wide problem for us, and it would be a lot easier to persuade people to use Nix if I could just say "Please install it with NIX_FIRST_BUILD_UID=351 sh <(curl -L https://nixos.org/nix/install) --daemon instead of the default recommendation" (or however that parameter should be passed in).
In the long run it would of course be better if the install script handled this whole thing automatically.
Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value?
Doesn't https://github.com/nixos/nix/commit/f4d57aa4907515802301dc6e540abc08809d311c work?
Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value?
Doesn't f4d57aa work?
OP says:
Tried to (re)install nix on mac os but it fails.
Ugh, it seems darwin uses a different code path:
$ git grep NIX_FIRST_BUILD_UID
scripts/bigsur-nixbld-user-migration.sh:((NEW_NIX_FIRST_BUILD_UID=301))
scripts/bigsur-nixbld-user-migration.sh: ((next_id=NEW_NIX_FIRST_BUILD_UID))
scripts/install-darwin-multi-user.sh:NIX_FIRST_BUILD_UID="301"
scripts/install-multi-user.sh:NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
scripts/install-multi-user.sh: echo $((NIX_FIRST_BUILD_UID + $1 - 1))
scripts/install-multi-user.sh:NIX_FIRST_BUILD_UID near the top of the file to $actual_uid and try
On Ventura, with the system-installed grep, @ikuz 's one-liner to remove existing users did not work for me. I had to use:
for i in `dscl . -list /Users | grep -h nixb -`; do echo $i; sudo dscl . delete /Users/$i; done
(the difference is the inclusion of the -h flag)
After that, running my modified ./install worked correctly!
Hi @bjornfor Is there any plan to upstream your fix?
Hi @bjornfor Is there any plan to upstream your fix?
I don't have anything other than the draft above, and don't have a good solution/time to fix it so that it can be integrated.
I just got bit by this. In my case there was a "SonosDMS" user at 301—looks like some vestige of an old install. I just deleted the user to get past it (since I haven't used a Sonos product in years). The rest of the install worked fine.
Could we both have a configurable first user id and if not provided, try incrementing uids until we either find an open block that can be used or fail if we are going to exceed the maximum number of uids?
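Added example (not part of the thread and not code from the Nix installer): a sketch of the block search proposed above, which also automates the manual "find a gap of at least 32 ids" step described earlier in the thread. The function name `find_free_uid_block`, the `sample_users` data (constructed from the passwd lines quoted in this thread) and the upper bound passed as the third argument are assumptions.

```shell
#!/bin/sh
# find_free_uid_block START COUNT MAX
# Reads "name uid" lines on stdin (the format printed by
# `dscl . -list /Users UniqueID`) and prints the first UID of the lowest
# run of COUNT consecutive unused UIDs inside START..MAX.
# Returns 1 (and prints nothing) when no such run exists, so a caller can
# fail before it has created any user.
find_free_uid_block() {
    awk -v start="$1" -v count="$2" -v max="$3" '
        # The UID is the last field; skip lines where it is not an integer.
        $NF ~ /^-?[0-9]+$/ { used[$NF + 0] = 1 }
        END {
            run = 0
            for (uid = start; uid <= max; uid++) {
                if (uid in used) { run = 0; continue }  # gap interrupted
                if (++run == count) {                   # block is complete
                    print uid - count + 1
                    exit 0
                }
            }
            exit 1                                      # range exhausted
        }
    '
}

# Constructed sample input, mirroring the service users reported in this
# thread (hypothetical system, not real dscl output).
sample_users() {
    cat <<'EOF'
_aonsensed           300
_modelmanagerd       301
_reportsystemmemory  302
_swtransparencyd     303
_naturallanguaged    304
_oahd                441
EOF
}

# Demo on the constructed data: 32 build users, searching 301..500.
if first=$(sample_users | find_free_uid_block 301 32 500); then
    echo "NIX_FIRST_BUILD_UID=$first"
else
    echo "no free block of 32 UIDs in range" >&2
fi

# On a real macOS system the input would come from:
#   dscl . -list /Users UniqueID | find_free_uid_block 301 32 500
```

The search is read-only; it only reports a candidate start UID and does not create or delete any directory record.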
might run into this on macOS 15.
301 occupied by new daemon
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000012D
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA0000012D
GroupMembership: _modelmanagerd
Password: *
PrimaryGroupID: 301
RealName:
Model Manager
RecordName: _modelmanagerd
RecordType: dsRecTypeStandard:Groups
IIRC we still use 30000 as the gid and only use 301 as a uid.
yup same here
---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo /usr/bin/dscl . create /Users/_nixbld1 UniqueID 301
Creating the Nix build user (#1), _nixbld1
<main> attribute status: eDSRecordAlreadyExists
<dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)
dscl . -search /Users UniqueID "301"
_modelmanagerd UniqueID = (
301
)
Egh--I guess that's both a UID and GID :)
Can you survey the ID space to see what contiguous ranges are open? I think maybe cat /etc/passwd will show them.
We picked 301+ since it seemed like Apple focused on the 200 range. I'm hoping they've just filled it and are spilling over (and not, say, sprawling out over the 200-400 service user range and leaving us no good contiguous block).
Hopefully we can just move new installs up to 360 or something. IDK.
@cole-h Do you recall whether the detsys installer is sensitive to this same issue, or does it just skip UIDs that are taken?
The last few are these here:
_aonsensed:*:300:300:Always On Sense Daemon:/var/db/aonsensed:/usr/bin/false
_modelmanagerd:*:301:301:Model Manager:/var/db/modelmanagerd:/usr/bin/false
_reportsystemmemory:*:302:302:ReportSystemMemory:/var/empty:/usr/bin/false
_swtransparencyd:*:303:303:Software Transparency Services:/var/db/swtransparencyd:/usr/bin/false
_naturallanguaged:*:304:304:Natural Language Services:/var/db/com.apple.naturallanguaged:/usr/bin/false
_oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false
Maybe go 450+?
Opened up a dedicated issue to track this.
To repeat @ikuz's solution again:
For a quick fix on macOS 15 install/reinstall with:
NIX_FIRST_BUILD_UID="305" sh <(curl -L https://nixos.org/nix/install)
@michaelvanstraten After upgrade to macOS 15, I've run your suggested command but get the following error:
It seems the build user _nixbld1 already exists, but with the UID
with the UID ''. This script can't really handle that right
now, so I'm going to give up.
If you already created the users and you know they start from
and go up from there, you can edit this script and change
NIX_FIRST_BUILD_UID near the top of the file to and try
again.
Did you experience something similar?
@niklasravnsborg you can try the following with caution:
for u in $(sudo dscl . -list /Users | grep _nixbld); do sudo dscl . -delete /Users/$u; done
for u in $(sudo dscl . -list /Users | grep _nixbld); do sudo dscl . -delete /Users/$u; done
Awesome, that did the trick for me regarding the nix installation :) Thank you