DeterminateSystems / nix-installer

Install Nix and flakes with the fast and reliable Determinate Nix Installer, with over 7 million installs.
https://determinate.systems
GNU Lesser General Public License v2.1

Curing fails on macOS due to `darwin-store` LaunchDaemon #357

Open pmaene opened 1 year ago

pmaene commented 1 year ago

Hi! I've been following this project with some interest and noticed that the release notes for v0.6.0 mentioned limited curing support and executed it on my existing macOS installation. However, the planner fails because it did not expect the contents of `/Library/LaunchDaemons/org.nixos.darwin-store.plist`. I originally installed Nix through the official installation scripts not too long ago (about two or three months back).

Looking at the nix-installer, it seems APFS encryption is disabled by default, while my volume is encrypted (I can't remember whether this was an option in the original scripts or not). However, the error persists even when enabling encryption through `--encrypt true`.

You can find the file's current contents below, and I'm happy to answer any further questions.

Error

```
Error:
   0: Planner error
   1: Error executing action
   2: Child action `create_file`
   3: `/Library/LaunchDaemons/org.nixos.darwin-store.plist` exists with different content than planned, consider removing it with `rm /Library/LaunchDaemons/org.nixos.darwin-store.plist`
```

Content

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>RunAtLoad</key>
  <true/>
  <key>Label</key>
  <string>org.nixos.darwin-store</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/bin/security find-generic-password -s '40B720A5-D41A-4711-932C-E3685B8545A6' -w | /usr/sbin/diskutil apfs unlockVolume '40B720A5-D41A-4711-932C-E3685B8545A6' -mountpoint '/nix' -stdinpassphrase</string>
  </array>
</dict>
</plist>
```

Hoverbear commented 1 year ago

Hi @pmaene ! Thanks for this report.

We enable apfs encryption if it is detected. In this case the issue is the UUID I believe. This is unfortunately not something our limited curing can fix yet. I did test a similar situation and had success, let me try to reproduce today.

We hope to unlock this in the next version.

pmaene commented 1 year ago

Thanks for the quick update! I'm happy to try this again in the next version. It's definitely nothing urgent, since I have a perfectly working Nix install on my Mac ☺️!

Feel free to reach out if I can help out with anything (I noticed you've already opened a PR to address this issue)!

pmaene commented 1 year ago

Hi! I just ran `plan macos` after downloading v0.7.0, but I'm still getting an error related to the `darwin-store` LaunchDaemon. It seems that nix-installer fails to detect that the APFS volume is encrypted. Additionally, forcing encryption with `--encrypt true` doesn't seem to work either.

Error

```
Error:
   0: Planner error
   1: Error executing action
   2: Child action `setup_volume_daemon`
   3: `/Library/LaunchDaemons/org.nixos.darwin-store.plist` contents differs, planned `LaunchctlMountPlist { run_at_load: true, label: "org.nixos.darwin-store", program_arguments: ["/usr/sbin/diskutil", "mount", "-mountPoint", "/nix", "40B720A5-D41A-4711-932C-E3685B8545A6"] }`, discovered `LaunchctlMountPlist { run_at_load: true, label: "org.nixos.darwin-store", program_arguments: ["/bin/sh", "-c", "/usr/bin/security find-generic-password -s '40B720A5-D41A-4711-932C-E3685B8545A6' -w | /usr/sbin/diskutil apfs unlockVolume '40B720A5-D41A-4711-932C-E3685B8545A6' -mountpoint '/nix' -stdinpassphrase"] }`
```

Metadata

| key | value |
| --- | --- |
| version | 0.7.0 |
| os | macos |
| arch | x86_64 |

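
The planned and discovered `program_arguments` in the error above can be compared mechanically to see which part differs. This is an added example, not part of the thread and not nix-installer's code: `classify_args` and `explain_mismatch` are hypothetical helpers, and the plist is rebuilt from the values quoted in the report.

```python
import plistlib
import shlex

UUID = "40B720A5-D41A-4711-932C-E3685B8545A6"  # volume UUID quoted in the report

# What v0.7.0 planned, per the error message (unencrypted mount).
PLANNED_ARGS = ["/usr/sbin/diskutil", "mount", "-mountPoint", "/nix", UUID]

# Constructed sample: the plist already on disk, rebuilt from the report.
DISCOVERED_PLIST = plistlib.dumps({
    "RunAtLoad": True,
    "Label": "org.nixos.darwin-store",
    "ProgramArguments": ["/bin/sh", "-c",
        f"/usr/bin/security find-generic-password -s '{UUID}' -w | "
        f"/usr/sbin/diskutil apfs unlockVolume '{UUID}' "
        "-mountpoint '/nix' -stdinpassphrase"],
})


def classify_args(args):
    """Return (kind, volume_uuid); kind is 'encrypted', 'plain' or 'unknown'."""
    if len(args) == 3 and args[:2] == ["/bin/sh", "-c"]:
        tokens = shlex.split(args[2])  # the '|' survives as its own token
        if "unlockVolume" in tokens[:-1] and "-stdinpassphrase" in tokens:
            return "encrypted", tokens[tokens.index("unlockVolume") + 1]
    elif len(args) >= 3 and args[:2] == ["/usr/sbin/diskutil", "mount"]:
        return "plain", args[-1]
    return "unknown", None


def explain_mismatch(planned_args, plist_bytes):
    """Compare a planned argv with the daemon on disk and name the difference."""
    found = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    if found == planned_args:
        return "match"
    p_kind, p_uuid = classify_args(planned_args)
    f_kind, f_uuid = classify_args(found)
    if p_uuid != f_uuid:
        return f"volume UUID differs: planned {p_uuid}, found {f_uuid}"
    if p_kind != f_kind:
        return f"same volume, kind differs: planned {p_kind}, found {f_kind}"
    return "arguments differ in some other way"


if __name__ == "__main__":
    print(explain_mismatch(PLANNED_ARGS, DISCOVERED_PLIST))
```
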
Hoverbear commented 1 year ago

Hi! Did you try to install 0.7.0 over 0.6.0? In 0.6.0 we had a bug with encryption detection and we fixed it, it's likely 0.6.0 wrongly detected it needed to encrypt. Could you try using the 0.6.0 uninstaller via `/nix/nix-installer uninstall` then rebooting and trying 0.7.0?

pmaene commented 1 year ago

I don't think 0.6.0 ever got past the planning stage. There's also no copy of the binary at `/nix/nix-installer`. Is there some state that I should reset manually? Thanks again!

Hoverbear commented 1 year ago

Hmmm could you try checking `launchctl show org.nixos.darwin-store` (which should not exist) and `diskutil apfs list | grep nix` (which should not exist)?

If they exist or are running, we need to stop them and remove them. The volume would be `diskutil apfs deleteVolume $NAME`, the service you could `launchctl stop org.nixos.darwin-store` and then `rm /Library/LaunchDaemons/org.nixos.darwin-store.plist`.

Once you do those, we should be able to do a new nix install like normal.

Sadly we haven't quite gotten the curing on this quite right, I'm hoping to improve it.

Sorry about the bugs here. :(

pmaene commented 1 year ago

Sorry about the confusion! I do have a working Nix installation on my Mac (through the official installation script). However, I was interested in nix-installer's ability to create an installation receipt. This is one of the reasons I've been following the curing progress.

I totally understand that this is an edge-case and definitely not a priority, though!

Hoverbear commented 1 year ago

I think this is related to #361 having not worked properly. :thinking:

It may be fixed next version.

Hoverbear commented 1 year ago

I believe this ticket was resolved and got accidentally carried forward?

pmaene commented 1 year ago

Sorry for not having commented sooner, but I'm still running into this issue in v0.9.1. The planner returns the same error stating that the plist contents differ as before (https://github.com/DeterminateSystems/nix-installer/issues/357#issuecomment-1489886232). It seems that it does not correctly determine that the APFS volume is encrypted?

However, I totally understand it if curing an existing macOS installation from the official installation script is not a priority!

Hoverbear commented 1 year ago

Oh! Ok! I'll add it to the next milestone. :)

pmaene commented 1 year ago

Thanks for continuing to investigate this!