Closed Luflosi closed 2 months ago
Is there no way to continue using `DynamicUser`? Great find btw
I didn't remove the `DynamicUser = true;` line. I'm just creating the user and group beforehand, so they're not dynamically allocated anymore. All the other effects of `DynamicUser` still apply.

If `SupplementaryGroups` worked, then I would have only needed to create an additional group while the user and main group would have still been dynamically allocated. But this didn't work in my testing and I found the Nix issue linked above.

I would welcome you testing `SupplementaryGroups` again to make sure I didn't make a mistake.
Previously we relied on the `nix.settings.allowed-users` option to be kept at the default. If the user sets this setting to `[]`, the `macos-ventura` systemd service wouldn't be allowed to talk to the daemon and the run script would fail to create a garbage collection root. This would cause the base image to be eventually deleted by the garbage collector, leading to an unbootable macOS VM. To fix this, I add a new group and allow it to talk to the Nix daemon.

I first tried to use `SupplementaryGroups` instead but that didn't work, see https://github.com/NixOS/nix/issues/9071.

I also modified the run script to create the `macos-ventura.qcow2` image based on the symlink to the base image instead of using the store path directly. This way, if the `nix-store` command above fails to create the GC root in the future, it will be very obvious.
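The shape of the fix described in this PR, as an added example and not the PR's own code: the user and group are created statically so `DynamicUser = true` keeps its sandboxing effects but reuses the existing account, the group is appended to `nix.settings.allowed-users` (NixOS merges list options, so this holds even when the host sets it to `[]`), and the run script fails loudly if the GC root cannot be registered. The user/group name `macos-ventura`, the `baseImage` placeholder and the `runScript` body are assumptions; starting the VM itself is the project's existing logic and is omitted here.

```nix
# Added example illustrating the PR description; not the project's module.
# Assumed names: user and group "macos-ventura", a placeholder baseImage.
{ config, lib, pkgs, ... }:

let
  # Placeholder for the store path of the base disk image (assumption).
  baseImage = pkgs.emptyFile;

  # Assumed run script: register the GC root first, then fail hard if the
  # symlink is missing. Anything downstream should use "$root", never the
  # bare store path, so a failed or deleted root is noticed immediately.
  runScript = pkgs.writeShellScript "macos-ventura-run" ''
    set -euo pipefail
    root="$STATE_DIRECTORY/base-image"
    # Without daemon access (allowed-users excluding this group) this call
    # fails and the unit stops here instead of booting an unprotected image.
    ${config.nix.package}/bin/nix-store --add-root "$root" -r ${baseImage} >/dev/null
    # Loud check: the writable qcow2 is derived from this symlink later on.
    test -L "$root" && test -e "$root" || { echo "GC root missing: $root" >&2; exit 1; }
    echo "base image pinned at $root"
  '';
in
{
  # Pre-created account: systemd's DynamicUser reuses an existing user/group
  # of the same name rather than allocating a transient UID/GID.
  users.users.macos-ventura = {
    isSystemUser = true;
    group = "macos-ventura";
  };
  users.groups.macos-ventura = { };

  # "@group" is Nix's syntax for allowing a whole group. Because NixOS list
  # options merge, this entry survives a host-level `allowed-users = [ ]`.
  nix.settings.allowed-users = [ "@macos-ventura" ];

  systemd.services.macos-ventura = {
    description = "macOS VM runner (example)";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;          # kept: private /tmp, RemoveIPC, etc.
      User = "macos-ventura";
      Group = "macos-ventura";
      StateDirectory = "macos-ventura";   # provides $STATE_DIRECTORY
      ExecStart = runScript;
    };
  };
}
```

Operationally, the thing to verify after deploying is that the unit fails (visible in `journalctl -u macos-ventura`) when the group is removed from `allowed-users`, rather than running on and leaving the base image exposed to the next garbage collection.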