After macOS migration: installation script failed: error: the build users group 'nixbld' has no members

[drichardson]

Describe the bug

The installation script failed.

Reporting here per the instructions as the bottom of the output.

Steps To Reproduce

1. Install nix on mac A
2. Run macOS Migration Assistant to migrate data to mac B
3. On mac B, run nix installer.

NOTE: It's highly likely (2) was an aborted Migration.

Fails with:

error: the build users group 'nixbld' has no members

Expected behavior

Installation should succeed.

nix-env --version output

N/A because nix not installed yet.

Additional context

Full log

[I] doug@dougs-mbp ~/w/whatnot_live (main) [2]> bash
bash-5.1$ sh <(curl -L https://nixos.org/nix/install) --no-daemon
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4046  100  4046    0     0  35844      0 --:--:-- --:--:-- --:--:-- 35844
downloading Nix 2.6.0 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.0/nix-2.6.0-aarch64-darwin.tar.xz' to '/var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/nix-binary-tarball-unpack.XXXXXXXXXX.3eFoEoDc'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8962k  100 8962k    0     0  55.2M      0 --:--:-- --:--:-- --:--:-- 57.2M
Error: --no-daemon installs are no-longer supported on Darwin/macOS!
bash-5.1$ sh <(curl -L https://nixos.org/nix/install)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4046  100  4046    0     0  40402      0 --:--:-- --:--:-- --:--:-- 40402
downloading Nix 2.6.0 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.0/nix-2.6.0-aarch64-darwin.tar.xz' to '/var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/nix-binary-tarball-unpack.XXXXXXXXXX.RFziLjeN'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8962k  100 8962k    0     0  42.7M      0 --:--:-- --:--:-- --:--:-- 43.9M
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what I am going to install and where. Then I will ask
   if you are ready to continue.

3. Create the system users and groups that the Nix daemon uses to run
   builds.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what I will do?
[y/n] y

I will:

 - make sure your computer doesn't already have Nix files
   (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users I'll make)
 - create a local group (nixbld)
 - install Nix in to /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in
   /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon

Ready to continue?
[y/n] y

---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Every time I do, it'll
output exactly what it'll do, and why.

Just like this:

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo echo

to demonstrate how our sudo prompts look

This might look scary, but everything can be undone by running just a
few commands. I used to ask you to confirm each time sudo ran, but it
was too many times. Instead, I'll just ask you this one time:

Can I use sudo?
[y/n] y

Yay! Thanks! Let's get going!

~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.

---- Nix config report ---------------------------------------------------------
        Temp Dir:       /var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/tmp.l3PoZQqnf1
        Nix Root:       /nix
     Build Users:       32
  Build Group ID:       30000
Build Group Name:       nixbld

build users:
    Username:   UID
     _nixbld1:  301
     _nixbld2:  302
     _nixbld3:  303
     _nixbld4:  304
     _nixbld5:  305
     _nixbld6:  306
     _nixbld7:  307
     _nixbld8:  308
     _nixbld9:  309
     _nixbld10: 310
     _nixbld11: 311
     _nixbld12: 312
     _nixbld13: 313
     _nixbld14: 314
     _nixbld15: 315
     _nixbld16: 316
     _nixbld17: 317
     _nixbld18: 318
     _nixbld19: 319
     _nixbld20: 320
     _nixbld21: 321
     _nixbld22: 322
     _nixbld23: 323
     _nixbld24: 324
     _nixbld25: 325
     _nixbld26: 326
     _nixbld27: 327
     _nixbld28: 328
     _nixbld29: 329
     _nixbld30: 330
     _nixbld31: 331
     _nixbld32: 332

Ready to continue?
[y/n] y

---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /etc/synthetic.conf

to add Nix to /etc/synthetic.conf

Password:

~~> Creating a Nix volume

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil apfs addVolume disk3 APFS Nix Store -nomount

to create a new APFS volume 'Nix Store' on disk3

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil unmount force disk3s7

to ensure the Nix volume is not mounted

disk3s7 was already unmounted

~~> Configuring /etc/fstab to specify volume mount options

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/vifs

to add nix to fstab

~~> Configuring LaunchDaemon to mount 'Nix Store'

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /Library/LaunchDaemons/org.nixos.darwin-store.plist

to install the Nix volume mounter

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl bootstrap system /Library/LaunchDaemons/org.nixos.darwin-store.plist

to launch the Nix volume mounter

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl kickstart -k system/org.nixos.darwin-store

to launch the Nix volume mounter

x`
~~> Setting up the build group nixbld

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld

Create the Nix build group, nixbld

            Created:    Yes

~~> Setting up the build user _nixbld1
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 1
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld2
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 2
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld3
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 3
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld4
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 4
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld5
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 5
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld6
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 6
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld7
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 7
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld8
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 8
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld9
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 9
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld10
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 10
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld11
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 11
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld12
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 12
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld13
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 13
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld14
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 14
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld15
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 15
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld16
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 16
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld17
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 17
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld18
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 18
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld19
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 19
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld20
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 20
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld21
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 21
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld22
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 22
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld23
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 23
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld24
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 24
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld25
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 25
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld26
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 26
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld27
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 27
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld28
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 28
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld29
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 29
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld30
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 30
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld31
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 31
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld32
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 32
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the basic directory structure

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/chown -R root:nixbld /nix

to take root ownership of existing Nix store files

chown: /nix/.Trashes: Operation not permitted
chown: /nix/.Trashes: Operation not permitted

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix /nix/var/nix/db /nix/var/nix/gcroots /nix/var/nix/profiles /nix/var/nix/temproots /nix/var/nix/userpool /nix/var/nix/gcroots/per-user /nix/var/nix/profiles/per-user

to make the basic directory structure of Nix (part 1)

install: mkdir /nix/var
install: mkdir /nix/var/log
install: mkdir /nix/var/log/nix
install: mkdir /nix/var/log/nix/drvs
install: mkdir /nix/var/nix
install: mkdir /nix/var/nix/db
install: mkdir /nix/var/nix/gcroots
install: mkdir /nix/var/nix/profiles
install: mkdir /nix/var/nix/temproots
install: mkdir /nix/var/nix/userpool
install: mkdir /nix/var/nix/gcroots/per-user
install: mkdir /nix/var/nix/profiles/per-user

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -g nixbld -m 1775 /nix/store

to make the basic directory structure of Nix (part 2)

install: mkdir /nix/store

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -m 0555 /etc/nix

to place the default nix daemon configuration (part 1)

install: mkdir /etc/nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -m 0664 /var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/tmp.l3PoZQqnf1/.nix-channels /var/root/.nix-channels

to set up the default system channel (part 1)

~~> Installing Nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp -RLp ./store/0jqnrzcrh5xxrjxiiisgwcmq62p07s68-apple-lib-libDER ./store/17m4bcp3y2y99g1bka0wfvp0x26l744g-aws-c-io-0.9.1 ./store/2cl9n67fjnczrbaqlww4ipp2z3mnw5dz-libkrb5-1.18 ./store/3pzpaacii5gb60n2x9f9hs93bnakyqgr-sqlite-3.35.5 ./store/5n7rr6x0zmi82x2p7scd8w1x8qnj6yfc-boehm-gc-8.0.4 ./store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0 ./store/775cc9g4k78ay84w4iy15z0q426yny1n-libcxx-11.1.0 ./store/8imb44frl4jrgjpq89hcph15s7lffhd0-bash-4.4-p23 ./store/92wka994gxzb5p5rgdj0a8p1kp9ayv0a-zstd-1.4.9 ./store/9dg39kyqa8zqnivp83h7cczkd21vmyp9-aws-c-cal-0.4.5 ./store/a6745bp7pzbzb7xbigg5jrbp75lanb61-editline-1.17.1 ./store/b3079yijhwkgp23rn3i5x1bm6zbfd3rb-bzip2-1.0.6.0.2 ./store/bn1svfd6w0mjscvndpr08z161i8zycb5-curl-7.76.1 ./store/c7lpgqfw4izdxspdy8s94rd9hwlpw78s-libiconv-50 ./store/f9sqmvn5vc31dy57iyv8rvsdakr281qx-apple-framework-CoreFoundation-11.0.0 ./store/gnmpa9am81x0qb0r7447fzn6asfvrnln-libobjc-11.0.0 ./store/gx0g26n0jjxcspz8g9ipq9sgjl7y0d4v-xz-5.2.5 ./store/hsbqghjjayl9k55ng276gvi26sn7g137-aws-checksums-0.1.11 ./store/jxxlf9z137d7nfinqmscinv5ma30ckz5-apple-framework-IOKit-11.0.0 ./store/kd0vg2scdiwrnhh8425ixjs7qfsif2s8-openssl-1.1.1l ./store/l6475m8070amp2lkxz8s36sxwykkqbn4-nss-cacert-3.66 ./store/lni8nijamx09clm42pgbl4by1gmaa6mv-aws-sdk-cpp-1.8.121 ./store/mak8qr0sq1v8h2gknkw2xhlp5xvjh6fz-zlib-1.2.11 ./store/mlspxp4w6nday8ggxp30lmx6acd61v7w-libxml2-2.9.12 ./store/mswlivp76jpf68069gcf0ivkc07kf1l3-nghttp2-1.43.0-lib ./store/pssw9x69dxpwmjn84ac8a8xf7irhy2qj-libssh2-1.9.0 ./store/pygjnddvk75kpxvk1ipr9y80wj03jrqa-libarchive-3.5.2-lib ./store/q2v2ikih1f014sazv74skisbj3ar834q-libsodium-1.0.18 ./store/rx5ij82mb3kdhiqr6qk206hmhyzi73gi-aws-c-common-0.5.5 ./store/s6p2agp3gxkjfwmjswjn8gpyv8l2ijxp-apple-framework-Security-11.0.0 ./store/sp33d11b1wqyaijrhyryvgpgz5vnpahk-aws-c-event-stream-0.2.7 ./store/xms94awpivf7k6gi2xk9qzpdbzv3f3zr-libcxxabi-11.1.0 ./store/yfg8rhph33103x3949w3zy0aapx1jcms-brotli-1.0.9-lib /nix/store/

to copy the basic Nix files to the new store at /nix/store

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo chmod -R ugo-w /nix/store/

to make the new store non-writable at /nix/store

      Alright! We have our first nix at /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0/bin/nix-store --load-db

to load data for the first time in to the Nix Database

      Just finished getting the nix database ready.

~~> Setting up shell profiles: /etc/bashrc /etc/profile.d/nix.sh /etc/zshrc /etc/bash.bashrc /etc/zsh/zshrc

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp /etc/bashrc /etc/bashrc.backup-before-nix

to back up your current /etc/bashrc to /etc/bashrc.backup-before-nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/bashrc

extend your /etc/bashrc with nix-daemon settings

# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp /etc/zshrc /etc/zshrc.backup-before-nix

to back up your current /etc/zshrc to /etc/zshrc.backup-before-nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/zshrc

extend your /etc/zshrc with nix-daemon settings

# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo touch /etc/bash.bashrc

to create a stub /etc/bash.bashrc which will be updated

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/bash.bashrc

extend your /etc/bash.bashrc with nix-daemon settings

# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix

~~> Setting up the default profile

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo HOME=/var/root /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0/bin/nix-env -i /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0

to install a bootstrapping Nix in to the default profile

installing 'nix-2.6.0'
error: the build users group 'nixbld' has no members

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org
bash-5.1$

[drichardson]

Was able to get past install error after running this:

$ sudo dscl . -rm /Groups/nixbld
$ for x in $(dscl . -list /Users|grep nix); do sudo dscl . -rm /Users/$x; done

[abathur]

Not sure this is actionable without more context on the pre-install state (i.e., how/why the build users already existed but the group didn't).

[drichardson]

Not sure this is actionable without more context on the pre-install state (i.e., how/why the build users already existed but the group didn't).

It was a new machine. Only thing I can think of is that I tried to run the single user install (see steps to repro). But other than that, not sure.

[abathur]

I'm not sure either. We're obviously out in ~weird territory...

I'll show my math on why this doesn't add up, and then ask a few increasingly paranoid questions:

1

~~> Setting up the build group nixbld

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld

Create the Nix build group, nixbld

            Created:    Yes

You can see in the underlying code here that it would say the group "exists" if it was already there, and say it was "created" if not: https://github.com/NixOS/nix/blob/4d67ecbbb2a00b22b1b23073f5853bcb5b100b75/scripts/install-multi-user.sh#L448-L471

2

~~> Setting up the build user _nixbld1
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 1
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

Likewise, it'll say whether the user already exists or is created: https://github.com/NixOS/nix/blob/4d67ecbbb2a00b22b1b23073f5853bcb5b100b75/scripts/install-multi-user.sh#L484-L503

3

https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh handles both the option parsing and the single-user install process. If you invoked with --no-daemon, you presumably hit this: https://github.com/NixOS/nix/blob/4d67ecbbb2a00b22b1b23073f5853bcb5b100b75/scripts/install-nix-from-closure.sh#L61-L65

It would abort your install before making any changes. You can confirm in the broader source (and, in any case, the single-user install creates no groups or users).

adding it up

So:

1. We're pretty sure the users existed before the install logged here.
2. We're pretty sure the group didn't.
3. We're pretty sure trying to run (or even successfully running) a single-user install can't cause this condition.

questions

1. Do you still have the initial install in your scrollback?
2. Is this your personal device? (More to the point: is it enrolled in an MDM or otherwise managed by an institution in some way that might weird our user/group assumptions?)
3. Was it already set up when you started using it, or did you go through the first-time setup yourself?
4. Either during first-time setup or after, did you happen to use the Migration Assistant? (It's been long enough since I last ran through setup that I don't recall if it uses those words; it'll say something about transferring data...)
5. Did you use any other kind of restore-from-backup process on it?
6. If the answer to either 4 or 5 is yes: did the previous system have Nix installed? If so:
   1. is this device still available (in whatever condition it was before migration)?
   2. what version of macOS does/did it have installed?
   3. what's your best guess as to when Nix was first installed on it?

[drichardson]

First off: you're a legend for thinking about this so much.

To answer your questions:

• Do you still have the initial install in your scrollback?

Unfortunately no. I do have some bash history I will include though, starting with the first attempt to do a single user install.

``` 360 sh <(curl -L https://nixos.org/nix/install) --no-daemon 361 sh <(curl -L https://nixos.org/nix/install) 362 nix-env 363 dscl 364 dscl . 365 dscl . list 366 dscl . list '/Users' 367 man dscl 368 ls 369 sh <(curl -L https://nixos.org/nix/install) 370 sh <(curl -L https://nixos.org/nix/install) 371 sudo vim /etc/bashrc 372 set 373 set|rg nix 374 ls 375 sh <(curl -L https://nixos.org/nix/install) 376 vim .bash_profile 377 rg .bash* f 378 rg nix .bash* 379 ls 380 cd scripts/ 381 rg nix .bash* 382 rg nix 383 cd .. 384 rg nix 385 sh <(curl -L https://nixos.org/nix/install) 386 ls 387 find . -name '*nix*' 388 cd /etc/nix/ 389 ls 390 find . 391 cd .. 392 ls 393 sudo rm -rf nix 394 cd 395 ls 396 sh <(curl -L https://nixos.org/nix/install) 397 sh <(curl -L https://nixos.org/nix/install) 398 sh <(curl -L https://nixos.org/nix/install) 399 cd /etc 400 ls 401 vim bashrc.backup-before-nix 402 diff bashrc.backup-before-nix bashrc 403 sudo mv bashrc.backup-before-nix bashrc 404 cd 405 sh <(curl -L https://nixos.org/nix/install) 406 sudo mv /etc/zshrc.backup-before-nix /etc/zshrc 407 sh <(curl -L https://nixos.org/nix/install) 408 sh <(curl -L https://nixos.org/nix/install) 409 sudo mv /etc/zshrc.backup-before-nix /etc/zshrc 410 sudo mv bashrc.backup-before-nix bashrc 411 cd /etc 412 diff bash.bashrc.backup-before-nix bashrc.backup-before-nix 413 sudo vim bashrc 414 ls 415 ls 416 ls 417 bash 418 ls 419 sh <(curl -L https://nixos.org/nix/install) 420 cd /etc 421 ls 422 git diff bashrc 423 vim bashrc.backup-before-nix 424 file bash* 425 vim bash.bashrc 426 sudo rm bash.bashrc 427 sudo mv bashrc.backup-before-nix bashrc 428 ls 429 pwd 430 file bash* 431 sudo rm bashrc_Apple_Terminal 432 sudo rm bash.bashrc.backup-before-nix 433 ls bash* 434 vim bashrc 435 ls zsh* 436 cat zshrc_Apple_Terminal 437 sl 438 ls 439 ls 440 sudo vim zshrc 441 ls 442 find . -name '*.nix*' 443 mount 444 sh <(curl -L https://nixos.org/nix/install) 445 echo $SHELL 446 dscl . 447 dscl . list 448 dscl . read 449 dscl /Local list 450 dscl . list 451 dscl . 452 dscl . lsit 453 dscl . list 454 dscl . read 455 dscl read . 456 dscl list . 457 dscl 458 dscl -h 459 dscl . 460 dscl . -h 461 dscl . -list / 462 dscl . -list /Users 463 dscl . -list /Groups 464 dscl . -list /Groups/nixbld 465 dscl . -rm /Groups/nixbld 466 sudo dscl . -rm /Groups/nixbld 467 sudo dscl . -rm /Groups/nixbld 468 sudo dscl . -list /Users/nix* 469 sudo dscl . -list /Users/_nix* 470 sudo dscl . -list '/Users/nix*' 471 sudo dscl . -list /Users/ 472 sudo dscl . -list /Users 473 sudo dscl . -list /Users/_ 474 sudo dscl . -list /Users/_nixbld* 475 sudo dscl . -list '/Users/_nixbld*' 476 sudo dscl . -list /Users/_ 477 sudo dscl . -list /Users/ 478 sudo dscl . -list /Users 479 sudo dscl . -list /Users|rg _nix 480 sudo dscl . -list /Users|grep nix 481 dscl . -list /Users|grep nix 482 for x in $(dscl . -list /Users|grep nix); do echo $x; done 483 for x in $(dscl . -list /Users|grep nix); do echo dscl . -read /Users/$x; done 484 for x in $(dscl . -list /Users|grep nix); do dscl . -read /Users/$x; done 485 for x in $(dscl . -list /Users|grep nix); do sudo dscl . -rm /Users/$x; done 486 for x in $(dscl . -list /Users|grep nix); do echo dscl . -read /Users/$x; done 487 ls -l /Volumes/ 488 ls -l / 489 mount 490 which fish 491 sudo chsh -s /opt/homebrew/bin/fish 492 chsh -s /opt/homebrew/bin/fish 493 sudo -s 494 nix-shell ```

• Is this your personal device? (More to the point: is it enrolled in an MDM or otherwise managed by an institution in some way that might weird our user/group assumptions?)

It's a work computer, but I purchased it myself from and does not have MDM or any other kind of profile provisioning on it. Also, no body else at my company experienced this issue, just me (and there are several other nix users).

• Was it already set up when you started using it, or did you go through the first-time setup yourself?

I bought it new, unwrapped it, and set it up myself.

• Either during first-time setup or after, did you happen to use the Migration Assistant? (It's been long enough since I last ran through setup that I don't recall if it uses those words; it'll say something about transferring data...)

Yes. But it didn't work, so I (attempted) to wipe by doing a new install. I did have nix installed on my previous computer.

This seems really sus, I think you found the problem. I wonder if there's anyway for me to check if I had a partial migration. I bet I didn't actually wipe it like I thought I did.

• Did you use any other kind of restore-from-backup process on it?

Nope.

• If the answer to either 4 or 5 is yes: did the previous system have Nix installed? If so:

Yes.

1. is this device still available (in whatever condition it was before migration)?

No, I wiped it.

2. what version of macOS does/did it have installed?

Latest. I updated it right before I sent it to another colleague, so 12.x.x. (not sure exactly).

3. what's your best guess as to when Nix was first installed on it?

Sometime after Dec 13.

[drichardson]

SUS

$ ls /Library/SystemMigration/History
Migration-FCBA4AEA-A53F-4B53-A0E5-15635D75611F

I think you found the problem @abathur. Users/groups brought over from a migration.

[drichardson]

I actually forgot about the migration because (as I mentioned) I tried (and obviously failed) to wipe it.

[drichardson]

And look at this section from /Library/SystemMigration/History Migration-FCBA4AEA-A53F-4B53-A0E5-15635D75611F/Request (which is a binary plist):

    220 => "groupCreation"
    221 => {
      "$class" => <CFKeyedArchiverUID 0x6000015ddec0 [0x22075c000]>{value = 36}
      "NS.objects" => [
        0 => <CFKeyedArchiverUID 0x6000015df840 [0x22075c000]>{value = 222}
        1 => <CFKeyedArchiverUID 0x6000015df860 [0x22075c000]>{value = 223}
        2 => <CFKeyedArchiverUID 0x6000015df880 [0x22075c000]>{value = 224}
      ]
    }
    222 => "nixbld"
    223 => "com.apple.sharepoint.group.2"
    224 => "com.apple.sharepoint.group.1"
    225 => {
      "$class" => <CFKeyedArchiverUID 0x6000015de020 [0x22075c000]>{value = 27}
      "NS.keys" => [
        0 => <CFKeyedArchiverUID 0x6000015df8a0 [0x22075c000]>{value = 226}
      ]
      "NS.objects" => [
        0 => <CFKeyedArchiverUID 0x6000015de120 [0x22075c000]>{value = 33}
      ]
    }

[drichardson]

QED.

Fields Medal for @abathur

[drichardson]

Other than detecting this and recovering, nothing to do for this issue I guess. Feel free to close and thanks for your awesome investigation!

[abathur]

Ha! I'm glad that seems like the culprit. We would've been deep in red yarn territory if none of these panned out.

I think it can stay open (and I don't have the power to close it, anyways). If you can find a way to phrase the migration assistant into the title it may help this thread be a better light-house for anyone else seeing the same.

---

As far as fixing this later goes:

• It may take a bit before someone equipped to test out a migration and figure out what isn't getting wired up, but it would be nice to find out what the condition is. Starting in Big Sur, macOS has been doing some weird things with users and groups (see https://github.com/NixOS/nix/issues/4531). I think we've also seen a few nixbld-has-no-members reports recently. Isolating the condition might help us fix other problems.
• But, if we wait a while and can't find anyone who can investigate, I guess we could probably compensate by treating existing users/groups as something to "cure" (i.e., to handle with the same idioms as the curing procedures in scripts/create-darwin-volume.sh).

[drichardson]

If you can find a way to phrase the migration assistant into the title it may help this thread be a better light-house for anyone else seeing the same.

Done.

[charles-dyfis-net]

I'm assisting a user who appears to be hitting this issue (including the SystemMigration reference).

Even though dscl shows that the users and groups exist (if we create them), or don't exist (if we delete them); and dsmemberutil checkmembership shows the users to be members of the groups when they should, getgrnam() appears not to be including any list of users as associated with the group.

1. Do we have an actual resolution/workaround/mechanism to fix this?
2. Is there any concrete/specific investigation I can perform?

[abathur]

I'm assisting a user who appears to be hitting this issue (including the SystemMigration reference).

Even though dscl shows that the users and groups exist (if we create them), or don't exist (if we delete them); and dsmemberutil checkmembership shows the users to be members of the groups when they should, getgrnam() appears not to be including any list of users as associated with the group.

1. Do we have an actual resolution/workaround/mechanism to fix this?
2. Is there any concrete/specific investigation I can perform?

I'm not sure what to tell you, but I happened to notice this in my inbox right after you sent it, so I want to note that there are some poorly-understood quirks here with respect to user/group relations in macOS. You can see an example of this in https://github.com/NixOS/nix/pull/4532#issuecomment-775274318 and my 2 immediately-following comments.

I suspect the thing that'll get you on the road again is trying to follow these uninstall instructions before reinstalling: https://nixos.org/manual/nix/stable/installation/installing-binary.html#macos

That said, if you have a little bit of timeline wiggle here it would be nice to collect some information on the user/group setup on this device. (I don't personally work with users/groups much in macOS, but I've asked in chat to see if anyone has specific ideas...)

[charles-dyfis-net]

The user who was experiencing this is no longer in the impacted state: It was fixed by looping over the build accounts, running dscl . append /Groups/nixbld GroupMembership _nixbld$i.

I'm guessing that this added nixbld as a supplemental group, in addition to being a primary group by virtue of the GIDs matching. Why this was necessary is a very open question.

I did get a dump of the /Users and /Groups plists earlier, when this was still happening, and have them on hand to query.

[abathur]

Glad your user is sorted. :)

Also promising that they're related, since GroupMembership was involved yet again. If there's nothing sensitive in them, can you drop them in a code block, perhaps within a <details> tag, or even just attach a file/log containing them?

[charles-dyfis-net]

Okay, got a new dump, and comparing them, the difference is clear as day :)

Only after running the relevant dscl append commands does the nixbld group have a dsAttrTypeStandard:GroupMembership key at all. Just having matching GIDs doesn't suffice; a user needs to be explicitly listed in a GroupMembership array for the getgrnam() call in UserLock::findFreeUser() to return it.

[charles-dyfis-net]

btw, it's worth explicitly calling out that dsAttrTypeStandard:GroupMembers is populated in both the before and after cases; it's only dsAttrTypeStandard:GroupMembership that was unpopulated in the faulty state. This explains why many of the OS's tools were claiming that the group membership was already correct.

[abathur]

Sorry for the slow response--I had this mostly-written in a tab but then discovered some plagiarism and had my day/week/month upended...

Thanks for the update! I'm glad that we seem to have a culprit. (But broadly frustrated that there's so much lurking complexity here...)

---

Some thoughts on potential next steps:

1. One thing we should try to keep in-frame is whether this might be a byproduct of migrating versions of macOS before some version. (Maybe this is a requirement they added at some point, and added to their tooling for new users, but migration is able to smuggle group/account setups unchanged from before this requirement existed.)

   @drichardson @charles-dyfis-net do you happen to know what macOS versions the old/migrated systems were running?

2. We might be holding the user/groups tooling wrong, or there might be bugs/omissions in the macOS migration routine and tooling. We could maybe open a feedback? My record with getting useful responses to feedbacks is not great. Don't feel obliged, but let me know the FB number if you have or happen to open one?

   @drichardson @charles-dyfis-net On the off chance either of you opened a Feedback, can you give me the FB number? (Not expecting you to open one if you haven't, but I'll reference it if I get a chance to follow up w/ them.)

3. Unless we find out that we're holding the user/groups tooling wrong, I'm not sure there'll be an actionable thing we can do to keep migrations from catapulting people into this problem.
   • It's not clear from the thread, but if this initially manifests, post-migration, as a failure to find build users in Nix, we might be able to coax someone into special-casing the error for macOS to point them in the right direction?
   • I guess it's at least plausible that there's some way to pre-flag the Nix store and its users/groups as something that shouldn't be migrated (but I doubt it, and shallow search didn't find anything).

4. We could probably update the installer to either try to narrowly detect and repair dsAttrTypeStandard:GroupMembership, or we could add these users and groups to the list of things the macOS installer can "cure" by completely removing and replacing them.

   (This is probably the easiest way to fix issues like this without having to really understand them, but it would also make repeat installs significantly slower and might keep us from learning enough about the causes to just fix them before they break on users?)

[drichardson]

1. @drichardson @charles-dyfis-net do you happen to know what macOS versions the old/migrated systems were running?

No I don't remember the exact version, but can hazard some guesses.

I was migrating from an almost brand new M1 machine to another new M1 machine with almost identical specs (the new one just had more RAM). The "old" machine was almost certainly up to date (I update regularly). Based on https://en.wikipedia.org/wiki/MacOS_Monterey it looks like that would have been 12.1, 12.2, or 12.2.1 (unlikely since it was released the same day I reported this issue.

I don't remember what the "new" machine had on it, but I started using it almost as soon as it arrived, so assuming Apple gave me a recently built computer (which I imagine they did since I had to wait a while for it) it also was probably running 12.1 or 12.2.

[drichardson]

2. @drichardson @charles-dyfis-net On the off chance either of you opened a Feedback, can you give me the FB number? (Not expecting you to open one if you haven't, but I'll reference it if I get a chance to follow up w/ them.)

I did not. I'm not sure what "a Feedback" is (but I'm guessing some nixOS thing).

[abathur]

@drichardson drat; I guess we won't age out of it then. Thanks for narrowing it down :)

By feedback I just mean a report in the Apple Feedback Assistant.

[charles-dyfis-net]

The most recent system it was observed on was a M1 Mac received within the last two weeks. I don't have the precise version number at hand.

Going through my old emails, my prior Apple Support engagements don't appear to have transcripts, so at least from the emailed receipts I don't have enough information to pin down which of them corresponded with this issue (I reported it to them once after it happened on then-recent M1-based personal hardware some time last year, which AFAIK nothing ever came of). I don't believe I've ever used the Feedback Assistant.

[charles-dyfis-net]

Insofar as this issue is pretty easy to identify by querying a dumped group plist, I'd imagine we could (1) patch the installer to identify and repair it (as a bare minimum, to ensure that reinstalling does fix the issue); and (2) possibly add some pre-startup logic to the nix-daemon launchd service.