NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

nix macOS install failed -UID clash- (Jamf controlled enterprise machine) #9682

Open geffgh opened 8 months ago

geffgh commented 8 months ago

Platform

Additional information

The main factor that might have an impact is that this is an enterprise Jamf-controlled machine. As you can see in the output, each time a sudo is needed I am required to give a reason for this super user action. This is everywhere you see this line:

Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects

Please also note there is a secondary, non-blocking issue here in that the sudo command about to be run is not shown. Possibly this is due to the above-mentioned "provide a reason" request.

Output

```log
|~@machinename Tue 24-01-02T17:01
|%> sh <(curl -L https://nixos.org/nix/install)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4052  100  4052    0     0   4758      0 --:--:-- --:--:-- --:--:-- 20059
zsh: killed     sh <(curl -L https://nixos.org/nix/install)
________________________________________________________________________________
|~@machinename Tue 24-01-02T17:16
|%> curl -L https://nixos.org/nix/install | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4052  100  4052    0     0   3965      0  0:00:01  0:00:01 --:--:--  3965
downloading Nix 2.19.2 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.19.2/nix-2.19.2-aarch64-darwin.tar.xz' to '/var/folders/ch/2vynlq5n27n5gtx80lkyp4cr0000gp/T/nix-binary-tarball-unpack.XXXXXXXXXX.Kqe1hr8Fdh'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10.9M  100 10.9M    0     0  4506k      0  0:00:02  0:00:02 --:--:-- 4508k
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation
This installation tool will set up your computer with the Nix package manager.
This will happen in a few stages:
1. Make sure your computer doesn't already have Nix. If it does, I will show you instructions on how to clean up your old install.
2. Show you what I am going to install and where. Then I will ask if you are ready to continue.
3. Create the system users (uids [301..332]) and groups (gid 30000) that the Nix daemon uses to run builds.
4. Perform the basic installation of the Nix files daemon.
5. Configure your shell to import special Nix Profile files, so you can use Nix.
6. Start the Nix daemon.
Would you like to see a more detailed list of what I will do?
No TTY, assuming you would say yes :)
I will:
 - make sure your computer doesn't already have Nix files (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users I'll make)
 - create a local group (nixbld)
 - install Nix in to /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon
Ready to continue?
No TTY, assuming you would say yes :)
---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Normally, it would show you exactly what commands it is running and why. However, the script is run in a headless fashion, like this:
  $ curl -L https://nixos.org/nix/install | sh
or maybe in a CI pipeline. Because of that, I'm going to skip the verbose output in the interest of brevity.
If you would like to see the output, try like this:
  $ curl -L -o install-nix https://nixos.org/nix/install
  $ sh ./install-nix
~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config and ask for your permission to remove it (so that the installer can start fresh). I'll also ask for permission to fix any issues I spot.
~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has been installed on this system.
---- Nix config report ---------------------------------------------------------
        Temp Dir:   /var/folders/ch/2vynlq5n27n5gtx80lkyp4cr0000gp/T/tmp.mrmv0zLL6E
        Nix Root:   /nix
     Build Users:   32
  Build Group ID:   30000
Build Group Name:   nixbld
build users:
  Username:   UID
  _nixbld1:   301
  _nixbld2:   302
  _nixbld3:   303
  _nixbld4:   304
  _nixbld5:   305
  _nixbld6:   306
  _nixbld7:   307
  _nixbld8:   308
  _nixbld9:   309
  _nixbld10:  310
  _nixbld11:  311
  _nixbld12:  312
  _nixbld13:  313
  _nixbld14:  314
  _nixbld15:  315
  _nixbld16:  316
  _nixbld17:  317
  _nixbld18:  318
  _nixbld19:  319
  _nixbld20:  320
  _nixbld21:  321
  _nixbld22:  322
  _nixbld23:  323
  _nixbld24:  324
  _nixbld25:  325
  _nixbld26:  326
  _nixbld27:  327
  _nixbld28:  328
  _nixbld29:  329
  _nixbld30:  330
  _nixbld31:  331
  _nixbld32:  332
Ready to continue?
No TTY, assuming you would say yes :)
---- Preparing a Nix volume ----------------------------------------------------
Nix traditionally stores its data in the root directory /nix, but macOS now (starting in 10.15 Catalina) has a read-only root directory. To support Nix, I will create a volume and configure macOS to mount it at /nix.
~~> Configuring /etc/synthetic.conf to make a mount-point at /nix
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
~~> Creating a Nix volume
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
disk3s7 was already unmounted
~~> Configuring /etc/fstab to specify volume mount options
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
~~> Encrypt the Nix volume
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Volume Nix Store on Nix Store mounted
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Encrypting with the new "Disk" crypto user on disk3s7
The new "Disk" user will be the only one who has initial access to disk3s7
The new APFS crypto user UUID will be 5FF8BC1C-0DD5-41D1-8334-D1A2A65A348E
Encryption has likely completed due to AES hardware; see "diskutil apfs list"
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Volume Nix Store on disk3s7 force-unmounted
~~> Configuring LaunchDaemon to mount 'Nix Store'
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
~~> Setting up the build group nixbld
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Created: Yes
~~> Setting up the build user _nixbld1
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
attribute status: eDSRecordAlreadyExists
DS Error: -14135 (eDSRecordAlreadyExists)
---- oh no! --------------------------------------------------------------------
Oh no, something went wrong. If you can take all the output and open an issue, we'd love to fix the problem so nobody else has this issue. :(
We'd love to help if you need it. You can open an issue at https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md
Or get in touch with the community: https://nixos.org/community
________________________________________________________________________________
|~@machinename Tue 24-01-02T17:33
```


geffgh commented 8 months ago

Also FYI:

```log
     +-> Volume disk3s7 ID-string
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s7 (No specific role)
        Name:                      Nix Store (Case-insensitive)
        Mount Point:               /nix
        Capacity Consumed:         24576 B (24.6 KB)
        Sealed:                    No
        FileVault:                 Yes (Unlocked)
|%> ll / | grep nix
drwxr-xr-x   3 root  wheel    96B  2 Jan 17:31 nix/
________________________________________________________________________________
|~@LONGEF-M Tue 24-01-02T18:10
|%> ll /nix
total 0
d-wx--x--t  3 root  wheel    96B  2 Jan 17:31 .Trashes/
|%> ll /Library/LaunchDaemons/org.nixos.darwin-store.plist
-rw-r--r--  1 root  wheel   615B  2 Jan 17:33 /Library/LaunchDaemons/org.nixos.darwin-store.plist
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>RunAtLoad</key>
  <true/>
  <key>Label</key>
  <string>org.nixos.darwin-store</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/bin/security find-generic-password -s 'ID-string' -w | /usr/sbin/diskutil apfs unlockVolume 'ID-string' -mountpoint '/nix' -stdinpassphrase</string>
  </array>
</dict>
</plist>
```

abathur commented 8 months ago

That sudo prompt is brutal, but I don't think it's directly causing the failure.

It sounds like you already have a user with the same 301 UID (see https://github.com/NixOS/nix/issues/6153).

Speaking generally, the way around is to either delete that user/users if you no longer use whatever software/services that need them, or try to manually identify a new UID range that doesn't conflict (there's an overview of how to find a new range in https://github.com/NixOS/nix/issues/6153#issuecomment-1068508475). On macOS I think this has to be between UIDs 200-400, and Apple/macOS use a fair share of 200-299.

Since a few artifacts are already set up, follow the uninstall instructions before trying anything below: https://nixos.org/manual/nix/stable/installation/uninstall.html#macos


I usually wouldn't recommend a third-party installer on this official issue tracker, but you may want to consider using the detsys installer (https://github.com/DeterminateSystems/nix-installer) for two specific reasons:

  1. I believe it only invokes sudo once, so it should be far less tedious.
  2. It looks like you can prefix the invocation with NIX_INSTALLER_NIX_BUILD_USER_ID_BASE=<UID> to override the first UID. (The same basic feature was recently added to the official installer, but there hasn't been a release since it was merged.)

If you can't free up the default UIDs and are not comfortable using a third-party installer, there are 3 potential options:

abathur commented 8 months ago

The community unstable installer has been updated, so that's now an option. Release at https://github.com/nix-community/nix-unstable-installer/releases/tag/nix-2.20.0pre20231220_75e10e4.

Should be able to invoke like:

```sh
NIX_FIRST_BUILD_ID=<first-uid> sh <(curl -L https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.20.0pre20231220_75e10e4/install)
```

geffgh commented 8 months ago

First of all, Travis @abathur, thanks for your great help. I will attempt to follow one or more of them.

Clearly I should have searched here for the error message, as I can now see there are many issues raised for this error. Looking at the many other duplicates of this issue, and also running:

```sh
/usr/bin/dscl . list /Users UniqueID | sort -n -k 2
```

I can see that many Macs, maybe enterprise-managed ones in particular, generally already have UIDs taken up to some low 30x number.

Maybe it might be a good idea to revisit the current Nix macOS install approach? Not sure why Nix needs so many (32) user IDs, or why they must be between 200-400, but assuming it does, maybe a much more flexible approach to which IDs are used might be advisable? E.g. using any free ones intermingled in this range.

Not sure what the max UID is in macOS, but maybe starting somewhere at the top of the range (to avoid any regular user IDs, which seem to start at 5xx) might be another option.
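The check abathur describes (find a UID range that does not collide with existing accounts) and the `dscl . list /Users UniqueID` listing from the previous comment, worked through as an added example; this is not code from the Nix project or from anyone in this thread. It assumes only that `dscl` prints one `<username> <uid>` pair per line, as the command above does. The account list embedded below is constructed to resemble an enterprise-managed Mac whose management agent already occupies 301-303 (names and UIDs are invented); on a real machine you would pipe the live `dscl` output in instead. The script only reads the directory and reports; it changes nothing.

```shell
#!/bin/sh
# Added example, not part of the Nix project or this issue: compare the Nix
# installer's default build-user UIDs (301..332) against the accounts the
# directory already holds, then look for an alternative contiguous range in the
# 200-400 window the thread mentions. Input is `dscl . list /Users UniqueID`
# output, one "<username> <uid>" pair per line.

# Constructed sample (invented names and UIDs) standing in for real dscl output:
# a scattering of 2xx system accounts plus a management suite sitting on 301-303.
SAMPLE_DSCL='_svc_a 200
_svc_b 201
_svc_c 210
_svc_d 220
_svc_e 230
_svc_f 240
_svc_g 250
_svc_h 260
_svc_i 270
_svc_j 280
_svc_k 290
_svc_l 299
_mdm_agent 301
_mdm_helper 302
_mdm_updater 303
nobody -2
root 0
localuser 501'

# taken_in_range FIRST LAST: print (sorted, deduplicated) every UID in
# [FIRST, LAST] that an existing account already holds. Reads the dscl listing
# from stdin. Any output for 301 332 is exactly the condition that makes the
# installer fail with eDSRecordAlreadyExists when it creates _nixbld1.
taken_in_range() {
    awk -v lo="$1" -v hi="$2" '
        $2 ~ /^-?[0-9]+$/ && $2 + 0 >= lo && $2 + 0 <= hi { print $2 + 0 }
    ' | sort -n -u
}

# find_free_range COUNT LO HI: print the first UID of the lowest run of COUNT
# consecutive unused UIDs inside [LO, HI]; print nothing and return 1 if no
# such run exists. Reads the dscl listing from stdin.
find_free_range() {
    awk -v n="$1" -v lo="$2" -v hi="$3" '
        $2 ~ /^-?[0-9]+$/ { used[$2 + 0] = 1 }
        END {
            run = 0
            for (u = lo; u <= hi; u++) {
                if (u in used) { run = 0; continue }
                run++
                if (run == n) { print u - n + 1; exit 0 }
            }
            exit 1
        }
    '
}

# Demo on the constructed sample. On a real Mac, replace the printf with
#   dscl . list /Users UniqueID | taken_in_range 301 332
echo "UIDs already taken in the installer default range 301-332:"
printf '%s\n' "$SAMPLE_DSCL" | taken_in_range 301 332
if first=$(printf '%s\n' "$SAMPLE_DSCL" | find_free_range 32 200 400); then
    echo "First free run of 32 UIDs within 200-400 starts at $first"
    echo "(this is the value an installer that honours NIX_FIRST_BUILD_ID would take)"
else
    echo "No run of 32 free UIDs within 200-400; free or remove unused accounts first"
fi
```

On the sample, the default range reports 301, 302 and 303 as taken and the first run of 32 free UIDs starts at 304. The script deliberately looks for a contiguous run because both installers discussed above take a single starting UID and count upward from it; the "use any free UIDs intermingled in the range" idea raised above would need installer support and is not something this check can provide. Run it before the installer, after following the uninstall steps abathur links, so the directory state it reads matches what the installer will see.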

geffgh commented 8 months ago

duplicates (at least): #2179 , #2242 , #5928 , #6153