nix install breaks on UID clash

[ikuz]

Describe the bug

Tried to (re)install nix on mac os but it fails.

Steps To Reproduce

I followed instructions to remove a previous installation of nix: https://nixos.org/manual/nix/stable/installation/installing-binary.html

then did sh <(curl -L https://nixos.org/nix/install)

eventually it fails, because it looks like there are already _nixbld users on the system.

Log of the installation process:

% sh <(curl -L https://nixos.org/nix/install)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4046  100  4046    0     0  12394      0 --:--:-- --:--:-- --:--:-- 12394
downloading Nix 2.6.1 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.1/nix-2.6.1-aarch64-darwin.tar.xz' to '/var/folders/6q/14m95v115x9b44w40cncnd8r0000gn/T/nix-binary-tarball-unpack.7ULme1Ndjy'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8998k  100 8998k    0     0  4714k      0  0:00:01  0:00:01 --:--:-- 4728k
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what I am going to install and where. Then I will ask
   if you are ready to continue.

3. Create the system users and groups that the Nix daemon uses to run
   builds.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what I will do?
[y/n] n


---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Every time I do, it'll
output exactly what it'll do, and why.

Just like this:

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo echo

to demonstrate how our sudo prompts look


This might look scary, but everything can be undone by running just a
few commands. I used to ask you to confirm each time sudo ran, but it
was too many times. Instead, I'll just ask you this one time:

Can I use sudo?
[y/n] y

Yay! Thanks! Let's get going!

~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

---- Found existing Nix volume -------------------------------------------------
  special:	disk3s7
     uuid:	303B697C-12F9-41BC-8DC1-A4E8DAB0A5EC
encrypted:	no

---- warning! ------------------------------------------------------------------
FileVault is on, but your Nix Store volume isn't encrypted.

Should I encrypt it and add the decryption key to your keychain?
[y/n] y

Volume Nix Store on Nix Store mounted

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/security -i

to add your Nix volume's password to Keychain

Password:

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil apfs encryptVolume Nix Store -user disk -stdinpassphrase

to encrypt your Nix volume

Encrypting with the new "Disk" crypto user on disk3s7
The new "Disk" user will be the only one who has initial access to disk3s7
The new APFS crypto user UUID will be 303B697C-12F9-41BC-8DC1-A4E8DAB0A5EC
Encryption has likely completed due to AES hardware; see "diskutil apfs list"
Volume Nix Store on disk3s7 force-unmounted

During install, I add 'nix' to /etc/synthetic.conf, which instructs
macOS to create an empty root directory for mounting the Nix volume.
Can I remove /etc/synthetic.conf?
[y/n] y


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo rm /etc/synthetic.conf

to remove /etc/synthetic.conf

During install, I add '/nix' to /etc/fstab so that macOS knows what
mount options to use for the Nix volume.
I might be able to help you make this edit. Here's the diff:
  LABEL=Untitled none ntfs rw,auto,nobrowse
  # New NTFS HD:  on Wed 22 Apr 2015 11:21:27 EST
  LABEL= none ntfs rw,auto,nobrowse
- LABEL=Nix\040Store /nix apfs rw,nobrowse
Does the change above look right?
[y/n] y


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/vifs

to cut nix from fstab

patching file /etc/fstab

~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.

---- Nix config report ---------------------------------------------------------
        Temp Dir:	/var/folders/6q/14m95v115x9b44w40cncnd8r0000gn/T/tmp.71DOxB9xWu
        Nix Root:	/nix
     Build Users:	32
  Build Group ID:	30000
Build Group Name:	nixbld

build users:
    Username:	UID
     _nixbld1:	301
     _nixbld2:	302
     _nixbld3:	303
     _nixbld4:	304
     _nixbld5:	305
     _nixbld6:	306
     _nixbld7:	307
     _nixbld8:	308
     _nixbld9:	309
     _nixbld10:	310
     _nixbld11:	311
     _nixbld12:	312
     _nixbld13:	313
     _nixbld14:	314
     _nixbld15:	315
     _nixbld16:	316
     _nixbld17:	317
     _nixbld18:	318
     _nixbld19:	319
     _nixbld20:	320
     _nixbld21:	321
     _nixbld22:	322
     _nixbld23:	323
     _nixbld24:	324
     _nixbld25:	325
     _nixbld26:	326
     _nixbld27:	327
     _nixbld28:	328
     _nixbld29:	329
     _nixbld30:	330
     _nixbld31:	331
     _nixbld32:	332

Ready to continue?
[y/n] y


---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /etc/synthetic.conf

to add Nix to /etc/synthetic.conf


~~> Creating a Nix volume

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil unmount force disk3s7

to ensure the Nix volume is not mounted

disk3s7 was already unmounted

~~> Configuring /etc/fstab to specify volume mount options

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/vifs

to add nix to fstab


~~> Configuring LaunchDaemon to mount 'Nix Store'

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /Library/LaunchDaemons/org.nixos.darwin-store.plist

to install the Nix volume mounter


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl bootstrap system /Library/LaunchDaemons/org.nixos.darwin-store.plist

to launch the Nix volume mounter


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl kickstart -k system/org.nixos.darwin-store

to launch the Nix volume mounter


~~> Setting up the build group nixbld

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld

Create the Nix build group, nixbld

            Created:	Yes

~~> Setting up the build user _nixbld1

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/dscl . create /Users/_nixbld1 UniqueID 301

Creating the Nix build user (#1), _nixbld1

<main> attribute status: eDSRecordAlreadyExists
<dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org
 %

Expected behavior

nix installed correctly

Additional context

Mac OS version 12.1

[ikuz]

looking into this further, my system already has a user with UniqueID 301

[ikuz]

I ended up downloading the tarball, figuring out what user IDs are available on my system, modifying the appropriate file, and installing.

It would be nice to recognise this kind of fault and provide a suggestion for how to fix it.

[abathur]

I agree. Looks like it would detect a name clash but not a UID one. Can you update the title to mention the UID clash?

For anyone trying a fix:

1. The "best" fix would probably be to try and land the stalled overlapping work in WIP: Avoid using integer identifiers in install script #4346 (with modifications for the wrinkle Big Sur added). Since it is more focused on trying to avoid existing UIDs entirely, it should fix most instances of the error here (unless there aren't enough free UIDs), and avoid a user-unfriendly halt.

2. A narrow fix could probably add a poly_* function to run a UID check in this section, implement that function for the install-darwin-multi-user.sh and install-systemd-multi-user.sh scripts, and kick out a failure error along the lines of the name clash message already present.
   

   nix/scripts/install-multi-user.sh

   Lines 480 to 500 in cf7f984

   	uid=$(nix_uid_for_core "$coreid")
   	task "Setting up the build user $username"
   	if ! poly_user_exists "$username"; then
   	poly_create_build_user "$username" "$uid" "$coreid"
   	row " Created" "Yes"
   	else
   	actual_uid=$(poly_user_id_get "$username")
   	if [ "$actual_uid" != "$uid" ]; then
   	failure <<EOF
   	It seems the build user $username already exists, but with the UID
   	with the UID '$actual_uid'. This script can't really handle that right
   	now, so I'm going to give up.
   	If you already created the users and you know they start from
   	$actual_uid and go up from there, you can edit this script and change
   	NIX_FIRST_BUILD_UID near the top of the file to $actual_uid and try
   	again.
   	EOF
   	else

3. A better fix would probably be to perform both a name and UID check in validate_starting_assumptions here, using the for loop at the end of setup_report as a blueprint for how to iterate over the users. If we have to hard fail, it's best to do it before we've changed anything.

   nix/scripts/install-multi-user.sh

   Lines 379 to 446 in cf7f984

   	validate_starting_assumptions() {
   	task "Checking for artifacts of previous installs"
   	cat <<EOF
   	Before I try to install, I'll check for signs Nix already is or has
   	been installed on this system.
   	EOF
   	if type nix-env 2> /dev/null >&2; then
   	warning <<EOF
   	Nix already appears to be installed. This installer may run into issues.
   	If an error occurs, try manually uninstalling, then rerunning this script.
   	$(uninstall_directions)
   	EOF
   	fi
   	# TODO: I think it would be good for this step to accumulate more
   	# knowledge of older obsolete artifacts, if there are any.
   	# We could issue a "reminder" here that the user might want
   	# to clean them up?
   	for profile_target in "${PROFILE_TARGETS[@]}"; do
   	# TODO: I think it would be good to accumulate a list of all
   	# of the copies so that people don't hit this 2 or 3x in
   	# a row for different files.
   	if [ -e "$profile_target$PROFILE_BACKUP_SUFFIX" ]; then
   	# this backup process first released in Nix 2.1
   	failure <<EOF
   	I back up shell profile/rc scripts before I add Nix to them.
   	I need to back up $profile_target to $profile_target$PROFILE_BACKUP_SUFFIX,
   	but the latter already exists.
   	Here's how to clean up the old backup file:
   	1. Back up (copy) $profile_target and $profile_target$PROFILE_BACKUP_SUFFIX
   	to another location, just in case.
   	2. Ensure $profile_target$PROFILE_BACKUP_SUFFIX does not have anything
   	Nix-related in it. If it does, something is probably quite
   	wrong. Please open an issue or get in touch immediately.
   	3. Once you confirm $profile_target is backed up and
   	$profile_target$PROFILE_BACKUP_SUFFIX doesn't mention Nix, run:
   	mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target
   	EOF
   	fi
   	done
   	}
   	setup_report() {
   	header "Nix config report"
   	row " Temp Dir" "$SCRATCH"
   	row " Nix Root" "$NIX_ROOT"
   	row " Build Users" "$NIX_USER_COUNT"
   	row " Build Group ID" "$NIX_BUILD_GROUP_ID"
   	row "Build Group Name" "$NIX_BUILD_GROUP_NAME"
   	if [ "${ALLOW_PREEXISTING_INSTALLATION:-}" != "" ]; then
   	row "Preexisting Install" "Allowed"
   	fi
   	subheader "build users:"
   	row " Username" "UID"
   	for i in $(seq 1 "$NIX_USER_COUNT"); do
   	row " $(nix_user_for_core "$i")" "$(nix_uid_for_core "$i")"
   	done
   	echo ""
   	}

[idontgetoutmuch]

I have this problem but this

I ended up downloading the tarball, figuring out what user IDs are available on my system, modifying the appropriate file, and installing.

is too cryptic for me. How do I figure out what user IDs are available on my system and what are the appropriate files?

Why not just remove the offending user ids?

[idontgetoutmuch]

See also #2179

[abathur]

Not sure calling the comment by @ikuz cryptic will encourage them to provide more context...

How do I figure out what user IDs are available on my system

You can find answers to the basic how-do-I-check questions in #5928, where the reporter also mentioned a SonosDMS user.

and what are the appropriate files?

I suspect @ikuz is talking about downloading the installer tarball and editing it in line with the 2nd point in my comment at the end of #5928.

Why not just remove the offending user ids?

I don't think anyone will be able to answer this for you, because it's wrapped up in knowing what the user/UID are for and whether they are still in use. If the SonosDMS user is cruft from something you no longer use, removing it is probably fine. If not, removing it may break whatever uses it.

[ikuz]

Thanks @abathur. I'm including the detail here in case anyone else finds it useful

How do I figure out what user IDs are available on my system

I did

dscl . -list /Users UniqueID | sort -n -b -k 2

to get a sorted list of users and user IDs. Then I identified a suitable gap (of at least 32 ids) and used that as the range. (in my case the SonosDMS user had the conflicting ID 301 (and I didn't want to remove or change that in case it breaks my Sonos install), but there was a suitable gap from 302 onwards)

and what are the appropriate files?

I went to https://releases.nixos.org/ and browsed to find the tarball of nix that was relevant for my system (in my case it was
https://releases.nixos.org/nix/nix-2.6.1/nix-2.6.1-aarch64-darwin.tar.xz but nix versions have moved on since then, so that's not the newest nix anymore).

Then I unpacked the tarball and edited the install-darwin-multi-user.shfile. In my case I modified the NIX_FIRST_BUILD_UID line to be

NIX_FIRST_BUILD_UID="302"

Then I ran

 ./install

Note that running install failed several times for various reasons (typically due to files remaining after previous attempted installs). Each time I had to fix the problem and I had to manually clear out the _nixbld users that were created during the failed install. e.g.:

for i in `dscl . -list /Users  | grep nixb`; do echo $i; sudo dscl . delete /Users/$i; done

Eventually it succeeded.

Hope that's helpful.

[idontgetoutmuch]

@ikuz that's really helpful thanks - @abathur "cryptic for me" perhaps I should have said my brain is too small - the link to the previous ticket is also really helpful - I will report back when I get a chance to work on this again.

[idontgetoutmuch]

Well I got further

~~> Setting up the nix-daemon LaunchDaemon

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /bin/cp -f /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist /Library/LaunchDaemons/org.nixos.nix-daemon.plist

to set up the nix-daemon as a LaunchDaemon

cp: /Library/LaunchDaemons/org.nixos.nix-daemon.plist and /nix/var/nix/profiles/default/Library/LaunchDaemons/org.nixos.nix-daemon.plist are identical (not copied).

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org

I guess I should open a new ticket

[idontgetoutmuch]

Thanks for your help @abathur and @ikuz - I managed to solve my problem by deleting nix, deleting the user that had grabbed the UID and reinstalling.

[jyrimatti]

Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value? Or something similar. Maybe also add to installation instructions something like that dscl . -list /Users UniqueID | sort -n -b -k 2 can be used to check if the default value should be overridden.

I think having an existing UID of 301 is a company-wide problem for us, and it would be a lot easier to persuade people to use Nix if I could just say "Please install it with NIX_FIRST_BUILD_UID=351 sh <(curl -L https://nixos.org/nix/install) --daemon instead of the default recommendation" (or however that parameter should be passed in).

In the long run it would of course be better if the install script handled this whole thing automatically.

[bjornfor]

Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value?

Doesn't f4d57aa work?

[bjornfor]

Could someone maybe change the install script so that NIX_FIRST_BUILD_UID can be passed as an environment variable to override the default value?

Doesn't f4d57aa work?

OP says:

Tried to (re)install nix on mac os but it fails.

Ugh, it seems darwin uses a different code path:

$ git grep NIX_FIRST_BUILD_UID
scripts/bigsur-nixbld-user-migration.sh:((NEW_NIX_FIRST_BUILD_UID=301))
scripts/bigsur-nixbld-user-migration.sh:        ((next_id=NEW_NIX_FIRST_BUILD_UID))
scripts/install-darwin-multi-user.sh:NIX_FIRST_BUILD_UID="301"
scripts/install-multi-user.sh:NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
scripts/install-multi-user.sh:    echo $((NIX_FIRST_BUILD_UID + $1 - 1))
scripts/install-multi-user.sh:NIX_FIRST_BUILD_UID near the top of the file to $actual_uid and try