Commit

install-darwin: move nixbld gid to match first UID
abathur committed Jul 3, 2024
1 parent 0365ca7 commit e1776b0
Showing 3 changed files with 13 additions and 4 deletions.
10 changes: 10 additions & 0 deletions scripts/install-darwin-multi-user.sh
Expand Up @@ -4,7 +4,17 @@ set -eu
set -o pipefail

# System specific settings
# Notes:
# - up to macOS Big Sur we used the same GID/UIDs as Linux (30000:30001-32)
# - we changed UID to 301 because Big Sur updates failed into recovery mode
# we're targeting the 200-400 UID range for role users mentioned in the
# usage note for sysadminctl
# - we changed UID to 331 because Sequoia now uses UIDs 300-304 for its own
# daemon users
# - we changed GID to 331 alongside above just because it hides the nixbld
# group from the Users & Groups settings panel :)
export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-331}"
export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-331}"
export NIX_BUILD_USER_NAME_TEMPLATE="_nixbld%d"

readonly NIX_DAEMON_DEST=/Library/LaunchDaemons/org.nixos.nix-daemon.plist
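
Review bot: the new `NIX_BUILD_GROUP_ID` default of 331 on the last added export line replaces the 30000 that install-multi-user.sh used to fall back to, so a re-run on a Mac that already has nixbld at 30000 would appear to hit the "build group ... already exists" bailout shown later in this commit. The Notes block explains why 331 was picked but not what existing installs should do; suggest adding a line there saying that an existing group can be kept by exporting `NIX_BUILD_GROUP_ID=30000` before re-running.
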
6 changes: 2 additions & 4 deletions scripts/install-multi-user.sh
Expand Up @@ -23,10 +23,10 @@ readonly RED='\033[31m'
# installer allows overriding build user count to speed up installation
# as creating each user takes non-trivial amount of time on macos
readonly NIX_USER_COUNT=${NIX_USER_COUNT:-32}
readonly NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
readonly NIX_BUILD_GROUP_NAME="nixbld"

emilazy Jul 3, 2024

Member

Maybe we should make this _nixbld too for consistency with the users and the other system groups in the range while we’re at it? Probably doesn’t matter that much, but I seem to recall we renamed the users to get them hidden in some way so it might not hurt to follow suit with the group.


abathur Jul 3, 2024

Author Member

A little more bearish on fiddling with that:

  • This will re-namespace us again, which comes with a cascade of knock-on stuff like:

    • having to go update the uninstall documentation with caveats to handle both nixbld and _nixbld
    • obsoleting existing uninstall scripts/posts/comments floating around ~everywhere
    • since the installer isn't idempotent, it creates a new set of states people with old installs can end up in
  • I haven't read through how it works, but my mental model is that Nix is finding the build users by looking up members of the nixbld group, so I imagine renaming it will entail some change to nix-nix.

    (The manpage for nix.conf says there's a build-users-group setting for this, but it also says builds by root will default to nixbld even when this is unset and I think I see that hardcoded in src/libstore/globals.cc. I assume that means at least under some conditions a rename wouldn't be respected until an updated Nix is widely deployed? I'm really not looking to step in something this squishy atm :])


emilazy Jul 3, 2024

Member

Ah, makes sense! Not worth it then.

# each system specific installer must set these:
# NIX_FIRST_BUILD_UID
# NIX_BUILD_GROUP_ID
# NIX_BUILD_USER_NAME_TEMPLATE
# Please don't change this. We don't support it, because the
# default shell profile that comes with Nix doesn't support it.
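
Review bot: with the `readonly NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"` line gone, this script has neither a fallback nor readonly protection for the group ID, and the "each system specific installer must set these" comment is the only contract left. Suggest failing early with a clear message when the variable is missing or not a number, for example `: "${NIX_BUILD_GROUP_ID:?must be set by the system-specific installer}"` next to that comment, and marking it readonly again after the check, since the value can now come straight from the caller's environment into the group setup.
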
Expand Down Expand Up @@ -530,9 +530,7 @@ It seems the build group $NIX_BUILD_GROUP_NAME already exists, but
with the UID $primary_group_id. This script can't really handle
that right now, so I'm going to give up.
You can fix this by editing this script and changing the
NIX_BUILD_GROUP_ID variable near the top to from $NIX_BUILD_GROUP_ID
to $primary_group_id and re-run.
You can export NIX_BUILD_GROUP_ID=$primary_group_id and re-run.
EOF
else
row " Exists" "Yes"
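
Review bot: the message still reads "with the UID $primary_group_id" although the value printed is a group ID; since this heredoc is being reworded anyway, change it to "GID" so it matches the `NIX_BUILD_GROUP_ID` variable the new last line tells the user to export.
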
1 change: 1 addition & 0 deletions scripts/install-systemd-multi-user.sh
Expand Up @@ -5,6 +5,7 @@ set -o pipefail

# System specific settings
export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
export NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"

readonly SERVICE_SRC=/lib/systemd/system/nix-daemon.service
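
Review bot: the added `NIX_BUILD_GROUP_ID` export keeps 30000 here while the darwin script moves to 331, and unlike the darwin script this one gets no comment saying why. A one-line note above the exports stating that Linux stays on the 30000:30001+ range would keep a later reader from "fixing" the mismatch.
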