nix macOS install failed -UID clash- (Jamf controlled enterprise machine) #9682

Open
geffgh opened this issue Jan 2, 2024 · 5 comments

geffgh commented Jan 2, 2024

Platform

  • [ V] macOS

Additional information

The main factor that might have an impact is that this is an enterprise Jamf-controlled machine.
As you can see in the output, each time sudo is needed I am required to give a reason for this superuser action.
This is everywhere where you see this line:

Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects

Please also note there is a secondary non-blocking issue here in that the sudo command about to be run is not showing.
Possibly due to the above mentioned "provide a reason" request.

Output


|~@machinename Tue 24-01-02T17:01 
|%> sh <(curl -L https://nixos.org/nix/install)                                                                                                                                                                        
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4052  100  4052    0     0   4758      0 --:--:-- --:--:-- --:--:-- 20059
zsh: killed     sh <(curl -L https://nixos.org/nix/install)
________________________________________________________________________________
|~@machinename Tue 24-01-02T17:16 
|%> curl -L https://nixos.org/nix/install | sh                                                                                                                                                                         
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4052  100  4052    0     0   3965      0  0:00:01  0:00:01 --:--:--  3965
downloading Nix 2.19.2 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.19.2/nix-2.19.2-aarch64-darwin.tar.xz' to '/var/folders/ch/2vynlq5n27n5gtx80lkyp4cr0000gp/T/nix-binary-tarball-unpack.XXXXXXXXXX.Kqe1hr8Fdh'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10.9M  100 10.9M    0     0  4506k      0  0:00:02  0:00:02 --:--:-- 4508k
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what I am going to install and where. Then I will ask
   if you are ready to continue.

3. Create the system users (uids [301..332]) and groups (gid 30000)
   that the Nix daemon uses to run builds.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what I will do?
No TTY, assuming you would say yes :)

I will:

 - make sure your computer doesn't already have Nix files
   (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users I'll make)
 - create a local group (nixbld)
 - install Nix in to /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in
   /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon

Ready to continue?
No TTY, assuming you would say yes :)

---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Normally, it would show you
exactly what commands it is running and why. However, the script is
run in a headless fashion, like this:

  $ curl -L https://nixos.org/nix/install | sh

or maybe in a CI pipeline. Because of that, I'm going to skip the
verbose output in the interest of brevity.

If you would like to
see the output, try like this:

  $ curl -L -o install-nix https://nixos.org/nix/install
  $ sh ./install-nix


~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.

---- Nix config report ---------------------------------------------------------
        Temp Dir:	/var/folders/ch/2vynlq5n27n5gtx80lkyp4cr0000gp/T/tmp.mrmv0zLL6E
        Nix Root:	/nix
     Build Users:	32
  Build Group ID:	30000
Build Group Name:	nixbld

build users:
    Username:	UID
     _nixbld1:	301
     _nixbld2:	302
     _nixbld3:	303
     _nixbld4:	304
     _nixbld5:	305
     _nixbld6:	306
     _nixbld7:	307
     _nixbld8:	308
     _nixbld9:	309
     _nixbld10:	310
     _nixbld11:	311
     _nixbld12:	312
     _nixbld13:	313
     _nixbld14:	314
     _nixbld15:	315
     _nixbld16:	316
     _nixbld17:	317
     _nixbld18:	318
     _nixbld19:	319
     _nixbld20:	320
     _nixbld21:	321
     _nixbld22:	322
     _nixbld23:	323
     _nixbld24:	324
     _nixbld25:	325
     _nixbld26:	326
     _nixbld27:	327
     _nixbld28:	328
     _nixbld29:	329
     _nixbld30:	330
     _nixbld31:	331
     _nixbld32:	332

Ready to continue?
No TTY, assuming you would say yes :)

---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects

~~> Creating a Nix volume
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
disk3s7 was already unmounted

~~> Configuring /etc/fstab to specify volume mount options
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects

~~> Encrypt the Nix volume
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Volume Nix Store on Nix Store mounted
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Encrypting with the new "Disk" crypto user on disk3s7
The new "Disk" user will be the only one who has initial access to disk3s7
The new APFS crypto user UUID will be 5FF8BC1C-0DD5-41D1-8334-D1A2A65A348E
Encryption has likely completed due to AES hardware; see "diskutil apfs list"
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Volume Nix Store on disk3s7 force-unmounted

~~> Configuring LaunchDaemon to mount 'Nix Store'
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects

~~> Setting up the build group nixbld
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
            Created:	Yes

~~> Setting up the build user _nixbld1
Reason Required: You are about to run this Sudo Command with admin rights. Please enter a reason to proceed.
Please provide a reason: Installing nix package manager. To better separate environments and support a development process with no side effects
<main> attribute status: eDSRecordAlreadyExists
<dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)

---- oh no! --------------------------------------------------------------------
Oh no, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at
https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md

Or get in touch with the community: https://nixos.org/community
________________________________________________________________________________
|~@machinename Tue 24-01-02T17:33 

Priorities

Add 👍 to issues you find important.

Author

geffgh commented Jan 2, 2024

Also FYI:

     +-> Volume disk3s7 ID-string
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s7 (No specific role)
        Name:                      Nix Store (Case-insensitive)
        Mount Point:               /nix
        Capacity Consumed:         24576 B (24.6 KB)
        Sealed:                    No
        FileVault:                 Yes (Unlocked)
|%> ll / | grep nix                                                                                                                                                                                                    
drwxr-xr-x   3 root  wheel    96B  2 Jan 17:31 nix/
________________________________________________________________________________
|~@LONGEF-M Tue 24-01-02T18:10 
|%> ll /nix                                                                                                                                                                                                            
total 0
d-wx--x--t  3 root  wheel    96B  2 Jan 17:31 .Trashes/
  |%> ll /Library/LaunchDaemons/org.nixos.darwin-store.plist                                                                                                                                                             
 -rw-r--r--  1 root  wheel   615B  2 Jan 17:33 /Library/LaunchDaemons/org.nixos.darwin-store.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>RunAtLoad</key>
  <true/>
  <key>Label</key>
  <string>org.nixos.darwin-store</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/bin/security find-generic-password -s 'ID-string' -w | /usr/sbin/diskutil apfs unlockVolume 'ID-string' -mountpoint '/nix' -stdinpassphrase</string>
  </array>
</dict>
</plist>

Member

abathur commented Jan 2, 2024

That sudo prompt is brutal, but I don't think it's directly causing the failure.

It sounds like you already have a user with the same 301 UID (see #6153).

Speaking generally, the way around is to either delete that user/users if you no longer use whatever software/services that need them, or try to manually identify a new UID range that doesn't conflict (there's an overview of how to find a new range in #6153 (comment)). On macOS I think this has to be between UIDs 200-400, and Apple/macOS use a fair share of 200-299.

Since a few artifacts are already set up, follow the uninstall instructions before trying anything below: https://nixos.org/manual/nix/stable/installation/uninstall.html#macos


I usually wouldn't recommend a third-party installer on this official issue tracker, but you may want to consider using the detsys installer (https://github.com/DeterminateSystems/nix-installer) for two specific reasons:

  1. I believe it only invokes sudo once, so it should be far less tedious.
  2. It looks like you can prefix the invocation with NIX_INSTALLER_NIX_BUILD_USER_ID_BASE=<UID> to override the first UID. (The same basic feature was recently added to the official installer, but there hasn't been a release since it was merged.)

If you can't free up the default UIDs and are not comfortable using a third-party installer, there are 3 potential options:

  • If you aren't under time pressure: In the near future it'll be possible to override this when you run the installer via installer: allow overriding of NIX_FIRST_BUILD_ID on darwin #9639, but it isn't quite released yet. They should be on a 6-week cadence, so that should be coming up soon.
  • If you are under time pressure: I already linked it, but in addition to explaining how to find a different UID range, this comment also explains how to download and modify the installer: nix install breaks on UID clash #6153 (comment)
  • There is a nix-community project that occasionally releases unstable builds of the official installer (usually each week), but it looks like the CI job started failing a few weeks ago. I opened an issue to let the maintainer know. I'll comment here if they manage to get that fixed before the next official release.

Member

abathur commented Jan 3, 2024

The community unstable installer has been updated, so that's now an option. Release at https://github.com/nix-community/nix-unstable-installer/releases/tag/nix-2.20.0pre20231220_75e10e4.

Should be able to invoke like:

NIX_FIRST_BUILD_ID=<first-uid> sh <(curl -L https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.20.0pre20231220_75e10e4/install)

geffgh changed the title from "nix macOS install failed (Jamf controlled enterprise machine)" to "nix macOS install failed -UID clash- (Jamf controlled enterprise machine)" on Jan 4, 2024
Author

geffgh commented Jan 4, 2024

First of all, Travis (@abathur), thanks for your great help. I will attempt to follow one or more of them.

Clearly I should have searched here for the error message, as I can now see there are many issues raised for this error.
Looking at the many other duplicates of this issue, and also running:

/usr/bin/dscl . list /Users UniqueID | sort -n -k 2

I can see that it looks like many, maybe in particular enterprise managed, Macs generally have UIDs up until a small number of 30x already taken.

Maybe it might be a good idea to revisit the current nix, macOS, install approach?
Not sure how come nix needs so many (32) user IDs, and how come they must be between 200-400, but assuming it does, maybe a much more flexible approach to which IDs are used might be advisable? E.g. using any free ones intermingled in this range.

Not sure what the max UIDs are in macOS, but maybe starting somewhere at the top of the range (to avoid any regular user IDs that seem to start at 5xx) might be another option.
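
The free-range search discussed in this thread, as an added example that is not part of any comment here or of the Nix installer: it reads a `dscl . list /Users UniqueID` listing and reports the first UID that starts 32 consecutive unused UIDs. The function name, the 301-400 search window and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the first UID that begins COUNT consecutive unused UIDs.
# Input on stdin: "name uid" lines, the format printed by
#   /usr/bin/dscl . list /Users UniqueID
# Usage on the Mac itself (the result feeds NIX_FIRST_BUILD_ID from the thread):
#   /usr/bin/dscl . list /Users UniqueID | find_free_uid_block 301 400 32
find_free_uid_block() {
  # $1 = lowest UID to consider, $2 = highest, $3 = block size needed
  awk -v low="$1" -v high="$2" -v count="$3" '
    # The last field is the UID; record every numeric one as taken.
    $NF ~ /^-?[0-9]+$/ { used[$NF + 0] = 1 }
    END {
      run = 0
      for (uid = low + 0; uid <= high + 0; uid++) {
        if (uid in used) { run = 0; continue }   # clash: restart the run
        if (++run == count + 0) { print uid - count + 1; exit 0 }
      }
      exit 1                                      # no block of that size fits
    }'
}

# Constructed sample (hypothetical account names, not from a real machine):
# a managed Mac where a few low-30x UIDs are already taken.
SAMPLE_USERS='_svc_alpha 266
_svc_beta 284
_mgmt_agent 301
_mgmt_helper 302
_mgmt_updater 305
localadmin 501
jdoe 502'

sample_first_uid() {
  printf '%s\n' "$SAMPLE_USERS" | find_free_uid_block 301 400 32
}

if first=$(sample_first_uid); then
  echo "first free block of 32 starts at UID $first"
else
  echo "no free block of 32 UIDs in 301-400" >&2
fi
```

The search only sees accounts present in the local directory at the time it runs, so re-run it immediately before installing on a machine where management tooling may create accounts.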

Author

geffgh commented Jan 4, 2024

duplicates (at least): #2179 , #2242 , #5928 , #6153
