-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to UID 351+ and GID 350 on macOS #1115
Comments
Also, just to clarify: Nix is going to use these values for all macOS installations going forward, not just ones on Sequoia+ (since that would present the same migration hazard as well as be needlessly inconsistent). |
Thanks for opening this issue to remind us!
(TL;DR of the below: New installs of whatever version that includes this new (pending) In versions of the installer >=0.14.0, we have a Figuring out the right logic may not be that trivial, but I do believe it's possible :) The good news is: As for the logic, it should be as trivial as deleting the existing build users and then creating the new ones against the old GID (I'll double-check the migration script upstream to ensure I'm not missing anything). (I am not comfortable changing the GID at the same time for similar reasons as expressed in abathur's comment here: NixOS/nix#11075 (comment).)
Yep, 100% agree with that -- all new installations should get these values by default. The reason we didn't do that when doing the temporary workaround is because we figured the upstream scripts might come to a different conclusion (as they did). |
Sounds good to me, thanks for explaining the plan! Is the idea to switch the default UIDs/GID before implementing migration logic for old installations, or will it all land at once? |
I'll probably do the requisite changes in two separate PRs, but they'll be released in the same version bump. |
(I was wrong -- the first change of setting the new base UID/GID was released in https://github.com/DeterminateSystems/nix-installer/releases/tag/v0.23.0, and I'm still working on the migration tool) |
I've got a draft PR that implements the sequoia repair subcommand up at #1143. I still have some more testing to do, but so far I'm mostly satisfied with how it works. Feel free to take a look (at the code or at actually using it). The default repair subcommand is still to repair the shell hooks ( |
@cole-h Do you know how soon the repair command for this is going to release? Sequoia’s release is scheduled for Monday and I am trying to get automated detection in nix-darwin to point users to the migration options ASAP before the update lands and breaks everyone’s installation. I think that is the highest‐impact thing we can do to mitigate the support burden and reputation hit the Sequoia release is going to represent for us, and the sooner I can land it the more people will be able to fix their installations before they break. I am reluctant to point people to the upstream Nix migration script unconditionally because it will cause the UIDs used to differ from what is in the |
(I answered this in the "Nix on macOS" matrix room, but paraphrasing for posterity) My goal is to cut the release before/on Thursday, and do our standard rollout procedure (which will take no longer than a day). In my PR, I do make an effort to update the UIDs in the receipt if the receipt is valid and parseable. This is kinda of dubious benefit: it'll only be able to update the UIDs if you're using However, that doesn't really matter -- we remove users by their name, not by their UID: nix-installer/src/action/base/create_user.rs Line 319 in 7ed9e26
(This holds true for Linux as well, where we use |
I'm not sure the repair command is working? After running the repair command, I now get the following error message:
It does migrate users but nix nevertheless blocks execution with a "correct" UID. |
Hi @cynddl, that’s our (nix-darwin) message, not a Nix one. The wording might be slightly confusing because I’m guessing you have a non‐standard configuration that’s causing this issue – do you set |
Thanks @emilazy! I had indeed set |
Good to know! We should maybe refine the error message in the case where it’s set to a custom value; I just kind of assumed that nobody did. |
We’ve finally bikeshedded final values for the new macOS UID/GID values to handle the Sequoia issues; an Apple devrel suggested the range above 350 and we have refined that to 351+ (i.e.
_nixbld1
having UID 351, etc.) to avoid an off‐by‐one compared to the previous UIDs and the Linux UIDs, and to maintain the correspondence between the last digit of the build user names and the last digit of their UIDs.We are also switching new installs to use GID 350, to align with the new UIDs (without overlapping them, as before and on Linux), because using a GID in the system range avoids the Nix build users group cluttering up System Settings.
Hopefully you can align with upstream Nix on this so that we can all be on the same page and finally put this issue behind us! (Except, uh, every installation is still going to break on upgrade. I don’t suppose you’re in a better position than upstream to make an automatic migration happen? We have a script, but informing people they need to run it is another thing…)
See also: NixOS/nix#10919 (comment), NixOS/nix#11372, abathur/nix#15.
The text was updated successfully, but these errors were encountered: