-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macOS 15 Sequoia clobbers _nixbld1-4 users #10892
Comments
cat /etc/passwd on sequoia shows
|
Perhaps count down from 400? That's what I've done locally to fix the immediate issue. FYI, everything works with an arbitrary range, e.g. 3001–3032. |
No personal objection to counting down as a strategy, but:
|
Question 1: Q1 RFC: Question 2: |
@michaelvanstraten noted in #6153 (comment) that you can get unblocked on new installs for testing with:
|
Some thoughts on where to reassign the IDs: We need to be below (or equal to?) UID 400, and Apple has now used up to UID 304. Clearly we should expect they might keep adding users to the low end of this range occasionally. However, running right up against the 400 limit doesn’t seem safe to me either; We default to 32 build users currently. The main reason you might want more is that it limits the number of concurrent build jobs, and the number of those you might want to run is proportional to the cores/threads on your machine. The highest number of cores on a currently-shipping Mac is the 24‐core M2 Ultra, they used to ship Xeons with 48 threads (24 cores × 2 threads/core), and there are rumours of a 32‐core M3 Ultra and even a 64‐core M3 Ultimate. We can’t fit more than 96 users at the absolute maximum as of Sequoia, and that would obviously be risky, so let’s say we want to plan to have space for around 64 to 80 build users. I suggest we start at 331 (if we want to keep the last digit matching the build user number) or 330 (if we don’t). That gives us enough margin for Apple to add ~26 new users before we run into problems again, 38 empty spaces above the top UID for the current default of 32 users, and just enough space to squeeze in 64 users before hitting the 395 ID that Apple has already used for a group. The other good candidate would be 321/320; that reduces the margin on the low end to ~16 new Apple users, but increases the margin on the upper end, to (if using 320) just barely allow squeezing in 80 users in the available range. Personally I feel like the release of an 80‐core Mac would make me scared for 96 to 128‐core Macs that we have no realistic way of adding enough users for with our current approach anyway, and we have precedent that Apple is happy to add users on the low end of the range, so I lean towards 331 to give us more margin on that side. But I’m ambivalent if people have a strong preference for more margin to add and think that Apple will continue adding system users at a restrained enough pace compared to core count inflation. 331 spreads our users around the middle of the available range for 32 users, 321 does the same for 64 users. This would also be a good opportunity to change the group ID; the current default of 30000 has the unfortunate effect of making the group show up in System Settings, unlike system groups. I would suggest using a related ID of 330 or 320 depending on the choice, and perhaps renaming it to Since we have to coordinate this with two installers and nix-darwin and get a migration plan in place before the release of Sequoia, I hope we can commit to a set of IDs ASAP to enable this to go smoothly. |
Incidentally I note that |
Some more investigation: It seems like groups with GID < 500 don’t show up in System Settings. This may imply that the system UID range has also expanded, but I don’t know a convenient way to check, and anyway considering that Apple is using the middle of that range with 441 it might be awkward real estate to occupy; who knows what values Apple might pick in future. (There are also groups with higher GIDs that don’t show up in System Settings (e.g. The maximum in‐use UID < 400 went from 297 to 304 in one version. I don’t know what the historical growth rate is like, but I’d definitely be more comfortable with 331 than 321 given that. If the growth continued at the rate of Sequoia (which seems unlikely, but still), we’d have to think of a new idea in 4 OS releases rather than 3. In general it seems like we’re on borrowed time here and I’m not really sure what the long‐term solution is. We may have to migrate now with the expectation of migrating again later. If we could verify that UIDs < 500 now work fine, I suppose one solution would be to start at, say, 360 now, and hope Apple don’t eat up the lower 400s range if we start having machines that want 64 users. But I don’t remember how to test that. |
Does this mean you looked at the usage info for
Yeah. The main manifestation I recall was the system giving an obtuse adrenaline-inducing error message and booting into recovery mode during system updates that require a full reboot cycle. Looking back over the thread, it looks like that got less-scary on the next point release. The other was the build users showing up in a user list. If we wanted to try moving outside of the current range, I suspect a workable protocol would be installing into the new range on a sub-sequoia version and then running the sequoia update and seeing if it blows up. (I don't currently have a spare mac that's eligible for this update, so someone else will have to drive...) It can't save us from needing to fix this UID issue in the short run, but one way to address the long-run problem would be to figure out if we can get the various issues with auto-allocate-uids sorted out in order to make it the default. (The detsys folks tried defaulting to this in their installer and ran into trouble that compelled them to revert it on both macOS and Linux.) After I hit post here I'll start drafting a feedback/radar report for Apple. Once I do, I'll also email their devrel about it, and post the FB number here in case anyone wants to refer to it from their own FB report. I'm not terribly optimistic about that helping (for example, I never got a response on the reports I opened about the big sur issue in 2021), but I guess there's an outside chance they'll improve their updater to relocate any UID/GID they trample to another valid ID. (That would leave people with Weird installs--they might fail to fully clean up when they follow the uninstall instructions for example--but I think it would at least not break every existing macOS install made since early 2022 or whenever the multi-user default was released...) For searchability, here's one real manifestation of this on an existing install (from ##10912):
|
On Sonoma, which already has that
I think filling up the visible user list with 32 random daemon users is scary and off‐putting to users (especially in the absence of an official upstream uninstaller), so even if the more fundamental issues might be solved now I’d be reluctant to settle on that unless we can find another way to hide them.
Yes, I would love this. If we can commit in the interim to e.g. UIDs starting at 331 and a GID of 330, hopefully that would give us enough runway to make something workable out of |
Ok, I've reported this in FB13917314 and emailed the devrel about it. For reference, report is roughly:
|
I can confirm that Sequoia’s |
On Macos 15 beta, users added with -roleAccount but no leading _ get an automatic user id >500. While the help still gives the footnote: |
For searchability too (thanks @abathur!), I had
|
FYI on my work laptop (still Sonoma 14) I have these:
Note:
EDIT: confirmed that these two are SentinelOne |
Yes, if the Nix repository is compromised then users have bigger problems. Especially since the very comment containing the command to run is in the Nix repository. |
I have two Macs with Nix, both installed via the official
(I believe the only difference here vs the recommended one-liner in the issue description is that I'm separating download from execution. I make a habit of keeping a local copy of all download-and-execute scripts like this, so that I can manually inspect the exact script that I have executed if/when anything goes wrong.) Unsurprisingly given that the two scripts appear to be invoking |
I agree that those versions shouldn't have anything to do with the issue. Afaik this is our first report of the problem, so the tractability of this will likely hinge on what you can figure out locally (at least until we figure out how to reproduce it). A few questions to get us started:
|
No active MDM profiles on either Mac. Technically, the 14.7 machine is erroneously listed on a MDM auto-enrollment list from its previous life as an MDM-managed machine for about 6 months in 2020, but has never actually been re-enrolled after the previous owner removed their MDM profile and Recovery-wiped the machine for resale. (Yeah, I'm annoyed that the former owners could never be bothered to fix their mess after confirming that their auto-enrollment claim is erroneous, but that whole sordid tale should be irrelevant for our current purposes.) The 15.0.1 machine has no previous owners and has always been completely MDM-free; it originally shipped directly from Apple in early 2023 with 13.x preinstalled, and then has been kept regularly updated with production (non-beta) OS releases since. Also no restored backups; I set up both machines from scratch from their clean OS installs as soon as they entered my hands and never looked back. As a result they have both been through multiple major MacOS upgrades over time. IIRC my original Nix installation on each of these machines was after upgrading the corresponding Mac's OS to 14.x. Adding |
Iirc warp is a terminal app, yeah? Are you using it on both systems? If so can you try again in Terminal.app? |
Oh hey, I found this old comment which suggested that the problem might be my choice of terminal emulator (I had previously discounted that as being potentially relevant because I'm using different third-party terminal apps on each of the two machines), and indeed the script works as expected in Terminal.app. (fun, looks we got to the same place at the same time 🙂 ) |
@butterflyhug have you granted full disk access to either Terminal.app or Warp? |
@Enzime fair question. In my case, the terminal.app hunch was because the log attached earlier shows some sandbox/tccd errors related to warp, which makes me think macos is further restricting permissions here. I suspect we'd have heard by now if FDA was required to run these dscl commands broadly, but it is certainly still possible that there's something specific up with these systems and FDA explains why the command succeeded in Terminal (but I am hoping this isn't the reason). |
Terminal.app doesn't have FDA by default either. |
[Edit] Taking this comment to the correct place to avoid clutter. Thanks very much @cole-h for the redirect! original commentI missed this during an upgrade to Sequoia mandated by MDM for work. I installed Before researching and finding this thread, I tried
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Nix uninstall plan (v0.18.0)
Planner: macos (with default settings) Planned actions:
Proceed? ([Y]es/[n]o/[e]xplain):
0: Location: Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it. Consider reporting this error using this URL: ... I tried
Nix uninstall plan (v0.18.0)
Planner: macos (with default settings) Planned actions:
Proceed? ([Y]es/[n]o/[e]xplain):
0: Location: Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it. Consider reporting this error using this URL: ... (much longer URL) When I run the recommended
info: downloading installer https://install.determinate.systems/nix/tag/v0.26.0/nix-installer-aarch64-darwin
INFO nix-installer v0.26.0
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
INFO nix-installer v0.26.0
WARN get_existing_receipt: Could not parse receipt. Your receipt will not be updated to account for the new UIDs
Will move the _nixbld users to the Sequoia-compatible 350+ UID range and WILL NOT update the receipt
Proceed? ([Y]es/[n]o): 0: Location: Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it. Consider reporting this error using this URL: ... At this point, I'm just wondering: how best to recover? |
@mwilsoncoding Hi! (Next time, please file issues with our installer against our installer at https://github.com/DeterminateSystems/nix-installer/issues, so we don't clutter upstream issues!) To answer your question:
Based on the output you've posted, Nix is (mostly) successfully uninstalled. The first errors about "user _nixbld1 not found" are what would have been fixed by the After rebooting, you should be able to attempt another install. If it complains about the disk, it should give you remediation steps you can try before running it again. For future reference: you should run the repair tool while Nix is installed -- that's the only time it will work. If Nix is not installed, then it can't do anything. |
I don't know what was included in this macOS update. But the problem seems to be fixed in version Sequoia 15.1 (24B83). At least for me. Can anyone else confirm this? |
Can you clarify some details here? Maybe like:
|
Yes, sorry.
I can no longer say in detail which NixOS version it was before. But now it is currently Nix 2.24.10. I use a Mac14,6 Apple M2 Max. |
I cannot get this working due to the following error:
I tried the suggested In fact, I can't even succesfully uninstall due to the error mentioned above that sent me down this path in the first place.
|
I don't know what "this" is here, but the error message sounds like you're trying to run the installer with un-migrated build users present. I'd follow the uninstall instructions before reinstalling: https://nixos.org/manual/nix/stable/installation/uninstall.html#macos |
I did, and step three returns the same error as trying to properly fix the initial _nixbld1-4 issues. That is what I'm referring to as "this", i.e. this github issue
Aka not only can I not migrate the build users, I can't uninstall for the same issue. |
Can you please provide a full console log here? (of the uninstall) |
can you log the user ids that are being used and paste it here? |
If I set
it complains about
But, if I set
it complains about
Yes, I had nix installed previous and I followed clear instruction how to remove it properly, yet it did not do so. The users still exist, I circumvented this by running: for i in $(seq 1 32); do sudo /usr/bin/dscl . -delete "/Users/_nixbld$i"; done |
User removal is covered in step 3 of the uninstall instructions: https://nixos.org/manual/nix/stable/installation/uninstall.html#macos |
Sorry for late response but I decided to just factory reset |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: |
The macOS 15 Sequoia update takes 4 UIDs in the range we've been using, clobbering any _nixbldN users in the way (typically _nixbld1-4).
This manifests as:
On existing installs, build errors like:
error: the user '_nixbld1' in the group 'nixbld' does not exist
To fix this, run our migration script (which relocates/replaces _nixbld users) before or after taking the macOS 15 Sequoia update:
On fresh installs (with unpatched installer versions), the following error creating user
_nixbld1
:While the 2.24.6+ installers are fixed, older installers don't all work at the moment. (The installer fixes for this have been backported for every release back to the 2.18 series--but these aren't all quite released yet.)
If you're trying to install versions from 2.20.0 and 2.24.5, you can explicitly override the starting UID:
If you run into this error with versions older than 2.18, you'll need to download the installer tarball for your platform, unpack it, and update the first UID in
install-darwin-multi-user.sh
to 351.More background/context on the issue
Edit: As the macOS release is near, I'm tucking context away to focus the first comment on how users can fix broken installs.
Reports are percolating about the upcoming macOS Sequoia 15 (from people trying the beta out) using 4 UIDs in the range we've been using:
History on our previous change and ID range selection is in:
PRs to address:
The text was updated successfully, but these errors were encountered: