After macOS migration: installation script failed: error: the build users group 'nixbld' has no members

[drichardson]

Describe the bug

The installation script failed.

Reporting here per the instructions as the bottom of the output.

Steps To Reproduce

1. Install nix on mac A
2. Run macOS Migration Assistant to migrate data to mac B
3. On mac B, run nix installer.

NOTE: It's highly likely (2) was an aborted Migration.

Fails with:

error: the build users group 'nixbld' has no members

Expected behavior

Installation should succeed.

nix-env --version output

N/A because nix not installed yet.

Additional context

Full log

[I] doug@dougs-mbp ~/w/whatnot_live (main) [2]> bash
bash-5.1$ sh <(curl -L https://nixos.org/nix/install) --no-daemon
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4046  100  4046    0     0  35844      0 --:--:-- --:--:-- --:--:-- 35844
downloading Nix 2.6.0 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.0/nix-2.6.0-aarch64-darwin.tar.xz' to '/var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/nix-binary-tarball-unpack.XXXXXXXXXX.3eFoEoDc'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8962k  100 8962k    0     0  55.2M      0 --:--:-- --:--:-- --:--:-- 57.2M
Error: --no-daemon installs are no-longer supported on Darwin/macOS!
bash-5.1$ sh <(curl -L https://nixos.org/nix/install)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4046  100  4046    0     0  40402      0 --:--:-- --:--:-- --:--:-- 40402
downloading Nix 2.6.0 binary tarball for aarch64-darwin from 'https://releases.nixos.org/nix/nix-2.6.0/nix-2.6.0-aarch64-darwin.tar.xz' to '/var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/nix-binary-tarball-unpack.XXXXXXXXXX.RFziLjeN'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8962k  100 8962k    0     0  42.7M      0 --:--:-- --:--:-- --:--:-- 43.9M
Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what I am going to install and where. Then I will ask
   if you are ready to continue.

3. Create the system users and groups that the Nix daemon uses to run
   builds.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what I will do?
[y/n] y


I will:

 - make sure your computer doesn't already have Nix files
   (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users I'll make)
 - create a local group (nixbld)
 - install Nix in to /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in
   /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon

Ready to continue?
[y/n] y


---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Every time I do, it'll
output exactly what it'll do, and why.

Just like this:

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo echo

to demonstrate how our sudo prompts look


This might look scary, but everything can be undone by running just a
few commands. I used to ask you to confirm each time sudo ran, but it
was too many times. Instead, I'll just ask you this one time:

Can I use sudo?
[y/n] y

Yay! Thanks! Let's get going!

~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.

---- Nix config report ---------------------------------------------------------
        Temp Dir:       /var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/tmp.l3PoZQqnf1
        Nix Root:       /nix
     Build Users:       32
  Build Group ID:       30000
Build Group Name:       nixbld

build users:
    Username:   UID
     _nixbld1:  301
     _nixbld2:  302
     _nixbld3:  303
     _nixbld4:  304
     _nixbld5:  305
     _nixbld6:  306
     _nixbld7:  307
     _nixbld8:  308
     _nixbld9:  309
     _nixbld10: 310
     _nixbld11: 311
     _nixbld12: 312
     _nixbld13: 313
     _nixbld14: 314
     _nixbld15: 315
     _nixbld16: 316
     _nixbld17: 317
     _nixbld18: 318
     _nixbld19: 319
     _nixbld20: 320
     _nixbld21: 321
     _nixbld22: 322
     _nixbld23: 323
     _nixbld24: 324
     _nixbld25: 325
     _nixbld26: 326
     _nixbld27: 327
     _nixbld28: 328
     _nixbld29: 329
     _nixbld30: 330
     _nixbld31: 331
     _nixbld32: 332

Ready to continue?
[y/n] y


---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /etc/synthetic.conf

to add Nix to /etc/synthetic.conf

Password:

~~> Creating a Nix volume

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil apfs addVolume disk3 APFS Nix Store -nomount

to create a new APFS volume 'Nix Store' on disk3


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil unmount force disk3s7

to ensure the Nix volume is not mounted

disk3s7 was already unmounted

~~> Configuring /etc/fstab to specify volume mount options

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/vifs

to add nix to fstab


~~> Configuring LaunchDaemon to mount 'Nix Store'

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/bin/ex --noplugin /Library/LaunchDaemons/org.nixos.darwin-store.plist

to install the Nix volume mounter


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl bootstrap system /Library/LaunchDaemons/org.nixos.darwin-store.plist

to launch the Nix volume mounter


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo launchctl kickstart -k system/org.nixos.darwin-store

to launch the Nix volume mounter

x`
~~> Setting up the build group nixbld

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld

Create the Nix build group, nixbld

            Created:    Yes

~~> Setting up the build user _nixbld1
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 1
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld2
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 2
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld3
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 3
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld4
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 4
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld5
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 5
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld6
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 6
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld7
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 7
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld8
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 8
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld9
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 9
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld10
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 10
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld11
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 11
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld12
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 12
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld13
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 13
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld14
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 14
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld15
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 15
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld16
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 16
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld17
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 17
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld18
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 18
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld19
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 19
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld20
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 20
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld21
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 21
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld22
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 22
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld23
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 23
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld24
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 24
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld25
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 25
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld26
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 26
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld27
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 27
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld28
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 28
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld29
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 29
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld30
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 30
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld31
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 31
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the build user _nixbld32
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 32
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

~~> Setting up the basic directory structure

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/chown -R root:nixbld /nix

to take root ownership of existing Nix store files

chown: /nix/.Trashes: Operation not permitted
chown: /nix/.Trashes: Operation not permitted

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix /nix/var/nix/db /nix/var/nix/gcroots /nix/var/nix/profiles /nix/var/nix/temproots /nix/var/nix/userpool /nix/var/nix/gcroots/per-user /nix/var/nix/profiles/per-user

to make the basic directory structure of Nix (part 1)

install: mkdir /nix/var
install: mkdir /nix/var/log
install: mkdir /nix/var/log/nix
install: mkdir /nix/var/log/nix/drvs
install: mkdir /nix/var/nix
install: mkdir /nix/var/nix/db
install: mkdir /nix/var/nix/gcroots
install: mkdir /nix/var/nix/profiles
install: mkdir /nix/var/nix/temproots
install: mkdir /nix/var/nix/userpool
install: mkdir /nix/var/nix/gcroots/per-user
install: mkdir /nix/var/nix/profiles/per-user

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -g nixbld -m 1775 /nix/store

to make the basic directory structure of Nix (part 2)

install: mkdir /nix/store

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -dv -m 0555 /etc/nix

to place the default nix daemon configuration (part 1)

install: mkdir /etc/nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo install -m 0664 /var/folders/63/1z5rrdr90g58hgv4j03n01xh0000gn/T/tmp.l3PoZQqnf1/.nix-channels /var/root/.nix-channels

to set up the default system channel (part 1)


~~> Installing Nix

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp -RLp ./store/0jqnrzcrh5xxrjxiiisgwcmq62p07s68-apple-lib-libDER ./store/17m4bcp3y2y99g1bka0wfvp0x26l744g-aws-c-io-0.9.1 ./store/2cl9n67fjnczrbaqlww4ipp2z3mnw5dz-libkrb5-1.18 ./store/3pzpaacii5gb60n2x9f9hs93bnakyqgr-sqlite-3.35.5 ./store/5n7rr6x0zmi82x2p7scd8w1x8qnj6yfc-boehm-gc-8.0.4 ./store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0 ./store/775cc9g4k78ay84w4iy15z0q426yny1n-libcxx-11.1.0 ./store/8imb44frl4jrgjpq89hcph15s7lffhd0-bash-4.4-p23 ./store/92wka994gxzb5p5rgdj0a8p1kp9ayv0a-zstd-1.4.9 ./store/9dg39kyqa8zqnivp83h7cczkd21vmyp9-aws-c-cal-0.4.5 ./store/a6745bp7pzbzb7xbigg5jrbp75lanb61-editline-1.17.1 ./store/b3079yijhwkgp23rn3i5x1bm6zbfd3rb-bzip2-1.0.6.0.2 ./store/bn1svfd6w0mjscvndpr08z161i8zycb5-curl-7.76.1 ./store/c7lpgqfw4izdxspdy8s94rd9hwlpw78s-libiconv-50 ./store/f9sqmvn5vc31dy57iyv8rvsdakr281qx-apple-framework-CoreFoundation-11.0.0 ./store/gnmpa9am81x0qb0r7447fzn6asfvrnln-libobjc-11.0.0 ./store/gx0g26n0jjxcspz8g9ipq9sgjl7y0d4v-xz-5.2.5 ./store/hsbqghjjayl9k55ng276gvi26sn7g137-aws-checksums-0.1.11 ./store/jxxlf9z137d7nfinqmscinv5ma30ckz5-apple-framework-IOKit-11.0.0 ./store/kd0vg2scdiwrnhh8425ixjs7qfsif2s8-openssl-1.1.1l ./store/l6475m8070amp2lkxz8s36sxwykkqbn4-nss-cacert-3.66 ./store/lni8nijamx09clm42pgbl4by1gmaa6mv-aws-sdk-cpp-1.8.121 ./store/mak8qr0sq1v8h2gknkw2xhlp5xvjh6fz-zlib-1.2.11 ./store/mlspxp4w6nday8ggxp30lmx6acd61v7w-libxml2-2.9.12 ./store/mswlivp76jpf68069gcf0ivkc07kf1l3-nghttp2-1.43.0-lib ./store/pssw9x69dxpwmjn84ac8a8xf7irhy2qj-libssh2-1.9.0 ./store/pygjnddvk75kpxvk1ipr9y80wj03jrqa-libarchive-3.5.2-lib ./store/q2v2ikih1f014sazv74skisbj3ar834q-libsodium-1.0.18 ./store/rx5ij82mb3kdhiqr6qk206hmhyzi73gi-aws-c-common-0.5.5 ./store/s6p2agp3gxkjfwmjswjn8gpyv8l2ijxp-apple-framework-Security-11.0.0 ./store/sp33d11b1wqyaijrhyryvgpgz5vnpahk-aws-c-event-stream-0.2.7 ./store/xms94awpivf7k6gi2xk9qzpdbzv3f3zr-libcxxabi-11.1.0 ./store/yfg8rhph33103x3949w3zy0aapx1jcms-brotli-1.0.9-lib /nix/store/

to copy the basic Nix files to the new store at /nix/store


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo chmod -R ugo-w /nix/store/

to make the new store non-writable at /nix/store

      Alright! We have our first nix at /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0/bin/nix-store --load-db

to load data for the first time in to the Nix Database

      Just finished getting the nix database ready.

~~> Setting up shell profiles: /etc/bashrc /etc/profile.d/nix.sh /etc/zshrc /etc/bash.bashrc /etc/zsh/zshrc

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp /etc/bashrc /etc/bashrc.backup-before-nix

to back up your current /etc/bashrc to /etc/bashrc.backup-before-nix


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/bashrc

extend your /etc/bashrc with nix-daemon settings


# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo cp /etc/zshrc /etc/zshrc.backup-before-nix

to back up your current /etc/zshrc to /etc/zshrc.backup-before-nix


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/zshrc

extend your /etc/zshrc with nix-daemon settings


# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo touch /etc/bash.bashrc

to create a stub /etc/bash.bashrc which will be updated


---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo tee -a /etc/bash.bashrc

extend your /etc/bash.bashrc with nix-daemon settings


# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix


~~> Setting up the default profile

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo HOME=/var/root /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0/bin/nix-env -i /nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0

to install a bootstrapping Nix in to the default profile

installing 'nix-2.6.0'
error: the build users group 'nixbld' has no members

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org
bash-5.1$

[drichardson]

Was able to get past install error after running this:

$ sudo dscl . -rm /Groups/nixbld
$ for x in $(dscl . -list /Users|grep nix); do sudo dscl . -rm /Users/$x; done

[abathur]

Not sure this is actionable without more context on the pre-install state (i.e., how/why the build users already existed but the group didn't).

[drichardson]

Not sure this is actionable without more context on the pre-install state (i.e., how/why the build users already existed but the group didn't).

It was a new machine. Only thing I can think of is that I tried to run the single user install (see steps to repro). But other than that, not sure.

[abathur]

I'm not sure either. We're obviously out in ~weird territory...

I'll show my math on why this doesn't add up, and then ask a few increasingly paranoid questions:

1

~~> Setting up the build group nixbld

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/dseditgroup -o create -r Nix build group for nix-daemon -i 30000 nixbld

Create the Nix build group, nixbld

            Created:    Yes

You can see in the underlying code here that it would say the group "exists" if it was already there, and say it was "created" if not:

nix/scripts/install-multi-user.sh

Lines 448 to 471 in 4d67ecb

	create_build_group() {
	local primary_group_id
	task "Setting up the build group $NIX_BUILD_GROUP_NAME"
	if ! poly_group_exists "$NIX_BUILD_GROUP_NAME"; then
	poly_create_build_group
	row " Created" "Yes"
	else
	primary_group_id=$(poly_group_id_get "$NIX_BUILD_GROUP_NAME")
	if [ "$primary_group_id" -ne "$NIX_BUILD_GROUP_ID" ]; then
	failure <<EOF
	It seems the build group $NIX_BUILD_GROUP_NAME already exists, but
	with the UID $primary_group_id. This script can't really handle
	that right now, so I'm going to give up.
	You can fix this by editing this script and changing the
	NIX_BUILD_GROUP_ID variable near the top to from $NIX_BUILD_GROUP_ID
	to $primary_group_id and re-run.
	EOF
	else
	row " Exists" "Yes"
	fi
	fi
	}

2

~~> Setting up the build user _nixbld1
            Exists:     Yes
            Hidden:     Yes
    Home Directory:     /var/empty
              Note:     Nix build user 1
   Logins Disabled:     Yes
  Member of nixbld:     Yes
    PrimaryGroupID:     30000

Likewise, it'll say whether the user already exists or is created:

nix/scripts/install-multi-user.sh

Lines 484 to 503 in 4d67ecb

	if ! poly_user_exists "$username"; then
	poly_create_build_user "$username" "$uid" "$coreid"
	row " Created" "Yes"
	else
	actual_uid=$(poly_user_id_get "$username")
	if [ "$actual_uid" != "$uid" ]; then
	failure <<EOF
	It seems the build user $username already exists, but with the UID
	with the UID '$actual_uid'. This script can't really handle that right
	now, so I'm going to give up.
	If you already created the users and you know they start from
	$actual_uid and go up from there, you can edit this script and change
	NIX_FIRST_BUILD_UID near the top of the file to $actual_uid and try
	again.
	EOF
	else
	row " Exists" "Yes"
	fi
	fi

3

https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh handles both the option parsing and the single-user install process. If you invoked with --no-daemon, you presumably hit this:

nix/scripts/install-nix-from-closure.sh

Lines 61 to 65 in 4d67ecb

	--no-daemon)
	if [ "$(uname -s)" = "Darwin" ]; then
	printf '\e[1;31mError: --no-daemon installs are no-longer supported on Darwin/macOS!\e[0m\n' >&2
	exit 1
	fi

It would abort your install before making any changes. You can confirm in the broader source (and, in any case, the single-user install creates no groups or users).

adding it up

So:

1. We're pretty sure the users existed before the install logged here.
2. We're pretty sure the group didn't.
3. We're pretty sure trying to run (or even successfully running) a single-user install can't cause this condition.

questions

1. Do you still have the initial install in your scrollback?
2. Is this your personal device? (More to the point: is it enrolled in an MDM or otherwise managed by an institution in some way that might weird our user/group assumptions?)
3. Was it already set up when you started using it, or did you go through the first-time setup yourself?
4. Either during first-time setup or after, did you happen to use the Migration Assistant? (It's been long enough since I last ran through setup that I don't recall if it uses those words; it'll say something about transferring data...)
5. Did you use any other kind of restore-from-backup process on it?
6. If the answer to either 4 or 5 is yes: did the previous system have Nix installed? If so:
   1. is this device still available (in whatever condition it was before migration)?
   2. what version of macOS does/did it have installed?
   3. what's your best guess as to when Nix was first installed on it?

[drichardson]

First off: you're a legend for thinking about this so much.

To answer your questions:

• Do you still have the initial install in your scrollback?

Unfortunately no. I do have some bash history I will include though, starting with the first attempt to do a single user install.

  360  sh <(curl -L https://nixos.org/nix/install) --no-daemon
  361  sh <(curl -L https://nixos.org/nix/install)
  362  nix-env
  363  dscl
  364  dscl .
  365  dscl . list
  366  dscl . list '/Users'
  367  man dscl
  368  ls
  369  sh <(curl -L https://nixos.org/nix/install)
  370  sh <(curl -L https://nixos.org/nix/install)
  371  sudo vim /etc/bashrc
  372  set
  373  set|rg nix
  374  ls
  375  sh <(curl -L https://nixos.org/nix/install)
  376  vim .bash_profile 
  377  rg .bash* f
  378  rg nix .bash*
  379  ls
  380  cd scripts/
  381  rg nix .bash*
  382  rg nix 
  383  cd ..
  384  rg nix 
  385  sh <(curl -L https://nixos.org/nix/install)
  386  ls
  387  find . -name '*nix*'
  388  cd /etc/nix/
  389  ls
  390  find .
  391  cd ..
  392  ls
  393  sudo rm -rf nix
  394  cd
  395  ls
  396  sh <(curl -L https://nixos.org/nix/install)
  397  sh <(curl -L https://nixos.org/nix/install)
  398  sh <(curl -L https://nixos.org/nix/install)
  399  cd /etc
  400  ls
  401  vim bashrc.backup-before-nix 
  402  diff bashrc.backup-before-nix bashrc
  403  sudo mv bashrc.backup-before-nix bashrc
  404  cd
  405  sh <(curl -L https://nixos.org/nix/install)
  406  sudo mv /etc/zshrc.backup-before-nix /etc/zshrc
  407  sh <(curl -L https://nixos.org/nix/install)
  408  sh <(curl -L https://nixos.org/nix/install)
  409  sudo mv /etc/zshrc.backup-before-nix /etc/zshrc
  410  sudo mv bashrc.backup-before-nix bashrc
  411  cd /etc
  412  diff bash.bashrc.backup-before-nix bashrc.backup-before-nix 
  413  sudo vim bashrc
  414  ls
  415  ls
  416  ls
  417  bash
  418  ls
  419  sh <(curl -L https://nixos.org/nix/install)
  420  cd /etc
  421  ls
  422  git diff bashrc
  423  vim bashrc.backup-before-nix 
  424  file bash*
  425  vim bash.bashrc
  426  sudo rm bash.bashrc
  427  sudo mv bashrc.backup-before-nix bashrc
  428  ls
  429  pwd
  430  file bash*
  431  sudo rm bashrc_Apple_Terminal 
  432  sudo rm bash.bashrc.backup-before-nix 
  433  ls bash*
  434  vim bashrc 
  435  ls zsh*
  436  cat zshrc_Apple_Terminal 
  437  sl
  438  ls
  439  ls
  440  sudo vim zshrc
  441  ls
  442  find . -name '*.nix*'
  443  mount
  444  sh <(curl -L https://nixos.org/nix/install)
  445  echo $SHELL
  446  dscl .
  447  dscl . list
  448  dscl . read
  449  dscl /Local list
  450  dscl . list
  451  dscl .
  452  dscl . lsit
  453  dscl . list
  454  dscl . read
  455  dscl read .
  456  dscl list .
  457  dscl
  458  dscl -h
  459  dscl .
  460  dscl . -h
  461  dscl . -list /
  462  dscl . -list /Users
  463  dscl . -list /Groups
  464  dscl . -list /Groups/nixbld
  465  dscl . -rm /Groups/nixbld
  466  sudo dscl . -rm /Groups/nixbld
  467  sudo dscl . -rm /Groups/nixbld
  468  sudo dscl . -list /Users/nix*
  469  sudo dscl . -list /Users/_nix*
  470  sudo dscl . -list '/Users/nix*'
  471  sudo dscl . -list /Users/
  472  sudo dscl . -list /Users
  473  sudo dscl . -list /Users/_
  474  sudo dscl . -list /Users/_nixbld*
  475  sudo dscl . -list '/Users/_nixbld*'
  476  sudo dscl . -list /Users/_
  477  sudo dscl . -list /Users/
  478  sudo dscl . -list /Users
  479  sudo dscl . -list /Users|rg _nix
  480  sudo dscl . -list /Users|grep nix
  481  dscl . -list /Users|grep nix
  482  for x in $(dscl . -list /Users|grep nix); do echo $x; done
  483  for x in $(dscl . -list /Users|grep nix); do echo dscl . -read /Users/$x; done
  484  for x in $(dscl . -list /Users|grep nix); do dscl . -read /Users/$x; done
  485  for x in $(dscl . -list /Users|grep nix); do sudo dscl . -rm /Users/$x; done
  486  for x in $(dscl . -list /Users|grep nix); do echo dscl . -read /Users/$x; done
  487  ls -l /Volumes/
  488  ls -l /
  489  mount
  490  which fish
  491  sudo chsh -s /opt/homebrew/bin/fish
  492  chsh -s /opt/homebrew/bin/fish
  493  sudo -s
  494  nix-shell

• Is this your personal device? (More to the point: is it enrolled in an MDM or otherwise managed by an institution in some way that might weird our user/group assumptions?)

It's a work computer, but I purchased it myself from and does not have MDM or any other kind of profile provisioning on it. Also, no body else at my company experienced this issue, just me (and there are several other nix users).

• Was it already set up when you started using it, or did you go through the first-time setup yourself?

I bought it new, unwrapped it, and set it up myself.

• Either during first-time setup or after, did you happen to use the Migration Assistant? (It's been long enough since I last ran through setup that I don't recall if it uses those words; it'll say something about transferring data...)

Yes. But it didn't work, so I (attempted) to wipe by doing a new install. I did have nix installed on my previous computer.

This seems really sus, I think you found the problem. I wonder if there's anyway for me to check if I had a partial migration. I bet I didn't actually wipe it like I thought I did.

• Did you use any other kind of restore-from-backup process on it?

Nope.

• If the answer to either 4 or 5 is yes: did the previous system have Nix installed? If so:

Yes.

1. is this device still available (in whatever condition it was before migration)?

No, I wiped it.

2. what version of macOS does/did it have installed?

Latest. I updated it right before I sent it to another colleague, so 12.x.x. (not sure exactly).

3. what's your best guess as to when Nix was first installed on it?

Sometime after Dec 13.

[drichardson]

SUS

$ ls /Library/SystemMigration/History
Migration-FCBA4AEA-A53F-4B53-A0E5-15635D75611F

I think you found the problem @abathur. Users/groups brought over from a migration.

[drichardson]

I actually forgot about the migration because (as I mentioned) I tried (and obviously failed) to wipe it.

[drichardson]

And look at this section from /Library/SystemMigration/History
Migration-FCBA4AEA-A53F-4B53-A0E5-15635D75611F/Request (which is a binary plist):

    220 => "groupCreation"
    221 => {
      "$class" => <CFKeyedArchiverUID 0x6000015ddec0 [0x22075c000]>{value = 36}
      "NS.objects" => [
        0 => <CFKeyedArchiverUID 0x6000015df840 [0x22075c000]>{value = 222}
        1 => <CFKeyedArchiverUID 0x6000015df860 [0x22075c000]>{value = 223}
        2 => <CFKeyedArchiverUID 0x6000015df880 [0x22075c000]>{value = 224}
      ]
    }
    222 => "nixbld"
    223 => "com.apple.sharepoint.group.2"
    224 => "com.apple.sharepoint.group.1"
    225 => {
      "$class" => <CFKeyedArchiverUID 0x6000015de020 [0x22075c000]>{value = 27}
      "NS.keys" => [
        0 => <CFKeyedArchiverUID 0x6000015df8a0 [0x22075c000]>{value = 226}
      ]
      "NS.objects" => [
        0 => <CFKeyedArchiverUID 0x6000015de120 [0x22075c000]>{value = 33}
      ]
    }

[drichardson]

QED.

Fields Medal for @abathur

[drichardson]

Other than detecting this and recovering, nothing to do for this issue I guess. Feel free to close and thanks for your awesome investigation!

[abathur]

Ha! I'm glad that seems like the culprit. We would've been deep in red yarn territory if none of these panned out.

I think it can stay open (and I don't have the power to close it, anyways). If you can find a way to phrase the migration assistant into the title it may help this thread be a better light-house for anyone else seeing the same.

---

As far as fixing this later goes:

• It may take a bit before someone equipped to test out a migration and figure out what isn't getting wired up, but it would be nice to find out what the condition is. Starting in Big Sur, macOS has been doing some weird things with users and groups (see macOS update "booted to Recovery" because "an error occurred migrating user data" on Big Sur/Monterey w/ multi-user Nix present  #4531). I think we've also seen a few nixbld-has-no-members reports recently. Isolating the condition might help us fix other problems.
• But, if we wait a while and can't find anyone who can investigate, I guess we could probably compensate by treating existing users/groups as something to "cure" (i.e., to handle with the same idioms as the curing procedures in scripts/create-darwin-volume.sh).

[drichardson]

If you can find a way to phrase the migration assistant into the title it may help this thread be a better light-house for anyone else seeing the same.

Done.

[charles-dyfis-net]

I'm assisting a user who appears to be hitting this issue (including the SystemMigration reference).

Even though dscl shows that the users and groups exist (if we create them), or don't exist (if we delete them); and dsmemberutil checkmembership shows the users to be members of the groups when they should, getgrnam() appears not to be including any list of users as associated with the group.

1. Do we have an actual resolution/workaround/mechanism to fix this?
2. Is there any concrete/specific investigation I can perform?

[abathur]

I'm assisting a user who appears to be hitting this issue (including the SystemMigration reference).

Even though dscl shows that the users and groups exist (if we create them), or don't exist (if we delete them); and dsmemberutil checkmembership shows the users to be members of the groups when they should, getgrnam() appears not to be including any list of users as associated with the group.

1. Do we have an actual resolution/workaround/mechanism to fix this?
2. Is there any concrete/specific investigation I can perform?

I'm not sure what to tell you, but I happened to notice this in my inbox right after you sent it, so I want to note that there are some poorly-understood quirks here with respect to user/group relations in macOS. You can see an example of this in #4532 (comment) and my 2 immediately-following comments.

I suspect the thing that'll get you on the road again is trying to follow these uninstall instructions before reinstalling: https://nixos.org/manual/nix/stable/installation/installing-binary.html#macos

That said, if you have a little bit of timeline wiggle here it would be nice to collect some information on the user/group setup on this device. (I don't personally work with users/groups much in macOS, but I've asked in chat to see if anyone has specific ideas...)

[charles-dyfis-net]

The user who was experiencing this is no longer in the impacted state: It was fixed by looping over the build accounts, running dscl . append /Groups/nixbld GroupMembership _nixbld$i.

I'm guessing that this added nixbld as a supplemental group, in addition to being a primary group by virtue of the GIDs matching. Why this was necessary is a very open question.

I did get a dump of the /Users and /Groups plists earlier, when this was still happening, and have them on hand to query.

[abathur]

Glad your user is sorted. :)

Also promising that they're related, since GroupMembership was involved yet again. If there's nothing sensitive in them, can you drop them in a code block, perhaps within a <details> tag, or even just attach a file/log containing them?

[charles-dyfis-net]

Okay, got a new dump, and comparing them, the difference is clear as day :)

Only after running the relevant dscl append commands does the nixbld group have a dsAttrTypeStandard:GroupMembership key at all. Just having matching GIDs doesn't suffice; a user needs to be explicitly listed in a GroupMembership array for the getgrnam() call in UserLock::findFreeUser() to return it.

[charles-dyfis-net]

btw, it's worth explicitly calling out that dsAttrTypeStandard:GroupMembers is populated in both the before and after cases; it's only dsAttrTypeStandard:GroupMembership that was unpopulated in the faulty state. This explains why many of the OS's tools were claiming that the group membership was already correct.

[abathur]

Sorry for the slow response--I had this mostly-written in a tab but then discovered some plagiarism and had my day/week/month upended...

Thanks for the update! I'm glad that we seem to have a culprit. (But broadly frustrated that there's so much lurking complexity here...)

---

Some thoughts on potential next steps:

1. One thing we should try to keep in-frame is whether this might be a byproduct of migrating versions of macOS before some version. (Maybe this is a requirement they added at some point, and added to their tooling for new users, but migration is able to smuggle group/account setups unchanged from before this requirement existed.)

   @drichardson @charles-dyfis-net do you happen to know what macOS versions the old/migrated systems were running?

2. We might be holding the user/groups tooling wrong, or there might be bugs/omissions in the macOS migration routine and tooling. We could maybe open a feedback? My record with getting useful responses to feedbacks is not great. Don't feel obliged, but let me know the FB number if you have or happen to open one?

   @drichardson @charles-dyfis-net On the off chance either of you opened a Feedback, can you give me the FB number? (Not expecting you to open one if you haven't, but I'll reference it if I get a chance to follow up w/ them.)

3. Unless we find out that we're holding the user/groups tooling wrong, I'm not sure there'll be an actionable thing we can do to keep migrations from catapulting people into this problem.

   • It's not clear from the thread, but if this initially manifests, post-migration, as a failure to find build users in Nix, we might be able to coax someone into special-casing the error for macOS to point them in the right direction?
   • I guess it's at least plausible that there's some way to pre-flag the Nix store and its users/groups as something that shouldn't be migrated (but I doubt it, and shallow search didn't find anything).

4. We could probably update the installer to either try to narrowly detect and repair dsAttrTypeStandard:GroupMembership, or we could add these users and groups to the list of things the macOS installer can "cure" by completely removing and replacing them.

   (This is probably the easiest way to fix issues like this without having to really understand them, but it would also make repeat installs significantly slower and might keep us from learning enough about the causes to just fix them before they break on users?)

[drichardson]

1. @drichardson @charles-dyfis-net do you happen to know what macOS versions the old/migrated systems were running?

No I don't remember the exact version, but can hazard some guesses.

I was migrating from an almost brand new M1 machine to another new M1 machine with almost identical specs (the new one just had more RAM). The "old" machine was almost certainly up to date (I update regularly). Based on https://en.wikipedia.org/wiki/MacOS_Monterey it looks like that would have been 12.1, 12.2, or 12.2.1 (unlikely since it was released the same day I reported this issue.

I don't remember what the "new" machine had on it, but I started using it almost as soon as it arrived, so assuming Apple gave me a recently built computer (which I imagine they did since I had to wait a while for it) it also was probably running 12.1 or 12.2.

[drichardson]

2. @drichardson @charles-dyfis-net On the off chance either of you opened a Feedback, can you give me the FB number? (Not expecting you to open one if you haven't, but I'll reference it if I get a chance to follow up w/ them.)

I did not. I'm not sure what "a Feedback" is (but I'm guessing some nixOS thing).

[abathur]

@drichardson drat; I guess we won't age out of it then. Thanks for narrowing it down :)

By feedback I just mean a report in the Apple Feedback Assistant.

[charles-dyfis-net]

The most recent system it was observed on was a M1 Mac received within the last two weeks. I don't have the precise version number at hand.

Going through my old emails, my prior Apple Support engagements don't appear to have transcripts, so at least from the emailed receipts I don't have enough information to pin down which of them corresponded with this issue (I reported it to them once after it happened on then-recent M1-based personal hardware some time last year, which AFAIK nothing ever came of). I don't believe I've ever used the Feedback Assistant.

[charles-dyfis-net]

Insofar as this issue is pretty easy to identify by querying a dumped group plist, I'd imagine we could (1) patch the installer to identify and repair it (as a bare minimum, to ensure that reinstalling does fix the issue); and (2) possibly add some pre-startup logic to the nix-daemon launchd service.