-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add UID migration script for macOS Sequoia 15 #11075
add UID migration script for macOS Sequoia 15 #11075
Conversation
It does.
IIUC the script seems to migrate a set of existing users to a safe spot, but if like me you had a few users overwritten by Apple they need to be recreated. In my specific case I had
|
@lloeki Any chance you can include output from running those on your system? (It'll be really helpful to know what the first command outputs, and I'm also a little surprised "create" works on the users since as far as I can tell from other reports they do still exist, they just don't have a UID set anymore.) |
Before (recreated, but 200% sure it's exact because I stared at it multiple times over for quite a while):
|
For the heck of it I ran this again, looks like
And going deeper into the rabbit hole I'd say
|
Thanks for this script. I wasn't relishing the idea of reinstalling Nix with a fixed installer before upgrading my Macs to Sequoia. As I understand it, the Determinate Systems installer starts from uid This is based on a comment from @ahcm: It would be nice to keep the two installers (and this script) in sync. |
@dhess My understanding is that their use of 450+ is a sequoia-specific short term fix and that they intend to sync up with the decisions we make ~here. (I intend to follow up w/ Apple to see if we can get any guidance on range. I was hoping to send that mon/tues this week but we're having a time in Houston, though that was probably net good since we have learned a little that I should include in the summary this week.) |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2024-07-10-nix-team-meeting-minutes-160/49101/1 |
I force-pushed to (hopefully) fix the script for the uid-less users that people are seeing post-upgrade. If anyone is in the position to take this update whether in a VM or on bare metal, it would be good to confirm it runs clean and does the right thing when run both pre-upgrade and post-upgrade. |
I just tested this in a VM, and unfortunately, the current approach doesn't work. Before I get into the issues, I'll first describe how I tested it:
It bailed out at the very first iteration: |
@cole-h Thanks for giving it a shake. Sigh. Not ideal :) If they aren't there at all, we'll need full logic to create them correctly. I guess I could change heuristics again to try and figure out how to find the highest-numbered nixbld user and then go create/migrate all of them up to that number. Here's where the assumption that they exist but lack a UID comes from: For grins, can you try the command I suggested there (edit: Nevermind. I see from Matrix that you did):
Now that I review that issue, I suppose it isn't absolutely sworn there that Sequoia is the cause, so aside from the possibility that they've "fixed" this issue by actually fully deleting the users, it's also possible that's actually some Nth issue. |
@abathur Sorry for the delay, here's the output you asked for: (To summarize the screenshot: I get a |
49322d1
to
b83215a
Compare
Force-pushed to try to scaffold an approach that can backfill missing users and migrate the rest. Not generally tested on my end. I did find at least one bug in the script as it existed while revising for this. |
I followed a similar process as @cole-h, and I think it mostly worked. I think it ran into
|
b83215a
to
de7b485
Compare
@mkenigs Good catch. I think excluding _nixbld users from the ID availability check should be enough. Force-pushed. |
e17114e
to
3d5d24b
Compare
3d5d24b
to
8b037a8
Compare
@abathur this would be a fast way to check and bypass migration if not necessary. diff --git a/scripts/sequoia-nixbld-user-migration.sh b/scripts/sequoia-nixbld-user-migration.sh
index 45a6f1bfc..858aaabeb 100755
--- a/scripts/sequoia-nixbld-user-migration.sh
+++ b/scripts/sequoia-nixbld-user-migration.sh
@@ -128,11 +128,33 @@ change_nixbld_uids(){
echo "dscl . list /Users UniqueID | grep _nixbld | sort -n -k2"
fi
}
+needs_migration(){
+ local name uid next_id user_n
+
+ ((next_id=NEW_NIX_FIRST_BUILD_UID))
+ ((user_n=1))
+
+ while read -r name uid; do
+ expected_name="$(nix_user_n "$user_n")"
+ if [[ "$expected_name" != "$name" ]]; then
+ return 0
+ fi
+ if [[ "$next_id" != "$uid" ]]; then
+ return 0
+ fi
+ ((next_id++))
+ ((user_n++))
+ done < <(dscl . list /Users UniqueID | grep _nixbld | sort -n -k2)
+ return 1
+}
+
if any_nixbld; then
- echo "Attempting to migrate _nixbld users."
- temporarily_move_existing_nixbld_uids
- change_nixbld_uids
+ if needs_migration; then
+ echo "Attempting to migrate _nixbld users."
+ temporarily_move_existing_nixbld_uids
+ change_nixbld_uids
+ fi
else
echo "Didn't find any _nixbld users. Perhaps you have single-user Nix?"
exit 1 Another check to be done is to ensure we have the correct number of builders. |
@abathur worked for me with that most recent change! |
8b037a8
to
91027b0
Compare
@abathur I'm inclined to have this run on all OSX installs + upgrade. Perhaps not unconditionally, but only if we detect UIDs in a dangerous range (either _nixbld or otherwise, both indicate potential problems). People without a conflict may have already moved them or are doing something custom. |
I've applied this in the latest force-push.
Can you elaborate on what you have in mind? I'm not sure if you mean as a sanity/work-avoidance check similar to above or as a confirmation at the end, but one reason for the cumbersome implementation is that I'm trying to ~handle installs with a non-default number of users via That said, this currently doesn't do anything ~smart for installs that overrode NIX_FIRST_BUILD_UID for a few reasons:
I had been thinking we might just message (everywhere we announce this migration) that these installs aren't supported and leave decisions about whether/how to migrate up to those users? I have thought about bailing if the existing UIDs are unexpected, but this would make it harder to recommend the script to people who have been DIYing their first UIDs to work around this problem and get them back on ~normal UIDs. Summing these up, I feel like:
|
The situation I mean is that they somehow lost some users at the end of the range, either in uid or in names. We would not recreate them, or ly any lost in the beginning. This is not very likely, nor such a critical problem. |
While we don't have any easy way to forcibly notify everyone about the impending breakage (or forcibly migrate the users on their system), this script enables those who do hear about the problem to migrate their systems before they take the macOS update. It should also enable people who only discover it after the update when a build fails to ~fix their installs without a full reinstall.
91027b0
to
0fabb34
Compare
I guess we should probably get #10919 finished soon if this is ready to go. I missed getting an official response about numbering! Did the DevRel specify an opinion on 350 vs. 351? I think having an off‐by‐one from the Nix builder numbers, and from the numbering before the migration, is a bit unfortunate. Edit: Ah, I see #10919 has been updated (although it still uses the old UID range). |
We didn't put that specific 350/351 question to them. Our reasoning for changing the open PRs to their recommendation during the installer meeting last week was roughly:
I didn't mean to suggest that the UID choice was settled beyond debate by marking these ready for review--just that human testing had indicated that the logic might finally be ~right (minus some edge cases around installs that used custom first UIDs which I don't plan to address). Not sure I have a super strong opinion on 350/351, but I agree it would be more consistent and if you think we're making a mistake here I don't see any reason not to center that question for debate in a followup PR as soon as #10919 lands?
Good catch. I did update that PR with the new range for the actual installer, but I forgot to also apply it in the old bigsur migration script (which unfortunately is the first file GH shows :). I've force-pushed to fix that. |
Yeah, sure, not trying to bikeshed all this even more, and I’m very glad Apple gave us a recommendation :) I prefer 351 because it preserves last digit of Sorry for never getting around to doing extensive VM testing here; I had too much on the stack. I really appreciate you carrying this awkward migration through despite my nitpicking, and please do let me know if I can do anything to amplify the message about migration when Sequoia is released. |
No worries. I introduced the consistency issue by not thinking a step beyond their suggestion. I think we should try to settle the UID before we start putting effort into communicating, but the script should work whether you've taken the macOS update or not--so we can start messaging as soon as we're confident rather than waiting for Apple to release it. It may also be helpful to start towards ~temporarily documenting the problem with notes/warnings anywhere we think people may land when flailing around with a broken install? I know I need to update the open pinned issue to describe how to run the script (and maybe reference missing _nixbld1 in the title), but it seems like a fair number of people don't look for open issues before trying to reinstall. |
We should at least backport the installer changes all the way back to 2.18, I think (there’s NixOS/nixpkgs#335342, but 24.05 is still a thing and will presumably default to 2.18 for its lifetime). Unfortunately I’m not really sure where we can reliably message stuff other than the places we run code on user machines. Certainly we should put it in the release notes, but nobody reads those. A Discourse post would be a good idea, but I was planning to just spend a lot of time sending rote replies on Matrix mostly :) FWIW I’m happy to open a PR to bump the UIDs by 1 myself if you think it sounds reasonable (and then I guess we should wait for the Determinate Systems installer to deploy the same UID/GID values before we start messaging?), though since the installer PR hasn’t landed yet maybe it should be adjusted there first. No desire to bikeshed the value beyond that because a recommendation from Apple makes me very happy! |
@abathur Thoughts on migrating the GID as well in this script? |
We discussed during the installer wg meeting I think. I had tentatively added this at one point because I generally like minimizing differences across the install base, but someone made a good point about the risk of introducing file ownership issues (i.e., the group is the GID and not symbolic) on existing installs. |
Even though I don't have nix.configureBuildUsers set[1], the increment communicates a known level of compatibility with the future macOS Sequoia. I ran Nix's Sequoia migration script[2] manually prior to any OS update for good measure. $ curl -L https://raw.githubusercontent.com/NixOS/nix/f2e7e996/scripts/sequoia-nixbld-user-migration.sh | bash Attempting to migrate _nixbld users. Step 1: move existing _nixbld users out of the destination UID range. Password: Temporarily moved _nixbld1 from uid 301 -> 31000 Temporarily moved _nixbld2 from uid 302 -> 31001 Temporarily moved _nixbld3 from uid 303 -> 31002 Temporarily moved _nixbld4 from uid 304 -> 31003 Temporarily moved _nixbld5 from uid 305 -> 31004 Temporarily moved _nixbld6 from uid 306 -> 31005 Temporarily moved _nixbld7 from uid 307 -> 31006 Temporarily moved _nixbld8 from uid 308 -> 31007 Temporarily moved _nixbld9 from uid 309 -> 31008 Temporarily moved _nixbld10 from uid 310 -> 31009 Temporarily moved _nixbld11 from uid 311 -> 31010 Temporarily moved _nixbld12 from uid 312 -> 31011 Temporarily moved _nixbld13 from uid 313 -> 31012 Temporarily moved _nixbld14 from uid 314 -> 31013 Temporarily moved _nixbld15 from uid 315 -> 31014 Temporarily moved _nixbld16 from uid 316 -> 31015 Temporarily moved _nixbld17 from uid 317 -> 31016 Temporarily moved _nixbld18 from uid 318 -> 31017 Temporarily moved _nixbld19 from uid 319 -> 31018 Temporarily moved _nixbld20 from uid 320 -> 31019 Temporarily moved _nixbld21 from uid 321 -> 31020 Temporarily moved _nixbld22 from uid 322 -> 31021 Temporarily moved _nixbld23 from uid 323 -> 31022 Temporarily moved _nixbld24 from uid 324 -> 31023 Temporarily moved _nixbld25 from uid 325 -> 31024 Temporarily moved _nixbld26 from uid 326 -> 31025 Temporarily moved _nixbld27 from uid 327 -> 31026 Temporarily moved _nixbld28 from uid 328 -> 31027 Temporarily moved _nixbld29 from uid 329 -> 31028 Temporarily moved _nixbld30 from uid 330 -> 31029 Temporarily moved _nixbld31 from uid 331 -> 31030 Temporarily moved _nixbld32 from uid 332 -> 31031 Step 2: re-create missing early _nixbld# users. Step 3: relocate remaining _nixbld# UIDs to 351+ _nixbld1 migrated to uid: 351 _nixbld2 migrated to uid: 352 _nixbld3 migrated to uid: 353 _nixbld4 migrated to uid: 354 _nixbld5 migrated to uid: 355 _nixbld6 migrated to uid: 356 _nixbld7 migrated to uid: 357 _nixbld8 migrated to uid: 358 _nixbld9 migrated to uid: 359 _nixbld10 migrated to uid: 360 _nixbld11 migrated to uid: 361 _nixbld12 migrated to uid: 362 _nixbld13 migrated to uid: 363 _nixbld14 migrated to uid: 364 _nixbld15 migrated to uid: 365 _nixbld16 migrated to uid: 366 _nixbld17 migrated to uid: 367 _nixbld18 migrated to uid: 368 _nixbld19 migrated to uid: 369 _nixbld20 migrated to uid: 370 _nixbld21 migrated to uid: 371 _nixbld22 migrated to uid: 372 _nixbld23 migrated to uid: 373 _nixbld24 migrated to uid: 374 _nixbld25 migrated to uid: 375 _nixbld26 migrated to uid: 376 _nixbld27 migrated to uid: 377 _nixbld28 migrated to uid: 378 _nixbld29 migrated to uid: 379 _nixbld30 migrated to uid: 380 _nixbld31 migrated to uid: 381 _nixbld32 migrated to uid: 382 Migrated 32 users. If you want to double-check, try: dscl . list /Users UniqueID | grep _nixbld | sort -n -k2 [1]: LnL7/nix-darwin#1069 [2]: NixOS/nix#11075
I guess this will need to be backported? |
I expect most users will get this script via |
(What would be really good to have backported into a release is #11415, so that the Nix version used by Nixpkgs 24.05 and (for now) 24.11-pre can be installed correctly on macOS Sequoia. Currently nix-darwin has to do ugly CI hacks to work around that.) |
Agree with Emily that the migration script does not need to be backported for now. (Just the actual installer fixes.) |
Motivation
Unless Apple fixes the current behavior of the macOS Sequoia 15 beta updaters (which is ~taking UIDs 301-304 from our _nixbld1-4 users) before public beta, we'll likely get a lot of support requests from users with broken installs.
Unless it's feasible for Nix itself to automatically migrate them, it's probably worth having a migration script that people can manually run before or after their update.
Early iterations of this migrated to 331+, but I've more recently relocated to 350+ on suggestion from an Apple devrel.
Context
Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.