Installer occasionally fails to create user on macOS GitHub Actions runner #12140

Open
3 of 5 tasks
Rhys-T opened this issue Jan 6, 2025 · 4 comments

Comments

@Rhys-T

Rhys-T commented Jan 6, 2025

Platform

  • Linux:
  • macOS
  • WSL

Additional information

The GitHub Actions workflow on my repository just failed to create the _nixbld1 user on the macos-latest runner. It was a scheduled run, not one where I had changed anything on my end. Edit: Misremembered - that one was actually a push, but I hadn't changed any files that should affect the 'install' step - and as mentioned below, other projects are getting the same error intermittently.

<dscl_cmd> DS Error: -14988 (eNotYetImplemented)
create: DS error: eNotYetImplemented

Both Ansible and the Determinate Nix installer have had similar intermittent issues lately. It seems like it's being caused by a bug in macOS. The latter ended up working around it by retrying the dscl command if it got that error.

Edit: Forgot to mention that I'm using https://github.com/cachix/install-nix-action. I can reopen the issue there if you think that's more appropriate, but the error came from the Nix installer itself and linked me to this issue template.

Output

https://github.com/Rhys-T/nur-packages/actions/runs/12617424570/job/35159680300#step:5:237

installer options: --no-channel-add --darwin-use-unencrypted-nix-store-volume --nix-extra-conf-file /var/folders/9f/9p4dh6hs5yddrk7drxq8rc_80000gn/T/tmp.f4yOqr8n/nix.conf --daemon --daemon-user-count 8
* Host releases.nixos.org:443 was resolved.
* IPv6: (none)
* IPv4: 151.101.66.217, 151.101.194.217, 151.101.2.217, 151.101.130.217
*   Trying 151.101.66.217:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2827 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=releases.nixos.org
*  start date: Oct 11 20:56:16 2024 GMT
*  expire date: Nov 12 20:56:15 2025 GMT
*  subjectAltName: host "releases.nixos.org" matched cert's "releases.nixos.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2024 Q4
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to releases.nixos.org (151.101.66.217) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://releases.nixos.org/nix/nix-2.24.9/install
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: releases.nixos.org]
* [HTTP/2] [1] [:path: /nix/nix-2.24.9/install]
* [HTTP/2] [1] [user-agent: curl/8.11.1]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET /nix/nix-2.24.9/install HTTP/2
> Host: releases.nixos.org
> User-Agent: curl/8.11.1
> Accept: */*
> 
* Request completely sent off
{ [5 bytes data]
< HTTP/2 200 
< last-modified: Fri, 27 Sep 2024 22:02:35 GMT
< etag: "3b9a4f8ba852b9257c3c6d8c19f92eb6"
< x-amz-server-side-encryption: AES256
< content-type: text/plain
< server: AmazonS3
< via: 1.1 varnish, 1.1 varnish
< access-control-allow-origin: *
< accept-ranges: bytes
< age: 87353
< date: Sun, 05 Jan 2025 07:03:42 GMT
< x-served-by: cache-dub4357-DUB, cache-dfw-kdfw8210033-DFW
< x-cache: HIT, HIT
< x-cache-hits: 64, 0
< content-length: 4267
< 
{ [5 bytes data]
* Connection #0 to host releases.nixos.org left intact
downloading Nix 2.24.9 binary tarball for x86_64-darwin from 'https://releases.nixos.org/nix/nix-2.24.9/nix-2.24.9-x86_64-darwin.tar.xz' to '/var/folders/9f/9p4dh6hs5yddrk7drxq8rc_80000gn/T/nix-binary-tarball-unpack.XXXXXXXXXX.0MwRwvZv'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 44 17.6M   44 8062k    0     0  49.3M      0 --:--:-- --:--:-- --:--:-- 49.2M
100 17.6M  100 17.6M    0     0  80.6M      0 --:--:-- --:--:-- --:--:-- 80.5M
Warning: the flag --darwin-use-unencrypted-nix-store-volume
         is no longer needed and will be removed in the future.

Switching to the Multi-user Installer
Welcome to the Multi-User Nix Installation

This installation tool will set up your computer with the Nix package
manager. This will happen in a few stages:

1. Make sure your computer doesn't already have Nix. If it does, I
   will show you instructions on how to clean up your old install.

2. Show you what I am going to install and where. Then I will ask
   if you are ready to continue.

3. Create the system users (uids [351..358]) and groups (gid 350)
   that the Nix daemon uses to run builds. To create system users
   in a different range, exit and run this tool again with
   NIX_FIRST_BUILD_UID set.

4. Perform the basic installation of the Nix files daemon.

5. Configure your shell to import special Nix Profile files, so you
   can use Nix.

6. Start the Nix daemon.

Would you like to see a more detailed list of what I will do?
No TTY, assuming you would say yes :)

I will:

 - make sure your computer doesn't already have Nix files
   (if it does, I will tell you how to clean them up.)
 - create local users (see the list above for the users I'll make)
 - create a local group (nixbld)
 - install Nix in /nix
 - create a configuration file in /etc/nix
 - set up the "default profile" by creating some Nix-related files in
   /var/root
 - back up /etc/bashrc to /etc/bashrc.backup-before-nix
 - update /etc/bashrc to include some Nix configuration
 - back up /etc/zshrc to /etc/zshrc.backup-before-nix
 - update /etc/zshrc to include some Nix configuration
 - create a Nix volume and a LaunchDaemon to mount it
 - create a LaunchDaemon (at /Library/LaunchDaemons/org.nixos.nix-daemon.plist) for nix-daemon

Ready to continue?
No TTY, assuming you would say yes :)

---- let's talk about sudo -----------------------------------------------------
This script is going to call sudo a lot. Normally, it would show you
exactly what commands it is running and why. However, the script is
run in a headless fashion, like this:

  $ curl -L https://nixos.org/nix/install | sh

or maybe in a CI pipeline. Because of that, I'm going to skip the
verbose output in the interest of brevity.

If you would like to
see the output, try like this:

  $ curl -L -o install-nix https://nixos.org/nix/install
  $ sh ./install-nix


~~> Fixing any leftover Nix volume state
Before I try to install, I'll check for any existing Nix volume config
and ask for your permission to remove it (so that the installer can
start fresh). I'll also ask for permission to fix any issues I spot.

~~> Checking for artifacts of previous installs
Before I try to install, I'll check for signs Nix already is or has
been installed on this system.

---- Nix config report ---------------------------------------------------------
        Temp Dir:	/var/folders/9f/9p4dh6hs5yddrk7drxq8rc_80000gn/T/tmp.webSd6HZ
        Nix Root:	/nix
     Build Users:	8
  Build Group ID:	350
Build Group Name:	nixbld

build users:
    Username:	UID
     _nixbld1:	351
     _nixbld2:	352
     _nixbld3:	353
     _nixbld4:	354
     _nixbld5:	355
     _nixbld6:	356
     _nixbld7:	357
     _nixbld8:	358

Ready to continue?
No TTY, assuming you would say yes :)

---- Preparing a Nix volume ----------------------------------------------------
    Nix traditionally stores its data in the root directory /nix, but
    macOS now (starting in 10.15 Catalina) has a read-only root directory.
    To support Nix, I will create a volume and configure macOS to mount it
    at /nix.

~~> Configuring /etc/synthetic.conf to make a mount-point at /nix

~~> Creating a Nix volume
disk1s7 was already unmounted

~~> Configuring /etc/fstab to specify volume mount options

~~> Configuring LaunchDaemon to mount 'Nix Store'

~~> Setting up the build group nixbld
            Created:	Yes

~~> Setting up the build user _nixbld1
<dscl_cmd> DS Error: -14988 (eNotYetImplemented)
create: DS error: eNotYetImplemented

---- oh no! --------------------------------------------------------------------
Oh no, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at
https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md

Or get in touch with the community: https://nixos.org/community

Error: Process completed with exit code 1.

Checklist


Add 👍 to issues you find important.

@Mic92
Member

Mic92 commented Jan 7, 2025

If it fails once, does it also fail on the second run? Maybe we can just retry the command in this case. Tip: If you change the installer script, and open a pull request our CI will upload a runnable installer. You can find it at the end: https://github.com/NixOS/nix/actions/runs/12646087601

@Rhys-T
Author

Rhys-T commented Jan 7, 2025

It's happening rarely enough (as in I've only seen it once so far) that I'm not really sure how to test that, but according to DeterminateSystems/nix-installer#1300 (comment), retrying the dscl command seemed to work, and they ended up adding that workaround to their installer in DeterminateSystems/nix-installer#1301.
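
The retry workaround discussed in this thread, sketched as an added example (not code from the Nix installer or from DeterminateSystems/nix-installer). The function names, the attempt limit, the delay and the `fake_dscl` stand-in are assumptions; the wrapper retries only on the `eNotYetImplemented` text quoted in the issue and is bounded, so any other failure of a privileged account-creation step still surfaces immediately.

```shell
# Added example; names, attempt limit and delay are assumptions, not the
# Nix installer's code.
DS_RETRY_MAX=${DS_RETRY_MAX:-5}      # total attempts before giving up
DS_RETRY_DELAY=${DS_RETRY_DELAY:-1}  # seconds to wait between attempts

# Run "$@"; retry only when its output names the transient DS error.
retry_on_ds_error() {
    attempt=1
    while :; do
        rc=0
        # stdout and stderr are merged so the error text can be inspected.
        out=$("$@" 2>&1) || rc=$?
        if [ "$rc" -eq 0 ]; then
            [ -z "$out" ] || printf '%s\n' "$out"
            return 0
        fi
        printf '%s\n' "$out" >&2
        case $out in
            *eNotYetImplemented*) ;;   # transient: fall through and retry
            *) return "$rc" ;;         # anything else is a real failure
        esac
        if [ "$attempt" -ge "$DS_RETRY_MAX" ]; then
            echo "giving up after $attempt attempts" >&2
            return "$rc"
        fi
        attempt=$((attempt + 1))
        sleep "$DS_RETRY_DELAY"
    done
}

# Constructed stand-in for dscl so the wrapper can be exercised off macOS:
# fails with the issue's error text for the first $2 calls (counted in
# file $1), then succeeds.
fake_dscl() {
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    if [ "$n" -le "$2" ]; then
        echo '<dscl_cmd> DS Error: -14988 (eNotYetImplemented)' >&2
        return 1
    fi
}
```

In real use the wrapped command would be the dscl invocation that creates the build user, in place of `fake_dscl`.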

@Mic92
Member

Mic92 commented Jan 8, 2025

Can you test: #12152 ?

@Rhys-T
Author

Rhys-T commented Jan 12, 2025

Sorry, I meant to get back to you sooner. I can try pointing cachix/install-nix-action at those installer builds if you want [1], but without knowing how to get dscl to fail again, I'm not sure how I'll know whether it did anything to help or not.

Footnotes

  1. Although the obvious approach is failing because it isn't logged into GitHub and can't see artifacts, so I'll have to figure out how to work around that.
