Nix single user install on Linux wants 'nixbld' group and workers, else - it fails #1559

Open
Anton-Latukha opened this issue Sep 6, 2017 · 24 comments

@Anton-Latukha

Anton-Latukha commented Sep 6, 2017

@edolstra
Setting up Nix with the installer in single-user (the default) mode on Linux crashes with an error. The script inside runs nix-store --init, and nix-store --init throws:

warning: the group ‘nixbld’ specified in ‘build-users-group’ does not exist
warning: the group ‘nixbld’ specified in ‘build-users-group’ does not exist

nix-env -i /nix/store/xrqssm90gsrnqdn79rpfcs6dwx8597d2-nix-1.11.14 throws:

warning: the group ‘nixbld’ specified in ‘build-users-group’ does not exist
installing ‘nix-1.11.14’
building path(s) ‘/nix/store/gbvx4dcw6ibps16dx4wy4dxp3vf4i204-user-environment’
error: the group ‘nixbld’ specified in ‘build-users-group’ does not exist

And returns an exit code.

But those groups and workers are a requirement of multi-user mode according to the documentation.

The reason is probably in this block:

nix/src/libstore/build.cc

Lines 491 to 499 in 0b606aa

UserLock::UserLock()
{
    assert(settings.buildUsersGroup != "");

    /* Get the members of the build-users-group. */
    struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
    if (!gr)
        throw Error(format("the group '%1%' specified in 'build-users-group' does not exist")
            % settings.buildUsersGroup);

Please, look into it.

There are 4 bug reports regarding this error:
2016-01-13. #936 Install Nix as root
2016-03-13. #879 install.sh homepage instructions only work without build-user-group
2015-11-13. #697 how to correctly install Nix on Arch Linux
2015-11-10. #692 Installation in alternate directory fails

The workarounds people use are straightforward.

Create 'nixbld' by hand.

Or as @mboes mentioned:

echo "build-users-group =" > /etc/nix/nix.conf

After the workaround addgroup nixbld:

building path(s) ‘/nix/store/gbvx4dcw6ibps16dx4wy4dxp3vf4i204-user-environment’
error: the build users group ‘nixbld’ has no members

It still goes the 'multi-user' way and expects workers.

As the workarounds are simple and there are 4 bug reports already, most people find those bug reports and so do not file new ones, and if a person decides to proceed with the official install, they need to use the mentioned workarounds at the moment.

It happens on any clean Linux distro. I reproduce it 100% of the time on Ubuntu, Arch Linux and Alpine Linux.

@Anton-Latukha
Author

Anton-Latukha commented Sep 6, 2017

This is why I came: I saw clearly that the community is:

  • using NixOS,
  • existing Nix setups,
  • macOS
  • official Docker image.

While installation on Linux distributions needs real work.

As I am a Linux maniac and DevOps, I know Linux systems at the level of all the nuts and bolts, and how to make the most universal install. I want to take that task on myself, to take a hand in releasing the flood of the Nix beast onto Linux distributions.

The official install code is the best documentation for IT hacker guys and Linux distribution maintainers. It is then easy to replicate, if a universal one is made. From that, ridiculously, packages of Nix can easily be made for all distributions, to infect their ecosystem. Users are much happier to install a package with a package manager they trust than to run an unknown install script. And distributions are much easier to talk with when you have a legit package for their distro.

I am pretty far ahead on improving ./install-nix-from-closure.sh locally, but my 3 PRs are not merged, and I need to merge them so as not to collide with myself in commits to one file. Otherwise I must make a huge monster PR, but then the team needs to believe me that it works and just needs more testing.
As nix-1.11.14 was released, it is possible to polish './install-nix-from-closure.sh' before the next release.

@Anton-Latukha Anton-Latukha changed the title Nix single user install on Linux wants 'nixbld' group, else - it fails Nix single user install on Linux wants 'nixbld' group and workers, else - it fails Sep 6, 2017
@edolstra
Member

edolstra commented Sep 7, 2017

The installer currently does not support installing as root. It does print this warning:

warning: installing Nix as root is not supported by this script!

We should probably make this a fatal error.

@Anton-Latukha
Author

Anton-Latukha commented Sep 7, 2017

You changed it from an error to a warning long ago:
924e193#diff-c3a5a1b9e6689412725b16888b6057db

It was also discussed in #1143; that was done to solve #1125.

As root has no restrictions on the system, I cannot understand why root install/operation is not possible.

I take it on myself to make 'installing Nix as root' well supported by the installer, as well as installing as a user.
All I need is to be assured that the Nix code itself can operate in single-user mode from root.

Then, move to multi-user.

And since you made that commit, not much has happened in the Linux install. One big commit, which solved many bug reports. I mean, Linux is a huge and complex platform. No work has happened on the Linux install.

It causes problems and bug reports, because the automatic install is not developed and does not work for many cases of Linux environments; that is why people keep writing.

The default installation HOWTO points to the single-user installation.
The Linux install uses the single-user installation. Let's at least make single-user work before thinking about making multi-user work on all Linux distributions.
DevOps people use one-liners in deployments...

Single-user installation from root can basically be seen as the classic Linux package manager mode. All classic Linux package managers operate from root.

This mode is much closer to most Linux admins, and they are probably going to try it first, before moving to Nix. And get familiar with Nix multi-user then. Let's not expect them to make a huge jump like 'classic rpm' -> 'purely functional package manager nix in multi-user mode'.

@Anton-Latukha
Author

Anton-Latukha commented Sep 7, 2017

[message merged]

@Anton-Latukha
Author

Anton-Latukha commented Sep 8, 2017

It looks like the root install in the Docker image works (docker: update to Nix 1.11.14 #1562).
It creates the groups and workers there.
Why remove this possibility in the installer?

Why is this error hit, and what are the facts showing that it is not possible to do single-user root?

He does mkdir -m 0755 /nix. That means that the multi-user setup done there works as single-user root.

We can also observe that the contributor does pre-setup before running the installation.

addgroup -g 30000 -S nixbld # is what we talk about here
for i in $(seq 1 30); do \
  adduser -S -D -h /var/empty -g "Nix build user $i" -u $((30000 + $i)) -G nixbld nixbld$i ; \
  done
mkdir -m 0755 /nix # must be solved partly by my #1555, partly by further progress, if we get there.

It is because he works around bugs and does what is presumed in the installation.

Before running:
USER=root sh nix-*-x86_64-linux/install

BTW even in that line, with USER=root, we observe that he works around a kind of bug for the Docker setup.

That is solved in my #1549, but it is not accepted by the project at this time, probably because I am somewhat not accepted.
Also, the most probable cause: there is probably no active human who can take responsibility for accepting Linux-side shell code into the Linux installer.

@jcrben

jcrben commented Mar 18, 2018

there's https://nixos.wiki/wiki/Nix_Installation_Guide#Single-user_install - perhaps it could be updated with some advice

@Anton-Latukha
Author

Anton-Latukha commented Mar 19, 2018

@jcrben Bugs should not be documented in the wiki. They should be resolved.

First, this syndrome should be sorted out.
Is it a bug that single-user install requires a special group with special users?
Or is it a feature? Then I want to hear arguments in that regard, so I can grasp why it is so. Until that moment the only thing I can do is to be ignorant. I tried, and just have not found particular valid arguments for this syndrome.

BTW if you want, you can add info about this situation to the wiki, if this situation is still valid, because it seems like a stalemate here.
But the fact that you wrote here shows that you found this issue, probably because this is still true.

@Anton-Latukha
Author

Anton-Latukha commented Jul 19, 2018

I am working, currently polishing the portable POSIX install script, finishing it.

And I decided to recheck whether this one is resolved or got any input, so I know whether I should do a workaround or whether it is maybe solved. Then I would be able to work on single-user/multi-user switches/options in the script.

Current check

Currently, while installing, for example, even in a banal Ubuntu Docker environment, users still receive this:

apt update && apt -yy install sudo curl && export USER=root && curl https://nixos.org/nix/install | sh

initialising Nix database...
warning: the group 'nixbld' specified in 'build-users-group' does not exist
warning: the group 'nixbld' specified in 'build-users-group' does not exist
Nix: creating /root/.nix-profile
warning: the group 'nixbld' specified in 'build-users-group' does not exist
installing 'nix-2.0.4'
error: the group 'nixbld' specified in 'build-users-group' does not exist

So people are forced to web-search and create the groups and users themselves to go further with Nix.

P.S.

I have not received any input or help on this issue. I have no solid information to take solid action.

While the single-user mode install goes, is this some feature or a bug?

I gave a talk and raised that question to receive any input or help on the installer and these bugs.
And people came to help me with the installer, reviewing the pull request. It was helpful.
But they did not help me understand this syndrome.

This bug and the lack of input on it in reality caused duplication of work, code and installation processes inside the Nix installers.

And that would now also require additional integration and deduplication in the install processes.

I have some great ideas and plans to discuss, which I can implement in the Nix install after the current merge.

I really do not want to blindly do workarounds for an upstream bug when I try to do work and present my work to the same upstream.

I really want to have meaningful communication and collaboration.

Making the script overcome this syndrome is a couple of lines and a couple of minutes for me, and then I can work to make it single-user/multi-user capable.

But I need to get some authoritative input on this feature/bug.
Because if single-user mode without parallel building can function normally without those groups, we (I, in the installer) can implement that for people. And this is what is in the documentation.

@Anton-Latukha
Author

People, please, somebody: @edolstra, @shlevy, @dtzWill. A year has passed - take notice that single-user mode is blocked due to some sort of hardcode.

Everything is written in the main post.

I have already completely finished and polished the cross-platform POSIX installer in #1565.

And I tested it quite rigorously. And Nix internal initialization under single-user mode still fails, as it did a year and even more ago. People do a workaround: installing Nix in multi-user.

If this is not resolved, I would need to enable the workaround in the installer and install Nix for everyone in multi-user by default.

If multi-user mode is a policy now, someone needs to tell me that, and we should delete the mentions and functioning of single-user in the Manual, on the Wiki and in the code.

After the POSIX install merge (once again, I mean #1565), enabling argument management and single/multi-user modes is quick. But if this is not resolved, I and the users have no option but to go multi-user.

@Anton-Latukha
Author

Anton-Latukha commented Sep 3, 2018

If you would look at the initial history of the installer - you would see why I know that mentioned:

warning: installing Nix as root is not supported by this script!

is a leftover from this time:
924e193#diff-c3a5a1b9e6689412725b16888b6057db

Which was drive-by changed in:
5d064e2
Which laid the guilt on the script.

I am writing the new script; please tell me how to install it in single-user properly.

If I get upstream collaboration - we would have the most portable install in the industry right now. And then the most contributor-friendly and featureful installer by the middle of the winter. I know a secret weapon that would make it even better than any one-liners (online-script installers) in the industry, while making it even more casual for understanding and contributing to.

@grahamc
Member

grahamc commented Sep 4, 2018

Nix does not support a single-user installation being used as root, that is why the script warns about it. There is no proper single-user installation of Nix for the root user.

@Anton-Latukha
Author

Anton-Latukha commented Apr 13, 2019

How does it work in Docker?

I gave you a presentation, and this point was covered right here: https://youtu.be/hhgrCV_r7YE?t=7657

You were introducing me and sitting near me. We even talked a couple of times.
And neither you nor anyone in the audience had any questions.

But let's get back to the topic.
I am the person who made the POSIX-compatible installer and who reported the problem, and you told me that there is no installer for this.

I don't know what to say.

I raised a first-class bug report, even debugged the C++ code and pointed to the lines. And got no technical response.

@testbird

testbird commented Jun 24, 2019

Strange, have you checked working with guix?

@Anton-Latukha
Author

Anton-Latukha commented Jun 24, 2019

@testbird thank you, but I raised a particular Nix issue for the particular purpose of sorting it out.

@thedavidmeister

@Anton-Latukha what is the workaround that works, do you know? I see a lot of noise in linked issues and a lot isn't working for me (Debian w/ Docker)

@zimbatm
Member

zimbatm commented Sep 16, 2019

the workaround I have seen is to (simplified):

  • create a temporary user with sudo access
  • install nix under that user
  • delete the user
  • configure the root account with the nix profile

@Anton-Latukha
Author

@zimbatm you are probably talking about the root user roadblock.

@Anton-Latukha
Author

Anton-Latukha commented Sep 17, 2019

@thedavidmeister Back in the day this issue was dodged by:

groupadd -r nixbld
for n in $(seq 1 10); do useradd -c "Nix build user $n" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(command -v nologin)" "nixbld$n"; done

It is an old way to switch Nix to the multiuser state, from before the daemon (is it still systemd?) installer took over this role.

You can find a somewhat worse version of this block of code in the old versions of the Nix manual.

Nix basically switches to multiuser if the nixbld and nixbld# system account users are created.
At least this is how it worked before.

They are required by Nix to be system account users. Why, I don't know; there is no information about that, and I got no response when I asked. But I know these system accounts were a roadblock for me when installing Nix on BSD systems, since there is no such thing as system accounts in BSD; it is a Linux addition which is relatively new.

Currently I do not know the state of the installers or how current Nix works internally. I already did everything that I was able to do. I wish there was better reciprocity.

For a single Nix user there is virtually no difference in enabling multiuser, while it allows more isolation of processes.
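
An added example, not part of the thread or of Nix's own code: a preflight check that reports which of the states discussed above a host is in before Nix is run as root (build users switched off in nix.conf, group missing, group without members, or usable). The function names are hypothetical; the `nixbld` fallback and the `/etc/nix/nix.conf` path are taken from the messages and workaround quoted in the thread, and reading members from the fourth field of the group entry is an assumption about what the `getgrnam` check sees.

```shell
#!/bin/sh
# Added example (not from the thread or the Nix sources); function names are hypothetical.

# Print the build-users-group value from a nix.conf-style file.
# Assumption: "nixbld" applies when the key is absent (the name in the quoted
# errors); an empty value means build users are switched off.
conf_build_users_group() {
    [ -r "$1" ] || { echo nixbld; return 0; }
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*build-users-group[ \t]*$/ {
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); found = 1
        }
        END { if (found) print val; else print "nixbld" }
    ' "$1"
}

# Classify one group(5) record "name:passwd:gid:member,member,...".
# Only the member list counts here: an account that has the group merely as
# its primary group is not listed in that field, which is consistent with the
# workaround passing both -g and -G.
classify_group_entry() {
    [ -n "$1" ] || { echo missing; return 0; }
    count=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -c . || true)
    if [ "$count" -eq 0 ]; then echo no-members; else echo "ok:$count"; fi
}

# Fetch the group record, preferring getent and falling back to /etc/group.
lookup_group() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" || true
    else
        grep "^$1:" /etc/group || true
    fi
}

# Report: disabled | missing | no-members | ok:<member count>
build_users_status() {
    group=$(conf_build_users_group "$1")
    [ -n "$group" ] || { echo disabled; return 0; }
    classify_group_entry "$(lookup_group "$group")"
}

build_users_status "${1:-/etc/nix/nix.conf}"
```

The `missing` and `no-members` results correspond to the two errors quoted in the first post; `disabled` corresponds to the empty `build-users-group =` setting.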

@thedavidmeister

ok thanks for the info @Anton-Latukha !

@Anton-Latukha
Author

@thedavidmeister

I would recommend enabling the multiuser install, because single-user is a topic with a contradiction that never seems to be open to dialog with those who hold the rights (that is my work and experience with it, as also seen at the start of this report).

Because we have no dialog, there is no information, and as such you should expect the creator to close the single-user mode at any time, and then so it would be. BTW he already effectively did that with this hardcode issue.

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/docker-build-issue/9495/3

@stale

stale bot commented Jun 3, 2021

I marked this as stale due to inactivity. → More info

@filakhtov

Just ran into this issue myself. I am trying to automate the build process of LXC container images and my objective is to achieve this in host-independent fashion. The way I am trying to approach it is the following:

  • Download the base image and extract it into a temporary directory
  • Mount kernel VFS (proc, sys, dev, etc)
  • Download Nix installer script, make it executable
  • Run Nix installer script inside of the chroot in single-user mode
  • Use Nix inside of the chroot to download nixos-generate and use that to build the final image

As you have probably guessed by this point I am stuck on running the installer script and I need help sorting this out.

For more context: I want to be able to build an image anywhere, i.e. booting a live CD and doing it from there, using a random VM I have, or somewhere else. The idea is that I have automated LXC hypervisor installation and configuration and I would like to spin up an LXC “operator” container with NixOS inside which then will have a profile with a lot of automation tools, such as Terraform, Ansible, k0sctl, etc and can bootstrap the rest of the environment I need from there (the idea is to rapidly spin up and tear down test lab environments of varying degree of complexity and configuration). I have early steps (hypervisor installation and initial configuration) and late steps (Terraform, Ansible, etc) more or less automated already and the only missing link in the chain is how to build this initial LXC image.

Thanks in advance for any ideas!

@CMCDragonkai
Member

CMCDragonkai commented Jul 5, 2022

I'm wondering is multiuser nix necessary when running nix inside a container image that is solely designed to build things with nix?

We used dockerTools.buildImageWithNixDb, and it appears by default it requests that there be nixbld users when we didn't have them.

I thought that if the container is only building things, it's not really necessary to have nixbld users.

But if it gains a marginal amount of extra security/isolation, then perhaps it's better to just have it configured then. But then buildImageWithNixDb should probably set this up automatically.


Correct me if I'm wrong, but the only reason nixbld users are necessary even inside a single-user docker container (that does not have nix-daemon running) is because the container is using root user. If the container wasn't using root user, then nixbld users wouldn't be necessary.

This discussion seems to concur: #3415 (comment)
