nix auto-allocate-uids -> nixbld users
2023-10-08 · 1 min read
I've hit an obscure issue with my nix install on Pop!_OS where the nix auto-allocate-uids setting doesn't seem to work quite right with the build sandbox, due to some "hardening" in the Debian-based kernel build interacting poorly with the user namespace in the sandbox.
I installed nix with the DeterminateSystems/nix-installer, which is overall a great experience -- highly recommend. This installer sets you up with auto-allocate-uids for the multi-user install, which avoids littering your system with a bunch of nixbldX users.
Sadly we need those nixbldX users back; here's how to do that:
for n in $(seq 1 32); do
    sudo useradd \
        --home-dir /var/empty \
        --comment "Nix build user ${n}" \
        --gid nixbld \
        --groups nixbld,kvm \
        --no-create-home \
        --no-user-group \
        --system \
        --uid $((30000 + n)) \
        --shell /sbin/nologin \
        --password "!" \
        "nixbld${n}"
done
We've also added the new nixbldX users to the kvm group, so they can run qemu VMs efficiently -- super handy when running NixOS tests.
Next let's remove the auto-allocate-uids setting from /etc/nix/nix.conf:
diff --git /etc/nix/nix.conf.old /etc/nix/nix.conf
--- /etc/nix/nix.conf.old
+++ /etc/nix/nix.conf
@@ -1,7 +1,9 @@
# Generated by https://github.com/DeterminateSystems/nix-installer, version 0.9.1.
-experimental-features = nix-command flakes auto-allocate-uids
+experimental-features = nix-command flakes
auto-optimise-store = true
extra-nix-path = nixpkgs=flake:nixpkgs
bash-prompt-prefix = (nix:$name)\040
build-users-group = nixbld
-auto-allocate-uids = true
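Review bot: the hunk header `@@ -1,7 +1,9 @@` does not match the lines shown. The old side has the 7 lines it claims, but the new side has only 6 (one line replaced, one removed, nothing added), not 9, so the diff as displayed would be rejected by patch. Either added lines are missing from the listing or the header should read `@@ -1,7 +1,6 @@`. Keeping `build-users-group = nixbld` as unchanged context is correct, since that setting is what points the daemon at the nixbldX users created above.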
Finally restart the nix daemon:
$ sudo systemctl restart nix-daemon.service
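To confirm the fallback is in place after the restart, a check along these lines can be used. It is an added example, not part of the original post: the function names and the `--live` switch are hypothetical, while the UID range 30001-30032 and the nologin shell are taken from the useradd loop above.

```shell
#!/bin/sh
# Added example: post-change check for the nixbld fallback described above.
# Function names are hypothetical; UIDs 30001-30032 and the nologin shell
# come from the useradd loop in the post.

# Succeeds (exit 0) if the given nix.conf still enables auto-allocate-uids,
# either as a setting or as an experimental feature. Commented-out lines do
# not match; files pulled in via "include" are not followed.
conf_uses_auto_uids() {
    grep -Eq '^[[:space:]]*auto-allocate-uids[[:space:]]*=[[:space:]]*true' "$1" && return 0
    grep -Eq '^[[:space:]]*(extra-)?experimental-features[[:space:]]*=.*auto-allocate-uids' "$1"
}

# Reads passwd(5) lines on stdin and prints one line for each of
# nixbld1..nixbld32 that is missing, has an unexpected UID, or has a login shell.
bad_build_users() {
    awk -F: '
        $1 ~ /^nixbld[0-9]+$/ { uid[$1] = $3; shell[$1] = $7 }
        END {
            for (n = 1; n <= 32; n++) {
                u = "nixbld" n
                if (!(u in uid))                  print u ": missing"
                else if (uid[u] + 0 != 30000 + n) print u ": uid " uid[u]
                else if (shell[u] !~ /nologin$/)  print u ": shell " shell[u]
            }
        }'
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    status=0
    if conf_uses_auto_uids /etc/nix/nix.conf; then
        echo "nix.conf: auto-allocate-uids is still enabled"; status=1
    fi
    problems=$(getent passwd | bad_build_users)
    if [ -n "$problems" ]; then
        echo "$problems"; status=1
    fi
    exit "$status"
fi
```

No output and exit status 0 from the `--live` run means the config no longer enables auto-allocate-uids and all 32 build users look as the loop created them.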