Installation on macOS Catalina

Starting with Catalina, the root file system becomes read-only. This breaks the basic Nix installation procedure for those on macOS, that is to say

sudo curl -L https://nixos.org/nix/install | sh

no longer works on Macs.

The Nix community has come up with solutions to the problem, and, according to the manual's Introduction, the recommended way to install Nix on macOS Catalina is

sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume

This does not work.

What exactly do I mean by that?

I am investigating the possibility of using Nix in the context of a scientific research project. I believe that Nix has much to offer in this context, not only in terms of reliable reproducible builds, but also for automated provision of development environments.

A significant portion of the people involved in this project use macOS. However great the aforementioned benefits might be, if there is no simple, reliable and well-documented way of installing Nix on Macs, then this whole idea will be stillborn, because the people involved are first and foremost scientists, and only incidentally developers, and therefore have a relatively low tolerance for such obstacles. It will be difficult to convince them that the pain is worth the eventual rewards.

So, when I say “This does not work” I mean that the first Mac-using guinea-pig collaborator who kindly volunteered some time to humour my “try-this-Nix-thing” whim, was unable to install Nix on Catalina using the recommended procedure … meanwhile the internet, as of today, tacitly implies that This Just Works and offers no further help. Yes, the manual goes into details of alternative possibilities, but if my scientific collaborators read this, they will only be convinced that we should stay away from Nix, because it introduces complexities which they don’t need.

I do not have a Mac myself, so it’s very difficult to investigate or offer further advice.

Does anyone have any experience with installing Nix on Catalina? Do you have any complementary information on the process? Any hints about troubleshooting?

Can we create some resources for helping others through this process?

My personal short-term fear is that, if reliably installing Nix on Macs has become significantly more complicated than the one-liner shown above, then Nix is simply not a viable solution for projects such as this. And that would be a great shame, because I really do believe that Nix has so much to offer here.


This is probably the same issue that necessitated the doc change in “Instruct the user to follow redirects when installing Nix.” by SamirTalwar (NixOS/nix pull request #3716 on GitHub); i.e., the macOS install docs didn’t also get updated here.

I think using curl -L may get your collaborator rolling.

For others attempting to follow along, it looks like the underlying discussion about this starts at “Manage with nix” by jacg (next-exp/IC pull request #727 on GitHub) and runs through the rest of that same pull request.

Adding -L makes us progress further.

Now we stall at

Creating a Nix Store volume...
error: refusing to create Nix store volume because the boot volume is
       FileVault encrypted, but encryption-at-rest is not available.
       Manually create a volume for the store and re-run this script.
       See https://nixos.org/nix/manual/#sect-macos-installation

Which includes the line

Manually create a volume for the store and re-run this script.

I doubt that manually creating a volume is something I can reasonably ask of every Mac user on the team, as a prerequisite for being able to install, run and hack on the project’s software. So that might be the end of Nix, as far as this particular project is concerned.

However, I’m still interested in understanding more about the process.

The manual states:

The recommended approach, which creates an unencrypted APFS volume for your Nix store and a “synthetic” empty directory to mount it over at /nix, is least likely to impair Nix or your system.

If you’re using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case “unencrypted” is a bit of a misnomer). To use this approach, just install Nix with:
$ sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume

I see two alternative interpretations of the stuff about the T2 chip:

  1. If you have a T2 chip, the volume will still be encrypted; on other chips it will not be encrypted.
  2. If you have a T2 chip, this is the command to use; if you don’t have a T2 chip, you’re on your own.

I hope the first is the correct interpretation, but I’m not entirely sure. It would be good if the manual left no room for doubt.

Looking at “but encryption-at-rest is not available” from the error message and “with a T2 chip, your drive will still be encrypted at rest” from the manual, I wonder whether interpretation 2 is correct, and my collaborator’s Mac does not have a T2 chip.


See this comment for the motivation:
https://github.com/NixOS/nix/pull/3692#issuecomment-643609344

#2 is correct at the moment. It’s not ideal.

There’s a saga, but the rough TL;DR is:

  • it isn’t acceptable for some users for us to automatically create an unencrypted store volume when they’ve gone to the effort of encrypting their boot volume
  • the encryption flow we identified during the initial push to update the installer for Catalina causes some problems of its own
  • an improvement has been identified that may fix these problems, but we need someone to implement it

Couldn’t the installer just print out a warning and ask users if they’d like to proceed?

What’s the improvement/fix?

It roughly does, but the prompt is to rerun with the flag, or manually prep a volume. Many people use non-interactive installs, so prompts don’t replace the need for defensive defaults?