Logrotate config fails due to missing group 30000

jakubgs · May 27, 2023, 9:30am

I started getting a really weird error which prevents me from upgrading my system:

 > sudo nixos-rebuild build
building the system configuration...
error: builder for '/nix/store/7xg66r1jm4nl07i0vniwdgdna3mmgvrg-logrotate.conf.drv' failed with exit code 1;
       last 1 log lines:
       > /nix/store/98rnm10cy6liayss4gbhksmpvmykl6kd-coreutils-9.1/bin/id: cannot find name for group ID 30000
       For full logs, run 'nix log /nix/store/7xg66r1jm4nl07i0vniwdgdna3mmgvrg-logrotate.conf.drv'.
error: 1 dependencies of derivation '/nix/store/7knfxxjldjib2mrmhsh5nny85n99i5y9-unit-logrotate-checkconf.service.drv' failed to build
error: 1 dependencies of derivation '/nix/store/0hqi49l4l6axwlygbz3ax8sm3c5d00jf-system-units.drv' failed to build
error: 1 dependencies of derivation '/nix/store/wl1ighq6757mk88ml5kpyxvai4w86di9-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/81fg8fc6nr7d6ha25cid7fz9j801zns7-nixos-system-zeruel-22.11.20230413.2b1bba7.drv' failed to build

The Logrotate config fails to build with: id: cannot find name for group ID 30000

I found this issue:

github.com/NixOS/nix

sandboxed builds without user namespace should require `sandbox-fallback` set to true

opened 09:01AM - 11 Aug 22 UTC

NickCao

bug

**Describe the bug** When running builds on machines without user namespace ena…bled or failing to create user namespaces, nix silently fallbacks to disabling user namespace without requiring `sandbox-fallback` to be set to true, causing hard to debug build failures. **Steps To Reproduce** 1. `sudo sysctl -w user.max_user_namespaces=0` 2. `nix build --impure --expr 'with import <nixpkgs> { }; runCommand "userns" { } "id -ng; touch $out"'` 3. build errors out with `id: cannot find name for group ID 30000` 4. `sudo sysctl -w user.max_user_namespaces=95605` 5. run the build again, it works this time **Expected behavior** When the creation of user namespace fails for whatever reason, and `sandbox-fallback` is not set to true, it should be a hard failure, or at least, a warning message should be printed. **`nix-env --version` output** nix-env (Nix) 2.10.3 **Additional context** This bug was found when debugging build failure in `services.logrotate`, namely at the line https://github.com/NixOS/nixpkgs/blob/6531c04987236301675ab5892117f4b799351684/nixos/modules/services/logging/logrotate.nix#L166

But my user.max_user_namespaces already isn’t zero:

 > sudo sysctl user.max_user_namespaces
user.max_user_namespaces = 95605

And the group with ID 30000 clearly exists:

 > grep 30000 /etc/group
nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9

So I have no idae what this is about. Would appreciate some help.

aanderse · May 27, 2023, 11:51am

Maybe you can set services.logrotate.checkConfig = false; as a workaround for now. Might help.

jakubgs · May 28, 2023, 9:02am

Thanks. That indeed helped me upgrade the system. When I remove it the issue comes back, but at least now I can actually rebuild things.

Sill no idea what caused this.

jakubgs · May 28, 2023, 10:51am

Oh, I think it’s because of my hardened profile, but I have no idea which setting is causing it specifically.

MrQubo · June 20, 2023, 1:30pm

I have the same problem. Did you manage to fix it properly or find the cause?

jakubgs · June 20, 2023, 10:15pm

Nope. I just use the hack proposed by @aanderse. I did not identify which hardened profile setting is causing this yet.

con-f-use · July 23, 2023, 11:22am

Having a similar problem trying to build a pretty vanilla flake with very vanilla nix.conf settings:

$ nix build './#nixovabase'
error: builder for '/nix/store/i6s512b3s7319k2gpfzil614ylbr22fa-logrotate.conf.drv' failed with exit code 1;
       last 1 log lines:
       > /nix/store/ngw3m00r391w31n13q4m2x06amx4mqri-coreutils-9.1/bin/id: cannot find name for group
 ID 872415232

The workaround services.logrotate.checkConfig = false; helped, thanks Aaron!