Logrotate config fails due to missing group 30000

I started getting a really weird error which prevents me from upgrading my system:

 > sudo nixos-rebuild build
building the system configuration...
error: builder for '/nix/store/7xg66r1jm4nl07i0vniwdgdna3mmgvrg-logrotate.conf.drv' failed with exit code 1;
       last 1 log lines:
       > /nix/store/98rnm10cy6liayss4gbhksmpvmykl6kd-coreutils-9.1/bin/id: cannot find name for group ID 30000
       For full logs, run 'nix log /nix/store/7xg66r1jm4nl07i0vniwdgdna3mmgvrg-logrotate.conf.drv'.
error: 1 dependencies of derivation '/nix/store/7knfxxjldjib2mrmhsh5nny85n99i5y9-unit-logrotate-checkconf.service.drv' failed to build
error: 1 dependencies of derivation '/nix/store/0hqi49l4l6axwlygbz3ax8sm3c5d00jf-system-units.drv' failed to build
error: 1 dependencies of derivation '/nix/store/wl1ighq6757mk88ml5kpyxvai4w86di9-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/81fg8fc6nr7d6ha25cid7fz9j801zns7-nixos-system-zeruel-22.11.20230413.2b1bba7.drv' failed to build

The Logrotate config fails to build with: id: cannot find name for group ID 30000

I found this issue:

https://github.com/NixOS/nix/issues/6898

But my user.max_user_namespaces already isn’t zero:

 > sudo sysctl user.max_user_namespaces
user.max_user_namespaces = 95605

And the group with ID 30000 clearly exists:

 > grep 30000 /etc/group
nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9

So I have no idae what this is about. Would appreciate some help.

Maybe you can set services.logrotate.checkConfig = false; as a workaround for now. Might help.

Thanks. That indeed helped me upgrade the system. When I remove it the issue comes back, but at least now I can actually rebuild things.

Sill no idea what caused this.

Oh, I think it’s because of my hardened profile, but I have no idea which setting is causing it specifically.

I have the same problem. Did you manage to fix it properly or find the cause?

Nope. I just use the hack proposed by @aanderse. I did not identify which hardened profile setting is causing this yet.

Having a similar problem trying to build a pretty vanilla flake with very vanilla nix.conf settings:

$ nix build './#nixovabase'
error: builder for '/nix/store/i6s512b3s7319k2gpfzil614ylbr22fa-logrotate.conf.drv' failed with exit code 1;
       last 1 log lines:
       > /nix/store/ngw3m00r391w31n13q4m2x06amx4mqri-coreutils-9.1/bin/id: cannot find name for group
 ID 872415232

The workaround services.logrotate.checkConfig = false; helped, thanks Aaron!

Weird, I am running into the same issue right now. But I haven’t really changed anything since prior rebuilds. Wonder if it’s a regression somewhere.

I believe the cause is due to user namespaces being disabled in the hardened profile.

You can check that with sudo sysctl kernel.unprivileged_userns_clone (0 is disabled, 1 is enabled).

I then enabled user namespaces with sudo sysctl kernel.unprivileged_userns_clone=1 and was then able to rebuild.

Keep in mind that will only be enabled until next reboot, so if you want a permanent solution you need to make sure security.unprivilegedUsernsClone is not changed or set it back to true if it is set to false somewhere.

Alex, much thanks. I forgot to reply and just ran into this issue again – you’re on the mark. Even just toggling this while running nixos-rebuild will prevent the issue.

I wonder if this also will lead me to fix another long standing issue I’ve been having with linux (LXC) containers, where for some reason the user ids aren’t being mapped to container specific uids (like mapping the container’s root to 1000000) but that’s off topic for this conversation.