ERROR system_manager] We need root permissions.

[andreyadrian]

A) Describe the bug
Im following the installaton guide, I have added it to my flake, and added the default.nix.
And then running it with the command shown:
nix run 'github:numtide/system-manager' -- switch --flake '.'

But I get
haerin@orangepizero3:~/.config/home-manager$ nix run 'github:numtide/system-manager' -- switch --flake '.' warning: input 'rust-overlay' has an override for a non-existent input 'flake-utils' [2024-06-26T18:43:36Z INFO system_manager::register] Trying flake URI: .#systemConfigs.orangepizero3... warning: Git tree '/home/haerin/.config/home-manager' is dirty [2024-06-26T18:43:37Z INFO system_manager::register] Attribute .#systemConfigs.orangepizero3 not found in flake. [2024-06-26T18:43:37Z INFO system_manager::register] Trying flake URI: .#systemConfigs.default... warning: Git tree '/home/haerin/.config/home-manager' is dirty [2024-06-26T18:43:37Z INFO system_manager::register] Success, using .#systemConfigs.default [2024-06-26T18:43:37Z INFO system_manager::register] Building new system-manager generation... [2024-06-26T18:43:37Z INFO system_manager::register] Running nix build... warning: Git tree '/home/haerin/.config/home-manager' is dirty [2024-06-26T18:43:37Z INFO system_manager::register] Built system-manager profile /nix/store/npin69q4riknxihbk060a9960p0py3jx-system-manager [2024-06-26T18:43:37Z ERROR system_manager] We need root permissions.

What stands to me its the last bit ERROR system_manager] We need root permissions.

B) To Reproduce

Steps to reproduce the behavior:

1. My current flake.nix:

`{
description = "Home Manager configuration of haerin";

inputs = {
# Specify the source of Home Manager and Nixpkgs.
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

home-manager = {
  url = "github:nix-community/home-manager";
  inputs.nixpkgs.follows = "nixpkgs";
};

nvchad-config = {
  url = "git+https://codeberg.org/andreyadrian/nvchad-starter";
  flake = false;
};

system-manager = {
  url = "github:numtide/system-manager";
  inputs.nixpkgs.follows = "nixpkgs";
};

};

outputs = { nixpkgs, home-manager, nvchad-config, system-manager,... }:
let
system = "aarch64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in {

  # 1. This one is for home-manager
  homeConfigurations."haerin" = home-manager.lib.homeManagerConfiguration {

    inherit pkgs;

    # Specify your home configuration modules here, for example,
    # the path to your home.nix.
    modules = [ ./home.nix ];

    # Optionally use extraSpecialArgs
    # to pass through arguments to home.nix
    extraSpecialArgs = {
      nvchadConfig = nvchad-config;
    };

  };

  # 2. This one is for system-manager
  systemConfigs.default = system-manager.lib.makeSystemConfig {

    modules = [ ./default.nix ];

  };

};

}
`

2. My current default.nix (is the default template):

`{ config, lib, pkgs, ... }:

{
config = {
system-manager.allowAnyDistro = true;
nixpkgs.hostPlatform = "aarch64-linux";

environment = {
  etc = {
    "foo.conf".text = ''
      launch_the_rockets = true
    '';
  };
  systemPackages = [
    pkgs.fd
    pkgs.hello
  ];
};

systemd.services = {
  foo = {
    enable = true;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    wantedBy = [ "system-manager.target" ];
    script = ''
      ${lib.getBin pkgs.hello}/bin/hello
      echo "We launched the rockets!"
    '';
  };
};

};
}
`

C) Expected behavior

To run with no errors, and let me use system-manager to manage services like docker.

D) System information

OS: Armbian (24.8.0-trunk.36) aarch64
####### Host: OrangePi Zero3
########### Kernel: 6.6.31-current-sunxi64

E) Additional context

I do have root access but trying
sudo nix run 'github:numtide/system-manager' -- switch --flake '.'
wont work
haerin@orangepizero3:~/.config/home-manager$ sudo nix run 'github:numtide/system-manager' -- switch --flake '.' sudo: nix: command not found

[aanderse]

please clean up formatting of your messages it is too difficult to read as you have posted

[r-vdp]

Yeah so system-manager needs root permissions, as the error says. This is normal, since it will be managing system-level config, which is all owned by root.

Did you try running it with sudo for instance?

[andreyadrian]

Yeah so system-manager needs root permissions, as the error says. This is normal, since it will be managing system-level config, which is all owned by root.

Did you try running it with sudo for instance?

Yeah I'd try with:
'sudo nix run 'github:numtide/system-manager' -- switch --flake '.''

It returns
'sudo: nix: command not found'

[aanderse]

sounds like an Ubuntu issue: https://unix.stackexchange.com/questions/83191/how-to-make-sudo-preserve-path

[andreyadrian]

sounds like an Ubuntu issue: https://unix.stackexchange.com/questions/83191/how-to-make-sudo-preserve-path

Im gonna be trying with this instead then:
'$ sudo /nix/var/nix/profiles/default/bin/nix run 'github:numtide/system-manager' -- switch --flake '.''

Thats what i got after running
'$ which nix'

Lets see

[andreyadrian]

So this time i got a different error

`haerin@orangepizero3:~/.config/home-manager$ sudo /nix/var/nix/profiles/default/bin/nix run 'github:numtide/system-manager' -- switch --flake '.'
warning: input 'rust-overlay' has an override for a non-existent input 'flake-utils'
[2024-06-26T22:23:24Z INFO system_manager::register] Trying flake URI: .#systemConfigs.orangepizero3...
error:
… while fetching the input 'git+file:///home/haerin/.config/home-manager'

   error: getting the HEAD of the Git tree '/home/haerin/.config/home-manager' failed with exit code 1:
   error: executing 'git': No such file or directory

[2024-06-26T22:23:27Z INFO system_manager::register] Attribute .#systemConfigs.orangepizero3 not found in flake.
[2024-06-26T22:23:27Z INFO system_manager::register] Trying flake URI: .#systemConfigs.default...
error:
… while fetching the input 'git+file:///home/haerin/.config/home-manager'

   error: getting the HEAD of the Git tree '/home/haerin/.config/home-manager' failed with exit code 1:
   error: executing 'git': No such file or directory

[2024-06-26T22:23:27Z INFO system_manager::register] Attribute .#systemConfigs.default not found in flake.
[2024-06-26T22:23:27Z ERROR system_manager] No suitable flake attribute found, giving up.
haerin@orangepizero3:~/.config/home-manager$`

[r-vdp]

This seems to also have to do with your PATH variable, I think that this is nix who expects git to be provided by the system.

One way to get around this, would be to launch a root shell, and then get a nix shell with everything that nix and system-manager need:

sudo -i
nix-shell -p nix git

But I also think that something is quite broken in your system's setup, I don't think that this is how sudo is usually configured.

[jlbribeiro]

@r-vdp

But I also think that something is quite broken in your system's setup, I don't think that this is how sudo is usually configured.

Just to double check: does system-manager support single-user installations (~"daemonless"; docs)? Some of the messages seem to imply this is a single-user installation, and running as sudo "by force" (using sudo "$(which nix)", sudo env "PATH=$PATH", ...) would cause the /nix/store to end up with root-owned files, and the installation would become "broken" during normal usage.
Is system-manager able to handle a non-root owned nix store, while using sudo only while installing (i.e. creating symlinks, ...) the system-wide changes?

(If that's not the case, it might be worth adding to the README.md that it only supports multi-user installations.)

@andreyadrian Can you confirm that is (was?) the case (i.e. that you installed it as a single-user installation)?
You can check this by looking for the owner of your /nix/store and its subpaths (ls -ld /nix/store, and ls -la /nix/store); notice that if you've already executed a semi-successful sudo nix, the ownership of /nix/store might have changed, but if you were in a single-user installation, other subpaths will probably have different ("the original") ownership.

[r-vdp]

@jlbribeiro I didn't test this explicitly, but if your nix single-user installation is set up correctly, this should work. Nix knows how to write outputs into the store with the correct permissions. The daemon also runs as root, so it's essentially the same.

[jlbribeiro]

@r-vdp As I might be missing something, please bear with me.

$ sudo nix
sudo: nix: command not found

has to do with the fact that nix is not on the root's PATH; that's caused by the fact that many (most?) distros define the /etc/sudoers secure_path option to a "safe" value by default. (easier way to check: sudo sudo -V | grep '$PATH')

From there, I'm guessing the only nix/nix-* binaries the non-root user has are the ones in their $PATH, so the sudo -i + nix-shell suggestion is also not possible because nix-shell would not exist in the root shell (at least I can see the secure_path policy being applied in my case: the command is also not found).

So, as far as I can tell, we're left with passing the $PATH to sudo by either sudo env "PATH=$PATH", sudo "$(which nix)", ...
Assuming that's the case (and please correct me if not), there's different behavior depending on the running user:

$ nix-shell
error: no argument specified and no 'shell.nix' or 'default.nix' file found in the working directory

$ sudo env "PATH=$PATH" nix-shell
warning: the group 'nixbld' specified in 'build-users-group' does not exist
error: no argument specified and no 'shell.nix' or 'default.nix' file found in the working directory

So,

Nix knows how to write outputs into the store with the correct permissions.

might be true, but Nix does behave differently and has different assumptions about the setup depending on the user; I'm guessing that's because it no longer relies on ~/.config/nix/nix.conf, probably has different defaults for root, ... (notice there's no /etc/nix/nix.conf). And while I don't want to re-run the commands I did yesterday (including creating the users along these lines to address the warning from above - like in a multi-user installation!)... all I can say is that I had to nuke my /nix directory, manually remove any symlinks in /etc pointing to /nix, and reinstall Nix. Issues like this seem to confirm that. This old PR also aggregates some interesting issues + context.

(and to provide additional context: I use NixOS in all my machines except two: a multi-user non-NixOS Linux installation, and this one - my work's laptop, where the single-user installation is recommended due to security reasons, namely SELinux)

While I understand single-user installations are unusual (probably not recommended for most use cases, even), I want to make sure whether system-manager is supposed to work correctly on those setups; it might not, given it's not tested.
And that's more than fine! Single-user installations are indeed the exotic ones. But it's probably better to keep that in mind, and possibly add a warning if that's the case.

Please let me know if I'm missing something, or something else I didn't try.

(btw: thank you for this project! found out about it because of wanting to try soupglasses/nix-system-graphics, and it feels like the missing "nix-darwin"-like piece for non-NixOS Linux!)

[cognivore]

I have a similar sentiment to @jlbribeiro!

I install my Nix like this: https://github.com/cognivore/icfpc-compute/blob/main/installer.sh#L36

And yet, after I switch with system-manager, it puts root-owned stuff into /nix.

[r-vdp]

Yeah, I'd need to set up a VM with a single user install to further debug this. I think things can probably be configured in a way to get everything to work, but I haven't tried it before and so I'm not entirely sure.

If using s-m with single user mode breaks your nix setup, then I agree we should add a warning.
I'd like to have this working, but I'm not sure when I'll get to this.

[cognivore]

Yes, I also think that it's possible to make it work with chgrp magic, but to be clear for anyone who reads my misguided message from above: I realised that I was wrong to think that I had a m-u install!

I have reinstalled Nix in m-u using the installer I linked above and everything works like a charm.