Installation error on M1 Macbook Pro: SUIS premount dissented #6669

robertlagrant opened this issue Jun 14, 2022 · 14 comments
@robertlagrant

robertlagrant commented Jun 14, 2022

Describe the bug

Installing Nix for the first time on macOS Monterey, on an M1 MacBook Pro - it failed with SUIS premount dissented.

Steps To Reproduce

  1. sh <(curl -L https://nixos.org/nix/install)
  2. Say y to the prompts
  3. Enter sudo password
  4. See error:
```
<!---- SNIP ----!>
~~> Encrypt the Nix volume

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil mount Nix Store

to mount your Nix volume for encrypting

Volume on disk3s7 failed to mount: "SUIS premount dissented"

---- oh no! --------------------------------------------------------------------
Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org
```

Expected behavior

It installs cleanly.

nix-env --version output

zsh: command not found: nix-env

:)

Additional context

No other context comes to mind.

@abathur
Member

abathur commented Jun 14, 2022

What does diskutil info disk3s7 report?

@robertlagrant
Author

Here it is - nothing seems unsharable online:

% diskutil info disk3s7
   Device Identifier:         disk3s7
   Device Node:               /dev/disk3s7
   Whole:                     No
   Part of Whole:             disk3

   Volume Name:               Nix Store
   Mounted:                   No

   Partition Type:            41504653-0000-11AA-AA11-00306543ECAC
   File System Personality:   APFS
   Type (Bundle):             apfs
   Name (User Visible):       APFS
   Owners:                    Disabled

   OS Can Be Installed:       No
   Booter Disk:               disk3s2
   Recovery Disk:             disk3s3
   Media Type:                Generic
   Protocol:                  Apple Fabric
   SMART Status:              Verified
   Volume UUID:               8A444050-6199-4451-B333-823B85DE6EAF
   Disk / Partition UUID:     8A444050-6199-4451-B333-823B85DE6EAF

   Disk Size:                 994.7 GB (994662584320 Bytes) (exactly 1942700360 512-Byte-Units)
   Device Block Size:         4096 Bytes

   Container Total Space:     994.7 GB (994662584320 Bytes) (exactly 1942700360 512-Byte-Units)
   Container Free Space:      909.3 GB (909346447360 Bytes) (exactly 1776067280 512-Byte-Units)

   Media OS Use Only:         No
   Media Read-Only:           No
   Volume Read-Only:          Not applicable (not mounted)

   Device Location:           Internal
   Removable Media:           Fixed

   Solid State:               Yes
   Hardware AES Support:      Yes

   This disk is an APFS Volume.  APFS Information:
   APFS Container:            disk3
   APFS Physical Store:       disk0s2
   Fusion Drive:              No
   FileVault:                 No
   Sealed:                    No
   Locked:                    No

@abathur
Member

abathur commented Jun 15, 2022

Is this an organization laptop? I see some mentions (https://apple.stackexchange.com/questions/221455/ntfs-disk-failed-to-mount#comment528069_304154 https://community.jamf.com/t5/jamf-pro/imac-21-5-inch-late-2013-can-t-mount-drive-in-tdm/td-p/44179) suggesting that this might be a profile thing.

Edit: though I'll be a little disappointed if that is blocking mounting a volume on the internal drive...

@robertlagrant
Author

It is an org laptop. Yes, that is disappointing! Is there any way to get nix to install in another directory? ~/.nix?

@abathur
Member

abathur commented Jun 16, 2022

My rough understanding, having not done this myself:

  1. You can, in theory, download the outer installer, and then download/unpack the inner installer tarball, and modify the script to change the install path. (There may also be some hardcoded paths elsewhere to fix?)

    The bigger problem is that being able to use the cache depends on all installs sharing this path, so (assuming no other hardcoded paths cause trouble) a nonstandard path will at minimum mean building everything locally (or maintaining a shared cache for multiple machines using the same path...).

  2. You can also, in theory, use the system's /etc/synthetic.conf (see man synthetic.conf) to set /nix up as a symlink to some other path on your system. AFAIR, this kinda works, but people have reported some things that will indeed break if you do it this way. If you don't need any of those things, it might be fine?

    It's a bit of a dumpster-fire, but you can open the original read-only-root thread (/nix will not be writable on macOS Catalina #2925) and search for "symlink" there to see reports on how this went for people and where they ran into trouble (you'll have to click "Load more..." several times to see all of the comments).

    The darwin volume-creation code is designed to detect this and try to tug everyone towards standard installs, but at least per the below you should be able to skip that process by invoking the installer like NIX_VOLUME_CREATE=0 sh <(curl...):

    # create by default; set 0 to DIY, use a symlink, etc.
    readonly NIX_VOLUME_CREATE=${NIX_VOLUME_CREATE:-1} # now default

@robertlagrant
Author

robertlagrant commented Jun 17, 2022

@abathur thank you very much for the time taken to give me those pointers. Given this is a work laptop I don't want to dive too deep in, and while I would love to give Nix a try to give my work laptop a reproducible build, I might need to try it at home first and get comfortable.

I'm not sure I should close the issue. Perhaps it could be amended to add an installer check for Catalina+ Apple Macs to tell them to follow some extra steps?

@abathur
Member

abathur commented Jun 17, 2022

> I'm not sure I should close the issue.

Fine to leave it open. Someone else may hit the same.

> Perhaps it could be amended to add an installer check for Catalina+ Apple Macs to tell them to follow some extra steps?

Probably narrower. It would be nice if we could detect the condition and fail clearly. Testing for it would be a little better than just looking for your error message, since those can evolve. If you're willing to play guinea pig, I guess we could see if we can figure something out...

@abathur
Member

abathur commented Jun 17, 2022

It looks like there's a profiles command that might yield interesting info, though it doesn't really do anything without profiles installed.

I'm not sure how verbose and shareable the information will be, but you could try:

profiles status
profiles list
profiles show

They may require sudo to be useful (it sounds like there are separate concepts of user and system profiles?)

@robertlagrant
Author

@abathur thanks - I'll leave it open. I don't want to use my corporate laptop for that purpose, and unfortunately I don't have a Mac as a personal device, so I can't be the guinea pig!

@giovanniberi93

I'm getting the same error message when running the same installation script.

sh <(curl -L https://nixos.org/nix/install) --daemon
and after hitting y/entering sudo password a few times I get:

---- sudo execution ------------------------------------------------------------
I am executing:

    $ sudo /usr/sbin/diskutil mount Nix Store

to mount your Nix volume for encrypting

Password:
Volume on disk3s7 failed to mount: "SUIS premount dissented"

---- oh no! --------------------------------------------------------------------
Oh no, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.

:(

We'd love to help if you need it.

You can open an issue at https://github.com/nixos/nix/issues

Or feel free to contact the team:
 - Matrix: #nix:nixos.org
 - IRC: in #nixos on irc.libera.chat
 - twitter: @nixos_org
 - forum: https://discourse.nixos.org

I also am on a corporate laptop. Was there any progress on this issue?

@abathur
Member

abathur commented Dec 14, 2022

@giovanniberi93 no (but I don't think there is anything we can fix if this is an mdm profile blocking the action--~progress will probably just look like detecting the condition and failing).

I speculated before on how we might test for it:

> It looks like there's a profiles command that might yield interesting info, though it doesn't really do anything without profiles installed.
>
> I'm not sure how verbose and shareable the information will be, but you could try:
>
>     profiles status
>     profiles list
>     profiles show
>
> They may require sudo to be useful (it sounds like there are separate concepts of user and system profiles?)

@giovanniberi93

I've run the same installation script today, and it just worked - after 2 unsuccessful attempts yesterday. That's better for me I guess, but it won't help figuring out what went wrong yesterday.

(Not sure if that's useful in any way, but:

└─ sudo profiles list | grep jamf
Password:
_computerlevel[1] attribute: profileIdentifier: com.jamf.protect.daemon.pppc
_computerlevel[17] attribute: profileIdentifier: com.jamfsoftware.tcc.management
_computerlevel[44] attribute: profileIdentifier: com.jamf.connect.notifications.settings
_computerlevel[46] attribute: profileIdentifier: com.jamf.connect.login.pppc
_computerlevel[48] attribute: profileIdentifier: com.jamf.notifications.settings

I'm just sharing the jamf-related entries as I'm not sure what I'm allowed to share of the other ones; overall, there are 50 system configuration profiles installed)
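
The triage discussed in the comments above, as an added example that is not part of the thread or of the Nix installer: it pairs the mount failure text with a check for installed computer-level configuration profiles, and summarises the profiles in a form that is easier to share. Function names are hypothetical, the sample input is copied from output quoted in this thread, and the link between profiles and the error is the thread's unconfirmed hypothesis.

```shell
#!/bin/sh
# Added example, not Nix installer code. Function names are hypothetical.
# Sample input is copied from output quoted in this thread (the profile
# lines were already filtered through `grep jamf` by the poster).
SAMPLE_MOUNT='Volume on disk3s7 failed to mount: "SUIS premount dissented"'
SAMPLE_PROFILES='_computerlevel[1] attribute: profileIdentifier: com.jamf.protect.daemon.pppc
_computerlevel[17] attribute: profileIdentifier: com.jamfsoftware.tcc.management
_computerlevel[44] attribute: profileIdentifier: com.jamf.connect.notifications.settings
_computerlevel[46] attribute: profileIdentifier: com.jamf.connect.login.pppc
_computerlevel[48] attribute: profileIdentifier: com.jamf.notifications.settings'

# True if diskutil's mount output carries the failure reported in this issue.
is_premount_dissent() {
    printf '%s\n' "$1" | grep -qF 'failed to mount: "SUIS premount dissented"'
}

# Count computer-level profile entries in `profiles list` output (stdin).
count_computer_profiles() {
    awk '/^_computerlevel\[[0-9]+\] attribute: profileIdentifier: /{n++}
         END {print n+0}'
}

# Summarise profiles as "<count> <first two identifier labels>" so the report
# can be shared without listing every full identifier.
profile_vendors() {
    awk -F'profileIdentifier: ' '
        /^_computerlevel\[[0-9]+\] attribute: profileIdentifier: /{
            split($2, p, "."); c[p[1] "." p[2]]++ }
        END { for (v in c) print c[v], v }' | LC_ALL=C sort -k2
}

# Classify one installer run from the two command outputs.
diagnose() {
    if ! is_premount_dissent "$1"; then
        echo "no-dissent"
        return 0
    fi
    n=$(printf '%s\n' "$2" | count_computer_profiles)
    if [ "$n" -gt 0 ]; then
        echo "dissent-managed:$n"
    else
        echo "dissent-unmanaged"
    fi
}

# On an affected Mac, feed in the real outputs instead of the samples:
#   diagnose "$(sudo /usr/sbin/diskutil mount 'Nix Store' 2>&1)" "$(sudo profiles list 2>&1)"
diagnose "$SAMPLE_MOUNT" "$SAMPLE_PROFILES"   # dissent-managed:5
printf '%s\n' "$SAMPLE_PROFILES" | profile_vendors
```

A `dissent-managed` result only says the two observations coincide on that machine; it does not identify which profile, if any, blocked the mount.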

@abathur
Member

abathur commented Dec 15, 2022

@giovanniberi93 Hmm. Glad it worked for you, at least, though it seems to blow up our only good thesis about what causes the error message. (or suggests that the profile enforcement is flaky?)

Do you know how to open a report through Apple Feedback? If so, and if you can give me a feedback number, we can at least reach out to the devrel to see if they can illuminate :)

@farismhmd1

Did anyone get any solution for this issue?
