systemd/man/systemd-firstboot.xml
Zbigniew Jędrzejewski-Szmek eb47031694 man: mention that preset-all is performed during early boot
The intro of systemd-firstboot is rewritten to make it clearer how it fits into
the big picture. Systemd does some machine-id and presets and
systemd-firstboot.service is used to interactively fill in the blanks.

Closes #22225.
2024-02-08 20:36:44 +01:00

473 lines
22 KiB
XML

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-firstboot</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>systemd-firstboot</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-firstboot</refname>
<refname>systemd-firstboot.service</refname>
<refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>systemd-firstboot</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
</cmdsynopsis>
<para><filename>systemd-firstboot.service</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The <command>systemd-firstboot.service</command> unit is one of the units which are used to
initialize the machine configuration during "First Boot", i.e. when the system is freshly installed or
after a factory reset. The
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> manager
itself will initialize
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> and preset
all units, enabling or disabling them according to the
<citerefentry><refentrytitle>systemd.preset</refentrytitle><manvolnum>5</manvolnum></citerefentry>
settings. <filename>systemd-firstboot.service</filename> is started later to interactively initialize
basic system configuration. It is started only if <varname>ConditionFirstBoot=yes</varname> is met, which
essentially means that <filename>/etc/</filename> is unpopulated, see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details. System credentials may be used to inject configuration; those settings are not queried
interactively.</para>
<para>The <command>systemd-firstboot</command> command can also be used to non-interactively initialize
an offline system image.</para>
<para>The following settings may be configured:</para>
<itemizedlist>
<listitem><para>The machine ID of the system</para></listitem>
<listitem><para>The system locale, more specifically the two
locale variables <varname>LANG=</varname> and
<varname>LC_MESSAGES</varname></para></listitem>
<listitem><para>The system keyboard map</para></listitem>
<listitem><para>The system time zone</para></listitem>
<listitem><para>The system hostname</para></listitem>
<listitem><para>The kernel command line used when installing kernel images</para></listitem>
<listitem><para>The root user's password and shell</para></listitem>
</itemizedlist>
<para>Each of the fields may either be queried interactively by
users, set non-interactively on the tool's command line, or be
copied from a host system that is used to set up the system
image.</para>
<para>If a setting is already initialized, it will not be
overwritten and the user will not be prompted for the
setting.</para>
<para>Note that this tool operates directly on the file system and
does not involve any running system services, unlike
<citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
or
<citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
This allows <command>systemd-firstboot</command> to operate on
mounted but not booted disk images and in early boot. It is not
recommended to use <command>systemd-firstboot</command> on the
running system after it has been set up.</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--root=<replaceable>root</replaceable></option></term>
<listitem><para>Takes a directory path as an argument. All
paths will be prefixed with the given alternate
<replaceable>root</replaceable> path, including config search
paths. This is useful to operate on a system image mounted to
the specified directory instead of the host system itself.
</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--image=<replaceable>path</replaceable></option></term>
<listitem><para>Takes a path to a disk image file or block device node. If specified all operations
are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
but operates on file systems stored in disk images or block devices. The disk image should either
contain just a file system or a set of file systems within a GPT partition table, following the
<ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
Specification</ulink>. For further information on supported disk images, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
switch of the same name.</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--locale=<replaceable>LOCALE</replaceable></option></term>
<term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term>
<listitem><para>Sets the system locale, more specifically the
<varname>LANG=</varname> and <varname>LC_MESSAGES</varname>
settings. The argument should be a valid locale identifier,
such as <literal>de_DE.UTF-8</literal>. This controls the
<citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
configuration file.</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term>
<listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map,
such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the
<citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
configuration file.</para>
<xi:include href="version-info.xml" xpointer="v236"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term>
<listitem><para>Sets the system time zone. The argument should
be a valid time zone identifier, such as
<literal>Europe/Berlin</literal>. This controls the
<citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>
symlink.</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term>
<listitem><para>Sets the system hostname. The argument should
be a hostname, compatible with DNS. This controls the
<citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>
configuration file.</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--setup-machine-id</option></term>
<listitem><para>Initialize the system's machine ID to a random ID. This controls the
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> file.
</para>
<para>This option only works in combination with <option>--root=</option> or
<option>--image=</option>. On a running system, <filename>machine-id</filename> is written by the
manager with help from
<citerefentry><refentrytitle>systemd-machine-id-commit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--machine-id=<replaceable>ID</replaceable></option></term>
<listitem><para>Set the system's machine ID to the specified value. The same restrictions apply
as to <option>--setup-machine-id</option>.</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term>
<term><option>--root-password-file=<replaceable>PATH</replaceable></option></term>
<term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term>
<listitem><para>Sets the password of the system's root user. This creates/modifies the
<citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
files. This setting exists in three forms: <option>--root-password=</option> accepts the password to
set directly on the command line, <option>--root-password-file=</option> reads it from a file and
<option>--root-password-hashed=</option> accepts an already hashed password on the command line. See
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the format of the hashed password. Note that it is not recommended to specify
plaintext passwords on the command line, as other users might be able to see them simply by invoking
<citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--root-shell=<replaceable>SHELL</replaceable></option></term>
<listitem><para>Sets the shell of the system's root user. This creates/modifies the
<citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
file.</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term>
<listitem><para>Sets the system's kernel command line. This controls the
<filename>/etc/kernel/cmdline</filename> file which is used by
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--prompt-locale</option></term>
<term><option>--prompt-keymap</option></term>
<term><option>--prompt-timezone</option></term>
<term><option>--prompt-hostname</option></term>
<term><option>--prompt-root-password</option></term>
<term><option>--prompt-root-shell</option></term>
<listitem><para>Prompt the user interactively for a specific
basic setting. Note that any explicit configuration settings
specified on the command line take precedence, and the user is
not prompted for it.</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--prompt</option></term>
<listitem><para>Query the user for locale, keymap, timezone, hostname,
root's password, and root's shell. This is equivalent to specifying
<option>--prompt-locale</option>,
<option>--prompt-keymap</option>,
<option>--prompt-timezone</option>,
<option>--prompt-hostname</option>,
<option>--prompt-root-password</option>,
<option>--prompt-root-shell</option> in combination.</para>
<xi:include href="version-info.xml" xpointer="v216"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--copy-locale</option></term>
<term><option>--copy-keymap</option></term>
<term><option>--copy-timezone</option></term>
<term><option>--copy-root-password</option></term>
<term><option>--copy-root-shell</option></term>
<listitem><para>Copy a specific basic setting from the host.
This only works in combination with <option>--root=</option> or <option>--image=</option>.
</para>
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--copy</option></term>
<listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is
equivalent to specifying
<option>--copy-locale</option>,
<option>--copy-keymap</option>,
<option>--copy-timezone</option>,
<option>--copy-root-password</option>,
<option>--copy-root-shell</option> in combination.</para>
<xi:include href="version-info.xml" xpointer="v216"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--force</option></term>
<listitem><para>Write configuration even if the relevant files already exist. Without this option,
<command>systemd-firstboot</command> doesn't modify or replace existing files. Note that when
configuring the root account, even with this option, <command>systemd-firstboot</command> only
modifies the entry of the <literal>root</literal> user, leaving other entries in
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> intact.</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--reset</option></term>
<listitem><para>If specified, all existing files that are configured by
<command>systemd-firstboot</command> are removed. Note that the files are removed regardless of
whether they'll be configured with a new value or not. This operation ensures that the next boot of
the image will be considered a first boot, and <command>systemd-firstboot</command> will prompt again
to configure each of the removed files.</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--delete-root-password</option></term>
<listitem><para>Removes the password of the system's root user, enabling login as root without a
password unless the root account is locked. Note that this is extremely insecure and hence this
option should not be used lightly.</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--welcome=</option></term>
<listitem><para>Takes a boolean argument. By default when prompting the user for configuration
options a brief welcome text is shown before the first question is asked. Pass false to this option
to turn off the welcome text.</para>
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
</refsect1>
<refsect1>
<title>Credentials</title>
<para><command>systemd-firstboot</command> supports the service credentials logic as implemented by
<varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
(see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details). The following credentials are used when passed in:</para>
<variablelist class='system-credentials'>
<varlistentry>
<term><varname>passwd.hashed-password.root</varname></term>
<term><varname>passwd.plaintext-password.root</varname></term>
<listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the
user. These credentials are equivalent to the same ones defined for the
<citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service.</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>passwd.shell.root</varname></term>
<listitem><para>Specifies the shell binary to use for the specified account.
Equivalent to the credential of the same name defined for the
<citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service.</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>firstboot.locale</varname></term>
<term><varname>firstboot.locale-messages</varname></term>
<listitem><para>These credentials specify the locale settings to set during first boot, in place of
prompting the user.</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>firstboot.keymap</varname></term>
<listitem><para>This credential specifies the keyboard setting to set during first boot, in place of
prompting the user.</para>
<para>Note the relationship to the <varname>vconsole.keymap</varname> credential understood by
<citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>:
both ultimately affect the same setting, but <varname>firstboot.keymap</varname> is written into
<filename>/etc/vconsole.conf</filename> on first boot (if not already configured), and then read from
there by <command>systemd-vconsole-setup</command>, while <varname>vconsole.keymap</varname> is read
on every boot, and is not persisted to disk (but any configuration in
<filename>vconsole.conf</filename> will take precedence if present).</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>firstboot.timezone</varname></term>
<listitem><para>This credential specifies the system timezone setting to set during first boot, in
place of prompting the user.</para>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
</variablelist>
<para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to
inherit the listed credentials
from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
like this:</para>
<para><programlisting># systemd-nspawn --image=… --set-credential=firstboot.locale:de_DE.UTF-8 …</programlisting></para>
<para>Note that these credentials are only read and applied during the first boot. Once they are applied
they remain applied for subsequent boots, and the credentials are not considered anymore.</para>
</refsect1>
<refsect1>
<title>Exit status</title>
<para>On success, 0 is returned, a non-zero failure code
otherwise.</para>
</refsect1>
<refsect1>
<title>Kernel Command Line</title>
<variablelist class='kernel-commandline-options'>
<varlistentry>
<term><varname>systemd.firstboot=</varname></term>
<listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename>
won't interactively query the user for basic settings at first boot, even if those settings are not
initialized yet.</para>
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>