mirror of
https://github.com/systemd/systemd
synced 2024-11-05 18:25:39 +00:00
eb47031694
The intro of systemd-firstboot is rewritten to make it clearer how it fits into the big picture. Systemd does some machine-id and presets and systemd-firstboot.service is used to interactively fill in the blanks. Closes #22225.
473 lines
22 KiB
XML
473 lines
22 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT'
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
|
|
<refentryinfo>
|
|
<title>systemd-firstboot</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>systemd-firstboot</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>systemd-firstboot</refname>
|
|
<refname>systemd-firstboot.service</refname>
|
|
<refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>systemd-firstboot</command>
|
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
|
</cmdsynopsis>
|
|
|
|
<para><filename>systemd-firstboot.service</filename></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The <command>systemd-firstboot.service</command> unit is one of the units which are used to
|
|
initialize the machine configuration during "First Boot", i.e. when the system is freshly installed or
|
|
after a factory reset. The
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> manager
|
|
itself will initialize
|
|
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> and preset
|
|
all units, enabling or disabling them according to the
|
|
<citerefentry><refentrytitle>systemd.preset</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
settings. <filename>systemd-firstboot.service</filename> is started later to interactively initialize
|
|
basic system configuration. It is started only if <varname>ConditionFirstBoot=yes</varname> is met, which
|
|
essentially means that <filename>/etc/</filename> is unpopulated, see
|
|
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
|
details. System credentials may be used to inject configuration; those settings are not queried
|
|
interactively.</para>
|
|
|
|
<para>The <command>systemd-firstboot</command> command can also be used to non-interactively initialize
|
|
an offline system image.</para>
|
|
|
|
<para>The following settings may be configured:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>The machine ID of the system</para></listitem>
|
|
|
|
<listitem><para>The system locale, more specifically the two
|
|
locale variables <varname>LANG=</varname> and
|
|
<varname>LC_MESSAGES</varname></para></listitem>
|
|
|
|
<listitem><para>The system keyboard map</para></listitem>
|
|
|
|
<listitem><para>The system time zone</para></listitem>
|
|
|
|
<listitem><para>The system hostname</para></listitem>
|
|
|
|
<listitem><para>The kernel command line used when installing kernel images</para></listitem>
|
|
|
|
<listitem><para>The root user's password and shell</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Each of the fields may either be queried interactively by
|
|
users, set non-interactively on the tool's command line, or be
|
|
copied from a host system that is used to set up the system
|
|
image.</para>
|
|
|
|
<para>If a setting is already initialized, it will not be
|
|
overwritten and the user will not be prompted for the
|
|
setting.</para>
|
|
|
|
<para>Note that this tool operates directly on the file system and
|
|
does not involve any running system services, unlike
|
|
<citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
or
|
|
<citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
|
This allows <command>systemd-firstboot</command> to operate on
|
|
mounted but not booted disk images and in early boot. It is not
|
|
recommended to use <command>systemd-firstboot</command> on the
|
|
running system after it has been set up.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The following options are understood:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>--root=<replaceable>root</replaceable></option></term>
|
|
<listitem><para>Takes a directory path as an argument. All
|
|
paths will be prefixed with the given alternate
|
|
<replaceable>root</replaceable> path, including config search
|
|
paths. This is useful to operate on a system image mounted to
|
|
the specified directory instead of the host system itself.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--image=<replaceable>path</replaceable></option></term>
|
|
<listitem><para>Takes a path to a disk image file or block device node. If specified all operations
|
|
are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
|
|
but operates on file systems stored in disk images or block devices. The disk image should either
|
|
contain just a file system or a set of file systems within a GPT partition table, following the
|
|
<ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
|
Specification</ulink>. For further information on supported disk images, see
|
|
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
|
switch of the same name.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--locale=<replaceable>LOCALE</replaceable></option></term>
|
|
<term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the system locale, more specifically the
|
|
<varname>LANG=</varname> and <varname>LC_MESSAGES</varname>
|
|
settings. The argument should be a valid locale identifier,
|
|
such as <literal>de_DE.UTF-8</literal>. This controls the
|
|
<citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
configuration file.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map,
|
|
such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the
|
|
<citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
configuration file.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v236"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the system time zone. The argument should
|
|
be a valid time zone identifier, such as
|
|
<literal>Europe/Berlin</literal>. This controls the
|
|
<citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
symlink.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the system hostname. The argument should
|
|
be a hostname, compatible with DNS. This controls the
|
|
<citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
configuration file.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--setup-machine-id</option></term>
|
|
|
|
<listitem><para>Initialize the system's machine ID to a random ID. This controls the
|
|
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> file.
|
|
</para>
|
|
|
|
<para>This option only works in combination with <option>--root=</option> or
|
|
<option>--image=</option>. On a running system, <filename>machine-id</filename> is written by the
|
|
manager with help from
|
|
<citerefentry><refentrytitle>systemd-machine-id-commit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--machine-id=<replaceable>ID</replaceable></option></term>
|
|
|
|
<listitem><para>Set the system's machine ID to the specified value. The same restrictions apply
|
|
as to <option>--setup-machine-id</option>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term>
|
|
<term><option>--root-password-file=<replaceable>PATH</replaceable></option></term>
|
|
<term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the password of the system's root user. This creates/modifies the
|
|
<citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
|
|
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
files. This setting exists in three forms: <option>--root-password=</option> accepts the password to
|
|
set directly on the command line, <option>--root-password-file=</option> reads it from a file and
|
|
<option>--root-password-hashed=</option> accepts an already hashed password on the command line. See
|
|
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for more information on the format of the hashed password. Note that it is not recommended to specify
|
|
plaintext passwords on the command line, as other users might be able to see them simply by invoking
|
|
<citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--root-shell=<replaceable>SHELL</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the shell of the system's root user. This creates/modifies the
|
|
<citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
file.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term>
|
|
|
|
<listitem><para>Sets the system's kernel command line. This controls the
|
|
<filename>/etc/kernel/cmdline</filename> file which is used by
|
|
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--prompt-locale</option></term>
|
|
<term><option>--prompt-keymap</option></term>
|
|
<term><option>--prompt-timezone</option></term>
|
|
<term><option>--prompt-hostname</option></term>
|
|
<term><option>--prompt-root-password</option></term>
|
|
<term><option>--prompt-root-shell</option></term>
|
|
|
|
<listitem><para>Prompt the user interactively for a specific
|
|
basic setting. Note that any explicit configuration settings
|
|
specified on the command line take precedence, and the user is
|
|
not prompted for it.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--prompt</option></term>
|
|
|
|
<listitem><para>Query the user for locale, keymap, timezone, hostname,
|
|
root's password, and root's shell. This is equivalent to specifying
|
|
<option>--prompt-locale</option>,
|
|
<option>--prompt-keymap</option>,
|
|
<option>--prompt-timezone</option>,
|
|
<option>--prompt-hostname</option>,
|
|
<option>--prompt-root-password</option>,
|
|
<option>--prompt-root-shell</option> in combination.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--copy-locale</option></term>
|
|
<term><option>--copy-keymap</option></term>
|
|
<term><option>--copy-timezone</option></term>
|
|
<term><option>--copy-root-password</option></term>
|
|
<term><option>--copy-root-shell</option></term>
|
|
|
|
<listitem><para>Copy a specific basic setting from the host.
|
|
This only works in combination with <option>--root=</option> or <option>--image=</option>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--copy</option></term>
|
|
|
|
<listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is
|
|
equivalent to specifying
|
|
<option>--copy-locale</option>,
|
|
<option>--copy-keymap</option>,
|
|
<option>--copy-timezone</option>,
|
|
<option>--copy-root-password</option>,
|
|
<option>--copy-root-shell</option> in combination.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v216"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--force</option></term>
|
|
|
|
<listitem><para>Write configuration even if the relevant files already exist. Without this option,
|
|
<command>systemd-firstboot</command> doesn't modify or replace existing files. Note that when
|
|
configuring the root account, even with this option, <command>systemd-firstboot</command> only
|
|
modifies the entry of the <literal>root</literal> user, leaving other entries in
|
|
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> intact.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--reset</option></term>
|
|
|
|
<listitem><para>If specified, all existing files that are configured by
|
|
<command>systemd-firstboot</command> are removed. Note that the files are removed regardless of
|
|
whether they'll be configured with a new value or not. This operation ensures that the next boot of
|
|
the image will be considered a first boot, and <command>systemd-firstboot</command> will prompt again
|
|
to configure each of the removed files.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--delete-root-password</option></term>
|
|
|
|
<listitem><para>Removes the password of the system's root user, enabling login as root without a
|
|
password unless the root account is locked. Note that this is extremely insecure and hence this
|
|
option should not be used lightly.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--welcome=</option></term>
|
|
|
|
<listitem><para>Takes a boolean argument. By default when prompting the user for configuration
|
|
options a brief welcome text is shown before the first question is asked. Pass false to this option
|
|
to turn off the welcome text.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v246"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="help" />
|
|
<xi:include href="standard-options.xml" xpointer="version" />
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Credentials</title>
|
|
|
|
<para><command>systemd-firstboot</command> supports the service credentials logic as implemented by
|
|
<varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
|
|
(see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
|
details). The following credentials are used when passed in:</para>
|
|
|
|
<variablelist class='system-credentials'>
|
|
<varlistentry>
|
|
<term><varname>passwd.hashed-password.root</varname></term>
|
|
<term><varname>passwd.plaintext-password.root</varname></term>
|
|
|
|
<listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the
|
|
user. These credentials are equivalent to the same ones defined for the
|
|
<citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
service.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>passwd.shell.root</varname></term>
|
|
|
|
<listitem><para>Specifies the shell binary to use for the specified account.
|
|
Equivalent to the credential of the same name defined for the
|
|
<citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
service.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>firstboot.locale</varname></term>
|
|
<term><varname>firstboot.locale-messages</varname></term>
|
|
|
|
<listitem><para>These credentials specify the locale settings to set during first boot, in place of
|
|
prompting the user.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>firstboot.keymap</varname></term>
|
|
|
|
<listitem><para>This credential specifies the keyboard setting to set during first boot, in place of
|
|
prompting the user.</para>
|
|
|
|
<para>Note the relationship to the <varname>vconsole.keymap</varname> credential understood by
|
|
<citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>:
|
|
both ultimately affect the same setting, but <varname>firstboot.keymap</varname> is written into
|
|
<filename>/etc/vconsole.conf</filename> on first boot (if not already configured), and then read from
|
|
there by <command>systemd-vconsole-setup</command>, while <varname>vconsole.keymap</varname> is read
|
|
on every boot, and is not persisted to disk (but any configuration in
|
|
<filename>vconsole.conf</filename> will take precedence if present).</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>firstboot.timezone</varname></term>
|
|
|
|
<listitem><para>This credential specifies the system timezone setting to set during first boot, in
|
|
place of prompting the user.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to
|
|
inherit the listed credentials
|
|
from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
|
|
for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
|
|
like this:</para>
|
|
|
|
<para><programlisting># systemd-nspawn --image=… --set-credential=firstboot.locale:de_DE.UTF-8 …</programlisting></para>
|
|
|
|
<para>Note that these credentials are only read and applied during the first boot. Once they are applied
|
|
they remain applied for subsequent boots, and the credentials are not considered anymore.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Exit status</title>
|
|
|
|
<para>On success, 0 is returned, a non-zero failure code
|
|
otherwise.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Kernel Command Line</title>
|
|
|
|
<variablelist class='kernel-commandline-options'>
|
|
<varlistentry>
|
|
<term><varname>systemd.firstboot=</varname></term>
|
|
|
|
<listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename>
|
|
won't interactively query the user for basic settings at first boot, even if those settings are not
|
|
initialized yet.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para><simplelist type="inline">
|
|
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
</simplelist></para>
|
|
</refsect1>
|
|
|
|
</refentry>
|