1. Remove the
[`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html)
file or write the string `uninitialized\n` into it. This file is supposed to
- carry a 128bit identifier unique to the system. Only when it is reset it
+ carry a 128-bit identifier unique to the system. Only when it is reset it
will be auto-generated on first boot and thus be truly unique. If this file
is not reset, and carries a valid ID every instance of the system will come
up with the same ID and that will likely lead to problems sooner or later,
as many network-visible identifiers are commonly derived from the machine
- ID, for example IPv6 addresses or transient MAC addresses.
+ ID, for example, IPv6 addresses or transient MAC addresses.
2. Remove the `/var/lib/systemd/random-seed` file (see
[`systemd-random-seed(8)`](https://www.freedesktop.org/software/systemd/man/systemd-random-seed.service.html)),
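Review bot: the "128-bit" and "for example," fixes in this hunk stop short of the grammatical problem in the unchanged line right after the first one, "Only when it is reset it will be auto-generated", which needs inversion: "Only when it is reset will it be auto-generated on first boot and thus be truly unique." The following sentence in the same paragraph also lacks the comma before its main clause: "If this file is not reset and carries a valid ID, every instance of the system will come up with the same ID". Since the hunk already touches this paragraph for punctuation, both could go into the same change.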
image than advisable.
3. Remove the `/loader/random-seed` file (see
- [`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+ [`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html))
from the UEFI System Partition (ESP), in case the `systemd-boot` boot loader
is used in the image.
4. It might also make sense to remove
[`/etc/hostname`](https://www.freedesktop.org/software/systemd/man/hostname.html)
and
- [`/etc/machine-info`][`systemd-random-seed(8)`](https://www.freedesktop.org/software/systemd/man/machine-info.html)
+ [`/etc/machine-info`](https://www.freedesktop.org/software/systemd/man/machine-info.html)
which carry additional identifying information about the OS image.
+5. Remove `/var/lib/systemd/credential.secret` which is used for protecting
+ service credentials, see
+ [`systemd.exec(5)`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Credentials)
+ and
+ [`systemd-creds(1)`](https://www.freedesktop.org/software/systemd/man/systemd-creds.html)
+ for details. Note that by removing this file access to previously encrypted
+ credentials from this image is lost. The file is automatically generated if
+ a new credential is encrypted and the file does not exist yet.
+
## Boot Menu Entry Identifiers
The
[`kernel-install(8)`](https://www.freedesktop.org/software/systemd/man/kernel-install.html)
-logic used to generate [Boot Loader Specification Type
-1](https://systemd.io/BOOT_LOADER_SPECIFICATION) entries by default uses the
-machine ID as stored in `/etc/machine-id` for naming boot menu entries and the
-directories in the ESP to place kernel images in. This is done in order to
-allow multiple installations of the same OS on the same system without
-conflicts. However, this is problematic if the machine ID shall be generated
-automatically on first boot: if the ID is not known before the first boot it
-cannot be used to name the most basic resources required for the boot process
-to complete.
+logic used to generate
+[Boot Loader Specification Type #1](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-1-boot-loader-specification-entries)
+entries by default uses the machine ID as stored in `/etc/machine-id` for
+naming boot menu entries and the directories in the ESP to place kernel images
+in. This is done in order to allow multiple installations of the same OS on the
+same system without conflicts. However, this is problematic if the machine ID
+shall be generated automatically on first boot: if the ID is not known before
+the first boot it cannot be used to name the most basic resources required for
+the boot process to complete.
Thus, for images that shall acquire their identity on first boot only, it is
required to use a different identifier for naming boot menu entries. To allow
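Review bot: the new item 5 about `/var/lib/systemd/credential.secret` does not say why the file must not be shipped, whereas items 1 to 3 each state the consequence of leaving the file in place. Given that the item itself describes the file as what protects service credentials, one sentence such as "If it is shipped in the image, every instance starts with the same secret, so credentials encrypted on one instance are readable on all of them" would make the security rationale explicit and match the style of the other items. Also, "Note that by removing this file access to previously encrypted credentials from this image is lost" needs a comma after "this file", or better, "Note that removing this file makes credentials previously encrypted on this image unreadable."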
resources of the OS. If not configured explicitly it defaults to the machine
ID. The file `/etc/kernel/entry-token` may be used to configure this string
explicitly. Thus, golden image builders should write a suitable identifier into
-this file, for example the `IMAGE_ID=` or `ID=` field from
+this file, for example, the `IMAGE_ID=` or `ID=` field from
[`/etc/os-release`](https://www.freedesktop.org/software/systemd/man/os-release.html)
(also see below). It is recommended to do this before the `kernel-install`
functionality is invoked (i.e. before the package manager is used to install
Specifically, the following mechanisms are in place:
-1. The `swich-root` logic in systemd, that is used to switch from the initrd
+1. The `switch-root` logic in systemd, that is used to switch from the initrd
phase to the host will create the basic OS hierarchy skeleton if missing. It
will create a couple of directories strictly necessary to boot up
successfully, plus essential symlinks (such as those necessary for the
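Review bot: with the `switch-root` typo fixed, the surrounding sentence "The `switch-root` logic in systemd, that is used to switch from the initrd phase to the host will create the basic OS hierarchy skeleton" still has an unclosed relative clause; either make it non-restrictive with "which" and a closing comma ("..., which is used to switch from the initrd phase to the host, will create ...") or drop the opening comma and keep "that". Style only.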
4. The
[`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.service.html)
- will component automatically populate `/etc/passwd` and `/etc/group` on
+ component will automatically populate `/etc/passwd` and `/etc/group` on
first boot with further necessary system users.
5. The
using available space. Specifically:
1. Additional partitions should be created, that make no sense to ship
- pre-built in the image. For example `/tmp/` or `/home/` partitions, or even
+ pre-built in the image. For example, `/tmp/` or `/home/` partitions, or even
`/var/` or the root file system (see above).
2. Additional partitions should be created that shall function as A/B
in. The `x-systemd.growfs` mount option in `/etc/fstab` is sufficient to
enable this logic for specific mounts. Alternatively appropriately set up
partitions can set GPT partition flag 59 to request this behaviour, see the
- [Discoverable Partitions
- Specification](https://systemd.io/DISCOVERABLE_PARTITIONS) for details. If
- the file system is already grown it executes no operation.
+ [Discoverable Partitions Specification](https://uapi-group.org/specifications/specs/discoverable_partitions_specification)
+ for details. If the file system is already grown it executes no operation.
3. Similar, the `systemd-makefs@.service` and `systemd-makeswap@.service`
services can format file systems and swap spaces before first use, if they
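Review bot: two grammar points in this hunk's unchanged context lines, worth folding in since the hunk already edits the same list for a comma: "Similar, the `systemd-makefs@.service`" should read "Similarly, the `systemd-makefs@.service`", and "Alternatively appropriately set up partitions can set GPT partition flag 59" needs a comma after "Alternatively".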
## Links
-[`machine-id(5)`](https://www.freedesktop.org/software/systemd/man/machine-id.html)
-[`systemd-random-seed(8)`](https://www.freedesktop.org/software/systemd/man/systemd-random-seed.service.html)
-[`os-release(5)`](https://www.freedesktop.org/software/systemd/man/os-release.html)
-[Boot Loader Specification](https://systemd.io/BOOT_LOADER_SPECIFICATION)<br>
-[Discoverable Partitions Specification](https://systemd.io/DISCOVERABLE_PARTITIONS)<br>
-[`mkosi`](https://github.com/systemd/mkosi)
+[`machine-id(5)`](https://www.freedesktop.org/software/systemd/man/machine-id.html)<br>
+[`systemd-random-seed(8)`](https://www.freedesktop.org/software/systemd/man/systemd-random-seed.service.html)<br>
+[`os-release(5)`](https://www.freedesktop.org/software/systemd/man/os-release.html)<br>
+[Boot Loader Specification](https://uapi-group.org/specifications/specs/boot_loader_specification)<br>
+[Discoverable Partitions Specification](https://uapi-group.org/specifications/specs/discoverable_partitions_specification)<br>
+[`mkosi`](https://github.com/systemd/mkosi)<br>
[`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)<br>
-[`systemd-repart(8)`](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html)
-[`systemd-growfs@(8).service`](https://www.freedesktop.org/software/systemd/man/systemd-growfs.html)
+[`systemd-repart(8)`](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html)<br>
+[`systemd-growfs@(8).service`](https://www.freedesktop.org/software/systemd/man/systemd-growfs.html)<br>
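Review bot: the Links section gains `<br>` line breaks but not the two man pages this same patch newly cites in item 5, `systemd.exec(5)` and `systemd-creds(1)`; add them here for consistency with the other cited pages. While touching the last line, `systemd-growfs@(8).service` puts the section number inside the unit name; the conventional form, matching the other entries in this list, is `systemd-growfs@.service(8)`. If this entry is the last line of the section, the trailing `<br>` added to it produces a stray line break and could be dropped.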