tree-wide: BLS and DPS are now on uapi-group website

[thirdparty/systemd.git] / man / systemd-firstboot.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-firstboot</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-firstboot</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-firstboot</refname>
    <refname>systemd-firstboot.service</refname>
    <refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-firstboot</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
    </cmdsynopsis>

    <para><filename>systemd-firstboot.service</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-firstboot</command> initializes the most
    basic system settings interactively on the first boot, or
    optionally non-interactively when a system image is created.
    The service is started if <varname>ConditionFirstBoot=yes</varname>
    is satisfied. This essentially means that <filename>/etc/</filename>
    is empty, see
    <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    for details.</para>

    <para>The following settings may be set up:</para>

    <itemizedlist>
      <listitem><para>The system locale, more specifically the two
      locale variables <varname>LANG=</varname> and
      <varname>LC_MESSAGES</varname></para></listitem>

      <listitem><para>The system keyboard map</para></listitem>

      <listitem><para>The system time zone</para></listitem>

      <listitem><para>The system hostname</para></listitem>

      <listitem><para>The machine ID of the system</para></listitem>

      <listitem><para>The root user's password</para></listitem>
    </itemizedlist>

    <para>Each of the fields may either be queried interactively by
    users, set non-interactively on the tool's command line, or be
    copied from a host system that is used to set up the system
    image.</para>

    <para>If a setting is already initialized, it will not be
    overwritten and the user will not be prompted for the
    setting.</para>

    <para>Note that this tool operates directly on the file system and
    does not involve any running system services, unlike
    <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    or
    <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    This allows <command>systemd-firstboot</command> to operate on
    mounted but not booted disk images and in early boot. It is not
    recommended to use <command>systemd-firstboot</command> on the
    running system while it is up.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--root=<replaceable>root</replaceable></option></term>
        <listitem><para>Takes a directory path as an argument. All
        paths will be prefixed with the given alternate
        <replaceable>root</replaceable> path, including config search
        paths. This is useful to operate on a system image mounted to
        the specified directory instead of the host system itself.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--image=<replaceable>path</replaceable></option></term>
        <listitem><para>Takes a path to a disk image file or block device node. If specified all operations
        are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
        but operates on file systems stored in disk images or block devices. The disk image should either
        contain just a file system or a set of file systems within a GPT partition table, following the
        <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
        Specification</ulink>. For further information on supported disk images, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
        switch of the same name.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--locale=<replaceable>LOCALE</replaceable></option></term>
        <term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term>

        <listitem><para>Sets the system locale, more specifically the
        <varname>LANG=</varname> and <varname>LC_MESSAGES</varname>
        settings. The argument should be a valid locale identifier,
        such as <literal>de_DE.UTF-8</literal>. This controls the
        <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term>

        <listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map,
        such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the
        <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term>

        <listitem><para>Sets the system time zone. The argument should
        be a valid time zone identifier, such as
        <literal>Europe/Berlin</literal>. This controls the
        <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        symlink.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term>

        <listitem><para>Sets the system hostname. The argument should
        be a hostname, compatible with DNS. This controls the
        <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--machine-id=<replaceable>ID</replaceable></option></term>

        <listitem><para>Sets the system's machine ID. This controls
        the
        <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term>
        <term><option>--root-password-file=<replaceable>PATH</replaceable></option></term>
        <term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term>

        <listitem><para>Sets the password of the system's root user. This creates/modifies the
        <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
        <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        files. This setting exists in three forms: <option>--root-password=</option> accepts the password to
        set directly on the command line, <option>--root-password-file=</option> reads it from a file and
        <option>--root-password-hashed=</option> accepts an already hashed password on the command line. See
        <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        for more information on the format of the hashed password. Note that it is not recommended to specify
        plaintext passwords on the command line, as other users might be able to see them simply by invoking
        <citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--root-shell=<replaceable>SHELL</replaceable></option></term>

        <listitem><para>Sets the shell of the system's root user. This creates/modifies the
        <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term>

        <listitem><para>Sets the system's kernel command line. This controls the
        <filename>/etc/kernel/cmdline</filename> file which is used by
        <citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--prompt-locale</option></term>
        <term><option>--prompt-keymap</option></term>
        <term><option>--prompt-timezone</option></term>
        <term><option>--prompt-hostname</option></term>
        <term><option>--prompt-root-password</option></term>
        <term><option>--prompt-root-shell</option></term>

        <listitem><para>Prompt the user interactively for a specific
        basic setting. Note that any explicit configuration settings
        specified on the command line take precedence, and the user is
        not prompted for it.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--prompt</option></term>

        <listitem><para>Query the user for locale, keymap, timezone, hostname,
        root's password, and root's shell. This is equivalent to specifying
        <option>--prompt-locale</option>,
        <option>--prompt-keymap</option>,
        <option>--prompt-timezone</option>,
        <option>--prompt-hostname</option>,
        <option>--prompt-root-password</option>,
        <option>--prompt-root-shell</option> in combination.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--copy-locale</option></term>
        <term><option>--copy-keymap</option></term>
        <term><option>--copy-timezone</option></term>
        <term><option>--copy-root-password</option></term>
        <term><option>--copy-root-shell</option></term>

        <listitem><para>Copy a specific basic setting from the host.
        This only works in combination with <option>--root=</option>
        (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--copy</option></term>

        <listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is
        equivalent to specifying
        <option>--copy-locale</option>,
        <option>--copy-keymap</option>,
        <option>--copy-timezone</option>,
        <option>--copy-root-password</option>,
        <option>--copy-root-shell</option> in combination.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--setup-machine-id</option></term>

        <listitem><para>Initialize the system's machine ID to a random
        ID. This only works in combination with
        <option>--root=</option>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--force</option></term>

        <listitem><para>systemd-firstboot doesn't modify existing files unless <option>--force</option>
        is specified. For modifications to <filename>/etc/passwd</filename> and
        <filename>/etc/shadow</filename>, systemd-firstboot only modifies the entry of the
        <literal>root</literal> user instead of overwriting the entire file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--delete-root-password</option></term>

        <listitem><para>Removes the password of the system's root user, enabling login as root without a
        password unless the root account is locked. Note that this is extremely insecure and hence this
        option should not be used lightly.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--welcome=</option></term>

        <listitem><para>Takes a boolean argument. By default when prompting the user for configuration
        options a brief welcome text is shown before the first question is asked. Pass false to this option
        to turn off the welcome text.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Credentials</title>

    <para><command>systemd-firstboot</command> supports the service credentials logic as implemented by
    <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see
    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
    details). The following credentials are used when passed in:</para>

    <variablelist>
      <varlistentry>
        <term><literal>passwd.hashed-password.root</literal></term>
        <term><literal>passwd.plaintext-password.root</literal></term>

        <listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the
        user. These credentials are equivalent to the same ones defined for the
        <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        service.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>passwd.shell.root</literal></term>

        <listitem><para>Specifies the shell binary to use for the specified account.
        Equivalent to the credential of the same name defined for the
        <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        service.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>firstboot.locale</literal></term>
        <term><literal>firstboot.locale-messages</literal></term>

        <listitem><para>These credentials specify the locale settings to set during first boot, in place of
        prompting the user.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>firstboot.keymap</literal></term>

        <listitem><para>This credential specifies the keyboard setting to set during first boot, in place of
        prompting the user.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><literal>firstboot.timezone</literal></term>

        <listitem><para>This credential specifies the system timezone setting to set during first boot, in
        place of prompting the user.</para></listitem>
      </varlistentry>
    </variablelist>

    <para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to
    inherit the listed credentials
    from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
    for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
    like this:</para>

    <para><programlisting># systemd-nspawn --image=… --set-credential=firstboot.locale:de_DE.UTF-8 …</programlisting></para>

    <para>Note that these credentials are only read and applied during the first boot process. Once they are
    applied they remain applied for subsequent boots, and the credentials are not considered anymore.</para>
  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code
    otherwise.</para>
  </refsect1>

  <refsect1>
    <title>Kernel Command Line</title>

    <variablelist class='kernel-commandline-options'>
      <varlistentry>
        <term><varname>systemd.firstboot=</varname></term>

        <listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename>
        won't interactively query the user for basic settings at first boot, even if those settings are not
        initialized yet.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>