Commit | Line | Data |
---|---|---|
30f10abf | 1 | <?xml version='1.0'?> <!--*-nxml-*--> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
30f10abf | 5 | |
efd51554 | 6 | <refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT' |
798d3a52 ZJS |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | ||
9 | <refentryinfo> | |
10 | <title>systemd-firstboot</title> | |
11 | <productname>systemd</productname> | |
798d3a52 ZJS |
12 | </refentryinfo> |
13 | ||
14 | <refmeta> | |
15 | <refentrytitle>systemd-firstboot</refentrytitle> | |
16 | <manvolnum>1</manvolnum> | |
17 | </refmeta> | |
18 | ||
19 | <refnamediv> | |
20 | <refname>systemd-firstboot</refname> | |
21 | <refname>systemd-firstboot.service</refname> | |
22 | <refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose> | |
23 | </refnamediv> | |
24 | ||
25 | <refsynopsisdiv> | |
26 | <cmdsynopsis> | |
27 | <command>systemd-firstboot</command> | |
28 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
29 | </cmdsynopsis> | |
30 | ||
31 | <para><filename>systemd-firstboot.service</filename></para> | |
32 | </refsynopsisdiv> | |
33 | ||
34 | <refsect1> | |
35 | <title>Description</title> | |
36 | ||
37 | <para><command>systemd-firstboot</command> initializes the most | |
38 | basic system settings interactively on the first boot, or | |
c954f332 ZJS |
39 | optionally non-interactively when a system image is created. |
40 | The service is started if <varname>ConditionFirstBoot=yes</varname> | |
3b121157 | 41 | is satisfied. This essentially means that <filename>/etc/</filename> |
c954f332 ZJS |
42 | is empty, see |
43 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
44 | for details.</para> | |
45 | ||
46 | <para>The following settings may be set up:</para> | |
798d3a52 ZJS |
47 | |
48 | <itemizedlist> | |
49 | <listitem><para>The system locale, more specifically the two | |
50 | locale variables <varname>LANG=</varname> and | |
51 | <varname>LC_MESSAGES</varname></para></listitem> | |
52 | ||
ed457f13 TB |
53 | <listitem><para>The system keyboard map</para></listitem> |
54 | ||
798d3a52 ZJS |
55 | <listitem><para>The system time zone</para></listitem> |
56 | ||
38b38500 | 57 | <listitem><para>The system hostname</para></listitem> |
798d3a52 ZJS |
58 | |
59 | <listitem><para>The machine ID of the system</para></listitem> | |
60 | ||
61 | <listitem><para>The root user's password</para></listitem> | |
62 | </itemizedlist> | |
63 | ||
a8eaaee7 JE |
64 | <para>Each of the fields may either be queried interactively by |
65 | users, set non-interactively on the tool's command line, or be | |
798d3a52 ZJS |
66 | copied from a host system that is used to set up the system |
67 | image.</para> | |
68 | ||
b938cb90 | 69 | <para>If a setting is already initialized, it will not be |
798d3a52 ZJS |
70 | overwritten and the user will not be prompted for the |
71 | setting.</para> | |
72 | ||
73 | <para>Note that this tool operates directly on the file system and | |
74 | does not involve any running system services, unlike | |
3ba3a79d | 75 | <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
76 | <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
77 | or | |
78 | <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
79 | This allows <command>systemd-firstboot</command> to operate on | |
80 | mounted but not booted disk images and in early boot. It is not | |
81 | recommended to use <command>systemd-firstboot</command> on the | |
82 | running system while it is up.</para> | |
83 | </refsect1> | |
84 | ||
85 | <refsect1> | |
86 | <title>Options</title> | |
87 | ||
88 | <para>The following options are understood:</para> | |
89 | ||
90 | <variablelist> | |
91 | <varlistentry> | |
92 | <term><option>--root=<replaceable>root</replaceable></option></term> | |
93 | <listitem><para>Takes a directory path as an argument. All | |
94 | paths will be prefixed with the given alternate | |
95 | <replaceable>root</replaceable> path, including config search | |
96 | paths. This is useful to operate on a system image mounted to | |
97 | the specified directory instead of the host system itself. | |
98 | </para></listitem> | |
99 | </varlistentry> | |
100 | ||
dcfdd621 LP |
101 | <varlistentry> |
102 | <term><option>--image=<replaceable>path</replaceable></option></term> | |
103 | <listitem><para>Takes a path to a disk image file or block device node. If specified, all operations | |
104 | are applied to the file system in the indicated disk image. This is similar to <option>--root=</option> | |
105 | but operates on file systems stored in disk images or block devices. The disk image should either | |
106 | contain just a file system or a set of file systems within a GPT partition table, following the | |
db811444 | 107 | <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions |
dcfdd621 LP |
108 | Specification</ulink>. For further information on supported disk images, see |
109 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
110 | switch of the same name.</para></listitem> | |
111 | </varlistentry> | |
112 | ||
798d3a52 ZJS |
113 | <varlistentry> |
114 | <term><option>--locale=<replaceable>LOCALE</replaceable></option></term> | |
115 | <term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term> | |
116 | ||
117 | <listitem><para>Sets the system locale, more specifically the | |
118 | <varname>LANG=</varname> and <varname>LC_MESSAGES</varname> | |
119 | settings. The argument should be a valid locale identifier, | |
120 | such as <literal>de_DE.UTF-8</literal>. This controls the | |
3ba3a79d | 121 | <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
798d3a52 ZJS |
122 | configuration file.</para></listitem> |
123 | </varlistentry> | |
124 | ||
ed457f13 TB |
125 | <varlistentry> |
126 | <term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term> | |
127 | ||
128 | <listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map, | |
129 | such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the | |
130 | <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
131 | configuration file.</para></listitem> | |
132 | </varlistentry> | |
133 | ||
798d3a52 ZJS |
134 | <varlistentry> |
135 | <term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term> | |
136 | ||
137 | <listitem><para>Sets the system time zone. The argument should | |
138 | be a valid time zone identifier, such as | |
139 | <literal>Europe/Berlin</literal>. This controls the | |
140 | <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
141 | symlink.</para></listitem> | |
142 | </varlistentry> | |
143 | ||
144 | <varlistentry> | |
145 | <term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term> | |
146 | ||
147 | <listitem><para>Sets the system hostname. The argument should | |
38b38500 | 148 | be a hostname, compatible with DNS. This controls the |
798d3a52 ZJS |
149 | <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
150 | configuration file.</para></listitem> | |
151 | </varlistentry> | |
152 | ||
153 | <varlistentry> | |
154 | <term><option>--machine-id=<replaceable>ID</replaceable></option></term> | |
155 | ||
156 | <listitem><para>Sets the system's machine ID. This controls | |
157 | the | |
158 | <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
159 | file.</para></listitem> | |
160 | </varlistentry> | |
161 | ||
162 | <varlistentry> | |
163 | <term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term> | |
164 | <term><option>--root-password-file=<replaceable>PATH</replaceable></option></term> | |
676339a1 | 165 | <term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term> |
798d3a52 | 166 | |
c4a53ebf DDM |
167 | <listitem><para>Sets the password of the system's root user. This creates/modifies the |
168 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and | |
3ba3a79d | 169 | <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
c4a53ebf | 170 | files. This setting exists in three forms: <option>--root-password=</option> accepts the password to |
676339a1 DDM |
171 | set directly on the command line, <option>--root-password-file=</option> reads it from a file and |
172 | <option>--root-password-hashed=</option> accepts an already hashed password on the command line. See | |
173 | <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
174 | for more information on the format of the hashed password. Note that it is not recommended to specify | |
175 | plaintext passwords on the command line, as other users might be able to see them simply by invoking | |
176 | <citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
177 | </para></listitem> | |
798d3a52 ZJS |
178 | </varlistentry> |
179 | ||
28900a1b DDM |
180 | <varlistentry> |
181 | <term><option>--root-shell=<replaceable>SHELL</replaceable></option></term> | |
182 | ||
183 | <listitem><para>Sets the shell of the system's root user. This creates/modifies the | |
184 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
185 | file.</para></listitem> | |
186 | </varlistentry> | |
187 | ||
a5925354 DDM |
188 | <varlistentry> |
189 | <term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term> | |
190 | ||
191 | <listitem><para>Sets the system's kernel command line. This controls the | |
192 | <filename>/etc/kernel/cmdline</filename> file which is used by | |
193 | <citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
194 | </para></listitem> | |
195 | </varlistentry> | |
196 | ||
798d3a52 ZJS |
197 | <varlistentry> |
198 | <term><option>--prompt-locale</option></term> | |
ed457f13 | 199 | <term><option>--prompt-keymap</option></term> |
798d3a52 ZJS |
200 | <term><option>--prompt-timezone</option></term> |
201 | <term><option>--prompt-hostname</option></term> | |
202 | <term><option>--prompt-root-password</option></term> | |
28900a1b | 203 | <term><option>--prompt-root-shell</option></term> |
798d3a52 ZJS |
204 | |
205 | <listitem><para>Prompt the user interactively for a specific | |
206 | basic setting. Note that any explicit configuration settings | |
207 | specified on the command line take precedence, and the user is | |
208 | not prompted for it.</para></listitem> | |
209 | </varlistentry> | |
210 | ||
211 | <varlistentry> | |
212 | <term><option>--prompt</option></term> | |
213 | ||
885a4e6c ZJS |
214 | <listitem><para>Query the user for locale, keymap, timezone, hostname, |
215 | root's password, and root's shell. This is equivalent to specifying | |
798d3a52 | 216 | <option>--prompt-locale</option>, |
ed457f13 | 217 | <option>--prompt-keymap</option>, |
798d3a52 ZJS |
218 | <option>--prompt-timezone</option>, |
219 | <option>--prompt-hostname</option>, | |
28900a1b DDM |
220 | <option>--prompt-root-password</option>, |
221 | <option>--prompt-root-shell</option> in combination.</para> | |
798d3a52 ZJS |
222 | </listitem> |
223 | </varlistentry> | |
224 | ||
225 | <varlistentry> | |
226 | <term><option>--copy-locale</option></term> | |
ed457f13 | 227 | <term><option>--copy-keymap</option></term> |
798d3a52 ZJS |
228 | <term><option>--copy-timezone</option></term> |
229 | <term><option>--copy-root-password</option></term> | |
28900a1b | 230 | <term><option>--copy-root-shell</option></term> |
798d3a52 ZJS |
231 | |
232 | <listitem><para>Copy a specific basic setting from the host. | |
233 | This only works in combination with <option>--root=</option> | |
234 | (see above).</para></listitem> | |
235 | </varlistentry> | |
236 | ||
237 | <varlistentry> | |
238 | <term><option>--copy</option></term> | |
239 | ||
75909cc7 ZJS |
240 | <listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is |
241 | equivalent to specifying | |
798d3a52 | 242 | <option>--copy-locale</option>, |
ed457f13 | 243 | <option>--copy-keymap</option>, |
798d3a52 | 244 | <option>--copy-timezone</option>, |
28900a1b DDM |
245 | <option>--copy-root-password</option>, |
246 | <option>--copy-root-shell</option> in combination.</para> | |
798d3a52 ZJS |
247 | </listitem> |
248 | </varlistentry> | |
249 | ||
250 | <varlistentry> | |
251 | <term><option>--setup-machine-id</option></term> | |
252 | ||
253 | <listitem><para>Initialize the system's machine ID to a random | |
254 | ID. This only works in combination with | |
255 | <option>--root=</option>.</para></listitem> | |
256 | </varlistentry> | |
257 | ||
b4909a3f DDM |
258 | <varlistentry> |
259 | <term><option>--force</option></term> | |
260 | ||
261 | <listitem><para>systemd-firstboot doesn't modify existing files unless <option>--force</option> | |
262 | is specified. For modifications to <filename>/etc/passwd</filename> and | |
263 | <filename>/etc/shadow</filename>, systemd-firstboot only modifies the entry of the | |
264 | <literal>root</literal> user instead of overwriting the entire file.</para></listitem> | |
265 | </varlistentry> | |
266 | ||
4926ceaf DDM |
267 | <varlistentry> |
268 | <term><option>--delete-root-password</option></term> | |
269 | ||
270 | <listitem><para>Removes the password of the system's root user, enabling login as root without a | |
271 | password unless the root account is locked. Note that this is extremely insecure and hence this | |
272 | option should not be used lightly.</para></listitem> | |
273 | </varlistentry> | |
274 | ||
a1225020 LP |
275 | <varlistentry> |
276 | <term><option>--welcome=</option></term> | |
277 | ||
278 | <listitem><para>Takes a boolean argument. By default when prompting the user for configuration | |
279 | options a brief welcome text is shown before the first question is asked. Pass false to this option | |
280 | to turn off the welcome text.</para></listitem> | |
281 | </varlistentry> | |
282 | ||
798d3a52 ZJS |
283 | <xi:include href="standard-options.xml" xpointer="help" /> |
284 | <xi:include href="standard-options.xml" xpointer="version" /> | |
285 | </variablelist> | |
416f7b3a LP |
286 | </refsect1> |
287 | ||
288 | <refsect1> | |
289 | <title>Credentials</title> | |
290 | ||
291 | <para><command>systemd-firstboot</command> supports the service credentials logic as implemented by | |
292 | <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see | |
293 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
294 | details). The following credentials are used when passed in:</para> | |
295 | ||
296 | <variablelist> | |
297 | <varlistentry> | |
298 | <term><literal>passwd.hashed-password.root</literal></term> | |
299 | <term><literal>passwd.plaintext-password.root</literal></term> | |
300 | ||
301 | <listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the | |
302 | user. These credentials are equivalent to the same ones defined for the | |
303 | <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
304 | service.</para></listitem> | |
305 | </varlistentry> | |
306 | ||
307 | <varlistentry> | |
308 | <term><literal>passwd.shell.root</literal></term> | |
309 | ||
be0d27ee | 310 | <listitem><para>Specifies the shell binary to use for the specified account. |
3d62af7d | 311 | Equivalent to the credential of the same name defined for the |
416f7b3a LP |
312 | <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
313 | service.</para></listitem> | |
314 | </varlistentry> | |
315 | ||
316 | <varlistentry> | |
317 | <term><literal>firstboot.locale</literal></term> | |
318 | <term><literal>firstboot.locale-messages</literal></term> | |
319 | ||
320 | <listitem><para>These credentials specify the locale settings to set during first boot, in place of | |
321 | prompting the user.</para></listitem> | |
322 | </varlistentry> | |
323 | ||
324 | <varlistentry> | |
325 | <term><literal>firstboot.keymap</literal></term> | |
326 | ||
327 | <listitem><para>This credential specifies the keyboard setting to set during first boot, in place of | |
328 | prompting the user.</para></listitem> | |
329 | </varlistentry> | |
330 | ||
331 | <varlistentry> | |
332 | <term><literal>firstboot.timezone</literal></term> | |
333 | ||
334 | <listitem><para>This credential specifies the system timezone setting to set during first boot, in | |
335 | place of prompting the user.</para></listitem> | |
336 | </varlistentry> | |
337 | </variablelist> | |
338 | ||
339 | <para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to | |
340 | inherit the listed credentials | |
341 | from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename> | |
342 | for the first time it is possible to configure the root user's password to be <literal>systemd</literal> | |
343 | like this:</para> | |
344 | ||
345 | <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.plaintext-password.root:systemd …</programlisting></para> | |
798d3a52 | 346 | |
416f7b3a LP |
347 | <para>Note that these credentials are only read and applied during the first boot process. Once they are |
348 | applied they remain applied for subsequent boots, and the credentials are not considered anymore.</para> | |
798d3a52 ZJS |
349 | </refsect1> |
350 | ||
351 | <refsect1> | |
352 | <title>Exit status</title> | |
353 | ||
354 | <para>On success, 0 is returned, a non-zero failure code | |
355 | otherwise.</para> | |
356 | </refsect1> | |
357 | ||
f582cbca LP |
358 | <refsect1> |
359 | <title>Kernel Command Line</title> | |
360 | ||
361 | <variablelist class='kernel-commandline-options'> | |
362 | <varlistentry> | |
363 | <term><varname>systemd.firstboot=</varname></term> | |
364 | ||
6b3d3783 ZJS |
365 | <listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename> |
366 | won't interactively query the user for basic settings at first boot, even if those settings are not | |
f582cbca LP |
367 | initialized yet.</para></listitem> |
368 | </varlistentry> | |
369 | </variablelist> | |
370 | </refsect1> | |
371 | ||
798d3a52 ZJS |
372 | <refsect1> |
373 | <title>See Also</title> | |
374 | <para> | |
375 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
3ba3a79d | 376 | <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
ed457f13 | 377 | <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
798d3a52 ZJS |
378 | <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
379 | <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
380 | <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
3ba3a79d | 381 | <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
798d3a52 | 382 | <citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
3ba3a79d | 383 | <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
384 | <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
385 | <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
386 | </para> | |
387 | </refsect1> | |
30f10abf LP |
388 | |
389 | </refentry> |
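
An added example, not part of the systemd documentation: a POSIX shell check that an image build can run on the directory it passed to `--root=`, to confirm that the root entry ended up hashed or locked rather than empty (the state `--delete-root-password` leaves behind). The function names and the `sample_root` helper with its constructed passwd/shadow lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how root can authenticate in an image tree, i.e. the
# directory that was passed to systemd-firstboot --root=.

# Print field 2 of the root entry in FILE, or "<none>" when there is no entry.
root_field() {
    awk -F: '$1 == "root" { print $2; found = 1; exit }
             END { if (!found) print "<none>" }' "$1"
}

# Map a passwd/shadow password field to a state name.
classify_pw() {
    case "$1" in
        "<none>")    echo no-root-entry ;;
        "")          echo empty ;;     # login as root without a password
        "!"*|"*"*)   echo locked ;;    # not a valid crypt(3) result
        '$'?*'$'?*)  echo hashed ;;    # "$id$..." form described in shadow(5)
        *)           echo other ;;
    esac
}

# The passwd field wins unless it is "x", which defers to /etc/shadow.
root_password_state() {
    rps_root=$1
    [ -f "$rps_root/etc/passwd" ] || { echo no-passwd; return 0; }
    rps_pw=$(root_field "$rps_root/etc/passwd")
    if [ "$rps_pw" = x ]; then
        [ -f "$rps_root/etc/shadow" ] || { echo no-shadow; return 0; }
        rps_pw=$(root_field "$rps_root/etc/shadow")
    fi
    classify_pw "$rps_pw"
}

# Build gate: succeed only when root has a hashed or a locked password.
check_image_root() {
    cir_state=$(root_password_state "$1")
    case "$cir_state" in
        hashed|locked) echo "ok: root password is $cir_state"; return 0 ;;
        *) echo "FAIL: root password state is '$cir_state' in $1" >&2
           return 1 ;;
    esac
}

# Constructed sample data: a passwd/shadow pair under DIR whose root shadow
# password field is the second argument.
sample_root() {
    mkdir -p "$1/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
    printf 'root:%s:19000:0:99999:7:::\n' "$2" > "$1/etc/shadow"
}

# Stand-alone use: pass the image root directory as the only argument.
if [ "$#" -gt 0 ]; then
    check_image_root "$1"
fi
```
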