journal: Serialize __MONOTONIC_TIMESTAMP metadata field as well

[thirdparty/systemd.git] / man / systemd-firstboot.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-firstboot</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-firstboot</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-firstboot</refname>
    <refname>systemd-firstboot.service</refname>
    <refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-firstboot</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
    </cmdsynopsis>

    <para><filename>systemd-firstboot.service</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The <command>systemd-firstboot.service</command> unit is one of the units which are used to
    initialize the machine configuration during "First Boot", i.e. when the system is freshly installed or
    after a factory reset. The
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> manager
    itself will initialize
    <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> and preset
    all units, enabling or disabling them according to the
    <citerefentry><refentrytitle>systemd.preset</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    settings. <filename>systemd-firstboot.service</filename> is started later to interactively initialize
    basic system configuration. It is started only if <varname>ConditionFirstBoot=yes</varname> is met, which
    essentially means that <filename>/etc/</filename> is unpopulated, see
    <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
    details. System credentials may be used to inject configuration; those settings are not queried
    interactively.</para>

    <para>The <command>systemd-firstboot</command> command can also be used to non-interactively initialize
    an offline system image.</para>

    <para>The following settings may be configured:</para>

    <itemizedlist>
      <listitem><para>The machine ID of the system</para></listitem>

      <listitem><para>The system locale, more specifically the two
      locale variables <varname>LANG=</varname> and
      <varname>LC_MESSAGES</varname></para></listitem>

      <listitem><para>The system keyboard map</para></listitem>

      <listitem><para>The system time zone</para></listitem>

      <listitem><para>The system hostname</para></listitem>

      <listitem><para>The kernel command line used when installing kernel images</para></listitem>

      <listitem><para>The root user's password and shell</para></listitem>
    </itemizedlist>

    <para>Each of the fields may either be queried interactively by
    users, set non-interactively on the tool's command line, or be
    copied from a host system that is used to set up the system
    image.</para>

    <para>If a setting is already initialized, it will not be
    overwritten and the user will not be prompted for the
    setting.</para>

    <para>Note that this tool operates directly on the file system and
    does not involve any running system services, unlike
    <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    or
    <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    This allows <command>systemd-firstboot</command> to operate on
    mounted but not booted disk images and in early boot. It is not
    recommended to use <command>systemd-firstboot</command> on the
    running system after it has been set up.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--root=<replaceable>root</replaceable></option></term>
        <listitem><para>Takes a directory path as an argument. All
        paths will be prefixed with the given alternate
        <replaceable>root</replaceable> path, including config search
        paths. This is useful to operate on a system image mounted to
        the specified directory instead of the host system itself.
        </para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--image=<replaceable>path</replaceable></option></term>
        <listitem><para>Takes a path to a disk image file or block device node. If specified all operations
        are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
        but operates on file systems stored in disk images or block devices. The disk image should either
        contain just a file system or a set of file systems within a GPT partition table, following the
        <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
        Specification</ulink>. For further information on supported disk images, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
        switch of the same name.</para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--locale=<replaceable>LOCALE</replaceable></option></term>
        <term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term>

        <listitem><para>Sets the system locale, more specifically the
        <varname>LANG=</varname> and <varname>LC_MESSAGES</varname>
        settings. The argument should be a valid locale identifier,
        such as <literal>de_DE.UTF-8</literal>. This controls the
        <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term>

        <listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map,
        such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the
        <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para>

        <xi:include href="version-info.xml" xpointer="v236"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term>

        <listitem><para>Sets the system time zone. The argument should
        be a valid time zone identifier, such as
        <literal>Europe/Berlin</literal>. This controls the
        <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        symlink.</para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term>

        <listitem><para>Sets the system hostname. The argument should
        be a hostname, compatible with DNS. This controls the
        <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        configuration file.</para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--setup-machine-id</option></term>

        <listitem><para>Initialize the system's machine ID to a random ID. This controls the
        <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> file.
        </para>

        <para>This option only works in combination with <option>--root=</option> or
        <option>--image=</option>. On a running system, <filename>machine-id</filename> is written by the
        manager with help from
        <citerefentry><refentrytitle>systemd-machine-id-commit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--machine-id=<replaceable>ID</replaceable></option></term>

        <listitem><para>Set the system's machine ID to the specified value. The same restrictions apply
        as to <option>--setup-machine-id</option>.</para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term>
        <term><option>--root-password-file=<replaceable>PATH</replaceable></option></term>
        <term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term>

        <listitem><para>Sets the password of the system's root user. This creates/modifies the
        <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
        <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        files. This setting exists in three forms: <option>--root-password=</option> accepts the password to
        set directly on the command line, <option>--root-password-file=</option> reads it from a file and
        <option>--root-password-hashed=</option> accepts an already hashed password on the command line. See
        <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        for more information on the format of the hashed password. Note that it is not recommended to specify
        plaintext passwords on the command line, as other users might be able to see them simply by invoking
        <citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--root-shell=<replaceable>SHELL</replaceable></option></term>

        <listitem><para>Sets the shell of the system's root user. This creates/modifies the
        <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        file.</para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term>

        <listitem><para>Sets the system's kernel command line. This controls the
        <filename>/etc/kernel/cmdline</filename> file which is used by
        <citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--prompt-locale</option></term>
        <term><option>--prompt-keymap</option></term>
        <term><option>--prompt-timezone</option></term>
        <term><option>--prompt-hostname</option></term>
        <term><option>--prompt-root-password</option></term>
        <term><option>--prompt-root-shell</option></term>

        <listitem><para>Prompt the user interactively for a specific
        basic setting. Note that any explicit configuration settings
        specified on the command line take precedence, and the user is
        not prompted for it.</para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--prompt</option></term>

        <listitem><para>Query the user for locale, keymap, timezone, hostname,
        root's password, and root's shell. This is equivalent to specifying
        <option>--prompt-locale</option>,
        <option>--prompt-keymap</option>,
        <option>--prompt-timezone</option>,
        <option>--prompt-hostname</option>,
        <option>--prompt-root-password</option>,
        <option>--prompt-root-shell</option> in combination.</para>

        <xi:include href="version-info.xml" xpointer="v216"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--copy-locale</option></term>
        <term><option>--copy-keymap</option></term>
        <term><option>--copy-timezone</option></term>
        <term><option>--copy-root-password</option></term>
        <term><option>--copy-root-shell</option></term>

        <listitem><para>Copy a specific basic setting from the host.
        This only works in combination with <option>--root=</option> or <option>--image=</option>.
        </para>

        <xi:include href="version-info.xml" xpointer="v216"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--copy</option></term>

        <listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is
        equivalent to specifying
        <option>--copy-locale</option>,
        <option>--copy-keymap</option>,
        <option>--copy-timezone</option>,
        <option>--copy-root-password</option>,
        <option>--copy-root-shell</option> in combination.</para>

        <xi:include href="version-info.xml" xpointer="v216"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--force</option></term>

        <listitem><para>Write configuration even if the relevant files already exist. Without this option,
        <command>systemd-firstboot</command> doesn't modify or replace existing files. Note that when
        configuring the root account, even with this option, <command>systemd-firstboot</command> only
        modifies the entry of the <literal>root</literal> user, leaving other entries in
        <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> intact.</para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--reset</option></term>

        <listitem><para>If specified, all existing files that are configured by
        <command>systemd-firstboot</command> are removed. Note that the files are removed regardless of
        whether they'll be configured with a new value or not. This operation ensures that the next boot of
        the image will be considered a first boot, and <command>systemd-firstboot</command> will prompt again
        to configure each of the removed files.</para>

        <xi:include href="version-info.xml" xpointer="v254"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--delete-root-password</option></term>

        <listitem><para>Removes the password of the system's root user, enabling login as root without a
        password unless the root account is locked. Note that this is extremely insecure and hence this
        option should not be used lightly.</para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--welcome=</option></term>

        <listitem><para>Takes a boolean argument. By default when prompting the user for configuration
        options a brief welcome text is shown before the first question is asked. Pass false to this option
        to turn off the welcome text.</para>

        <xi:include href="version-info.xml" xpointer="v246"/></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Credentials</title>

    <para><command>systemd-firstboot</command> supports the service credentials logic as implemented by
    <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
    (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
    details). The following credentials are used when passed in:</para>

    <variablelist class='system-credentials'>
      <varlistentry>
        <term><varname>passwd.hashed-password.root</varname></term>
        <term><varname>passwd.plaintext-password.root</varname></term>

        <listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the
        user. These credentials are equivalent to the same ones defined for the
        <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        service.</para>

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>passwd.shell.root</varname></term>

        <listitem><para>Specifies the shell binary to use for the specified account.
        Equivalent to the credential of the same name defined for the
        <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        service.</para>

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.locale</varname></term>
        <term><varname>firstboot.locale-messages</varname></term>

        <listitem><para>These credentials specify the locale settings to set during first boot, in place of
        prompting the user.</para>

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.keymap</varname></term>

        <listitem><para>This credential specifies the keyboard setting to set during first boot, in place of
        prompting the user.</para>

        <para>Note the relationship to the <varname>vconsole.keymap</varname> credential understood by
        <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>:
        both ultimately affect the same setting, but <varname>firstboot.keymap</varname> is written into
        <filename>/etc/vconsole.conf</filename> on first boot (if not already configured), and then read from
        there by <command>systemd-vconsole-setup</command>, while <varname>vconsole.keymap</varname> is read
        on every boot, and is not persisted to disk (but any configuration in
        <filename>vconsole.conf</filename> will take precedence if present).</para>

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.timezone</varname></term>

        <listitem><para>This credential specifies the system timezone setting to set during first boot, in
        place of prompting the user.</para>

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
    </variablelist>

    <para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to
    inherit the listed credentials
    from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
    for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
    like this:</para>

    <para><programlisting># systemd-nspawn --image=… --set-credential=firstboot.locale:de_DE.UTF-8 …</programlisting></para>

    <para>Note that these credentials are only read and applied during the first boot. Once they are applied
    they remain applied for subsequent boots, and the credentials are not considered anymore.</para>
  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code
    otherwise.</para>
  </refsect1>

  <refsect1>
    <title>Kernel Command Line</title>

    <variablelist class='kernel-commandline-options'>
      <varlistentry>
        <term><varname>systemd.firstboot=</varname></term>

        <listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename>
        won't interactively query the user for basic settings at first boot, even if those settings are not
        initialized yet.</para>

        <xi:include href="version-info.xml" xpointer="v233"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>