| <?xml version='1.0'?> <!--*-nxml-*--> |
| <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
| |
| <refentry id="systemd-firstboot" conditional='ENABLE_FIRSTBOOT' |
| xmlns:xi="http://www.w3.org/2001/XInclude"> |
| |
| <refentryinfo> |
| <title>systemd-firstboot</title> |
| <productname>systemd</productname> |
| </refentryinfo> |
| |
| <refmeta> |
| <refentrytitle>systemd-firstboot</refentrytitle> |
| <manvolnum>1</manvolnum> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>systemd-firstboot</refname> |
| <refname>systemd-firstboot.service</refname> |
| <refpurpose>Initialize basic system settings on or before the first boot-up of a system</refpurpose> |
| </refnamediv> |
| |
| <refsynopsisdiv> |
| <cmdsynopsis> |
| <command>systemd-firstboot</command> |
| <arg choice="opt" rep="repeat">OPTIONS</arg> |
| </cmdsynopsis> |
| |
| <para><filename>systemd-firstboot.service</filename></para> |
| </refsynopsisdiv> |
| |
| <refsect1> |
| <title>Description</title> |
| |
| <para><command>systemd-firstboot</command> initializes the most |
| basic system settings interactively on the first boot, or |
| optionally non-interactively when a system image is created. |
| The service is started if <varname>ConditionFirstBoot=yes</varname> |
| is satisfied. This essentially means that <filename>/etc/</filename> |
| is empty, see |
| <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| for details.</para> |
| |
| <para>The following settings may be set up:</para> |
| |
| <itemizedlist> |
| <listitem><para>The system locale, more specifically the two |
| locale variables <varname>LANG=</varname> and |
| <varname>LC_MESSAGES</varname></para></listitem> |
| |
| <listitem><para>The system keyboard map</para></listitem> |
| |
| <listitem><para>The system time zone</para></listitem> |
| |
| <listitem><para>The system hostname</para></listitem> |
| |
| <listitem><para>The machine ID of the system</para></listitem> |
| |
| <listitem><para>The root user's password</para></listitem> |
| </itemizedlist> |
| |
| <para>Each of the fields may either be queried interactively by |
| users, set non-interactively on the tool's command line, or be |
| copied from a host system that is used to set up the system |
| image.</para> |
| |
| <para>If a setting is already initialized, it will not be |
| overwritten and the user will not be prompted for the |
| setting.</para> |
| |
| <para>Note that this tool operates directly on the file system and |
| does not involve any running system services, unlike |
| <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
| or |
| <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. |
| This allows <command>systemd-firstboot</command> to operate on |
| mounted but not booted disk images and in early boot. It is not |
| recommended to use <command>systemd-firstboot</command> on the |
| running system while it is up.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Options</title> |
| |
| <para>The following options are understood:</para> |
| |
| <variablelist> |
| <varlistentry> |
| <term><option>--root=<replaceable>root</replaceable></option></term> |
| <listitem><para>Takes a directory path as an argument. All |
| paths will be prefixed with the given alternate |
| <replaceable>root</replaceable> path, including config search |
| paths. This is useful to operate on a system image mounted to |
| the specified directory instead of the host system itself. |
| </para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--image=<replaceable>path</replaceable></option></term> |
| <listitem><para>Takes a path to a disk image file or block device node. If specified all operations |
| are applied to file system in the indicated disk image. This is similar to <option>--root=</option> |
| but operates on file systems stored in disk images or block devices. The disk image should either |
| contain just a file system or a set of file systems within a GPT partition table, following the |
| <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions |
| Specification</ulink>. For further information on supported disk images, see |
| <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s |
| switch of the same name.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--locale=<replaceable>LOCALE</replaceable></option></term> |
| <term><option>--locale-messages=<replaceable>LOCALE</replaceable></option></term> |
| |
| <listitem><para>Sets the system locale, more specifically the |
| <varname>LANG=</varname> and <varname>LC_MESSAGES</varname> |
| settings. The argument should be a valid locale identifier, |
| such as <literal>de_DE.UTF-8</literal>. This controls the |
| <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| configuration file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--keymap=<replaceable>KEYMAP</replaceable></option></term> |
| |
| <listitem><para>Sets the system keyboard layout. The argument should be a valid keyboard map, |
| such as <literal>de-latin1</literal>. This controls the <literal>KEYMAP</literal> entry in the |
| <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| configuration file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--timezone=<replaceable>TIMEZONE</replaceable></option></term> |
| |
| <listitem><para>Sets the system time zone. The argument should |
| be a valid time zone identifier, such as |
| <literal>Europe/Berlin</literal>. This controls the |
| <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| symlink.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--hostname=<replaceable>HOSTNAME</replaceable></option></term> |
| |
| <listitem><para>Sets the system hostname. The argument should |
| be a hostname, compatible with DNS. This controls the |
| <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| configuration file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--machine-id=<replaceable>ID</replaceable></option></term> |
| |
| <listitem><para>Sets the system's machine ID. This controls |
| the |
| <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term> |
| <term><option>--root-password-file=<replaceable>PATH</replaceable></option></term> |
| <term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term> |
| |
| <listitem><para>Sets the password of the system's root user. This creates/modifies the |
| <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and |
| <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| files. This setting exists in three forms: <option>--root-password=</option> accepts the password to |
| set directly on the command line, <option>--root-password-file=</option> reads it from a file and |
| <option>--root-password-hashed=</option> accepts an already hashed password on the command line. See |
| <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| for more information on the format of the hashed password. Note that it is not recommended to specify |
| plaintext passwords on the command line, as other users might be able to see them simply by invoking |
| <citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. |
| </para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--root-shell=<replaceable>SHELL</replaceable></option></term> |
| |
| <listitem><para>Sets the shell of the system's root user. This creates/modifies the |
| <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--kernel-command-line=<replaceable>CMDLINE</replaceable></option></term> |
| |
| <listitem><para>Sets the system's kernel command line. This controls the |
| <filename>/etc/kernel/cmdline</filename> file which is used by |
| <citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>. |
| </para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--prompt-locale</option></term> |
| <term><option>--prompt-keymap</option></term> |
| <term><option>--prompt-timezone</option></term> |
| <term><option>--prompt-hostname</option></term> |
| <term><option>--prompt-root-password</option></term> |
| <term><option>--prompt-root-shell</option></term> |
| |
| <listitem><para>Prompt the user interactively for a specific |
| basic setting. Note that any explicit configuration settings |
| specified on the command line take precedence, and the user is |
| not prompted for it.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--prompt</option></term> |
| |
| <listitem><para>Query the user for locale, keymap, timezone, hostname, |
| root's password, and root's shell. This is equivalent to specifying |
| <option>--prompt-locale</option>, |
| <option>--prompt-keymap</option>, |
| <option>--prompt-timezone</option>, |
| <option>--prompt-hostname</option>, |
| <option>--prompt-root-password</option>, |
| <option>--prompt-root-shell</option> in combination.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--copy-locale</option></term> |
| <term><option>--copy-keymap</option></term> |
| <term><option>--copy-timezone</option></term> |
| <term><option>--copy-root-password</option></term> |
| <term><option>--copy-root-shell</option></term> |
| |
| <listitem><para>Copy a specific basic setting from the host. |
| This only works in combination with <option>--root=</option> |
| (see above).</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--copy</option></term> |
| |
| <listitem><para>Copy locale, keymap, time zone, root password and shell from the host. This is |
| equivalent to specifying |
| <option>--copy-locale</option>, |
| <option>--copy-keymap</option>, |
| <option>--copy-timezone</option>, |
| <option>--copy-root-password</option>, |
| <option>--copy-root-shell</option> in combination.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--setup-machine-id</option></term> |
| |
| <listitem><para>Initialize the system's machine ID to a random |
| ID. This only works in combination with |
| <option>--root=</option>.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--force</option></term> |
| |
| <listitem><para>systemd-firstboot doesn't modify existing files unless <option>--force</option> |
| is specified. For modifications to <filename>/etc/passwd</filename> and |
| <filename>/etc/shadow</filename>, systemd-firstboot only modifies the entry of the |
| <literal>root</literal> user instead of overwriting the entire file.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--delete-root-password</option></term> |
| |
| <listitem><para>Removes the password of the system's root user, enabling login as root without a |
| password unless the root account is locked. Note that this is extremely insecure and hence this |
| option should not be used lightly.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><option>--welcome=</option></term> |
| |
| <listitem><para>Takes a boolean argument. By default when prompting the user for configuration |
| options a brief welcome text is shown before the first question is asked. Pass false to this option |
| to turn off the welcome text.</para></listitem> |
| </varlistentry> |
| |
| <xi:include href="standard-options.xml" xpointer="help" /> |
| <xi:include href="standard-options.xml" xpointer="version" /> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>Credentials</title> |
| |
| <para><command>systemd-firstboot</command> supports the service credentials logic as implemented by |
| <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see |
| <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for |
| details). The following credentials are used when passed in:</para> |
| |
| <variablelist> |
| <varlistentry> |
| <term><literal>passwd.hashed-password.root</literal></term> |
| <term><literal>passwd.plaintext-password.root</literal></term> |
| |
| <listitem><para>A hashed or plaintext version of the root password to use, in place of prompting the |
| user. These credentials are equivalent to the same ones defined for the |
| <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| service.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><literal>passwd.shell.root</literal></term> |
| |
| <listitem><para>Specifies the shell binary to use for the specified account. |
| Equivalent to the credential of the same name defined for the |
| <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| service.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><literal>firstboot.locale</literal></term> |
| <term><literal>firstboot.locale-messages</literal></term> |
| |
| <listitem><para>These credentials specify the locale settings to set during first boot, in place of |
| prompting the user.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><literal>firstboot.keymap</literal></term> |
| |
| <listitem><para>This credential specifies the keyboard setting to set during first boot, in place of |
| prompting the user.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><literal>firstboot.timezone</literal></term> |
| |
| <listitem><para>This credential specifies the system timezone setting to set during first boot, in |
| place of prompting the user.</para></listitem> |
| </varlistentry> |
| </variablelist> |
| |
| <para>Note that by default the <filename>systemd-firstboot.service</filename> unit file is set up to |
| inherit the listed credentials |
| from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename> |
| for the first time it is possible to configure the root user's password to be <literal>systemd</literal> |
| like this:</para> |
| |
| <para><programlisting># systemd-nspawn --image=… --set-credential=firstboot.locale:de_DE.UTF-8 …</programlisting></para> |
| |
| <para>Note that these credentials are only read and applied during the first boot process. Once they are |
| applied they remain applied for subsequent boots, and the credentials are not considered anymore.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Exit status</title> |
| |
| <para>On success, 0 is returned, a non-zero failure code |
| otherwise.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Kernel Command Line</title> |
| |
| <variablelist class='kernel-commandline-options'> |
| <varlistentry> |
| <term><varname>systemd.firstboot=</varname></term> |
| |
| <listitem><para>Takes a boolean argument, defaults to on. If off, <filename>systemd-firstboot.service</filename> |
| won't interactively query the user for basic settings at first boot, even if those settings are not |
| initialized yet.</para></listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>See Also</title> |
| <para> |
| <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry project='man-pages'><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>localtime</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>hostname</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry project='man-pages'><refentrytitle>localectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>hostnamectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
| </para> |
| </refsect1> |
| |
| </refentry> |