systemd-firstboot(1) — Linux manual page


SYSTEMD-FIRSTBOOT(1)        systemd-firstboot       SYSTEMD-FIRSTBOOT(1)

NAME         top

       systemd-firstboot, systemd-firstboot.service - Initialize basic
       system settings on or before the first boot-up of a system

SYNOPSIS         top

       systemd-firstboot [OPTIONS...]


DESCRIPTION         top

       systemd-firstboot initializes the most basic system settings
       interactively on the first boot, or optionally non-interactively
       when a system image is created. The service is started if
       ConditionFirstBoot=yes is satisfied. This essentially means that
       /etc/ is empty, see systemd.unit(5) for details.

       The following settings may be set up:

       •   The system locale, more specifically the two locale variables
           LANG= and LC_MESSAGES

       •   The system keyboard map

       •   The system time zone

       •   The system hostname

       •   The machine ID of the system

       •   The root user's password

       Each of the fields may either be queried interactively by users,
       set non-interactively on the tool's command line, or be copied
       from a host system that is used to set up the system image.

       If a setting is already initialized, it will not be overwritten
       and the user will not be prompted for the setting.

       Note that this tool operates directly on the file system and does
       not involve any running system services, unlike localectl(1),
       timedatectl(1) or hostnamectl(1). This allows systemd-firstboot
       to operate on mounted but not booted disk images and in early
       boot. It is not recommended to use systemd-firstboot on the
       running system while it is up.

OPTIONS         top

       The following options are understood:

           Takes a directory path as an argument. All paths will be
           prefixed with the given alternate root path, including config
           search paths. This is useful to operate on a system image
           mounted to the specified directory instead of the host system

           Takes a path to a disk image file or block device node. If
           specified all operations are applied to file system in the
           indicated disk image. This is similar to --root= but operates
           on file systems stored in disk images or block devices. The
           disk image should either contain just a file system or a set
           of file systems within a GPT partition table, following the
           Discoverable Partitions Specification[1]. For further
           information on supported disk images, see systemd-nspawn(1)'s
           switch of the same name.

       --locale=LOCALE, --locale-messages=LOCALE
           Sets the system locale, more specifically the LANG= and
           LC_MESSAGES settings. The argument should be a valid locale
           identifier, such as "de_DE.UTF-8". This controls the
           locale.conf(5) configuration file.

           Sets the system keyboard layout. The argument should be a
           valid keyboard map, such as "de-latin1". This controls the
           "KEYMAP" entry in the vconsole.conf(5) configuration file.

           Sets the system time zone. The argument should be a valid
           time zone identifier, such as "Europe/Berlin". This controls
           the localtime(5) symlink.

           Sets the system hostname. The argument should be a hostname,
           compatible with DNS. This controls the hostname(5)
           configuration file.

           Sets the system's machine ID. This controls the machine-id(5)

       --root-password=PASSWORD, --root-password-file=PATH,
           Sets the password of the system's root user. This
           creates/modifies the passwd(5) and shadow(5) files. This
           setting exists in three forms: --root-password= accepts the
           password to set directly on the command line,
           --root-password-file= reads it from a file and
           --root-password-hashed= accepts an already hashed password on
           the command line. See shadow(5) for more information on the
           format of the hashed password. Note that it is not
           recommended to specify plaintext passwords on the command
           line, as other users might be able to see them simply by
           invoking ps(1).

           Sets the shell of the system's root user. This
           creates/modifies the passwd(5) file.

           Sets the system's kernel command line. This controls the
           /etc/kernel/cmdline file which is used by kernel-install(8).

       --prompt-locale, --prompt-keymap, --prompt-timezone,
       --prompt-hostname, --prompt-root-password, --prompt-root-shell
           Prompt the user interactively for a specific basic setting.
           Note that any explicit configuration settings specified on
           the command line take precedence, and the user is not
           prompted for it.

           Query the user for locale, keymap, timezone, hostname, root's
           password, and root's shell. This is equivalent to specifying
           --prompt-locale, --prompt-keymap, --prompt-timezone,
           --prompt-hostname, --prompt-root-password,
           --prompt-root-shell in combination.

       --copy-locale, --copy-keymap, --copy-timezone,
       --copy-root-password, --copy-root-shell
           Copy a specific basic setting from the host. This only works
           in combination with --root= (see above).

           Copy locale, keymap, time zone, root password and shell from
           the host. This is equivalent to specifying --copy-locale,
           --copy-keymap, --copy-timezone, --copy-root-password,
           --copy-root-shell in combination.

           Initialize the system's machine ID to a random ID. This only
           works in combination with --root=.

           systemd-firstboot doesn't modify existing files unless
           --force is specified. For modifications to /etc/passwd and
           /etc/shadow, systemd-firstboot only modifies the entry of the
           "root" user instead of overwriting the entire file.

           Removes the password of the system's root user, enabling
           login as root without a password unless the root account is
           locked. Note that this is extremely insecure and hence this
           option should not be used lightly.

           Takes a boolean argument. By default when prompting the user
           for configuration options a brief welcome text is shown
           before the first question is asked. Pass false to this option
           to turn off the welcome text.

       -h, --help
           Print a short help text and exit.

           Print a short version string and exit.

CREDENTIALS         top

       systemd-firstboot supports the service credentials logic as
       implemented by LoadCredential=/SetCredential= (see
       systemd.exec(1) for details). The following credentials are used
       when passed in:

       "passwd.hashed-password.root", "passwd.plaintext-password.root"
           A hashed or plaintext version of the root password to use, in
           place of prompting the user. These credentials are equivalent
           to the same ones defined for the systemd-sysusers.service(8)

           Specifies the shell binary to use for the specified account.
           Equivalent to the credential of the same name defined for the
           systemd-sysusers.service(8) service.

       "firstboot.locale", "firstboot.locale-messages"
           These credentials specify the locale settings to set during
           first boot, in place of prompting the user.

           This credential specifies the keyboard setting to set during
           first boot, in place of prompting the user.

           This credential specifies the system timezone setting to set
           during first boot, in place of prompting the user.

       Note that by default the systemd-firstboot.service unit file is
       set up to inherit the listed credentials from the service
       manager. Thus, when invoking a container with an unpopulated
       /etc/ for the first time it is possible to configure the root
       user's password to be "systemd" like this:

           # systemd-nspawn --image=... --set-credential=firstboot.locale:de_DE.UTF-8 ...

       Note that these credentials are only read and applied during the
       first boot process. Once they are applied they remain applied for
       subsequent boots, and the credentials are not considered anymore.

EXIT STATUS         top

       On success, 0 is returned, a non-zero failure code otherwise.


           Takes a boolean argument, defaults to on. If off,
           systemd-firstboot.service won't interactively query the user
           for basic settings at first boot, even if those settings are
           not initialized yet.

SEE ALSO         top

       systemd(1), locale.conf(5), vconsole.conf(5), localtime(5),
       hostname(5), machine-id(5), shadow(5),
       systemd-machine-id-setup(1), localectl(1), timedatectl(1),

NOTES         top

        1. Discoverable Partitions Specification

COLOPHON         top

       This page is part of the systemd (systemd system and service
       manager) project.  Information about the project can be found at
       ⟨⟩.  If you have
       a bug report for this manual page, see
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on 2022-12-17.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2022-12-16.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

systemd 252                                         SYSTEMD-FIRSTBOOT(1)

Pages that refer to this page: hostnamectl(1)localectl(1)systemd-machine-id-setup(1)systemd-nspawn(1)timedatectl(1)hostname(5)locale.conf(5)localtime(5)machine-id(5)systemd.directives(7)systemd.index(7)systemd.system-credentials(7)systemd-machine-id-commit.service(8)