Suchen

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Appendix J. Kickstart commands and options reference

download PDF

This reference is a complete list of all Kickstart commands supported by the Red Hat Enterprise Linux installation program. The commands are sorted alphabetically in a few broad categories. If a command can fall under multiple categories, it is listed in all of them.

J.1. Kickstart changes

The following sections describe the changes in Kickstart commands and options in Red Hat Enterprise Linux 8.

auth or authconfig is deprecated in RHEL 8

The auth or authconfig Kickstart command is deprecated in Red Hat Enterprise Linux 8 because the authconfig tool and package have been removed.

Similarly to authconfig commands issued on command line, authconfig commands in Kickstart scripts now use the authselect-compat tool to run the new authselect tool. For a description of this compatibility layer and its known issues, see the manual page authselect-migration(7). The installation program will automatically detect use of the deprecated commands and install on the system the authselect-compat package to provide the compatibility layer.

Kickstart no longer supports Btrfs

The Btrfs file system is not supported from Red Hat Enterprise Linux 8. As a result, the Graphical User Interface (GUI) and the Kickstart commands no longer support Btrfs.

Using Kickstart files from previous RHEL releases

If you are using Kickstart files from previous RHEL releases, see the Repositories section of the Considerations in adopting RHEL 8 document for more information about the Red Hat Enterprise Linux 8 BaseOS and AppStream repositories.

J.1.1. Deprecated Kickstart commands and options

The following Kickstart commands and options have been deprecated in Red Hat Enterprise Linux 8.

Where only specific options are listed, the base command and its other options are still available and not deprecated.

  • auth or authconfig - use authselect instead
  • device
  • deviceprobe
  • dmraid
  • install - use the subcommands or methods directly as commands
  • multipath
  • bootloader --upgrade
  • ignoredisk --interactive
  • partition --active
  • reboot --kexec
  • syspurpose - use subscription-manager syspurpose instead

Except the auth or authconfig command, using the commands in Kickstart files prints a warning in the logs.

You can turn the deprecated command warnings into errors with the inst.ksstrict boot option, except for the auth or authconfig command.

J.1.2. Removed Kickstart commands and options

The following Kickstart commands and options have been completely removed in Red Hat Enterprise Linux 8. Using them in Kickstart files will cause an error.

  • device
  • deviceprobe
  • dmraid
  • install - use the subcommands or methods directly as commands
  • multipath
  • bootloader --upgrade
  • ignoredisk --interactive
  • partition --active
  • harddrive --biospart
  • upgrade (This command had already previously been deprecated.)
  • btrfs
  • part/partition btrfs
  • part --fstype btrfs or partition --fstype btrfs
  • logvol --fstype btrfs
  • raid --fstype btrfs
  • unsupported_hardware

Where only specific options and values are listed, the base command and its other options are still available and not removed.

J.2. Kickstart commands for installation program configuration and flow control

The Kickstart commands in this list control the mode and course of installation, and what happens at its end.

J.2.1. cdrom

The cdrom Kickstart command is optional. It performs the installation from the first optical drive on the system.

Syntax

cdrom

Notes

  • Previously, the cdrom command had to be used together with the install command. The install command has been deprecated and cdrom can be used on its own, because it implies install.
  • This command has no options.
  • To actually run the installation, one of cdrom, harddrive, hmc, nfs, liveimg, or url must be specified.

J.2.2. cmdline

The cmdline Kickstart command is optional. It performs the installation in a completely non-interactive command line mode. Any prompt for interaction halts the installation.

Syntax

cmdline

Notes

  • For a fully automatic installation, you must either specify one of the available modes (graphical, text, or cmdline) in the Kickstart file, or you must use the console= boot option. If no mode is specified, the system will use graphical mode if possible, or prompt you to choose from VNC and text mode.
  • This command has no options.
  • This mode is useful on 64-bit IBM Z systems with the x3270 terminal.

J.2.3. driverdisk

The driverdisk Kickstart command is optional. Use it to provide additional drivers to the installation program.

Driver disks can be used during Kickstart installations to provide additional drivers not included by default. You must copy the driver disks contents to the root directory of a partition on the system’s hard drive. Then, you must use the driverdisk command to specify that the installation program should look for a driver disk and its location.

Syntax

driverdisk [partition|--source=url|--biospart=biospart]

Options

You must specify the location of driver disk in one way out of these:

  • partition - Partition containing the driver disk. Note that the partition must be specified as a full path (for example, /dev/sdb1), not just the partition name (for example, sdb1).
  • --source= - URL for the driver disk. Examples include:

    driverdisk --source=ftp://path/to/dd.img
    driverdisk --source=http://path/to/dd.img
    driverdisk --source=nfs:host:/path/to/dd.img
  • --biospart= - BIOS partition containing the driver disk (for example, 82p2).

Notes

Driver disks can also be loaded from a hard disk drive or a similar device instead of being loaded over the network or from initrd. Follow this procedure:

  1. Load the driver disk on a hard disk drive, a USB or any similar device.
  2. Set the label, for example, DD, to this device.
  3. Add the following line to your Kickstart file:

    driverdisk LABEL=DD:/e1000.rpm

Replace DD with a specific label and replace e1000.rpm with a specific name. Use anything supported by the inst.repo command instead of LABEL to specify your hard disk drive.

J.2.4. eula

The eula Kickstart command is optional. Use this option to accept the End User License Agreement (EULA) without user interaction. Specifying this option prevents Initial Setup from prompting you to accept the license agreement after you finish the installation and reboot the system for the first time.

Syntax

eula [--agreed]

Options

  • --agreed (required) - Accept the EULA. This option must always be used, otherwise the eula command is meaningless.

J.2.5. firstboot

The firstboot Kickstart command is optional. It determines whether the Initial Setup application starts the first time the system is booted. If enabled, the initial-setup package must be installed. If not specified, this option is disabled by default.

Syntax

firstboot OPTIONS

Options

  • --enable or --enabled - Initial Setup is started the first time the system boots.
  • --disable or --disabled - Initial Setup is not started the first time the system boots.
  • --reconfig - Enable the Initial Setup to start at boot time in reconfiguration mode. This mode enables the root password, time & date, and networking & host name configuration options in addition to the default ones.

J.2.6. graphical

The graphical Kickstart command is optional. It performs the installation in graphical mode. This is the default.

Syntax

graphical [--non-interactive]

Options

  • --non-interactive - Performs the installation in a completely non-interactive mode. This mode will terminate the installation when user interaction is required.

Notes

  • For a fully automatic installation, you must either specify one of the available modes (graphical, text, or cmdline) in the Kickstart file, or you must use the console= boot option. If no mode is specified, the system will use graphical mode if possible, or prompt you to choose from VNC and text mode.

J.2.7. halt

The halt Kickstart command is optional.

Halt the system after the installation has successfully completed. This is similar to a manual installation, where Anaconda displays a message and waits for the user to press a key before rebooting. During a Kickstart installation, if no completion method is specified, this option is used as the default.

Syntax

halt

Notes

  • The halt command is equivalent to the shutdown -H command. For more details, see the shutdown(8) man page.
  • For other completion methods, see the poweroff, reboot, and shutdown commands.
  • This command has no options.

J.2.8. harddrive

The harddrive Kickstart command is optional. It performs the installation from a Red Hat installation tree or full installation ISO image on a local drive. The drive must be formatted with a file system the installation program can mount: ext2, ext3, ext4, vfat, or xfs.

Syntax

harddrive OPTIONS

Options

  • --partition= - Partition to install from (such as sdb2).
  • --dir= - Directory containing the variant directory of the installation tree, or the ISO image of the full installation DVD.

Example

harddrive --partition=hdb2 --dir=/tmp/install-tree

Notes

  • Previously, the harddrive command had to be used together with the install command. The install command has been deprecated and harddrive can be used on its own, because it implies install.
  • To actually run the installation, one of cdrom, harddrive, hmc, nfs, liveimg, or url must be specified.

J.2.9. install (deprecated)

Important

The install Kickstart command is deprecated in Red Hat Enterprise Linux 8. Use its methods as separate commands.

The install Kickstart command is optional. It specifies the default installation mode.

Syntax

install
installation_method

Notes

  • The install command must be followed by an installation method command. The installation method command must be on a separate line.
  • The methods include:

    • cdrom
    • harddrive
    • hmc
    • nfs
    • liveimg
    • url

    For details about the methods, see their separate reference pages.

J.2.10. liveimg

The liveimg Kickstart command is optional. It performs the installation from a disk image instead of packages.

Syntax

liveimg --url=SOURCE [OPTIONS]

Mandatory options

  • --url= - The location to install from. Supported protocols are HTTP, HTTPS, FTP, and file.

Optional options

  • --url= - The location to install from. Supported protocols are HTTP, HTTPS, FTP, and file.
  • --proxy= - Specify an HTTP, HTTPS or FTP proxy to use while performing the installation.
  • --checksum= - An optional argument with the SHA256 checksum of the image file, used for verification.
  • --noverifyssl - Disable SSL verification when connecting to an HTTPS server.

Example

liveimg --url=file:///images/install/squashfs.img --checksum=03825f567f17705100de3308a20354b4d81ac9d8bed4bb4692b2381045e56197 --noverifyssl

Notes

  • The image can be the squashfs.img file from a live ISO image, a compressed tar file (.tar, .tbz, .tgz, .txz, .tar.bz2, .tar.gz, or .tar.xz.), or any file system that the installation media can mount. Supported file systems are ext2, ext3, ext4, vfat, and xfs.
  • When using the liveimg installation mode with a driver disk, drivers on the disk will not automatically be included in the installed system. If necessary, these drivers should be installed manually, or in the %post section of a kickstart script.
  • To actually run the installation, one of cdrom, harddrive, hmc, nfs, liveimg, or url must be specified.
  • Previously, the liveimg command had to be used together with the install command. The install command has been deprecated and liveimg can be used on its own, because it implies install.

J.2.11. logging

The logging Kickstart command is optional. It controls the error logging of Anaconda during installation. It has no effect on the installed system.

Note

Logging is supported over TCP only. For remote logging, ensure that the port number that you specify in --port= option is open on the remote server. The default port is 514.

Syntax

logging OPTIONS

Optional options

  • --host= - Send logging information to the given remote host, which must be running a syslogd process configured to accept remote logging.
  • --port= - If the remote syslogd process uses a port other than the default, set it using this option.
  • --level= - Specify the minimum level of messages that appear on tty3. All messages are still sent to the log file regardless of this level, however. Possible values are debug, info, warning, error, or critical.

J.2.12. mediacheck

The mediacheck Kickstart command is optional. This command forces the installation program to perform a media check before starting the installation. This command requires that installations be attended, so it is disabled by default.

Syntax

mediacheck

Notes

  • This Kickstart command is equivalent to the rd.live.check boot option.
  • This command has no options.

J.2.13. nfs

The nfs Kickstart command is optional. It performs the installation from a specified NFS server.

Syntax

nfs OPTIONS

Options

  • --server= - Server from which to install (host name or IP).
  • --dir= - Directory containing the variant directory of the installation tree.
  • --opts= - Mount options to use for mounting the NFS export. (optional)

Example

nfs --server=nfsserver.example.com --dir=/tmp/install-tree

Notes

  • Previously, the nfs command had to be used together with the install command. The install command has been deprecated and nfs can be used on its own, because it implies install.
  • To actually run the installation, one of cdrom, harddrive, hmc, nfs, liveimg, or url must be specified.

J.2.14. ostreesetup

The ostreesetup Kickstart command is optional. It is used to set up OStree-based installations.

Syntax

ostreesetup --osname=OSNAME [--remote=REMOTE] --url=URL --ref=REF [--nogpg]

Mandatory options:

  • --osname=OSNAME - Management root for OS installation.
  • --url=URL - URL of the repository to install from.
  • --ref=REF - Name of the branch from the repository to be used for installation.

Optional options:

  • --remote=REMOTE - Management root for OS installation.
  • --nogpg - Disable GPG key verification.

Notes

J.2.15. poweroff

The poweroff Kickstart command is optional. It shuts down and powers off the system after the installation has successfully completed. Normally during a manual installation, Anaconda displays a message and waits for the user to press a key before rebooting.

Syntax

poweroff

Notes

  • The poweroff option is equivalent to the shutdown -P command. For more details, see the shutdown(8) man page.
  • For other completion methods, see the halt, reboot, and shutdown Kickstart commands. The halt option is the default completion method if no other methods are explicitly specified in the Kickstart file.
  • The poweroff command is highly dependent on the system hardware in use. Specifically, certain hardware components such as the BIOS, APM (advanced power management), and ACPI (advanced configuration and power interface) must be able to interact with the system kernel. Consult your hardware documentation for more information on you system’s APM/ACPI abilities.
  • This command has no options.

J.2.16. reboot

The reboot Kickstart command is optional. It instructs the installation program to reboot after the installation is successfully completed (no arguments). Normally, Kickstart displays a message and waits for the user to press a key before rebooting.

Syntax

reboot OPTIONS

Options

  • --eject - Attempt to eject the bootable media (DVD, USB, or other media) before rebooting.
  • --kexec - Uses the kexec system call instead of performing a full reboot, which immediately loads the installed system into memory, bypassing the hardware initialization normally performed by the BIOS or firmware.

    Important

    This option is deprecated and available as a Technology Preview only. For information on Red Hat scope of support for Technology Preview features, see the Technology Preview Features Support Scope document.

    When kexec is used, device registers (which would normally be cleared during a full system reboot) might stay filled with data, which could potentially create issues for some device drivers.

Notes

  • Use of the reboot option might result in an endless installation loop, depending on the installation media and method.
  • The reboot option is equivalent to the shutdown -r command. For more details, see the shutdown(8) man page.
  • Specify reboot to automate installation fully when installing in command line mode on 64-bit IBM Z.
  • For other completion methods, see the halt, poweroff, and shutdown Kickstart options. The halt option is the default completion method if no other methods are explicitly specified in the Kickstart file.

J.2.17. rhsm

The rhsm Kickstart command is optional. It instructs the installation program to register and install RHEL from the CDN.

Note

The rhsm Kickstart command removes the requirement of using custom %post scripts when registering the system.

Options

  • --organization= - Uses the organization id to register and install RHEL from the CDN.
  • --activation-key= - Uses the activation key to register and install RHEL from the CDN. Option can be used multiple times, once per activation key, as long as the activation keys used are registered to your subscription.
  • --connect-to-insights - Connects the target system to Red Hat Insights.
  • --proxy= - Sets the HTTP proxy.

J.2.18. shutdown

The shutdown Kickstart command is optional. It shuts down the system after the installation has successfully completed.

Syntax

shutdown

Notes

  • The shutdown Kickstart option is equivalent to the shutdown command. For more details, see the shutdown(8) man page.
  • For other completion methods, see the halt, poweroff, and reboot Kickstart options. The halt option is the default completion method if no other methods are explicitly specified in the Kickstart file.
  • This command has no options.

J.2.19. sshpw

The sshpw Kickstart command is optional.

During the installation, you can interact with the installation program and monitor its progress over an SSH connection. Use the sshpw command to create temporary accounts through which to log on. Each instance of the command creates a separate account that exists only in the installation environment. These accounts are not transferred to the installed system.

Syntax

sshpw --username=name [OPTIONS] password

Mandatory options

  • --username=name - Provides the name of the user. This option is required.
  • password - The password to use for the user. This option is required.

Optional options

  • --iscrypted - If this option is present, the password argument is assumed to already be encrypted. This option is mutually exclusive with --plaintext. To create an encrypted password, you can use Python:

    $ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

    This generates a sha512 crypt-compatible hash of your password using a random salt.

  • --plaintext - If this option is present, the password argument is assumed to be in plain text. This option is mutually exclusive with --iscrypted
  • --lock - If this option is present, this account is locked by default. This means that the user will not be able to log in from the console.
  • --sshkey - If this is option is present, then the <password> string is interpreted as an ssh key value.

Notes

  • By default, the ssh server is not started during the installation. To make ssh available during the installation, boot the system with the kernel boot option inst.sshd.
  • If you want to disable root ssh access, while allowing another user ssh access, use the following:

    sshpw --username=example_username example_password --plaintext
    sshpw --username=root example_password --lock
  • To simply disable root ssh access, use the following:

    sshpw --username=root example_password --lock

J.2.20. text

The text Kickstart command is optional. It performs the Kickstart installation in text mode. Kickstart installations are performed in graphical mode by default.

Syntax

text [--non-interactive]

Options

  • --non-interactive - Performs the installation in a completely non-interactive mode. This mode will terminate the installation when user interaction is required.

Notes

  • Note that for a fully automatic installation, you must either specify one of the available modes (graphical, text, or cmdline) in the Kickstart file, or you must use the console= boot option. If no mode is specified, the system will use graphical mode if possible, or prompt you to choose from VNC and text mode.

J.2.21. url

The url Kickstart command is optional. It is used to install from an installation tree image on a remote server using the FTP, HTTP, or HTTPS protocol. You can only specify one URL.

Syntax

url --url=FROM [OPTIONS]

Mandatory options

  • --url=FROM - Specifies the HTTP, HTTPS, FTP, or file location to install from.

Optional options

  • --mirrorlist= - Specifies the mirror URL to install from.
  • --proxy= - Specifies an HTTP, HTTPS, or FTP proxy to use during the installation.
  • --noverifyssl - Disables SSL verification when connecting to an HTTPS server.
  • --metalink=URL - Specifies the metalink URL to install from. Variable substitution is done for $releasever and $basearch in the URL.

Examples

  • To install from a HTTP server:

    url --url=http://server/path
  • To install from a FTP server:

    url --url=ftp://username:password@server/path
  • To install from a local file:

    liveimg --url=file:///images/install/squashfs.img --noverifyssl

Notes

  • Previously, the url command had to be used together with the install command. The install command has been deprecated and url can be used on its own, because it implies install.
  • To actually run the installation, one of cdrom, harddrive, hmc, nfs, liveimg, or url must be specified.

J.2.22. vnc

The vnc Kickstart command is optional. It allows the graphical installation to be viewed remotely through VNC.

This method is usually preferred over text mode, as there are some size and language limitations in text installations. With no additional options, this command starts a VNC server on the installation system with no password and displays the details required to connect to it.

Syntax

vnc [--host=host_name] [--port=port] [--password=password]

Options

--host=
Connect to the VNC viewer process listening on the given host name.
--port=
Provide a port that the remote VNC viewer process is listening on. If not provided, Anaconda uses the VNC default port of 5900.
--password=
Set a password which must be provided to connect to the VNC session. This is optional, but recommended.

J.2.23. %include

The %include Kickstart command is optional.

Use the %include command to include the contents of another file in the Kickstart file as if the contents were at the location of the %include command in the Kickstart file.

This inclusion is evaluated only after the %pre script sections and can thus be used to include files generated by scripts in the %pre sections. To include files before evaluation of %pre sections, use the %ksappend command.

Syntax

%include path/to/file

J.2.24. %ksappend

The %ksappend Kickstart command is optional.

Use the %ksappend command to include the contents of another file in the Kickstart file as if the contents were at the location of the %ksappend command in the Kickstart file.

This inclusion is evaluated before the %pre script sections, unlike inclusion with the %include command.

Syntax

%ksappend path/to/file

J.3. Kickstart commands for system configuration

The Kickstart commands in this list configure further details on the resulting system such as users, repositories, or services.

J.3.1. auth or authconfig (deprecated)

Important

Use the new authselect command instead of the deprecated auth or authconfig Kickstart command. auth and authconfig are available only for limited backwards compatibility.

The auth or authconfig Kickstart command is optional. It sets up the authentication options for the system using the authconfig tool, which can also be run on the command line after the installation finishes.

Syntax

authconfig [OPTIONS]

Notes

  • Previously, the auth or authconfig Kickstart commands called the authconfig tool. This tool has been deprecated in Red Hat Enterprise Linux 8. These Kickstart commands now use the authselect-compat tool to call the new authselect tool. For a description of the compatibility layer and its known issues, see the manual page authselect-migration(7). The installation program will automatically detect use of the deprecated commands and install on the system the authselect-compat package to provide the compatibility layer.
  • Passwords are shadowed by default.
  • When using OpenLDAP with the SSL protocol for security, make sure that the SSLv2 and SSLv3 protocols are disabled in the server configuration. This is due to the POODLE SSL vulnerability (CVE-2014-3566). See https://access.redhat.com/solutions/1234843 for details.

J.3.2. authselect

The authselect Kickstart command is optional. It sets up the authentication options for the system using the authselect command, which can also be run on the command line after the installation finishes.

Syntax

authselect [OPTIONS]

Notes

  • This command passes all options to the authselect command. Refer to the authselect(8) manual page and the authselect --help command for more details.
  • This command replaces the deprecated auth or authconfig commands deprecated in Red Hat Enterprise Linux 8 together with the authconfig tool.
  • Passwords are shadowed by default.
  • When using OpenLDAP with the SSL protocol for security, make sure that the SSLv2 and SSLv3 protocols are disabled in the server configuration. This is due to the POODLE SSL vulnerability (CVE-2014-3566). See https://access.redhat.com/solutions/1234843 for details.

J.3.3. firewall

The firewall Kickstart command is optional. It specifies the firewall configuration for the installed system.

Syntax

firewall --enabled|--disabled [incoming] [OPTIONS]

Mandatory options

  • --enabled or --enable - Reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
  • --disabled or --disable - Do not configure any iptables rules.

Optional options

  • --trust - Listing a device here, such as em1, allows all traffic coming to and from that device to go through the firewall. To list more than one device, use the option more times, such as --trust em1 --trust em2. Do not use a comma-separated format such as --trust em1, em2.
  • --remove-service - Do not allow services through the firewall.
  • incoming - Replace with one or more of the following to allow the specified services through the firewall.

    • --ssh
    • --smtp
    • --http
    • --ftp
  • --port= - You can specify that ports be allowed through the firewall using the port:protocol format. For example, to allow IMAP access through your firewall, specify imap:tcp. Numeric ports can also be specified explicitly; for example, to allow UDP packets on port 1234 through, specify 1234:udp. To specify multiple ports, separate them by commas.
  • --service= - This option provides a higher-level way to allow services through the firewall. Some services (like cups, avahi, and so on.) require multiple ports to be open or other special configuration in order for the service to work. You can specify each individual port with the --port option, or specify --service= and open them all at once.

    Valid options are anything recognized by the firewall-offline-cmd program in the firewalld package. If the firewalld service is running, firewall-cmd --get-services provides a list of known service names.

  • --use-system-defaults - Do not configure the firewall at all. This option instructs anaconda to do nothing and allows the system to rely on the defaults that were provided with the package or ostree. If this option is used with other options then all other options will be ignored.

J.3.4. group

The group Kickstart command is optional. It creates a new user group on the system.

group --name=name [--gid=gid]

Mandatory options

  • --name= - Provides the name of the group.

Optional options

  • --gid= - The group’s GID. If not provided, defaults to the next available non-system GID.

Notes

  • If a group with the given name or GID already exists, this command fails.
  • The user command can be used to create a new group for the newly created user.

J.3.5. keyboard (required)

The keyboard Kickstart command is required. It sets one or more available keyboard layouts for the system.

Syntax

keyboard --vckeymap|--xlayouts OPTIONS

Options

  • --vckeymap= - Specify a VConsole keymap which should be used. Valid names correspond to the list of files in the /usr/lib/kbd/keymaps/xkb/ directory, without the .map.gz extension.
  • --xlayouts= - Specify a list of X layouts that should be used as a comma-separated list without spaces. Accepts values in the same format as setxkbmap(1), either in the layout format (such as cz), or in the layout (variant) format (such as cz (qwerty)).

    All available layouts can be viewed on the xkeyboard-config(7) man page under Layouts.

  • --switch= - Specify a list of layout-switching options (shortcuts for switching between multiple keyboard layouts). Multiple options must be separated by commas without spaces. Accepts values in the same format as setxkbmap(1).

    Available switching options can be viewed on the xkeyboard-config(7) man page under Options.

Notes

  • Either the --vckeymap= or the --xlayouts= option must be used.

Example

The following example sets up two keyboard layouts (English (US) and Czech (qwerty)) using the --xlayouts= option, and allows to switch between them using Alt+Shift:

keyboard --xlayouts=us,'cz (qwerty)' --switch=grp:alt_shift_toggle

J.3.6. lang (required)

The lang Kickstart command is required. It sets the language to use during installation and the default language to use on the installed system.

Syntax

lang language [--addsupport=language,...]

Mandatory options

  • language - Install support for this language and set it as system default.

Optional options

  • --addsupport= - Add support for additional languages. Takes the form of comma-separated list without spaces. For example:

    lang en_US --addsupport=cs_CZ,de_DE,en_UK

Notes

  • The locale -a | grep _ or localectl list-locales | grep _ commands return a list of supported locales.
  • Certain languages (for example, Chinese, Japanese, Korean, and Indic languages) are not supported during text-mode installation. If you specify one of these languages with the lang command, the installation process continues in English, but the installed system uses your selection as its default language.

Example

To set the language to English, the Kickstart file should contain the following line:

lang en_US

J.3.7. module

The module Kickstart command is optional. Use this command to enable a package module stream within kickstart script.

Syntax

module --name=NAME [--stream=STREAM]

Mandatory options

--name=
Specifies the name of the module to enable. Replace NAME with the actual name.

Optional options

--stream=

Specifies the name of the module stream to enable. Replace STREAM with the actual name.

You do not need to specify this option for modules with a default stream defined. For modules without a default stream, this option is mandatory and leaving it out results in an error. Enabling a module multiple times with different streams is not possible.

Notes

  • Using a combination of this command and the %packages section allows you to install packages provided by the enabled module and stream combination, without specifying the module and stream explicitly. Modules must be enabled before package installation. After enabling a module with the module command, you can install the packages enabled by this module by listing them in the %packages section.
  • A single module command can enable only a single module and stream combination. To enable multiple modules, use multiple module commands. Enabling a module multiple times with different streams is not possible.
  • In Red Hat Enterprise Linux 8, modules are present only in the AppStream repository. To list available modules, use the yum module list command on an installed Red Hat Enterprise Linux 8 system with a valid subscription.

J.3.8. repo

The repo Kickstart command is optional. It configures additional yum repositories that can be used as sources for package installation. You can add multiple repo lines.

Syntax

repo --name=repoid [--baseurl=url|--mirrorlist=url|--metalink=url] [OPTIONS]

Mandatory options

  • --name= - The repository id. This option is required. If a repository has a name which conflicts with another previously added repository, it is ignored. Because the installation program uses a list of preset repositories, this means that you cannot add repositories with the same names as the preset ones.

URL options

These options are mutually exclusive and optional. The variables that can be used in yum repository configuration files are not supported here. You can use the strings $releasever and $basearch which are replaced by the respective values in the URL.

  • --baseurl= - The URL to the repository.
  • --mirrorlist= - The URL pointing at a list of mirrors for the repository.
  • --metalink= - The URL with metalink for the repository.

Optional options

  • --install - Save the provided repository configuration on the installed system in the /etc/yum.repos.d/ directory. Without using this option, a repository configured in a Kickstart file will only be available during the installation process, not on the installed system.
  • --cost= - An integer value to assign a cost to this repository. If multiple repositories provide the same packages, this number is used to prioritize which repository will be used before another. Repositories with a lower cost take priority over repositories with higher cost.
  • --excludepkgs= - A comma-separated list of package names that must not be pulled from this repository. This is useful if multiple repositories provide the same package and you want to make sure it comes from a particular repository. Both full package names (such as publican) and globs (such as gnome-*) are accepted.
  • --includepkgs= - A comma-separated list of package names and globs that are allowed to be pulled from this repository. Any other packages provided by the repository will be ignored. This is useful if you want to install just a single package or set of packages from a repository while excluding all other packages the repository provides.
  • --proxy=[protocol://][username[:password]@]host[:port] - Specify an HTTP/HTTPS/FTP proxy to use just for this repository. This setting does not affect any other repositories, nor how the install.img is fetched on HTTP installations.
  • --noverifyssl - Disable SSL verification when connecting to an HTTPS server.

Notes

  • Repositories used for installation must be stable. The installation can fail if a repository is modified before the installation concludes.

J.3.9. rootpw (required)

The rootpw Kickstart command is required. It sets the system’s root password to the password argument.

Syntax

rootpw [--iscrypted|--plaintext] [--lock] password

Mandatory options

  • password - Password specification. Either plain text or encrypted string. See --iscrypted and --plaintext below.

Options

  • --iscrypted - If this option is present, the password argument is assumed to already be encrypted. This option is mutually exclusive with --plaintext. To create an encrypted password, you can use python:

    $ python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

    This generates a sha512 crypt-compatible hash of your password using a random salt.

  • --plaintext - If this option is present, the password argument is assumed to be in plain text. This option is mutually exclusive with --iscrypted.
  • --lock - If this option is present, the root account is locked by default. This means that the root user will not be able to log in from the console. This option will also disable the Root Password screens in both the graphical and text-based manual installation.

J.3.10. selinux

The selinux Kickstart command is optional. It sets the state of SELinux on the installed system. The default SELinux policy is enforcing.

Syntax

selinux [--disabled|--enforcing|--permissive]

Options

--enforcing
Enables SELinux with the default targeted policy being enforcing.
--permissive
Outputs warnings based on the SELinux policy, but does not actually enforce the policy.
--disabled
Disables SELinux completely on the system.

Additional resources

J.3.11. services

The services Kickstart command is optional. It modifies the default set of services that will run under the default systemd target. The list of disabled services is processed before the list of enabled services. Therefore, if a service appears on both lists, it will be enabled.

Syntax

services [--disabled=list] [--enabled=list]

Options

  • --disabled= - Disable the services given in the comma separated list.
  • --enabled= - Enable the services given in the comma separated list.

Notes

  • Do not include spaces in the list of services. If you do, Kickstart will enable or disable only the services up to the first space. For example:

    services --disabled=auditd, cups,smartd, nfslock

    That disables only the auditd service. To disable all four services, this entry must include no spaces:

    services --disabled=auditd,cups,smartd,nfslock

J.3.12. skipx

The skipx Kickstart command is optional. If present, X is not configured on the installed system.

If you install a display manager among your package selection options, this package creates an X configuration, and the installed system defaults to graphical.target. That overrides the effect of the skipx option.

Syntax

skipx

Notes

  • This command has no options.

J.3.13. sshkey

The sshkey Kickstart command is optional. It adds a SSH key to the authorized_keys file of the specified user on the installed system.

Syntax

sshkey --username=user "ssh_key"

Mandatory options

  • --username= - The user for which the key will be installed.
  • ssh_key - The complete SSH key fingerprint. It must be wrapped with quotes.

J.3.14. syspurpose

The syspurpose Kickstart command is optional. Use it to set the system purpose which describes how the system will be used after installation. This information helps apply the correct subscription entitlement to the system.

Note

Red Hat Enterprise Linux 8.6 and later enables you to manage and display system purpose attributes with a single module by making the role, service-level, usage, and addons subcommands available under one subscription-manager syspurpose module. Previously, system administrators used one of four standalone syspurpose commands to manage each attribute. This standalone syspurpose command is deprecated starting with RHEL 8.6 and is planned to be removed in RHEL 9. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements. Starting with RHEL 9, the single subscription-manager syspurpose command and its associated subcommands is the only way to use system purpose.

Syntax

syspurpose [OPTIONS]

Options

  • --role= - Set the intended system role. Available values are:

    • Red Hat Enterprise Linux Server
    • Red Hat Enterprise Linux Workstation
    • Red Hat Enterprise Linux Compute Node
  • --sla= - Set the Service Level Agreement. Available values are:

    • Premium
    • Standard
    • Self-Support
  • --usage= - The intended usage of the system. Available values are:

    • Production
    • Disaster Recovery
    • Development/Test
  • --addon= - Specifies additional layered products or features. You can use this option multiple times.

Notes

  • Enter the values with spaces and enclose them in double quotes:

    syspurpose --role="Red Hat Enterprise Linux Server"
  • While it is strongly recommended that you configure System Purpose, it is an optional feature of the Red Hat Enterprise Linux installation program. If you want to enable System Purpose after the installation completes, you can do so using the syspurpose command-line tool.
Note

Red Hat Enterprise Linux 8.6 and later enables you to manage and display system purpose attributes with a single module by making the role, service-level, usage, and addons subcommands available under one subscription-manager syspurpose module. Previously, system administrators used one of four standalone syspurpose commands to manage each attribute. This standalone syspurpose command is deprecated starting with RHEL 8.6 and is planned to be removed in RHEL 9. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements. Starting with RHEL 9, the single subscription-manager syspurpose command and its associated subcommands is the only way to use system purpose.

J.3.15. timezone (required)

The timezone Kickstart command is required. It sets the system time zone.

Syntax

timezone timezone [OPTIONS]

Mandatory options

  • timezone - the time zone to set for the system.

Optional options

  • --utc - If present, the system assumes the hardware clock is set to UTC (Greenwich Mean) time.
  • --nontp - Disable the NTP service automatic starting.
  • --ntpservers= - Specify a list of NTP servers to be used as a comma-separated list without spaces.

Notes

In Red Hat Enterprise Linux 8, time zone names are validated using the pytz.all_timezones list, provided by the pytz package. In previous releases, the names were validated against pytz.common_timezones, which is a subset of the currently used list. Note that the graphical and text mode interfaces still use the more restricted pytz.common_timezones list; you must use a Kickstart file to use additional time zone definitions.

J.3.16. user

The user Kickstart command is optional. It creates a new user on the system.

Syntax

user --name=username [OPTIONS]

Mandatory options

  • --name= - Provides the name of the user. This option is required.

Optional options

  • --gecos= - Provides the GECOS information for the user. This is a string of various system-specific fields separated by a comma. It is frequently used to specify the user’s full name, office number, and so on. See the passwd(5) man page for more details.
  • --groups= - In addition to the default group, a comma separated list of group names the user should belong to. The groups must exist before the user account is created. See the group command.
  • --homedir= - The home directory for the user. If not provided, this defaults to /home/username.
  • --lock - If this option is present, this account is locked by default. This means that the user will not be able to log in from the console. This option will also disable the Create User screens in both the graphical and text-based manual installation.
  • --password= - The new user’s password. If not provided, the account will be locked by default.
  • --iscrypted - If this option is present, the password argument is assumed to already be encrypted. This option is mutually exclusive with --plaintext. To create an encrypted password, you can use python:

    $ python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

    This generates a sha512 crypt-compatible hash of your password using a random salt.

  • --plaintext - If this option is present, the password argument is assumed to be in plain text. This option is mutually exclusive with --iscrypted
  • --shell= - The user’s login shell. If not provided, the system default is used.
  • --uid= - The user’s UID (User ID). If not provided, this defaults to the next available non-system UID.
  • --gid= - The GID (Group ID) to be used for the user’s group. If not provided, this defaults to the next available non-system group ID.

Notes

  • Consider using the --uid and --gid options to set IDs of regular users and their default groups at range starting at 5000 instead of 1000. That is because the range reserved for system users and groups, 0-999, might increase in the future and thus overlap with IDs of regular users.

    For changing the minimum UID and GID limits after the installation, which ensures that your chosen UID and GID ranges are applied automatically on user creation, see the Setting default permissions for new files using umask section of the Configuring basic system settings document.

  • Files and directories are created with various permissions, dictated by the application used to create the file or directory. For example, the mkdir command creates directories with all permissions enabled. However, applications are prevented from granting certain permissions to newly created files, as specified by the user file-creation mask setting.

    The user file-creation mask can be controlled with the umask command. The default setting of the user file-creation mask for new users is defined by the UMASK variable in the /etc/login.defs configuration file on the installed system. If unset, it defaults to 022. This means that by default when an application creates a file, it is prevented from granting write permission to users other than the owner of the file. However, this can be overridden by other settings or scripts.

    More information can be found in the Setting default permissions for new files using umask section of the Configuring basic system settings document.

J.3.17. xconfig

The xconfig Kickstart command is optional. It configures the X Window System.

Syntax

xconfig [--startxonboot]

Options

  • --startxonboot - Use a graphical login on the installed system.

Notes

  • Because Red Hat Enterprise Linux 8 does not include the KDE Desktop Environment, do not use the --defaultdesktop= documented in upstream.

J.4. Kickstart commands for network configuration

The Kickstart commands in this list let you configure networking on the system.

J.4.1. network (optional)

Use the optional network Kickstart command to configure network information for the target system and activate the network devices in the installation environment. The device specified in the first network command is activated automatically. You can also explicitly require a device to be activated using the --activate option.

Syntax

network OPTIONS

Options

  • --activate - activate this device in the installation environment.

    If you use the --activate option on a device that has already been activated (for example, an interface you configured with boot options so that the system could retrieve the Kickstart file) the device is reactivated to use the details specified in the Kickstart file.

    Use the --nodefroute option to prevent the device from using the default route.

  • --no-activate - do not activate this device in the installation environment.

    By default, Anaconda activates the first network device in the Kickstart file regardless of the --activate option. You can disable the default setting by using the --no-activate option.

  • --bootproto= - One of dhcp, bootp, ibft, or static. The default option is dhcp; the dhcp and bootp options are treated the same. To disable ipv4 configuration of the device, use --noipv4 option.

    Note

    This option configures ipv4 configuration of the device. For ipv6 configuration use --ipv6 and --ipv6gateway options.

    The DHCP method uses a DHCP server system to obtain its networking configuration. The BOOTP method is similar, requiring a BOOTP server to supply the networking configuration. To direct a system to use DHCP:

    network --bootproto=dhcp

    To direct a machine to use BOOTP to obtain its networking configuration, use the following line in the Kickstart file:

    network --bootproto=bootp

    To direct a machine to use the configuration specified in iBFT, use:

    network --bootproto=ibft

    The static method requires that you specify at least the IP address and netmask in the Kickstart file. This information is static and is used during and after the installation.

    All static networking configuration information must be specified on one line; you cannot wrap lines using a backslash (\) as you can on a command line.

    network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver=10.0.2.1

    You can also configure multiple nameservers at the same time. To do so, use the --nameserver= option once, and specify each of their IP addresses, separated by commas:

    network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver=192.168.2.1,192.168.3.1
  • --device= - specifies the device to be configured (and eventually activated in Anaconda) with the network command.

    If the --device= option is missing on the first use of the network command, the value of the inst.ks.device= Anaconda boot option is used, if available. Note that this is considered deprecated behavior; in most cases, you should always specify a --device= for every network command.

    The behavior of any subsequent network command in the same Kickstart file is unspecified if its --device= option is missing. Verify you specify this option for any network command beyond the first.

    You can specify a device to be activated in any of the following ways:

    • the device name of the interface, for example, em1
    • the MAC address of the interface, for example, 01:23:45:67:89:ab
    • the keyword link, which specifies the first interface with its link in the up state
    • the keyword bootif, which uses the MAC address that pxelinux set in the BOOTIF variable. Set IPAPPEND 2 in your pxelinux.cfg file to have pxelinux set the BOOTIF variable.

    For example:

    network --bootproto=dhcp --device=em1
  • --ip= - IP address of the device.
  • --ipv6= - IPv6 address of the device, in the form of address[/prefix length] - for example, 3ffe:ffff:0:1::1/128. If prefix is omitted, 64 is used. You can also use auto for automatic configuration, or dhcp for DHCPv6-only configuration (no router advertisements).
  • --gateway= - Default gateway as a single IPv4 address.
  • --ipv6gateway= - Default gateway as a single IPv6 address.
  • --nodefroute - Prevents the interface being set as the default route. Use this option when you activate additional devices with the --activate= option, for example, a NIC on a separate subnet for an iSCSI target.
  • --nameserver= - DNS name server, as an IP address. To specify more than one name server, use this option once, and separate each IP address with a comma.
  • --netmask= - Network mask for the installed system.
  • --hostname= - Used to configure the target system’s host name. The host name can either be a fully qualified domain name (FQDN) in the format hostname.domainname, or a short host name without the domain. Many networks have a Dynamic Host Configuration Protocol (DHCP) service that automatically supplies connected systems with a domain name. To allow the DHCP service to assign the domain name to this machine, specify only the short host name.

    When using static IP and host name configuration, it depends on the planned system use case whether to use a short name or FQDN. Red Hat Identity Management configures FQDN during provisioning but some 3rd party software products may require short name. In either case, to ensure availability of both forms in all situations, add an entry for the host in /etc/hosts in the format IP FQDN short-alias.

    The value localhost means that no specific static host name for the target system is configured, and the actual host name of the installed system is configured during the processing of the network configuration, for example, by NetworkManager using DHCP or DNS.

    Host names can only contain alphanumeric characters and - or .. Host name should be equal to or less than 64 characters. Host names cannot start or end with - and .. To be compliant with DNS, each part of a FQDN should be equal to or less than 63 characters and the FQDN total length, including dots, should not exceed 255 characters.

    If you only want to configure the target system’s host name, use the --hostname option in the network command and do not include any other option.

    If you provide additional options when configuring the host name, the network command configures a device using the options specified. If you do not specify which device to configure using the --device option, the default --device link value is used. Additionally, if you do not specify the protocol using the --bootproto option, the device is configured to use DHCP by default.

  • --ethtool= - Specifies additional low-level settings for the network device which will be passed to the ethtool program.
  • --onboot= - Whether or not to enable the device at boot time.
  • --dhcpclass= - The DHCP class.
  • --mtu= - The MTU of the device.
  • --noipv4 - Disable IPv4 on this device.
  • --noipv6 - Disable IPv6 on this device.
  • --bondslaves= - When this option is used, the bond device specified by the --device= option is created using secondary devices defined in the --bondslaves= option. For example:

    network --device=bond0 --bondslaves=em1,em2

    The above command creates a bond device named bond0 using the em1 and em2 interfaces as its secondary devices.

  • --bondopts= - a list of optional parameters for a bonded interface, which is specified using the --bondslaves= and --device= options. Options in this list must be separated by commas (“,”) or semicolons (“;”). If an option itself contains a comma, use a semicolon to separate the options. For example:

    network --bondopts=mode=active-backup,balance-rr;primary=eth1
    Important

    The --bondopts=mode= parameter only supports full mode names such as balance-rr or broadcast, not their numerical representations such as 0 or 3. For the list of available and supported modes, see Configuring and Managing Networking Guide.

  • --vlanid= - Specifies virtual LAN (VLAN) ID number (802.1q tag) for the device created using the device specified in --device= as a parent. For example, network --device=em1 --vlanid=171 creates a virtual LAN device em1.171.
  • --interfacename= - Specify a custom interface name for a virtual LAN device. This option should be used when the default name generated by the --vlanid= option is not desirable. This option must be used along with --vlanid=. For example:

    network --device=em1 --vlanid=171 --interfacename=vlan171

    The above command creates a virtual LAN interface named vlan171 on the em1 device with an ID of 171.

    The interface name can be arbitrary (for example, my-vlan), but in specific cases, the following conventions must be followed:

    • If the name contains a dot (.), it must take the form of NAME.ID. The NAME is arbitrary, but the ID must be the VLAN ID. For example: em1.171 or my-vlan.171.
    • Names starting with vlan must take the form of vlanID - for example, vlan171.
  • --teamslaves= - Team device specified by the --device= option will be created using secondary devices specified in this option. Secondary devices are separated by commas. A secondary device can be followed by its configuration, which is a single-quoted JSON string with double quotes escaped by the \ character. For example:

    network --teamslaves="p3p1'{\"prio\": -10, \"sticky\": true}',p3p2'{\"prio\": 100}'"

    See also the --teamconfig= option.

  • --teamconfig= - Double-quoted team device configuration which is a JSON string with double quotes escaped by the \ character. The device name is specified by --device= option and its secondary devices and their configuration by --teamslaves= option. For example:

    network --device team0 --activate --bootproto static --ip=10.34.102.222 --netmask=255.255.255.0 --gateway=10.34.102.254 --nameserver=10.34.39.2 --teamslaves="p3p1'{\"prio\": -10, \"sticky\": true}',p3p2'{\"prio\": 100}'" --teamconfig="{\"runner\": {\"name\": \"activebackup\"}}"
  • --bridgeslaves= - When this option is used, the network bridge with device name specified using the --device= option will be created and devices defined in the --bridgeslaves= option will be added to the bridge. For example:

    network --device=bridge0 --bridgeslaves=em1
  • --bridgeopts= - An optional comma-separated list of parameters for the bridged interface. Available values are stp, priority, forward-delay, hello-time, max-age, and ageing-time. For information about these parameters, see the bridge setting table in the nm-settings(5) man page or at Network Configuration Setting Specification.

    Also see the Configuring and managing networking document for general information about network bridging.

  • --bindto=mac - Bind the device configuration file on the installed system to the device MAC address (HWADDR) instead of the default binding to the interface name (DEVICE). Note that this option is independent of the --device= option - --bindto=mac will be applied even if the same network command also specifies a device name, link, or bootif.

Notes

  • The ethN device names such as eth0 are no longer available in Red Hat Enterprise Linux due to changes in the naming scheme. For more information about the device naming scheme, see the upstream document Predictable Network Interface Names.
  • If you used a Kickstart option or a boot option to specify an installation repository on a network, but no network is available at the start of the installation, the installation program displays the Network Configuration window to set up a network connection prior to displaying the Installation Summary window. For more details, see the Configuring network and host name options section of the Performing a standard RHEL 8 installation document.

J.4.2. realm

The realm Kickstart command is optional. Use it to join an Active Directory or IPA domain. For more information about this command, see the join section of the realm(8) man page.

Syntax

realm join [OPTIONS] domain

Mandatory options

  • domain - The domain to join.

Options

  • --computer-ou=OU= - Provide the distinguished name of an organizational unit in order to create the computer account. The exact format of the distinguished name depends on the client software and membership software. The root DSE portion of the distinguished name can usually be left out.
  • --no-password - Join automatically without a password.
  • --one-time-password= - Join using a one-time password. This is not possible with all types of realm.
  • --client-software= - Only join realms which can run this client software. Valid values include sssd and winbind. Not all realms support all values. By default, the client software is chosen automatically.
  • --server-software= - Only join realms which can run this server software. Possible values include active-directory or freeipa.
  • --membership-software= - Use this software when joining the realm. Valid values include samba and adcli. Not all realms support all values. By default, the membership software is chosen automatically.

J.5. Kickstart commands for handling storage

The Kickstart commands in this section configure aspects of storage such as devices, disks, partitions, LVM, and filesystems.

J.5.1. device (deprecated)

The device Kickstart command is optional. Use it to load additional kernel modules.

On most PCI systems, the installation program automatically detects Ethernet and SCSI cards. However, on older systems and some PCI systems, Kickstart requires a hint to find the proper devices. The device command, which tells the installation program to install extra modules, uses the following format:

Syntax

device moduleName --opts=options

Options

  • moduleName - Replace with the name of the kernel module which should be installed.
  • --opts= - Options to pass to the kernel module. For example:

    device --opts="aic152x=0x340 io=11"

J.5.2. autopart

The autopart Kickstart command is optional. It automatically creates partitions.

The automatically created partitions are: a root (/) partition (1 GiB or larger), a swap partition, and an appropriate /boot partition for the architecture. On large enough drives (50 GiB and larger), this also creates a /home partition.

Syntax

autopart OPTIONS

Options

  • --type= - Selects one of the predefined automatic partitioning schemes you want to use. Accepts the following values:

    • lvm: The LVM partitioning scheme.
    • plain: Regular partitions with no LVM.
    • thinp: The LVM Thin Provisioning partitioning scheme.
  • --fstype= - Selects one of the available file system types. The available values are ext2, ext3, ext4, xfs, and vfat. The default file system is xfs.
  • --nohome - Disables automatic creation of the /home partition.
  • --nolvm - Do not use LVM for automatic partitioning. This option is equal to --type=plain.
  • --noboot - Do not create a /boot partition.
  • --noswap - Do not create a swap partition.
  • --encrypted - Encrypts all partitions with Linux Unified Key Setup (LUKS). This is equivalent to checking the Encrypt partitions check box on the initial partitioning screen during a manual graphical installation.

    Note

    When encrypting one or more partitions, Anaconda attempts to gather 256 bits of entropy to ensure the partitions are encrypted securely. Gathering entropy can take some time - the process will stop after a maximum of 10 minutes, regardless of whether sufficient entropy has been gathered.

    The process can be sped up by interacting with the installation system (typing on the keyboard or moving the mouse). If you are installing in a virtual machine, you can also attach a virtio-rng device (a virtual random number generator) to the guest.

  • --luks-version=LUKS_VERSION - Specifies which version of LUKS format should be used to encrypt the filesystem. This option is only meaningful if --encrypted is specified.
  • --passphrase= - Provides a default system-wide passphrase for all encrypted devices.
  • --escrowcert=URL_of_X.509_certificate - Stores data encryption keys of all encrypted volumes as files in /root, encrypted using the X.509 certificate from the URL specified with URL_of_X.509_certificate. The keys are stored as a separate file for each encrypted volume. This option is only meaningful if --encrypted is specified.
  • --backuppassphrase - Adds a randomly-generated passphrase to each encrypted volume. Store these passphrases in separate files in /root, encrypted using the X.509 certificate specified with --escrowcert. This option is only meaningful if --escrowcert is specified.
  • --cipher= - Specifies the type of encryption to use if the Anaconda default aes-xts-plain64 is not satisfactory. You must use this option together with the --encrypted option; by itself it has no effect. Available types of encryption are listed in the Security hardening document, but Red Hat strongly recommends using either aes-xts-plain64 or aes-cbc-essiv:sha256.
  • --pbkdf=PBKDF - Sets Password-Based Key Derivation Function (PBKDF) algorithm for LUKS keyslot. See also the man page cryptsetup(8). This option is only meaningful if --encrypted is specified.
  • --pbkdf-memory=PBKDF_MEMORY - Sets the memory cost for PBKDF. See also the man page cryptsetup(8). This option is only meaningful if