22.3. Kickstart commands for system configuration
The Kickstart commands in this list configure further details on the resulting system such as users, repositories, or services.
22.3.1. authselect
The authselect Kickstart command is optional. It sets up the authentication options for the system using the authselect command, which can also be run on the command line after the installation finishes. Use this command only once.
- Syntax
  authselect [OPTIONS]
- Notes
  - This command passes all options to the authselect command. Refer to the authselect(8) manual page and the authselect --help command for more details.
  - Passwords are shadowed by default.
  - When using OpenLDAP with the SSL protocol for security, ensure that the SSLv2 and SSLv3 protocols are disabled in the server configuration. This is due to the POODLE SSL vulnerability (CVE-2014-3566). For more information, see the Red Hat Knowledgebase solution Resolution for POODLE SSLv3.0 vulnerability.
22.3.2. firewall
The firewall Kickstart command is optional. It specifies the firewall configuration for the installed system.
- Syntax
  firewall --enabled|--disabled [incoming] [OPTIONS]
- Mandatory options
  - --enabled or --enable - Reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
  - --disabled or --disable - Do not configure any iptables rules.
- Optional options
  - --trust - Listing a device here, such as em1, allows all traffic coming to and from that device to go through the firewall. To list more than one device, use the option more times, such as --trust em1 --trust em2. Do not use a comma-separated format such as --trust em1, em2.
  - --remove-service - Close ports for a comma-separated list of services.
  - incoming - Replace with one or more of the following to allow the specified services through the firewall.
    - --ssh
    - --smtp
    - --http
    - --ftp
  - --port= - You can specify that ports be allowed through the firewall using the port:protocol format. For example, to allow IMAP access through your firewall, specify imap:tcp. Numeric ports can also be specified explicitly; for example, to allow UDP packets on port 1234 through, specify 1234:udp. To specify multiple ports, separate them by commas.
  - --service= - This option provides a higher-level way to allow services through the firewall. Some services (such as cups, avahi, and so on) require multiple ports to be open or other special configuration in order for the service to work. You can specify each individual port with the --port option, or specify --service= and open them all at once.
    Valid options are anything recognized by the firewall-offline-cmd program in the firewalld package. If the firewalld service is running, firewall-cmd --get-services provides a list of known service names.
  - --use-system-defaults - Do not configure the firewall at all. This option instructs anaconda to do nothing and allows the system to rely on the defaults that were provided with the package or ostree. If this option is used with other options, all other options are ignored.
22.3.3. group
The group Kickstart command is optional. It creates a new user group on the system.
- Syntax
  group --name=name [--gid=gid]
- Mandatory options
  - --name= - Provides the name of the group.
- Optional options
  - --gid= - The group’s GID. If not provided, defaults to the next available non-system GID.
- Notes
  - If a group with the given name or GID already exists, this command fails.
  - The user command can be used to create a new group for the newly created user.
22.3.4. keyboard
The keyboard Kickstart command is required. It sets one or more available keyboard layouts for the system. Use this command only once.
- Syntax
  keyboard --vckeymap|--xlayouts OPTIONS
- Options
  - --vckeymap= - Specify a VConsole keymap which should be used. Valid names correspond to the list of files in the /usr/lib/kbd/keymaps/xkb/ directory, without the .map.gz extension.
  - --xlayouts= - Specify a list of X layouts that should be used as a comma-separated list without spaces. Accepts values in the same format as setxkbmap(1), either in the layout format (such as cz), or in the layout (variant) format (such as cz (qwerty)).
    All available layouts can be viewed on the xkeyboard-config(7) man page under Layouts.
  - --switch= - Specify a list of layout-switching options (shortcuts for switching between multiple keyboard layouts). Multiple options must be separated by commas without spaces. Accepts values in the same format as setxkbmap(1).
    Available switching options can be viewed on the xkeyboard-config(7) man page under Options.
- Example
  The following example sets up two keyboard layouts (English (US) and Czech (qwerty)) using the --xlayouts= option, and allows switching between them using Alt+Shift:
  keyboard --xlayouts=us,'cz (qwerty)' --switch=grp:alt_shift_toggle
- Note
  - Either the --vckeymap= or the --xlayouts= option must be used.
22.3.5. lang
The lang Kickstart command is required. It sets the language to use during installation and the default language to use on the installed system. Use this command only once.
- Syntax
  lang language [--addsupport=language,...]
- Mandatory options
  - language - Install support for this language and set it as system default.
- Optional options
  - --addsupport= - Add support for additional languages. Takes the form of comma-separated list without spaces. For example:
    lang en_US --addsupport=cs_CZ,de_DE,en_UK
- Notes
  - The locale -a | grep _ or localectl list-locales | grep _ commands return a list of supported locales.
  - Certain languages (for example, Chinese, Japanese, Korean, and Indic languages) are not supported during text-mode installation. If you specify one of these languages with the lang command, the installation process continues in English, but the installed system uses your selection as its default language.
- Example
  To set the language to English, the Kickstart file should contain the following line:
  lang en_US
22.3.6. module
The module Kickstart command is optional. Use this command to enable a package module stream within the kickstart script.
- Syntax
  module --name=NAME [--stream=STREAM]
- Mandatory options
  - --name=: Specifies the name of the module to enable. Replace NAME with the actual name.
- Optional options
  - --stream=: Specifies the name of the module stream to enable. Replace STREAM with the actual name.
    You do not need to specify this option for modules with a default stream defined. For modules without a default stream, this option is mandatory and leaving it out results in an error. Enabling a module multiple times with different streams is not possible.
- Notes
  - Using a combination of this command and the %packages section allows you to install packages provided by the enabled module and stream combination, without specifying the module and stream explicitly. Modules must be enabled before package installation. After enabling a module with the module command, you can install the packages enabled by this module by listing them in the %packages section.
  - A single module command can enable only a single module and stream combination. To enable multiple modules, use multiple module commands. Enabling a module multiple times with different streams is not possible.
  - In Red Hat Enterprise Linux 10, modules are present only in the AppStream repository. To list available modules, use the dnf module list command on an installed Red Hat Enterprise Linux system with a valid subscription.
22.3.7. repo
The repo Kickstart command is optional. It configures additional dnf repositories that can be used as sources for package installation. You can add multiple repo lines.
- Syntax
  repo --name=repoid [--baseurl=url|--mirrorlist=url|--metalink=url] [OPTIONS]
- Mandatory options
  - --name= - The repository id. This option is required. If a repository has a name which conflicts with another previously added repository, it is ignored. Because the installation program uses a list of preset repositories, this means that you cannot add repositories with the same names as the preset ones.
- URL options
  These options are mutually exclusive and optional. The variables that can be used in dnf repository configuration files are not supported here. You can use the strings $releasever and $basearch which are replaced by the respective values in the URL.
  - --baseurl= - The URL to the repository.
  - --mirrorlist= - The URL pointing at a list of mirrors for the repository.
  - --metalink= - The URL with metalink for the repository.
- Optional options
  - --install - Save the provided repository configuration on the installed system in the /etc/yum.repos.d/ directory. Without using this option, a repository configured in a Kickstart file will only be available during the installation process, not on the installed system.
  - --cost= - An integer value to assign a cost to this repository. If multiple repositories provide the same packages, this number is used to prioritize which repository will be used before another. Repositories with a lower cost take priority over repositories with higher cost.
  - --excludepkgs= - A comma-separated list of package names that must not be pulled from this repository. This is useful if multiple repositories provide the same package and you want to make sure it comes from a particular repository. Both full package names (such as publican) and globs (such as gnome-*) are accepted.
  - --includepkgs= - A comma-separated list of package names and globs that are allowed to be pulled from this repository. Any other packages provided by the repository will be ignored. This is useful if you want to install just a single package or set of packages from a repository while excluding all other packages the repository provides.
  - --proxy=[protocol://][username[:password]@]host[:port] - Specify an HTTP/HTTPS/FTP proxy to use just for this repository. This setting does not affect any other repositories, nor how the install.img is fetched on HTTP installations.
  - --noverifyssl - Disable SSL verification when connecting to an HTTPS server.
- Note
  - Repositories used for installation must be stable. The installation can fail if a repository is modified before the installation concludes.
22.3.8. rootpw
The rootpw Kickstart command is required. It sets the system’s root password to the password argument. Use this command only once.
- Syntax
  rootpw [--iscrypted|--plaintext] [--lock] password
- Mandatory options
  - password - Password specification. Either plain text or encrypted string. See --iscrypted and --plaintext below.
- Optional options
  - --iscrypted - If this option is present, the password argument is assumed to already be encrypted. This option is mutually exclusive with --plaintext. To create an encrypted password, you can use python:
    $ python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
    This generates a sha512 crypt-compatible hash of your password by using a random salt.
  - --plaintext - If this option is present, the password argument is assumed to be in plain text. This option is mutually exclusive with --iscrypted.
  - --lock - If this option is present, the root account is locked by default. This means that the root user will not be able to log in from the console. This option will also disable the Root Password screens in both the graphical and text-based manual installation.
  - --allow-ssh - If this option is present, the root user can log in to the system by using SSH with a password.
22.3.9. selinux
The selinux Kickstart command is optional. It sets the state of SELinux on the installed system. The default SELinux policy is enforcing. Use this command only once.
- Syntax
  selinux [--disabled|--enforcing|--permissive]
- Options
  - --enforcing - Enables SELinux with the default targeted policy being enforcing.
  - --permissive - Outputs warnings based on the SELinux policy, but does not actually enforce the policy.
  - --disabled - Disables SELinux completely on the system.
22.3.10. services
The services Kickstart command is optional. It modifies the default set of services that will run under the default systemd target. The list of disabled services is processed before the list of enabled services. Therefore, if a service appears on both lists, it will be enabled.
- Syntax
  services [--disabled=list] [--enabled=list]
- Options
  - --disabled= - Disable the services given in the comma separated list.
  - --enabled= - Enable the services given in the comma separated list.
- Notes
  - When using the services element to enable systemd services, ensure you include packages containing the specified service file in the %packages section.
  - Multiple services should be included separated by comma, without any spaces. For example, to disable four services, enter:
    services --disabled=auditd,cups,smartd,nfslock
    If you include any spaces, Kickstart enables or disables only the services up to the first space. For example:
    services --disabled=auditd, cups, smartd, nfslock
    That disables only the auditd service. To disable all four services, this entry must include no spaces.
22.3.11. skipx
The skipx Kickstart command is optional. If present, the system is configured to boot in text mode. Use this command only once. This command has no options.
- Syntax
skipx
22.3.12. sshkey
The sshkey Kickstart command is optional. It adds an SSH public key to the authorized_keys file of the specified user on the installed system.
- Syntax
  sshkey --username=user "ssh_key"
- Mandatory options
  - --username= - The user for which the key will be installed.
  - ssh_key - The complete SSH public key. It must be wrapped with quotes.
22.3.13. syspurpose
The syspurpose Kickstart command is optional. Use it to set the system purpose which describes how the system will be used after installation. This information helps apply the correct subscription entitlement to the system. Use this command only once.
Red Hat Enterprise Linux 9.0 and later enables you to manage and display system purpose attributes with a single module by making the role, service-level, usage, and addons subcommands available under one subscription-manager syspurpose module. Previously, system administrators used one of four standalone syspurpose commands to manage each attribute. This standalone syspurpose command is deprecated starting with RHEL 9.0 and is planned to be removed in a release after RHEL 9. Red Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements. Starting with RHEL 9, the single subscription-manager syspurpose command and its associated subcommands are the only way to use system purpose. Note that these changes only apply to the command line tools for system purpose configuration used on installed systems and do not influence the functionality of the syspurpose Kickstart command.
- Syntax
  syspurpose [OPTIONS]
- Options
  - --role= - Set the intended system role. Available values are:
    - Red Hat Enterprise Linux Server
    - Red Hat Enterprise Linux Workstation
    - Red Hat Enterprise Linux Compute Node
  - --sla= - Set the Service Level Agreement. Available values are:
    - Premium
    - Standard
    - Self-Support
  - --usage= - The intended usage of the system. Available values are:
    - Production
    - Disaster Recovery
    - Development/Test
- Notes
  - Enter the values with spaces and enclose them in double quotes:
    syspurpose --role="Red Hat Enterprise Linux Server"
  - While it is strongly recommended that you configure System Purpose, it is an optional feature of the Red Hat Enterprise Linux installation program.
  - Additional values might be used based on how subscriptions are configured for the given account.
22.3.14. timezone
The timezone Kickstart command is required. It sets the system time zone. Use this command only once.
- Syntax
  timezone timezone [OPTIONS]
- Mandatory options
  - timezone - The time zone to set for the system.
- Optional options
  - --utc - If present, the system assumes the hardware clock is set to UTC (Greenwich Mean) time.
- Note
  - In Red Hat Enterprise Linux 10, time zone names are validated using the pytz.all_timezones list, provided by the pytz package. In previous releases, the names were validated against pytz.common_timezones, which is a subset of the currently used list. Note that the graphical and text mode interfaces still use the more restricted pytz.common_timezones list; you must use a Kickstart file to use additional time zone definitions.
22.3.15. timesource
The timesource Kickstart command is optional. Use it to set NTP, NTS servers, and pools that provide time data, as well as control whether NTP services are enabled or disabled on the system.
- Syntax
  timesource [--ntp-server NTP_SERVER | --ntp-pool NTP_POOL | --ntp-disable] [--nts]
- Mandatory options
  It is mandatory to specify one of the following options when you use the timesource command:
  - --ntp-server - Adds one NTP server as a time source. This option can be added only once to a single command in order to add one NTP time source server. To add multiple sources, add multiple timesource commands, each with a single --ntp-server or --ntp-pool option. For example, to add multiple sources for the Europe time zone:
    timezone Europe
    timesource --ntp-server 0.rhel.pool.ntp.org
    timesource --ntp-server 1.rhel.pool.ntp.org
    timesource --ntp-server 2.rhel.pool.ntp.org
  - --ntp-pool - Adds an NTP server pool as a time source. This option can be added only once to add a single NTP time source pool. Repeat the timesource command to add multiple sources.
  - --ntp-disable - Disables NTP time sources for the installed system.
- Optional options
  - --nts - The server or pool added with this command uses the NTS protocol. Note that this option can be added even with --ntp-disable, but it has no effect.
22.3.16. user
The user Kickstart command is optional. It creates a new user on the system.
- Syntax
  user --name=username [OPTIONS]
- Mandatory options
  - --name= - Provides the name of the user. This option is required.
- Optional options
  - --gecos= - Provides the GECOS information for the user. This is a string of various system-specific fields separated by a comma. It is frequently used to specify the user’s full name, office number, and so on. See the passwd(5) man page for more details.
  - --groups= - In addition to the default group, a comma separated list of group names the user should belong to. The groups must exist before the user account is created. See the group command.
  - --homedir= - The home directory for the user. If not provided, this defaults to /home/username.
  - --lock - If this option is present, this account is locked by default. This means that the user will not be able to log in from the console. This option will also disable the Create User screens in both the graphical and text-based manual installation.
  - --password= - The new user’s password. If not provided, the account will be locked by default.
  - --iscrypted - If this option is present, the password argument is assumed to already be encrypted. This option is mutually exclusive with --plaintext. To create an encrypted password, you can use python:
    $ python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
    This generates a sha512 crypt-compatible hash of your password by using a random salt.
  - --plaintext - If this option is present, the password argument is assumed to be in plain text. This option is mutually exclusive with --iscrypted.
  - --shell= - The user’s login shell. If not provided, the system default is used.
  - --uid= - The user’s UID (User ID). If not provided, this defaults to the next available non-system UID.
  - --gid= - The GID (Group ID) to be used for the user’s group. If not provided, this defaults to the next available non-system group ID.
- Notes
  - Consider using the --uid and --gid options to set IDs of regular users and their default groups in a range starting at 5000 instead of 1000. That is because the range reserved for system users and groups, 0-999, might increase in the future and thus overlap with IDs of regular users.
  - Files and directories are created with various permissions, dictated by the application used to create the file or directory. For example, the mkdir command creates directories with all permissions enabled. However, applications are prevented from granting certain permissions to newly created files, as specified by the user file-creation mask setting.
    The user file-creation mask can be controlled with the umask command. The default setting of the user file-creation mask for new users is defined by the UMASK variable in the /etc/login.defs configuration file on the installed system. If unset, it defaults to 022. This means that by default when an application creates a file, it is prevented from granting write permission to users other than the owner of the file. However, this can be overridden by other settings or scripts.
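
A pre-deployment review of a Kickstart file for the options described in this section that switch off a protection or leave a secret in the file: firewall --disabled, repo --noverifyssl, rootpw and user passwords without --iscrypted, rootpw --allow-ssh, selinux --disabled or --permissive, and spaces inside a services list. This is an added example, not part of the Red Hat documentation or the installation program; the function names and the sample file are constructed here, and treating a password without --iscrypted as plain text is an assumption of the example.

```python
import shlex

# Constructed sample Kickstart lines (not from the page); hosts and passwords are placeholders.
SAMPLE = """\
firewall --disabled
repo --name=extras --baseurl=https://repo.example.com/extras --noverifyssl
rootpw --plaintext --allow-ssh changeme
selinux --permissive
services --disabled=auditd, cups, smartd, nfslock
user --name=deploy --password=changeme
"""

def has(args, *flags):
    """True if any of the flags appears as '--flag' or '--flag=value'."""
    return any(a.split("=", 1)[0] in flags for a in args)

def check(cmd, args):
    """Return review messages for one Kickstart command line."""
    out = []
    if cmd == "firewall" and has(args, "--disabled", "--disable"):
        out.append("firewall is disabled on the installed system")
    elif cmd == "repo" and has(args, "--noverifyssl"):
        out.append("HTTPS certificate verification is off for this repository")
    elif cmd == "selinux" and has(args, "--disabled", "--permissive"):
        out.append("SELinux policy is not enforced")
    elif cmd == "services" and any(a.startswith(",") or a.endswith(",") for a in args):
        out.append("space in service list: only entries before the first space apply")
    elif cmd in ("rootpw", "user"):
        # rootpw takes the password as a positional argument, user as --password=.
        has_pw = has(args, "--password") if cmd == "user" else any(
            not a.startswith("--") for a in args)
        # Assumption (not stated on the page): without --iscrypted the value is plain text.
        if has_pw and not has(args, "--iscrypted"):
            out.append("password is stored in the Kickstart file as plain text")
        if cmd == "rootpw" and has(args, "--allow-ssh"):
            out.append("root can log in over SSH with a password")
    return out

def audit_kickstart(text):
    """Return (line_number, command, message) for each finding in the command section."""
    findings, in_section = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            # Bodies of %packages, %pre, %post and so on (up to %end) are not commands.
            word = line.split()[0]
            if word not in ("%include", "%ksappend"):
                in_section = word != "%end"
            continue
        if in_section:
            continue
        try:
            cmd, *args = shlex.split(line)
        except ValueError:
            findings.append((lineno, line.split()[0], "unbalanced quotes"))
            continue
        findings.extend((lineno, cmd, msg) for msg in check(cmd, args))
    return findings

if __name__ == "__main__":
    print(*audit_kickstart(SAMPLE), sep="\n")
```
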
22.3.17. xconfig
The xconfig Kickstart command is optional. If used with the --startxonboot option it configures the installed system to start in graphical mode. Use this command only once.
- Syntax
  xconfig [--startxonboot]
- Options
  - --startxonboot - Use a graphical login on the installed system.
- Note
  - Because Red Hat Enterprise Linux 10 does not include the KDE Desktop Environment, do not use the --defaultdesktop= option documented upstream.