From d48cf146f49e3494502088dadf265ea686f7c810 Mon Sep 17 00:00:00 2001
From: josh
Date: Sat, 18 Apr 2026 15:41:46 -0400
Subject: [PATCH] live-image: mask systemd-firstboot at image-build time
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Belt-and-braces for the kernel-cmdline systemd.firstboot=off fix. mkosi ships /etc/machine-id empty, which triggers firstboot's interactive locale/timezone/root-password prompt on every PXE boot; with the agent running unattended there's nobody to answer and sysinit.target blocks indefinitely. Mask via a /dev/null symlink in /etc/systemd/system so the service is unstartable regardless of cmdline — rules out the failure mode where an older orchestrator binary serves an iPXE script without the off-switch arg.
---
 live-image/mkosi.postinst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/live-image/mkosi.postinst b/live-image/mkosi.postinst
index e301a0e..316805f 100755
--- a/live-image/mkosi.postinst
+++ b/live-image/mkosi.postinst
@@ -9,6 +9,15 @@ mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
 ln -sf /etc/systemd/system/vetting-agent.service \
   "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"
+# Mask systemd-firstboot.service so the image never prompts for
+# locale/timezone/root-password on boot, regardless of kernel cmdline.
+# mkosi ships /etc/machine-id empty, which is what triggers the
+# wizard; without this mask the service blocks sysinit.target
+# indefinitely and nothing downstream (agent, ssh, network-online)
+# ever starts. Kernel-cmdline systemd.firstboot=off is belt; this
+# is braces.
+ln -sf /dev/null "$BUILDROOT/etc/systemd/system/systemd-firstboot.service"
+
 # Bootable=no means mkosi won't run update-initramfs for us, and the
 # deferred initramfs-tools trigger inside the chroot doesn't actually
 # generate /boot/initrd.img-. Do it explicitly so the top-level
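Review bot: The mask on the new `ln -sf /dev/null` line also switches off systemd-firstboot's non-interactive provisioning path, so any later attempt to set the root password, locale or timezone through systemd credentials on the PXE cmdline (e.g. `passwd.hashed-password.root` or `firstboot.locale`; which of these the image's systemd version honours should be confirmed) would be silently ignored, and the added comment should record that, e.g. `# NOTE: this also disables firstboot's credential-based provisioning; root account and locale are fixed at image-build time in the mkosi config.` The `$BUILDROOT` prefix on this line is unguarded, as on the existing symlink lines; unless the script header (outside the hunk) sets `-u` or `: "${BUILDROOT:?}"`, an empty variable would mask the unit on the build host instead of inside the image. The comment's claim that an empty /etc/machine-id is what triggers the wizard is version-dependent (absent, empty and `uninitialized` have not always been treated alike), so it is worth checking against the systemd mkosi actually installs before relying on it as the explanation.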