Note: This is a critical RHCSA 7 exam objective (if you can’t take control of a VM through a reboot at the beginning of the exam, you will fail it entirely).
In RHEL 7, the procedure to get access to a system during the boot process and modify the root password has changed because of the adoption of Systemd.
There were several procedures floating around to recover the root password. Some were working with physical servers but not with virtual machines, some the other way around.
The following procedure works all the time.
At the beginning of the boot process, at the GRUB 2 menu, type the e key to edit.
Then, go to the kernel line (the line starting with linux16) and add the following statements at the end:
Caution: The keys to press are those of a US keyboard (querty).
Note: rd.break asks for a break at an early stage of the boot process. enforcing=0 puts the system into SELinux Permissive mode. Don’t confuse with selinux=0 that completely disables SELinux.
Press Ctrl x to resume the boot process.
Then, mount the /sysroot partition as read/write:
switch_root:/# mount –o remount,rw /sysroot
Execute the chroot command on the /sysroot partition:
switch_root:/# chroot /sysroot
Change the root password:
sh-4.2# passwd root Changing password for user root. New passwd:
mypasswordRetype new password: mypasswordpasswd: all authentication token updated successfully. sh-4.2# exit exit switch_root:/# exit logout
Connect to your server at the console (don’t reboot now!) with the root user and the new password:
... [ OK ] Started Network Manager Script Dispatcher Service. [ OK ] Started Crash recovery kernel arming. [ OK ] Reached target Multi-User System. CentOS Linux 7 (Core) Kernel 3.10.0-229.14.1.el7.x86_64 on an x86_64 vm login: root Password:
# restorecon /etc/shadow # reboot
If you strictly follow this procedure, you don’t need to force a SELinux relabel (# touch /.autorelabel or # fixfiles onboot) or load the SELinux policy (# /usr/sbin/load_policy -i).
You don’t even need to reboot at the end! In this case, type # setenforce enforcing
For the RHCSA exam, you need to intensely practice this procedure.
Thanks to salvador and hunter86_bg for their precious comments.
Note: When dealing with boot problems, the following options can be added to the kernel command line, bringing additional information:
rd.debug rd.udev.debug systems.log_level=debug
Ralph Nyberg‘s video about recovering root access (15min/2015) explains the procedure very well.
Fedora Documentation‘s got a page about Resetting the root password.
There is also a documentation available for the Anaconda Boot Options.
As there is more than one way to do it, a page describes several ways to reset the root password.
Also, there is a Serverfault question discussing SELinux problems that may happen when resetting the root password.