RHEL8 change root password now it hangs at boot

Latest response

Hi all

I am studying the RHCSA and practicing changing root password.

I got an RHEL8 VM on vmware workstation on win10.

So I reboot my vm, insert rd.break into grub, mounts the sysroot, chroot into sysroot, and passwd the new root password, and it all seems to be going fine. I got the successful password token updated message.

then I exit out the shell and reboot on the cmd line, and the VM seems to hang at the screenshot I have attached.

It is a brand new VM, I haven't done anything special to it, everything is the factory default. no selinux. and when I try to ssh into it with my user id (not the root one) it always says my password is wrong (though I think this might be more because my vm isn't fully started yet).

change root pwd and vm hangs

Even a reboot of the vm (from vmware) doesn't work, it just hangs at a different place.

change root pwd and now vm hangs 2

I don't understand why this is happening.

Responses

selinux is enabled by default when you install rhel7/8 . there isnt any option i could find that allows you to disable this. that being said, i tried to reproduce this on rhel8 but couldnt. my system came back up normally but the new root password did not take effect (because selinux is on by default). since this is a new vm, i would retry the break-in process again to see if it works, if not just reinstall the vm.

Hi, you are using Red Hat 7/8 then you can use the rd.break with space enforcing=0 for disable Linux security. after break password you can use restorecon -v /etc/shadow and then you can run stenforce 1 . I hope after that your system are not hanged.

... then you can run setenforce 1...

small error correction

rd.break enforcing=0 worked for me to see booting up then logged in with root and restorecon -v /etc/shadow.

difference was, shadow file got unlabelled after resetting root password & restoring selinux context on shadow file it labled with shadow_t.

you can also remove 'rhgb quiet' for a more verbose output on the screen

You need to perform:

touch /.autorelabel

after the password change, then restart the VM

Would be nice to know if the RHEL7 procedure works on RHEL8.

Changing and Resetting the Root Password in Red Hat Enterprise Linux 7 System Administrator's Guide.

Yes, it works on RHEL 8.

thank you

Another link (not RH) with what looks like a clear procedure to reset a lost root pass on rhel8

To the original poster Junzhe Zou, please re-read what ir. Jan Gerrit Kootstra wrote above.

Regards

RJ

Why does the the context get messed up on the /etc/shadow file?

I tried to boot with the rd.break then do a ls -lZ /sysroot/etc/shadow and received the following, ---------- 1 root root ? 925 Aug 1 02:20 /sysroot/etc/shadow

I am assuming the ? is because SELinux is disabled in this mode. Which brings up two questions, 1) why is the file context getting lost, is passwd creating a new file, then replacing the old one? 2) at what point in the boot process is SELinux enabled?

I found the answers to my questions here https://serverfault.com/questions/936174/selinux-reset-root-password

Hello, just FYI, the use case of Changing and resetting the root password is now covered in Red Hat documentation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-users-groups-permissions_configuring-basic-system-settings?lb_target=stage#changing-and-resetting-the-root-password_managing-users-groups-permissions

If your system got stuck after changing password without taking care of SELinux then you can try different approach - take care of SELinux and load policies before changing the password. The full procedure is descibed below:

First: Reboot. Before system starts - in bootloader - edit config. Change line starting with linux... you can (optionally) remove rhgb quiet at the end and you must add this at the end: rd.break then press Ctrl-X to boot. After emergency booting run following commands:

# 1. You are in initramfs filesystem so change to normal root partition which is under /sysroot
chroot /sysroot
# 2. Remount the partition as writeable. You also see options in 'man mount' , search for 'readonly'
mount -o remount,rw /
# 3. Load SELinux policies (otherwise /etc/shadow will lose SELinux security context and will be unusable on normal boot)
/usr/sbin/load_policy -i
# 4. Not really needed but it will actually show you next mount command to type
ps -Z
# 5. Mount proc filesystem - this command is shown by previous 'ps'
mount -t proc proc /proc
# 6. Finally you can change the password now
passwd
# 7. Next line is not mandatory but recommended in case you need to forcefully power-off or restart the machine later
sync; mount -o remount,ro /
# 8. Exit from chroot
exit
# 9. Reboot system to let it start normally. It may take a little while. You can also force restart with (remote) power-button if it takes too long.
reboot -f

Dear Marie Hornickova, I tried below given link but unfortunately it is not working. Showing "404 Page not found" message. Kindly help if you have any new url to get respective information.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-users-groups-permissions_configuring-basic-system-settings?lb_target=stage#changing-and-resetting-the-root-password_managing-users-groups-permissions

Hi Nikhil, yes, the title Configuring basic system settings has been restructured. That's why the link stopped working. Here is the new link: Changing and resetting the root password. Hope it'll work for you. Thank you!

Dear Krzysztof Pfaff,

I followed all the steps mentioned but i am still getting same error "Failed to start User Manager for UID 42" and not able to login. Kindly help further.

Thanks, Nikhil

What user is under uid 42? Any special service? Maybe it needs additional SELinux rules? I would look in journal for error messages with services (related to uid 42 user) and search the web for "Failed to start User Manager" Check also here (further entry where someone was changing /etc/passwd permissions): https://askubuntu.com/questions/1037922/ubuntu-18-04-hangs-on-booting-with-message-started-user-manager-for-uid-120-on

Same issue as the original post happened to me today. I am practicing for RHCSA EX200 exam the lost root password recovery on a RHEL8 VM (cloned) in VBox . Link photo https://imgur.com/FEffQuH . I followed this procedure here (mentioned at the comment above on 30 November 2020 8:30 AM) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/changing-and-resetting-the-root-password-from-the-command-line_configuring-basic-system-settings to recover lost root password (but performed step 6 and then step 5 - my guide book is like this). The thing is the first time I tried this procedure (1 month ago) it worked fine. I have another two VMs to try on, one obtained from RHEL8 ISO installation and another one obtained by cloning the first one. Would anyone have any solution to solve this?

Yener Azis,

You mentioned you cloned your system in VMware.

  • Cloning a system without changing some important things can cause issues for either or both of the systems (the one you cloned from, and it's clone). For example, the newly cloned system will have the same "host keys" under /etc/ssh/*key files.
  • If you need a second system, it's better not to clone a system but to build a fresh system from scratch.
  • You may end up with the same IP and MAC address as well, which can cause you issues.
  • Remember to do as Jan Gerrit above recommended with touch /.autorelabel
  • I realize you say in your post above that the system worked for you a month ago, however having two systems that are essentially identical can give you seriously weird issues.
  • I recommend you also register if you can at learn.redhat.com which is the learning community. They have some topics directly on this subject.

Please highly consider turning off the clone system, and build a fresh one from scratch, or at least run sys-unconfig as a minimum. I believe you're going to have some big issues with a cloned system. I recommend you build a fresh system for every system you need unless you really scrub the cloned system to make it unique from the other one.

Kind Regards,
RJ

Hi All, anyone was able to solve this issue? Apparently it is related to SELinux, but couldn't figure out how to solve it.

Regards, Łukasz

I reply to myself :)

I was able to fix it with manually chaining SELinux context: loady-policy -i chcon -t shadow_t /etc/shadow

It seems that autorelabeling didn't work in my case

There are other options listed above, such as the documentation link from a Red-Hatter, and also this:

This was provided by a Red-Hatter - yet the source and solution is no longer available.

1. At the beginning of the boot process, at the GRUB 2 menu (Kernel list), type the e key to edit the kernel 
2.Move down to the kernel line (the line starting with linux16) 
3.Remove rhgb quiet using the backspace key.
4.Add rd.break enforcing=0
NOTE: you might have to make "console=tty0" in step 4 as well depending if it's virtual or not, and other factors 
5.Press Ctrl x to resume the boot process.
NOTE: instead of doing #6 below, instead at step #3 above, change "ro" to "rw" in the grub line 

6.# mount –o remount,rw /sysroot 
7.# chroot /sysroot 
8.# passwd 
9.Retype the password 
10.Type exit twice to continue the boot process 
11.Log in as root 
12.# restorecon -Rv /etc/shadow 
13.# setenforce 1

Regards,
RJ

Unfortunately on some hw platforms (ex. thinkpad P1 with RHEL8) Ctrl+x is not working in grub editing mode. In my case, I had to upgrade P1 firmware. Pressing F10 sometimes helps to proceed with the boot process too. hth