RHEV-H: How to change root password

Latest response

How do I change the root password on a RHEV hypervisor?

Responses

you change the admin password, log in as admin, and press F2 to get a root shell. 

I know that I have done this on my other hypervisors.
However, running passwd as root and entering the password doesn't work.
The error I get:

passwd: Authentication token manipulation error

Something might have changed between RHEV-H versions?

again, you are not supposed to work as the root user in RHEV-H, only as the admin, with the option to get a root shell when you need it. Direct root acces sis not supported, if you need to work as root, you can use a full RHEL host as the hypervisor

I understand that it's not supported. But not being able to change root password seems wrong, even if using the root account isn't supported.

I am not sure I understand, really. We do not support using a root account, and the account is limited specifically because of that. RHEV-H is not a complete Linux distribution, but an appliance-like bundle, that does not and should not behave like a normal Linux distribution. RHEV-H is supposed to work with a RHEV-Manager, and run VMs, nothing else, so any additional functionality that it is missing (like the yum command, or the way the root account works) is quite normal for RHEV-H

I do understand the reasons why root account shouldn't be used.
But I don't understand the logic of being able to set a password for root, but not change it, that's all.

thing is, you're not setting a password for root, you're setting a password for "admin" (in the TUI interface), and the admin user can access a root shell

But I am able to login as root via SSH with password, so something sets the root password.
I used an old RHEV-H iso, and then I did an upgrade the the newest one. It might be a bug in the older version that caused the root password to be set from the TUI?

Login as admin. In the TUI, go to RHEV-M and set the password in there. That is your root password.

Hi Pär, It certainly can be done from the console, and I can certainly understand why, especially if you have security policies that say it must be done every X days. Just remember that ssh'ing into the hypervisor (except to access the text menu as the admin user) isn't generally recommended. The kicker is that in the hypervisor/LiveOS environment, it isn't trivial to change the passwords with chpasswd or passwd, as the method that PAM uses to update /etc/shadow, creates a file /etc/nshadow, then moves /etc/nshadow to /etc/shadow (this is to try and prevent corruption if you happen to lose power at the exactly wrong moment). What we need to do is sync the filesystems, unpersist, make the changes, and then repersist the /etc/shadow file, so it survives a reboot. The following code is an example of how you could do it as a script:

#!/bin/bash
. /usr/libexec/ovirt-functions

sync
unmount_config /etc/shadow
echo 'admin:mynewpassword | chpasswd
ovirt_store_config /etc/shadow
sync

From at the console point of view, the equivalent should be:

# sync
# unpersist /etc/shadow
# passwd 
# persist /etc/shadow
# sync

Let us know how you go.

If you need to change/set the root password, you can drop to a shell and run /usr/libexec/ovirt-config-password.  It's a slightly cleaner solution than following the steps that Nigel proposes, which will work, but a simpler option.

There are a few ways that the root password can be set.

1.  Run the ovirt-config-password script

2.  Install/Boot with the rootpw=<hashed password> option

3.  Fill in the password on the RHEV-M configuration screen.

 

As for password based ssh, that is disabled by default, unless you set the password on the RHEV-M screen or enable it manually on the Security screen.  

 

If you simply fill out the RHEV-M hostname and port and ignore the password entry, then the root password won't be set and password is only allowed with ssh keys.

 

Mike

Thank you, this was the information I was looking for.

[root@rhev-h ~]# ovirt-node-config-password

Password Configuration

Possible commands:
admin Set the password of the user 'admin'
help Show this help. [help --all to show all available functions]
q Quit this tool
quit Quit this tool
root Set the password of the user 'root'
ssh Enable or disable the SSH password authentication

[INFO] SSH password authentication is currently enabled

root

Password Configuration

System Administrator (root):

Changing password for user 'root'.
New password:
Retype new Password:
[WARNING] File already persisted: /etc/shadow
[WARNING] /etc/shadow Already persisted
[INFO] Password updated successfully.

q

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.