25.10. Terminal Menu Editing During Boot

Menu entries can be modified and arguments passed to the kernel on boot. This is done using the menu entry editor interface, which is triggered when pressing the e key on a selected menu entry in the boot loader menu. The Esc key discards any changes and reloads the standard menu interface. The c key loads the command line interface.
The command line interface is the most basic GRUB 2 interface, but it is also the one that grants the most control. The command line makes it possible to type any relevant GRUB 2 commands followed by the Enter key to execute them. This interface features some advanced features similar to shell, including Tab key completion based on context, and Ctrl+a to move to the beginning of a line and Ctrl+e to move to the end of a line. In addition, the arrow, Home, End, and Delete keys work as they do in the bash shell.

25.10.1. Booting to Rescue Mode

Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a normal booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. In Red Hat Enterprise Linux 7, rescue mode is equivalent to single user mode and requires the root password.
  1. To enter rescue mode during boot, on the GRUB 2 boot screen, press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems: 
    systemd.unit=rescue.target
    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
    Note that equivalent parameters, 1, s, and single, can be passed to the kernel as well.
  3. Press Ctrl+x to boot the system with the parameter.

25.10.2. Booting to Emergency Mode

Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and only starts few essential services. In Red Hat Enterprise Linux 7, emergency mode requires the root password.
  1. To enter emergency mode, on the GRUB 2 boot screen, press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems: 
    systemd.unit=emergency.target
    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
    Note that equivalent parameters, emergency and -b, can be passed to the kernel as well.
  3. Press Ctrl+x to boot the system with the parameter.

25.10.3. Booting to the Debug Shell

The systemd debug shell provides a shell very early in the startup process that can be used to diagnose systemd related boot-up problems. Once in the debug shell, systemctl commands such as systemctl list-jobs, and systemctl list-units can be used to look for the cause of boot problems. In addition, the debug option can be added to the kernel command line to increase the number of log messages. For systemd, the kernel command-line option debug is now a shortcut for systemd.log_level=debug.

Procedure 25.4. Adding the Debug Shell Command

To activate the debug shell only for this session, proceed as follows:
  1. On the GRUB 2 boot screen, move the cursor to the menu entry you want to edit and press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems: 
    systemd.debug-shell
    Optionally add the debug option.
    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
  3. Press Ctrl+x to boot the system with the parameter.
If required, the debug shell can be set to start on every boot by enabling it with the systemctl enable debug-shell command. Alternatively, the grubby tool can be used to make persistent changes to the kernel command line in the GRUB 2 menu. See Section 25.4, “Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool” for more information on using grubby.

Warning

Permanently enabling the debug shell is a security risk because no authentication is required to use it. Disable it when the debugging session has ended.

Procedure 25.5. Connecting to the Debug Shell

During the boot process, the systemd-debug-generator will configure the debug shell on TTY9.
  1. Press Ctrl+Alt+F9 to connect to the debug shell. If working with a virtual machine, sending this key combination requires support from the virtualization application. For example, if using Virtual Machine Manager, select Send KeyCtrl+Alt+F9 from the menu.
  2. The debug shell does not require authentication, therefore a prompt similar to the following should be seen on TTY9: [root@localhost /]#
  3. If required, to verify you are in the debug shell, enter a command as follows: 
    /]# systemctl status $$
● debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
   Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2015-08-05 11:01:48 EDT; 2min ago
     Docs: man:sushell(8)
 Main PID: 450 (bash)
   CGroup: /system.slice/debug-shell.service
           ├─ 450 /bin/bash
           └─1791 systemctl status 450
  4. To return to the default shell, if the boot succeeded, press Ctrl+Alt+F1.
To diagnose start up problems, certain systemd units can be masked by adding systemd.mask=unit_name one or more times on the kernel command line. To start additional processes during the boot process, add systemd.wants=unit_name to the kernel command line. The systemd-debug-generator(8) manual page describes these options.

25.10.4. Changing and Resetting the Root Password

Setting up the root password is a mandatory part of the Red Hat Enterprise Linux 7 installation. If you forget or lose the root password it is possible to reset it, however users who are members of the wheel group can change the root password as follows: 
~]$ sudo passwd root
Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.
Two procedures for resetting the root password are shown here:
  • Procedure 25.6, “Resetting the Root Password Using an Installation Disk” takes you to a shell prompt, without having to edit the GRUB 2 menu. It is the shorter of the two procedures and it is also the recommended method. You can use a boot disk or a normal Red Hat Enterprise Linux 7 installation disk.
  • Procedure 25.7, “Resetting the Root Password Using rd.break” makes use of rd.break to interrupt the boot process before control is passed from initramfs to systemd. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB 2 menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for /etc/shadow/ when the boot completes.

Procedure 25.6. Resetting the Root Password Using an Installation Disk

  1. Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
  2. Choose Troubleshooting.
  3. Choose Rescue a Red Hat Enterprise Linux System.
  4. Choose Continue which is the default option. At this point you will be promoted for a passphrase if an encrypted file system is found.
  5. Press OK to acknowledge the information displayed until the shell prompt appears.
  6. Change the file system root as follows: 
    sh-4.2# chroot /mnt/sysimage
  7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
  8. Remove the autorelable file to prevent a time consuming SELinux relabel of the disk: 
    sh-4.2# rm -f /.autorelabel
  9. Enter the exit command to exit the chroot environment.
  10. Enter the exit command again to resume the initialization and finish the system boot.

Procedure 25.7. Resetting the Root Password Using rd.break

  1. Start the system and, on the GRUB 2 boot screen, press the e key for edit.
  2. Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.
    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

    Important

    The rhgb and quiet parameters must be removed in order to enable system messages.
  3. Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems: 
    rd.break enforcing=0
    Adding the enforcing=0 option enables omitting the time consuming SELinux relabeling process.
    The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.
    Note that the initramfs prompt will appear on the last console specified on the Linux line.
  4. Press Ctrl+x to boot the system with the changed parameters.
    With an encrypted file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
    The initramfs switch_root prompt appears.
  5. The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.
    Remount the file system as writable: 
    switch_root:/# mount -o remount,rw /sysroot
  6. The file system is remounted with write enabled.
    Change the file system's root as follows: 
    switch_root:/# chroot /sysroot
    The prompt changes to sh-4.2#.
  7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
    Note that if the system is not writable, the passwd tool fails with the following error: 
    Authentication token manipulation error
  8. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command: 
    sh-4.2# touch /.autorelabel
    Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.
  9. Remount the file system as read only: 
    sh-4.2# mount -o remount,ro /
  10. Enter the exit command to exit the chroot environment.
  11. Enter the exit command again to resume the initialization and finish the system boot.
    With an encrypted file system, a pass word or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

    Note

    Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.
  12. If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file's SELinux security context: 
    ~]# restorecon /etc/shadow
    Enter the following commands to turn SELinux policy enforcement back on and verify that it is on: 
    ~]# setenforce 1
~]# getenforce
Enforcing