How do I install the QCOW2 image provided in the RHEL downloads?

Solution Verified - Updated -


  • Red Hat Enterprise Linux QCOW2 image
  • Red Hat OpenStack Platform
  • Red Hat Enterprise Linux 6, 7 or 8 KVM Hypervisor


  • What is a QCOW2 image and what is it used for?
  • How do Red Hat products support importing of QCOW2 images?
  • I don't know what the root password is for the image provided, and I'd like to change it.


What is QCOW2?

QCOW2 is a storage format for virtual disks. QCOW stands for QEMU copy-on-write. The QCOW2 format decouples the physical storage layer from the virtual layer by adding a mapping between logical and physical blocks. Each logical block is mapped to its physical offset, which enables storage over-commitment and virtual machine snapshots, where each QCOW volume only represents changes made to an underlying virtual disk.

The initial mapping points all logical blocks to the offsets in the backing file or volume. When a virtual machine writes data to a QCOW2 volume after a snapshot, the relevant block is read from the backing volume, modified with the new information and written into a new snapshot QCOW2 volume. Then the map is updated to point to the new place.

How can I use the Red Hat Enterprise Linux QCOW2 image?

The Red Hat Enterprise Linux QCOW2 images (example:  RHEL 7 QCOW2 image) are for use with Red Hat Enterprise Linux OpenStack Platform, or Red Hat Enterprise Linux 6, 7 or 8 KVM hypervisors.  The images are configured with cloud-init to take advantage of ec2-compatible metadata services for provisioning ssh keys in order to function properly.

Red Hat Enterprise Linux OpenStack Platform is the preferred cloud environment for utilizing QCOW2 images.

Red Hat OpenStack Platform

How do I change/update the root password of the QCOW2 image?

  • The root account in the image is locked.  The image's /etc/shadow file has "!!" in the root user's second field.
  • Sudo access is granted to a special user named cloud-user.

For an OpenStack instance, we recommend that one generates a ssh keypair from the OpenStack dashboard or command line and use that key combination to perform a ssh public authentication to the instance as root.

When the instance is launched, this public key will be injected to it.  One can then authenticate using the private key downloaded while creating the keypair.

Hard requirements on root passwords

If one still needs to set a root password, please execute:

# virt-customize -a <qcow2 image file name> --root-password password:<password>
[   0.0] Examining the guest ...
[  13.8] Setting a random seed
[  13.8] Setting passwords
[  14.5] Finishing off

Alternatively, one can use guestfish to edit the disk image's /etc/shadow file, directly.  Note in the below example, the file system containing /etc/shadow is /dev/vda1.  This may be different, depending on the image file being edited.

# guestfish --rw -a <qcow2 image file name>
><fs> run
><fs> list-filesystems
><fs> mount /dev/vda1 /
><fs> vi /etc/shadow
><fs> umount /
><fs> exit

To modify the image and insert different root passwords for different instances when they are launched, use cloudinit to apply a password to an instance when they are launched.  For more information, please refer to the upstream documentation: Administration Guide.

Red Hat Enterprise Linux KVM

For use in a KVM/QEMU hypervisor on a Red Hat Enterprise Linux machine, one must set a root password and disable the cloud-init service.

# virt-customize -a <qcow2 image file name> --root-password password:<password> --uninstall cloud-init
[   0.0] Examining the guest ...
[  11.5] Setting a random seed
[  11.5] Uninstalling packages: cloud-init
[  13.9] Setting passwords
[  15.6] Finishing off

One then may import the QCOW2 image using the virt-manager graphical user interface or the virt-install text command.

Virt-manager will have an "Import existing disk image" option in the first window when creating a new virtual machine.  If one does not see it, one may have to update to a newer version of virt-manager.  Also, virt-manager assumes the storage format is whatever was last used.  Thus, one should Customize configuration before install and edit the disk's advanced options to ensure the storage format is set to "QCOW2".

An example virt-install command might be:

# virt-install \
  --name guest1-rhel7 \
  --memory 2048 \
  --vcpus 2 \
  --disk /path/to/imported/disk.qcow2 \
  --import \
  --os-variant rhel7

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


what's d password of cloud-user account?

well, noticed that the cloud-user account too is disabled.

Thanks redhat team for "rhel-guest-image-7.0-20140506.1.x86_64.qcow2"

  1. set root passwd in "RHEL6 KVM", follow the exact same steps describe in

Hard requirements on root passwords
If you need to set the root password, please use the following guidelines.
To permanently modify the image to set a root password, perform the following steps with guestfish:
# guestfish --rw -a <.qcow2 image path>

mount /dev/vda1 / -> this /dev/vda1 may vary in your system
vi /etc/shadow

and just remove the !! from the second field of root from /etc/shadow file, and save the file.

  1. Create a new hyperV from virt-manager, and boot the guest, then from login prompt issue/type root and press ENTER and wait till next prompt (three times), as a result of fail login, then the login shell will allow you to set a new passwd for root, after set the new password check #chage -l root

  2. you can create more users like simple useradd

localhost login: root

How can I import this image on RHEV 3.2?

Hey Leonardo can you open a support case to help you on this issue at . Thanks

Would love to see instructions for virt-manager in RHEL7. Even if it can't be done, it would be good to mention that in this article.

Bruce, and others, I made a discussion with instructions for changing the password with guestfish at Red Hat at: I made those instructions for a physical host with rhel 6, and the RHEL 7 qcow2 image using guestfish to change the password.

I'll update that bit in the next week or so, yet the instructions for the rhel 7 guest I made should still work.

Me too!

No love for RHEV?

RHEV 3.4+ has cloud-init that can set the root password when launching the image.

Instead of using guestfish, I find it easier to use virt-customize which comes in the same RPM. Also, I occasionally use the image in an environment that doesn't provide cloud-init data. In those cases, I just remove cloud-init.

Example for RHEL7

$ virt-customize -a rhel-guest-image-7.2-20160302.0.x86_64.qcow2 --root-password password:PASSW0RD --uninstall cloud-init
[   0.0] Examining the guest ...
[  12.1] Setting a random seed
[  12.1] Uninstalling packages: cloud-init
[  14.5] Setting passwords
[  15.9] Finishing off

It also works for RHEL6

$ virt-customize -a rhel-guest-image-6.8-20160425.0.x86_64.qcow2 --root-password password:PASSW0RD --uninstall cloud-init
[   0.0] Examining the guest ...
[  14.5] Setting a random seed
[  14.5] Uninstalling packages: cloud-init
[  17.0] Setting passwords
[  18.1] Finishing off

We have used the qcow2 images for Rhel7 in Openstack ubuntu setup, I am able to ping the IP's assigned but not able to ssh to it. There are few more instances in the same project i'm able to access those. ~$ ssh -vvvv cloud-user@ OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: resolving "" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to [] port 22. debug1: Connection established. debug1: identity file /home/maasadmin/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/maasadmin/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4 debug1: match: OpenSSH_6.4 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to as 'cloud-user' debug3: hostkeys_foreach: reading file "/home/maasadmin/.ssh/known_hosts" debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent

From where can I get RHEL 7.3 qcow2 image for deploying on RHOSP 10

Working well with RHEL 8 :)

For RHEL8, the following kbase article is also worth mentioning:

In RHEL7 kvm host, running virt-customize/virt-sysprep command against a RHEL8 KVM image fails.

How do I connect to the qcow2 image once started?

I assume you mean how do you access the terminal for your virtual machine running on a RHEL host.  (A virtual machine whose virtual disk is the qcow2 image.)

I have found the easiest way is to use virt-viewer or virt-manager.  Please refer to RHEL 7's Virtualization Deployment and Administration Guide's Chapter 22. Graphical User Interface Tools for Guest Virtual Machine Management for details.

virt-manager doesn't work for me - but using qemu-system-x86_64 works fine.

qcow2 image for rhel77 images takes 10mins to boot!

Hi Darren, if you are using the image for a KVM host, this might be due to cloud-init. Check the instructions (virt-customize) in the "Red Hat Enterprise Linux KVM" section above to remove it from the image if you don't need it.

After running virt-customize on a disk image, newly created files will be unlabelled. Remember to relabel once a VM is created from the disk image!

Adding --selinux-relabel to the virt-customize command will also relabel files and, if necessary, touch /.autorelabel on the image.

A note about SELinux would be good to add to the article.

I have created a VM from rhel-8.3-update-2-x86_64-kvm.qcow2, but i am not able to ping/SSH from same network. I am using RHOSP16. please suggest

Ram, please open a support case for this problem so we can examine the situation and give you an accurate answer.

No luck with the virt-customize command on the rhel-8.3-update-2-x86_64-kvm.qcow2 image. I'm getting the following error message --

[admin@myhost tmp]# virt-customize -a test.rhel-8.3-kvm.qcow2 --root-password password:monkey@123
[   0.0] Examining the guest ...
virt-customize: warning: mount: mount exited with status 32: mount: wrong
fs type, bad option, bad superblock on /dev/sda3,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so. (ignored)
virt-customize: warning: mount: mount: /boot/efi: mount point is not a
directory (ignored)
virt-customize: error: libguestfs error: is_dir: is_dir_stub: you must call
'mount' first to mount the root filesystem

If reporting bugs, run virt-customize with debugging enabled and include
the complete output:

  virt-customize -v -x [...]

Any suggestions?

It seems you are trying to customize a RHEL 8 image from a RHEL 7 node. Had the same issue and these instructions helped working it around:

Thank you for your quick response, Ramon. You are correct: My sourceing VM is RHEL 7.x :( I will try it on an RHEL8.x VM and provide feedback.

Woot, woot! It worked. Thank you, Ramon!