RHCSA RHEL 8 - Interrupt the boot process in order to gain access to a system

  • Published 18 Sep 2024
  • This video is based on RHEL 8.
    This video covers the section 'Interrupt the boot process in order to gain access to a system' for the RHCSA (Red Hat Certified System Administrator).
    More information on the required learning: bit.ly/rhcsa8
    Notes from the video:
    Resetting the Root Password Using an Installation Disk
    1. Start the system and, when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
    2. Choose Troubleshooting.
    3. Choose Rescue a Red Hat Enterprise Linux System.
    4. Choose Continue, which is the default option. At this point you will be prompted for a passphrase if an encrypted file system is found.
    5. Press OK to acknowledge the information displayed until the shell prompt appears.
    6. Change the file system root as follows:
       chroot /mnt/sysimage
    7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
       passwd
    8. Remove the autorelabel file to prevent a time-consuming SELinux relabel of the disk:
       rm -f /.autorelabel
    9. Enter the exit command to exit the chroot environment.
    10. Enter the exit command again to resume the initialization and finish the system boot.
    Resetting the Root Password Using rd.break
    1. Start the system and, on the GRUB 2 boot screen, press the e key for edit.
    2. Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.
    3. Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:
       rd.break enforcing=0
       Adding the enforcing=0 option enables omitting the time-consuming SELinux relabeling process.
       The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.
       Note that the initramfs prompt will appear on the last console specified on the Linux line.
    4. Press Ctrl+x to boot the system with the changed parameters.
       With an encrypted file system, a password is required at this point. However, the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
       The initramfs switch_root prompt appears.
    5. The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writeable.
       Remount the file system as writeable:
       mount -o remount,rw /sysroot
       The file system is remounted with write enabled.
    6. Change the file system's root as follows:
       chroot /sysroot
       The prompt changes to sh-4.2#.
    7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
       passwd
    8. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:
       touch /.autorelabel
       Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.
    9. Remount the file system as read only:
       mount -o remount,ro /
    10. Enter the exit command to exit the chroot environment.
    11. Enter the exit command again to resume the initialization and finish the system boot.
       With an encrypted file system, a password or passphrase is required at this point. However, the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
       Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.
    12. If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file's SELinux security context:
       restorecon /etc/shadow
    13. Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:
       setenforce 1
       getenforce
       Enforcing
    #rhcsa #rhel #linux
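
The two clean-up paths in the notes above (touch /.autorelabel, or enforcing=0 followed by restorecon /etc/shadow and setenforce 1) can be checked once the system is back up. The following is an added example, not part of the video notes: the function names and finding labels are hypothetical, and the sample kernel command line and SELinux context are constructed values.

```shell
#!/bin/sh
# Added example: check the state left behind by an rd.break root password reset.
# Function names and finding labels are hypothetical, not from the video notes.

# has_param CMDLINE PARAM: succeeds if PARAM is a whole word in CMDLINE.
has_param() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# context_type CONTEXT: prints the SELinux type field, e.g. shadow_t.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# assess CMDLINE SHADOW_CONTEXT ENFORCE_MODE AUTORELABEL(yes|no)
# Prints the outstanding findings on one line, or "ok" when there are none.
assess() {
    findings=""
    add() { findings="${findings:+$findings }$1"; }
    if [ "$(context_type "$2")" != "shadow_t" ]; then
        # Wrong label: fixed by the queued relabel, otherwise by restorecon.
        if [ "$4" = "yes" ]; then add relabel-pending; else add restorecon-needed; fi
    fi
    # enforcing=0 leaves SELinux permissive until setenforce 1 is run.
    if [ "$3" != "Enforcing" ]; then add not-enforcing; fi
    for p in rd.break enforcing=0; do
        if has_param "$1" "$p"; then add "cmdline:$p"; fi
    done
    printf '%s\n' "${findings:-ok}"
}

# live_check: collect the same four inputs from the running system.
live_check() {
    flag=no
    [ -e /.autorelabel ] && flag=yes
    assess "$(cat /proc/cmdline)" "$(stat -c %C /etc/shadow)" "$(getenforce)" "$flag"
}

# Constructed sample: state after booting with "rd.break enforcing=0" and
# skipping "touch /.autorelabel" (the context value is an assumed example).
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro rd.break enforcing=0"
SAMPLE_CONTEXT="system_u:object_r:unlabeled_t:s0"

if [ "${1:-}" = "--live" ]; then
    live_check
else
    assess "$SAMPLE_CMDLINE" "$SAMPLE_CONTEXT" Permissive no
fi
```

Run it with --live on the recovered host to read /proc/cmdline, the context of /etc/shadow, getenforce and /.autorelabel instead of the sample values.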

COMMENTS • 36

  • @joshuahenson8766 2 years ago +2

    Things may have changed a bit due to it being almost 3 years since this video was made. In trying method 2 on RHEL 8.5 when I used 'enforcing=0' the new password wouldn't keep after a reboot. Also there wasn't an existing autorelabel file for me to remove. This could completely be a me being dumb issue, but what I had to do was
    1. At GRUB menu select 'e' to edit.
    2. Add 'rd.break' at the end of the line beginning in linux (like in the video just excluding the enforcing=0)
    3. CTRL+x to start
    4. mount -o remount,rw /sysroot/
    5. chroot /sysroot
    6. passwd (change root password)
    7. touch /.autorelabel
    8. exit
    9. logout or reboot (have to wait for SELinux)
    10. Login with new root password
    Hope this helps if anyone else ran into a similar issue.

    • @SATCOMGoose 2 years ago

      I believe you may have done something wrong. This has and will continue to work to make SELINUX relabel the context of the files in your system. If it didn't keep your new password I think you may have not placed the .autorelabel (hidden file hence the . in the / directory after chroot to /sysroot). Also as mentioned the .autorelabel file is not needed if you include the enforcing=0 option in the grub edit menu so you will then have to restorecon the /etc/shadow file and turn on enforcing mode. I perform these steps on a weekly basis at work as a Linux Sys Admin on RHEL 6-8.5 servers.

    • @MaceToDaFace 2 years ago

      Joshua, if it makes you feel any better, I also don't feel comfortable doing "enforcing=0" and I perform the autorelabel every time.

    • @joshuahenson8766 2 years ago

      @MaceToDaFace Also discovered a different way that works: rather than using rd.break in the grub menu, put in systemd.debug-shell and, while the system is booting, go to tty9 (ctrl+alt+f9) and you can reset the password there.

  • @elhaoudaromar1247 3 years ago +1

    Both methods work for me, thanks a lot!

  • @mornepretorius7329 3 years ago +2

    I have 2 questions: If you remembered to include enforcing=0, then you don't need to input "touch ./autorelabel"?
    Lastly, do I have to input "mount -o remount,ro /" at the end, or not?

    • @compsecgadgets 3 years ago

      1) yeah that's correct no need for the touch ./autorelabel
      2) It is not required, but you should reboot instead of exiting out of the console.
      Hope that helps.

  • @logikkigol2224 3 years ago +1

    Your videos are helping me a lot during my studies. I am getting a "mount: /: can't find UUID=..." when I enter "mount -o remount,ro /" at the end. Is the remount,ro necessary or is it okay to ignore this? The password still got changed. TIA

    • @compsecgadgets 3 years ago

      It's not required. You can ignore it; the recommendation is just to reboot the machine at the next step rather than exit.

    • @logikkigol2224 3 years ago +1

      @compsecgadgets Thank you very much. So excited to finish all your videos.

    • @compsecgadgets 3 years ago

      Glad to help!

  • @talassiofilo7471 4 years ago +1

    Please, why in the first part of video you did rm -f /.autorelabel? Thanks

    • @compsecgadgets 4 years ago +1

      Hi there. I do that to ensure if you are using SELINUX it won't break everything as the permissions will change. Hope that helps!

  • @UnknownSend3r 4 years ago +1

    If we're asked in the exam to change root password, is it a *must* to include the enforce=0 command and follow it up with the restore one etc/shadow command, or is it doable without. (Though I do plan on doing it anyway).

    • @compsecgadgets 3 years ago +2

      Hey, only if you do it within rescue mode, yes that's correct. Otherwise SELinux can cause issues.

  • @DevOpsPulse 1 year ago +1

    great content, thank you

  • @sagarbhosle3596 3 years ago +1

    Hello sir, I am facing an issue with the 2nd method of resetting the password. After entering enforcing= 0 and ctrl+x, the system is rebooting but not going to the next step. It's directly showing the login page. Where is it going wrong? The 1st method is perfect. Can you please suggest any solution...

    • @shivankumaran2129 3 years ago

      Replace quiet with rd.break (only) and press ctrl+x.
      It should show you dracut; insert this command: mount -o rw,remount /sysroot/
      You should be able to go to switch root.

    • @shivankumaran2129 3 years ago

      *show

    • @paradesant 2 years ago

      try only "space" and no "\"

  • @smilingpiano25 1 year ago

    Hi! I'm taking the RHCSA in a couple days, so I had a question about this! The rd.break method using enforcing=0 worked well for me! However, how do I know the root password has changed to the new one I set? Like what is something I can do to verify the new one works and was configured okay?

    • @compsecgadgets 1 year ago

      Use this method instead: access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/changing-and-resetting-the-root-password-from-the-command-line_configuring-basic-system-settings

    • @smilingpiano25 1 year ago

      @compsecgadgets Thanks! Does the method with enforcing=0 not work for RHEL 8 systems anymore? Or were you referring to the step about verifying the root password was changed correctly? Another quick question though: I used 'su' and followed the steps on verifying the root password was configured properly using rd.break and it worked! However: when doing sudo bash or using sudo with commands, only my user account password works. Is this how it's supposed to be?

  • @mohamedalichakroun4426 3 years ago

    After following your steps the root password gets changed, but when I reboot, before the console starts I get a black screen with a white cursor. Do you have any idea why?

    • @compsecgadgets 3 years ago

      Check your grub settings are looking healthy.

  • @user-pg1vl8xh7u 1 year ago

    this one is very hard to understand, sorry I might look at other sources, also not aware of selinux concept

  • @ravikiran-yu7ch 5 years ago +1

    Thanks for your time and effort... However, I tried the boot process exactly as mentioned in the video (from 6:00), but it did take me to 7.13; however, it didn't give me the switch_root option, instead it directly took me to a login screen... However, I removed the \ between rd.break and enforcing = 0, then it worked. I tried in both RHEL8 and CENTOS 8...

    • @compsecgadgets 5 years ago +1

      That's odd. I'll have to take a look. The instructions used were from the official Red Hat documentation. I'll get back to you.

    • @ravikiran-yu7ch 5 years ago

      If you'd like to see, I can send you the screenshots.. let me know your mail id.. and by the way I used the RHEL 7 official documentation though...

    • @philliphiers8412 5 years ago +8

      The \ is entered automatically when you reach the end of the screen and the current line is wrapped. There is no need to type this manually.

    • @sagarbhosle3596 3 years ago

      @philliphiers8412 yaa this method works.. I have also tried a few times using \ but it didn't work

    • @compsecgadgets 3 years ago

      You don't want the \ to be manually added; this is grub telling you the line doesn't end there.