Successfully resetting the root password of a CentOS 7 VM in OpenStack

Even in a cloud world, sometimes you need to find a way to get inside your VM when SSH doesn’t work. Maybe your Ansible script broke the SSH configuration and you need to debug it, or you lost the key you used when creating the VM, or <insert random reason here>.

The good news is that OpenStack environments give you a connection to the VM console. However, CentOS 7 (and RHEL 7) images are a bit tricky when you want to boot in single user mode, as they request the root password, which we don’t have. There is a well documented procedure to boot using rd.break, but there are some little quirks to adapt it for OpenStack images. But fear not, I have summarized them in this post.

First, we start by interrupting the VM boot process and going to the GRUB menu. That’s sometimes easier said than done if the console connection has some lag, but it is doable.

Then, select the kernel and press e to edit the kernel command-line arguments.

The documentation tells us we should add rd.break enforcing=0 to the kernel command line (the one starting with linux16…). However, cloud images redirect console to ttyS0, which is the serial console, and not the graphical console we have in the OpenStack dashboard. So remove the console=ttyS0… parameters (there are two in this example), and make sure we have console=tty0 in the command line.

When finished, press Ctrl-x to boot. You’ll see the kernel boot messages, and get a root prompt. The root file system is mounted read-only under /sysroot, but you can remount it read-write and then chroot to it.

From there on, you can check what went wrong, update any SSH keys if needed, anything you want. Just make sure you do touch /.autorelabel before exiting, or you may have SELinux troubles after a reboot.

And that’s all! There is an alternative way for this, using Nova rescue mode, but that involves starting a new instance using the same image, attaching the existing disk as secondary… and if something goes wrong there, it might be even harder to recover your VM.

Leave a Reply

Your email address will not be published. Required fields are marked *