GRUB2 – Resetting the root password on CentOS/RHEL 7

If you have forgotten what your CentOS/RHEL system’s root password is, then you need to reset your machine’s root password. Resetting the root password requires rebooting your CentOS 7 machine, and then edit the GRUB parameters during boot time.

During machine boot, you might think that you would need to edit the grub parameters just so to enter the rescue/emergency targets. However that approach doesn’t work because you still need to enter the root password as part of entering the rescue/emergency targets.

That’s why we take a different approach to reset the root password. When you machine is booting up:

  1. Press down then up arrow keys as soon as the kernel selection menu appears. This will pause the boot process
  2. press “e” in order to edit your grub parameter settings.
  3. Scroll down to the linux16 line, then press the “end” key to reach the end of that line.
  4. add rd.break at the end of the “linux16” line.

rd.break

The rd.break setting instructs the boot process to stop at a specific point during the initramfs process. This is a point where just the main core filesystem has been mounted, but none of the other filesystems have been mounted.

Tip: also good idea to remove the “rhgb quiet” flags from the grub parameter list so that you can monitor what is happening.

Then do “ctrl+x” (as prompted on the screen), to resume the boot process with the modified grub parameter input.

After that you’ll see:

At this stage, we’ve managed to access a terminal before the system fully booted up. Also at this very early stage of the boot process we have the following situation:

  • The root directory isn’t ‘/’ as you would normally expect, instead it’s ‘/sysroot’
  • The ‘/sysroot’ directory is sitting on a filesystem that is readonly

So first we need to make the root filesystem writable:

switch_root:/# mount -o remount,rw /sysroot

Next we need to tell our system to treat ‘/sysroot’ as our root directory:

switch_root:/# chroot /sysroot

This has the affect of changing the command prompt to:

Now we can set the new password by running the following command:

sh-4.2# echo NewPassword | passwd --stdin root

Here my new root password will become “NewPassword”

Note: rather than running the above command. You can instead use the passwd command in the normal way.

These commands we’ve ran so far may have made changes to the machine (e.g. created/deleted files behind the scenes) without SELinux knowing about them, so we need tell SELinux to do a restorecon of the entire machine during the next boot, we do this by creating the following file:

sh-4.2# touch /.autorelabel

Now we exit out of chroot:

$ exit

You should now see something like this:

Then exit again:

$ exit

This will end up rebooting the system. The reboot may take about 2 minutes, which is normal. That is why you should remove the “rhgb quiet” as suggested so that you can monitor the boot process. Now the machine should reboot and you should then be able to login using your root user’s new password.

See also:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Terminal_Menu_Editing_During_Boot.html#proc-Resetting_the_Root_Password_Using_rd.break

Take the RHCSA Quiz

This article is part of our RHCSA Study guide (click on the yellow tab on the far left). By the end of this article you should be able to answer the following questions:


Assume you don't have the root password and you reboot your machine. What is the first thing you need to do while the machine is booting up?

Wait until the grub menu appears and then hit either up/down arrow, in order to disable the timeout.

Then what do you do?

press “e”

Then what do you do?

Scroll down to the line begining with “linux16”

Then what do you do?

Hit the “end” key
optional: delete the “rhgb quiet” in order to enable the verbose mode.

Then what do you do?

type “rd.break”

Then what do you do?

then press “ctrl+x”

You are now logged. Then what command do you run?

$ mount -o remount,rw /sysroot

Then what command do you run?

$ chroot /sysroot

Then what command do you run?

$ echo NewPassword | passwd -stdin root

Then what command do you run?

$ touch /.autorelabel

Then what command do you run?

# run exit twice
$ exit
$ exit

Then what do you do?

Wait for about 2 minutes

Then what do you do?

The machine will have restarted, now you can try logging in as root with the new password.