Learn › RHCSA (EX200) › Operate Running Systems
rd.break - a hands-on Linux lab on a real virtual machine.
Recover a lost root password on RHEL 10 with rd.break. Interrupt GRUB, append rd.break to the kernel line, boot with Ctrl-x, then at switch_root run mount -o remount,rw /sysroot, chroot /sysroot, passwd, and touch /.autorelabel (SELinux is Enforcing) before exiting and rebooting. Serves EX200 operating-systems task 10: interrupt the boot process to gain access to a system. The flagship boot skill.
You sit down at a RHEL 10 machine to start work, and it asks for the root password. Nobody knows it. The admin who set it up left. There is no password manager entry, no sticky note, no SSH key that lets you in as root. The normal login is a locked door, and you do not have the key.
You are not stuck. On a machine you can physically reach, the root password is never truly a barrier. There is a documented, supported way to reset it, and it starts before the operating system even finishes loading. This is EX200 operating-systems task 10, interrupt the boot process to gain access to a system, and it is very often the FIRST task on the exam. Every task after it needs root, so if you cannot do this, you cannot start.
This lesson is different from the others in this module. The reset happens at the boot menu and a tiny rescue console, not in a normal shell over SSH. So most of it is a numbered sequence you follow at the console, not a live practice terminal. The two black boxes below ARE live: they check facts on a running RHEL 10 machine (AlmaLinux 10.2) that explain WHY the sequence has the shape it does. The real hands-on is the rd.break boot lab at the end.
When a Linux machine powers on, the bootloader called GRUB loads the kernel. The kernel first mounts a tiny temporary system in memory called the initramfs, whose only job is to find and mount your REAL disk. rd.break is a kernel option that says: stop right there, in the initramfs, before you hand control to the real system. It drops you at a rescue shell with a switch_root:/# prompt.
That early stop is the whole trick. The normal login has not loaded yet, so nothing asks you for a password. Your real disk is sitting right there, mounted read-only at a folder called /sysroot. You make it writable, step into it, and change the root password directly in the files that store it. Then you undo one side effect and reboot.
There is one catch that fails more exam candidates than any other single mistake, and it comes from SELinux. SELinux is a security layer that labels every file with a context and refuses access when the label is wrong. On RHEL 10 it ships in Enforcing mode, which means those labels are actively enforced, not just logged.
When you change the password from the rescue shell, the password file /etc/shadow can come out with the wrong SELinux label. On the next boot, SELinux sees the bad label on /etc/shadow and blocks reading it, so your brand-new, correct password is rejected with Login incorrect. The fix is to create an empty file named /.autorelabel. Its presence tells SELinux to relabel every file on the next boot, which corrects /etc/shadow. Prove the machine really is Enforcing so you see why the step matters:
getenforce
prompt: student@servera:~$ answer: getenforce output: Enforcing hint: One word, all lowercase, that prints the current SELinux mode: getenforce
Enforcing. That single word is the reason touch /.autorelabel is mandatory and not just a nicety. Because SELinux is actively enforcing labels, a wrongly labelled /etc/shadow will silently block the correct password. If this said Permissive, SELinux would only log the mismatch and let you in, and the relabel step would not matter. On RHEL 10 the default is Enforcing, so you always relabel after a reset.
In the boot flow you interrupt GRUB, press e to edit the boot entry, and add rd.break to the end of the long line that begins with linux. That line is the kernel command line: the kernel and every option it boots with. You cannot edit it from a running system, but you CAN read the one your machine booted with right now, which shows you the exact line you will be appending to. It lives in /proc/cmdline:
cat /proc/cmdline
prompt: student@servera:~$ answer: cat /proc/cmdline output: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-211.7.3.el10_2.x86_64 root=/dev/mapper/rhel-root ro crashkernel=2G-64G:256M,64G-:512M resume=UUID=4a9b785d-a4f8-4650-81a6-2390c8a55031 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap console=ttyS0,115200 console=tty0 hint: Print the contents of the special file /proc/cmdline: cat /proc/cmdline
The exact kernel version (6.12.0-...), the root device (/dev/mapper/rhel-root), and the UUIDs on your machine will differ. What matters is the SHAPE: this is the linux line you edit in GRUB, and rd.break goes at the very END of it, after everything you see here, with a single space before it.
That is the line. In the GRUB editor it starts with linux instead of BOOT_IMAGE, but it is the same kernel command line, and it may wrap across several rows on screen. You press End (or arrow down to the true end) and type a space then rd.break, so the tail reads ...console=tty0 rd.break. You do NOT press Enter to boot the edit, because Enter just inserts a newline into the config. You press Ctrl-x, which boots the entry with your change. That one option is what stops the machine in the initramfs.
Here is the entire recovery, start to finish. On the exam this should take under five minutes, so the goal is to know the ORDER cold, not to look it up.
1. Reboot the machine and watch for the GRUB menu. Press any key to stop the countdown, then press e to edit the default entry. 2. Find the line starting with linux, go to its end, add a space and rd.break, then press Ctrl-x to boot (never Enter). 3. At the switch_root:/# prompt, make the real disk writable: mount -o remount,rw /sysroot. 4. Step into the real system: chroot /sysroot. 5. Set the new password: passwd, then type it twice (the screen shows nothing as you type, which is normal). 6. Schedule the SELinux relabel: touch /.autorelabel. 7. Leave both shells: exit to leave the chroot, exit again to leave the initramfs, and the machine reboots. 8. The reboot runs the relabel (one to three minutes), then reboots itself once more. Log in as root with the new password.
Read those two commands in the middle again, because the pair is the heart of it. mount -o remount,rw /sysroot flips the real disk from read-only to read-write, and chroot /sysroot makes that disk your / so passwd edits the real /etc/shadow and not the throwaway one in memory.
The single most common failure on this task is skipping step 6, touch /.autorelabel. Everything appears to work, you reboot, you type the correct password, and login is refused with Login incorrect. That is SELinux blocking the mislabelled /etc/shadow. If it happens, you do not re-do the password: boot back into rd.break, chroot /sysroot, run touch /.autorelabel, and reboot.
The one place beginners stumble in the sequence is the middle: which comes first, remount or chroot? The answer follows from what each does. You must make the disk writable BEFORE you enter it, because once you chroot into /sysroot, that path becomes your / and you can no longer remount it by that name. So it is always remount, then chroot.
You will type the remount as mount -o remount,rw /sysroot. Read it once as words, because reading it is how you will remember it under pressure:
mount -o remount,rw /sysroot
prompt: student@servera:~$ answer: echo mount -o remount,rw /sysroot output: mount -o remount,rw /sysroot hint: Prefix the line with echo so it just prints the command as text: echo mount -o remount,rw /sysroot
You cannot actually remount /sysroot on a normal running machine, because /sysroot only exists inside the initramfs during boot. This box just echoes the line so you rehearse the exact spelling: -o for options, then remount,rw with a comma and no spaces, then the target /sysroot. In the real rescue shell you type it without the leading echo.
That comma-joined remount,rw is one argument to -o, two options at once: remount says re-apply the mount in place, and rw says do it read-write. Together they lift the read-only lock on the real disk. Get this before the chroot and the rest of the sequence just works. Get the order backwards and passwd would write into the temporary in-memory copy that vanishes at reboot, so your change would not stick.
Scaffolding off. This time the recall is the ORDER, not one command. You are already at the switch_root:/# rescue prompt, the disk is still read-only, and the root password is not yet changed. In one line, chain the FIRST two recovery commands you must run, in the correct order, joined so the second runs only after the first. Think about which must happen before you can enter the real system.
prompt: switch_root:/# answer: mount -o remount,rw /sysroot && chroot /sysroot output: hint: Make the disk writable first, then step into it. Join the remount and the chroot with && so the chroot runs only if the remount succeeds.
Remount, then chroot. mount -o remount,rw /sysroot unlocks the real disk for writing, and && runs chroot /sysroot only if that succeeded, which makes the real disk your /. From here passwd sets the real root password, touch /.autorelabel schedules the SELinux fix, and two exit commands reboot the machine. You recalled the order under pressure, which is exactly what the exam and a 3 a.m. recovery both ask of you. There is no output because these run in the rescue console, not this sandbox.
You earned this cheat sheet. Read it top to bottom; that IS the order you run it in.
Two facts anchor the whole thing. rd.break stops the boot in the initramfs, so no login stands in your way. And SELinux is Enforcing, so touch /.autorelabel is what keeps your new password from being rejected.
The kernel command line you edit is the same one you can read any time with cat /proc/cmdline. Peek at it on a healthy machine before exam day so the long linux line in the GRUB editor looks familiar instead of alarming, and you know exactly where the end of it is.
You now hold the flagship boot skill of EX200: interrupt GRUB, append rd.break, drop to the switch_root prompt, mount -o remount,rw /sysroot, chroot /sysroot, passwd, touch /.autorelabel, then exit and reboot. You proved to yourself WHY each piece is there: getenforce showed the Enforcing mode that makes the relabel mandatory, and cat /proc/cmdline showed the exact line where rd.break goes.
The operating-systems module ends on a real RHEL 10 machine, the capstone mission, and this is the one lesson whose hands-on truly needs it. A full VM boots for you with a root password you do not know, and you interrupt its boot and recover access for real, at the console, no commands shown. That is the difference from here: you read the objective, recall the sequence, and type it under the clock. Recovering root on a machine that locked you out is the moment this skill stops being theory.
Finish the other operating-systems lessons, then go take back a machine that will not let you in.
Practice Reset the Root Password in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.