Add some troubleshooting steps for access recovery #48
@jlebon can we maybe remove all the password-setting references and just stick to showing the SSH flow? I'm worried users could end up with forgotten weak temporary passwords. Also, I'm somehow surprised that init=sh still manages to boot into rootfs given all the missing things from systemd and rpm-ostree. Did you try this on a recent FCOS? |
I think the only places it's showing up right now are where it makes sense. Once in the specifications for FCC, and once about migrating from AH: https://docs.fedoraproject.org/en-US/fedora-coreos/migrate-ah/. Hmm, I guess we should probably add a warning there though about SSH password logins being disabled by default and discouraged?
Bash doesn't need systemd nor rpm-ostree though :) It's functional enough to at least reset passwords and do other basic things. (Edit: and yup, tried this before posting it!). |
|
@austinnichols101 What message does it hang on? I'll admit I tested it on a local build. Will sanity-check against the latest release. |
|
@jlebon Here's the last of the boot log (running VMware Workstation 15). |
|
@jlebon - here's an MP4 video of the boot failure. |
|
@austinnichols101 Ahhh, you're doing this over tty0, right? Try adding |
|
@jlebon - Adding
However, after I reboot I'm unable to log on as either Note that I did make a first attempt WITHOUT loading the SELinux policy so that might have screwed things up. |
Yeah, judging from the AVC denials, that seems to be the issue. You can fix it using |
64d146f
to
779fec5
|
That solved the problem. Thanks! @jamescassell - I think the |
|
I added a bit about |
|
Looks good to me. I've never tried restorecon without a loaded policy... |
The `init=/bin/sh` trick is known, but let's give a clear step-by-step to make this easier. (The SELinux step in particular is easy to miss.) See related user question: https://discussion.fedoraproject.org/t/recommended-password-recovery-procedure/17034
|
Maybe we need an "intro to sysadmin" link we assume folks have already read, though. |
|
|
||
| If you've lost the private key of an SSH keypair used to log into Fedora CoreOS, and do not have any password logins set up to use at the console, you can gain access back to the machine using the `init=/bin/sh` trick: | ||
|
|
||
| . When booting the system, intercept the GRUB menu and edit the entry to append `init=/bin/sh` to the kernel argument list, then press Ctrl-X to resume booting. |
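Review bot: In the step that appends `init=/bin/sh`, "the kernel argument list" does not say which line of the GRUB entry to edit; consider naming the line that begins with `linux`, since that is where the kernel arguments sit in the GRUB editor. In the introductory sentence, "gain access back to the machine" would read more cleanly as "regain access to the machine".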
jamescassell
Feb 20, 2020
By holding the left shift key or sequentially pressing the up and down arrows to interrupt the grub timeout, then press e to edit the selected entry, entering the grub user (usually root) and password if necessary. (Do we support grub passwords?)
jlebon
Feb 21, 2020
Maybe let's keep further tweaks as follow-ups and just get this one in? It does more good as is on the docs site, than not-quite-perfect sitting here. :)
|
Yup, let's get this in! |


