(How-To) Configure GRUB – A Password Recovery Insurance Policy
We’ve all heard of, or been in, the position where the only co-worker who knew an appliance password left the company, or the password simply got lost over time in the shuffle of daily administration.
We are going to walk through a few simple steps to ensure that if any of the local user account passwords are lost, we can recover them and avoid a complete teardown of our virtual network, firewall, etc.
VMware documentation states:
“Important If the configuration is not performed after deploying the appliance and you forget the root password, resetting the root password is not possible” (NSX-T Data Center Installation Guide, pg. 39)
After installing our NSX-T manager appliance and confirming all the services are up and running, we need to modify the GRUB boot configuration.
1) Log in to the NSX manager CLI with the root credentials created during the OVF deployment.
2) To change the GRUB timeout value we will need to edit line 7 in the ‘grub’ configuration file. We can make this change by first editing the configuration file with the following command.
GRUB Configuration File Output:
    # If you change this file, run 'update-grub' afterwards to update
    # /boot/grub/grub.cfg.
    # For full documentation of the options in this file, see:
    # info -f grub -n 'Simple configuration'

    GRUB_DEFAULT=0
    GRUB_HIDDEN_TIMEOUT=
    GRUB_HIDDEN_TIMEOUT_QUIET=true
    GRUB_TIMEOUT=0
    GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash rootdelay=90 net.ifnames=0 biosdevname=0"
    GRUB_CMDLINE_LINUX="audit=1"

    # Uncomment to enable BadRAM filtering, modify to suit your needs
    # This works with Linux (no patch required) and with any kernel that obtains
    # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
    #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

    # Uncomment to disable graphical terminal (grub-pc only)
    #GRUB_TERMINAL=console

    # The resolution used on graphical terminal
    # note that you can use only modes which your graphic card supports via VBE
    # you can see them in real GRUB with the command `vbeinfo'
    #GRUB_GFXMODE=640x480

    # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
    #GRUB_DISABLE_LINUX_UUID=true

    # Uncomment to disable generation of recovery mode menu entries
    GRUB_DISABLE_RECOVERY="true"

    # Uncomment to get a beep at grub start
    #GRUB_INIT_TUNE="480 440 1"
We need to append the number 2 at the end of the highlighted line #7 above.
Note: GRUB_HIDDEN_TIMEOUT=<integer> specifies the interval, in seconds, that GRUB will wait before loading the entry designated in the default command.
To do this we will move our cursor to the end of line #7, hit the letter ‘a’ to append, and then type the number ‘2’. This will append the number 2 to the right of the cursor’s current location.
Next, we need to save our changes to the GRUB configuration file. To do this we need to hit the ESC key to stop editing and then type the following to save and exit our vi editor.
Here is what the line we edited looked like before and after our editing.
Now we need to update GRUB so the changes we made to the configuration file above take effect. To do this we will run the following command from within our existing CLI session with root credentials.
    root@nsxt-1:~# update-grub
    Generating grub configuration file ...
    Found linux image: /vmlinuz-4.14.74-nn3-server
    Found initrd image: //initrd.img-4.14.74-nn3-server
    done
You have now successfully set up your “password recovery insurance policy” (GRUB).
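The edit-and-verify steps above, scripted as an added example (not from the original post or VMware's documentation): it sets GRUB_HIDDEN_TIMEOUT in a copy of the file and checks that a timed GRUB menu window exists. The function names and the sample file are constructed for illustration; on the appliance the file is assumed to be /etc/default/grub, and update-grub still has to be run afterwards.

```shell
#!/bin/sh
# Added example; names and sample data are constructed, not from the post.

# Print the value of the last uncommented NAME= assignment in FILE.
grub_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Set NAME=VALUE (non-negative integer) in FILE, keeping FILE.bak.
grub_set() {
    file=$1 name=$2 value=$3
    case $value in
        ''|*[!0-9]*) echo "value must be a non-negative integer" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q "^[[:space:]]*$name=" "$file"; then
        sed "s/^[[:space:]]*$name=.*/$name=$value/" "$file.bak" > "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# Return 0 if either timeout is a positive integer, i.e. there is a timed
# window in which the GRUB menu can be reached. Empty, 0 and non-numeric
# values (including -1, wait indefinitely) do not count.
grub_has_recovery_window() {
    for name in GRUB_HIDDEN_TIMEOUT GRUB_TIMEOUT; do
        v=$(grub_get "$1" "$name")
        case $v in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$v" -gt 0 ]; then return 0; fi
    done
    return 1
}

# Constructed sample holding the relevant lines of the file shown above.
make_sample() {
    printf '%s\n' "# If you change this file, run 'update-grub' afterwards" \
        'GRUB_DEFAULT=0' 'GRUB_HIDDEN_TIMEOUT=' \
        'GRUB_HIDDEN_TIMEOUT_QUIET=true' 'GRUB_TIMEOUT=0' > "$1"
}

tmp=$(mktemp) && make_sample "$tmp"
grub_has_recovery_window "$tmp" || echo "before: no GRUB menu window"
grub_set "$tmp" GRUB_HIDDEN_TIMEOUT 2
grub_has_recovery_window "$tmp" &&
    echo "after: GRUB_HIDDEN_TIMEOUT=$(grub_get "$tmp" GRUB_HIDDEN_TIMEOUT)"
rm -f "$tmp" "$tmp.bak"
```

The check function can also be pointed at a copy of the file pulled from each appliance to confirm the setting was applied after deployment.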
A final note on the last step, marked “optional” in the NSX-T Installation Guide, which describes how to change the GRUB password from its default value of VMware1. Changing this password will put you in the same position you were trying to avoid by configuring GRUB. The default password is well documented and known by VMware support, who can use it to help you recover your password if needed. Because the default is public, anyone who can reach the appliance console during boot can use it as well, so restrict console access to the appliance accordingly.
2 thoughts on “(How-To) Configure GRUB – A Password Recovery Insurance Policy”
Do you know if this still applies to NSX 3.1? On the VMware docs at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-4630C9D5-71FB-4991-AC1D-9FDBA0B86120.html it now shows GRUB_TIMEOUT instead of GRUB_HIDDEN_TIMEOUT. When I changed GRUB_TIMEOUT it doesn't seem to bring up the GRUB menu on boot so I think the VMware documentation is wrong.
Thank you for your interest in my tiny site. I want to reply to you to try and answer your GRUB questions. Yes, the GRUB article on my site still applies to all versions released up to today. The only difference with 3.1.x versions of NSX-T is the underlying OS is changed to Ubuntu 18.04 instead of what previous versions ran which was Ubuntu 16.04.
GRUB can be configured with either the ‘GRUB_TIMEOUT’ field being set with an integer or the ‘GRUB_HIDDEN_TIMEOUT’. They both achieve the same thing with slight differences.
GRUB_HIDDEN_TIMEOUT – Determines how long a screen without the GRUB 2 menu will be displayed.
GRUB_TIMEOUT – Determines how long to wait for user interaction before booting into the default operating system.
The ‘HIDDEN’ timeout option will display a blank screen for however long you set the timer in the GRUB menu for that field. To get the GRUB menu to display simply click into the console and hit the ‘shift’ key to display the actual GRUB menu. If you want to see the GRUB menu during boot without having to hit the ‘shift’ key you can leave the ‘HIDDEN’ timeout value blank and simply configure the ‘TIMEOUT’ value as outlined in the NSX-T 3.1 documentation. I would recommend a timeout value of 15 or higher. Any lower and often the VMware console won’t open fast enough to see it at all. Also, for the ‘TIMEOUT’ value only and not the ‘HIDDEN’ you can put in ‘-1’ as the value and it will force you to go into the console on every boot and hit enter. I would not recommend this as an HA event will not work as you want in the event of a failure as the reboot won’t allow the VM to move past the GRUB menu to load the OS.
I have found it useful to have a console open on the ESXi host and not vCenter in a pop-out window (the window should survive reboots). Then update-grub and reboot and then you can watch the behavior of each option.
I hope this answers your GRUB questions!