(How-To) Configure GRUB – A Password Recovery Insurance Policy

We’ve all heard of, or been in, the situation where the only co-worker who knew an appliance password left the company, or where the password got lost over time in the shuffle of daily administration.

We are going to walk through a few simple steps to ensure that if any of the local user account passwords are lost, we have the ability to recover them and thus avoid a complete teardown of our virtual network, firewall, etc.

VMware documentation states:

“Important If the configuration is not performed after deploying the appliance and you forget the root password, resetting the root password is not possible”

NSX-T Data Center Installation Guide (pg. 39)

After installing our NSX-T manager appliance and confirming all the services are up and running, we need to modify the GRUB boot configuration.

1) Login to the NSX manager CLI with the root credentials created during the OVF deployment.

2) To change the GRUB timeout value we will need to edit line 7 in the ‘grub’ configuration file. We can make this change by first editing the configuration file with the following command.

vi /etc/default/grub

GRUB Configuration File Output:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash rootdelay=90 net.ifnames=0 biosdevname=0"
GRUB_CMDLINE_LINUX="audit=1"

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

We need to append the number 2 to the end of line 7 above (GRUB_HIDDEN_TIMEOUT=).

Note: GRUB_HIDDEN_TIMEOUT=<integer> specifies the interval, in seconds, that GRUB will wait before loading the entry designated in the default command.

To do this we will move our cursor to the end of line 7, press the letter ‘a’ to append, and then type the number ‘2’. This will append the number 2 to the right of the cursor’s current location.

Next, we need to save our changes to the GRUB configuration file. To do this we need to hit the ESC key to stop editing and then type the following to save and exit our vi editor.

:wq

Here is what the line we edited looked like before and after our editing.

Original Line:

GRUB_HIDDEN_TIMEOUT=

New Line:

GRUB_HIDDEN_TIMEOUT=2

Now we need to update GRUB so the changes we made to the configuration file above take effect. To do this we will run the following command from within our existing CLI session with root credentials.

update-grub

Command Output:

root@nsxt-1:~# update-grub
Generating grub configuration file ...
Found linux image: /vmlinuz-4.14.74-nn3-server
Found initrd image: //initrd.img-4.14.74-nn3-server
done

You have now successfully set up your “password recovery insurance policy” (GRUB).
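
The same edit can be scripted and checked afterwards, which helps when several appliances need it. This is an added example, not part of the original walkthrough or of VMware's documentation; the function names are made up for illustration, and it assumes the /etc/default/grub layout shown above.

```shell
#!/bin/sh
# Added example: scripted form of the vi edit above, plus a verification step.
# Function names are hypothetical; nothing here is shipped with NSX-T.

# Print the active (uncommented) value of GRUB_HIDDEN_TIMEOUT, quotes removed.
# The last assignment wins, as it would when the file is sourced.
get_hidden_timeout() {
    sed -n 's/^GRUB_HIDDEN_TIMEOUT=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Set GRUB_HIDDEN_TIMEOUT=<seconds> in <file>, keeping a copy as <file>.bak.
set_hidden_timeout() {
    file=$1
    secs=$2
    case $secs in
        ''|*[!0-9]*) echo "timeout must be a whole number" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^GRUB_HIDDEN_TIMEOUT=' "$file"; then
        # Replace the existing assignment, whatever value it holds.
        # GRUB_HIDDEN_TIMEOUT_QUIET is not matched because of the '='.
        sed "s/^GRUB_HIDDEN_TIMEOUT=.*/GRUB_HIDDEN_TIMEOUT=$secs/" \
            "$file.bak" > "$file"
    else
        # Key absent or only present as a comment: append it.
        printf 'GRUB_HIDDEN_TIMEOUT=%s\n' "$secs" >> "$file"
    fi
}

# Succeed only if the value is a whole number greater than 0.
# The empty value shown in the original file fails this check.
hidden_timeout_ok() {
    val=$(get_hidden_timeout "$1")
    case $val in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$val" -gt 0 ]
}

# Usage on the appliance, as root:
#   set_hidden_timeout /etc/default/grub 2 &&
#     hidden_timeout_ok /etc/default/grub && update-grub
```

Running hidden_timeout_ok against /etc/default/grub on each appliance is a quick way to audit which managers still have the empty value.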

A final note on the last step, marked “optional” in the NSX-T Installation Guide, which describes how to change the GRUB password from its default value of VMware1: changing this password will put you in the same position you were trying to avoid by configuring GRUB. The default password is well documented and known to VMware support, who can use it to help you recover your password if needed.
