CentOS 6/CentOS 7: repairing the system after the grub configuration file is deleted, entering single-user mode to restore a user password, and setting a GRUB password (GRUB encryption)

12 Common problems in the system startup process

12.1 Delete grub.conf, restart the system, then repair it

Centos7 system

The CentOS 7 system boots with GRUB 2. The boot menu is generated automatically from the contents of /boot instead of being configured by hand in menu.lst. For details, see the configuration file /boot/grub2/grub.cfg. This file is regenerated every time grub2-mkconfig is executed, so manual changes to it are lost after the kernel is upgraded.

  1. Record system related parameters
[root@ ~ 06:12:14]#df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sda2       10190100 5330036   4319392  56% /     # note the device of the root filesystem
...
[root@ ~ 06:08:30]#cat /etc/fstab                     # record the UUIDs of the root and boot partitions
#
# /etc/fstab
# Created by anaconda on Mon Jun 22 18:51:04 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=ea1d8d1c-3e80-4a6f-98cc-c83d8897ff86 /                       ext4    defaults        1 1
UUID=35521718-2203-497c-b690-d44622dc6704 /boot                   ext4    defaults        1 2
...

  2. Move /boot/grub2/grub.cfg out of this directory, then restart the system; the host comes up at the grub> command line
mv /boot/grub2/grub.cfg /root
init 6 # reboot

  3. View current disk information

  4. Set the variables (use the Tab key to complete paths)

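grub> set root=(hd0,msdos1)  # set the boot partition
grub> linux /vmlinuz-3.10.0-862.el7.x86_64 ro root=/dev/sda2  # root= is the path of the system root partition, or UUID=<root partition UUID>
grub> initrd /initramfs-3.10.0-862.el7.x86_64.img  # set the kernel's initial environment (initramfs)
grub> boot  # boot the system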
  5. Log in to the system successfully and regenerate the grub.cfg file
grub2-mkconfig -o /boot/grub2/grub.cfg

If you do not know the root partition path at the grub prompt, the method above cannot be used. In that case, boot from the CD-ROM and enter rescue mode.

After entering rescue mode, execute the following command:
chroot /mnt/sysimage # temporarily change the system root directory

grub2-mkconfig -o /boot/grub2/grub.cfg #The current directory is already the system root directory
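
Added example (not part of the original post): after regenerating grub.cfg, this shell check compares the root device recorded from /etc/fstab in step 1 with the root= argument on the kernel lines of the new file. The function names, sample files and UUIDs are constructed for illustration, and the check assumes both files name the root device the same way (by UUID).

```bash
# Added example: compare the root device in /etc/fstab with the root= argument
# in a regenerated grub.cfg. Sample files and UUIDs below are constructed.

# fstab_root FSTAB -> spec mounted on / (UUID=... or a /dev path)
fstab_root() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# cfg_roots GRUBCFG -> distinct root= values on linux/linux16/linuxefi lines
cfg_roots() {
    awk '$1 ~ /^linux(16|efi)?$/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^root=/) print substr($i, 6)
    }' "$1" | sort -u
}

# check_root FSTAB GRUBCFG -> match | mismatch | no-entries
# Assumes fstab and grub.cfg name the root device the same way (both by UUID).
check_root() {
    want=$(fstab_root "$1"); got=$(cfg_roots "$2")
    if [ -z "$got" ]; then echo no-entries
    elif [ "$got" = "$want" ]; then echo match
    else echo mismatch
    fi
}

demo=$(mktemp -d)
printf '%s\n' '# /etc/fstab (constructed)' \
    'UUID=11111111-2222-3333-4444-555555555555 /     ext4 defaults 1 1' \
    'UUID=66666666-7777-8888-9999-000000000000 /boot ext4 defaults 1 2' > "$demo/fstab"
printf '%s\n' "menuentry 'CentOS Linux' {" \
    '  linux16 /vmlinuz-3.10.0-862.el7.x86_64 root=UUID=11111111-2222-3333-4444-555555555555 ro' \
    '  initrd16 /initramfs-3.10.0-862.el7.x86_64.img' '}' > "$demo/grub.cfg"
# A stale copy whose root= points somewhere else (constructed device name)
sed 's/root=UUID=[^ ]*/root=\/dev\/sdb9/' "$demo/grub.cfg" > "$demo/stale.cfg"
echo "grub.cfg: $(check_root "$demo/fstab" "$demo/grub.cfg")"
echo "stale.cfg: $(check_root "$demo/fstab" "$demo/stale.cfg")"
```

On a real host the arguments would be /etc/fstab and /boot/grub2/grub.cfg; a mismatch on an LVM system may only mean the two files use different names for the same device.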

Centos6 system

Configuration file: /boot/grub/grub.conf, which keeps grub and the kernel in the same directory. In addition, a link file /etc/grub.conf points to the configuration file so that users always work with the same configuration.

  1. Record system related parameters (most important: the device of the root partition; on some systems it is a logical volume, on my system it is /dev/sda3)

  2. Move grub.conf out of the directory

  3. Restart the system with init 6; the grub command line appears

  4. After executing the parameter configuration commands, execute boot to start the system

  5. Log in to the system again and restore grub.conf to the /boot/grub directory (if it was moved, use the mv command to move the file back)

12.2 Enter single user mode to restore user password

The run level of the Linux system consists of six levels, and single-user mode is level 1. Logging in to the system in single-user mode is mainly used to change the root password. Not everyone can enter single-user mode: it can only be entered from the local console and not remotely (in many cases the ssh service is not provided at run level 1).

Centos7 system

  1. Restart the system with init 6 and press the letter e at the countdown screen to enter edit mode

  2. Find the line containing the string ro, change ro to 'rw init=/sysroot/bin/sh', then press Ctrl+X to enter single-user mode

  3. After entering single-user mode, enter the following command to change the password

  4. Remaining steps

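touch /.autorelabel # file to create after changing the password so that SELinux takes effect (without it the system cannot reboot)
exit # leave the chroot
reboot # restart the system so the change takes effect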

Centos6 system

  1. Start the system and, while it is booting, press any key (e) to enter the grub menu interface
  2. Following the help prompt at the bottom of the grub menu interface, press the letter a to modify the kernel parameters before the system boots, append a space followed by single to the end of the kernel line, and press Enter
  3. The system starts in single-user mode, where the password can be changed

12.3 Encrypt grub

Centos7 system

Why encrypt grub? Because if grub is not encrypted, other users can enter single-user mode at will to modify the system account password, which poses a security risk.

  • View the current centos version

  • Set password (save it)

[root@ ~ 11:13:00]#grub2-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.216202CEB237E45256DD02E80D7FAC425A4CAEEEED8850541CAB02D19A138DF224AEB2603A7CE9A7C0BE6C3FA94015AA95091B8DFE67F308AA00972FA43C0EA6.50165007B8DC1514BF95859DD8852B0AF922E0BF60773382D721A33D1A1F6C308B53C81821A850074162A3DAC95A4D087298A2EF1C61B7232E7CC431DF2CBE58
  • Modify the configuration file
[root@ ~ 11:13:27]#vim /etc/grub.d/00_header
cat <<EOF
set superusers='root'  # user name to enter at the GRUB login prompt
# the last field is the encrypted password; it must be included in full on one line, and is used to check the password that is entered
password_pbkdf2 root grub.pbkdf2.sha512.10000.216202CEB237E45256DD02E80D7FAC425A4CAEEEED8850541CAB02D19A138DF224AEB2603A7CE9A7C0BE6C3FA94015AA95091B8DFE67F308AA00972FA43C0EA6.50165007B8DC1514BF95859DD8852B0AF922E0BF60773382D721A33D1A1F6C308B53C81821A850074162A3DAC95A4D087298A2EF1C61B7232E7CC431DF2CBE58
EOF
  • Recompile the grub.cfg file
[root@ ~ 11:22:38]#grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-862.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-862.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-09726f1d0db4408cbc2fe751f0b185ea
Found initrd image: /boot/initramfs-0-rescue-09726f1d0db4408cbc2fe751f0b185ea.img
done
  • Restart the system with init 6 and press the letter e at the countdown screen; the grub login prompt appears (grub encryption is in effect). Enter the user name and password, then press Enter.


Centos6 system

  1. Generate encrypted password based on MD5 algorithm
[root@lin ~]# grub-md5-crypt
Password: 
Retype password: 
$1$mgqu/1$5vcAFwFSL4Xtb574S2.U30

  2. Add the password string in the /boot/grub/grub.conf file

[root@lin ~]# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
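# placed here, the password protects the whole grub menu and locks edit mode
password --md5 $1$mgqu/1$5vcAFwFSL4Xtb574S2.U30
title CentOS 6 (2.6.32-696.el6.x86_64)
# placed here, the password protects only this menu entry and does not lock edit mode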
        root (hd0,0)
        kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=UUID=56*****3a-6**4-**4b-adb7-d40********e01 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-696.el6.x86_64.img
~
  3. Restart the system with init 6 and press any key to enter the grub menu interface; the prompt at the bottom now asks you to press the p key and enter the password before grub edit mode can be used (the prompt text at the bottom has changed)
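
Added example (not part of the original post): a shell check that classifies the password protection in a GRUB 2 grub.cfg and in a GRUB legacy grub.conf, covering a pbkdf2 hash broken by line wrapping and a legacy password placed under a title instead of in the global section. The function names, status words and sample files are constructed for illustration, and a single superuser name is assumed.

```bash
# Added example: classify GRUB password protection. Sample configs are constructed.
# grub2_status FILE -> ok | no-superusers | plaintext | no-hash | bad-hash
# Assumes a single superuser name, as in the configuration shown above.
grub2_status() {
    awk '
    $1 == "set" && $2 ~ /^superusers=/ {
        su = $2; sub(/^superusers=/, "", su); gsub(/["\047]/, "", su)
    }
    $1 == "password" { plain = 1 }
    $1 == "password_pbkdf2" {
        seen[$2] = 1
        # The hash must be one unbroken token, optionally followed by a comment.
        if ($3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ &&
            (NF == 3 || $4 ~ /^#/)) good[$2] = 1
    }
    END {
        if (su == "") print "no-superusers"
        else if (plain) print "plaintext"
        else if (!(su in seen)) print "no-hash"
        else if (!(su in good)) print "bad-hash"
        else print "ok"
    }' "$1"
}

# legacy_status FILE -> global | entry-only | plaintext | none
legacy_status() {
    awk '
    $1 == "title" { in_title = 1 }
    $1 == "password" {
        if ($2 !~ /^--(md5|encrypted)$/) plain = 1
        else if (in_title) entry = 1
        else glob = 1
    }
    END {
        if (plain) print "plaintext"
        else if (glob) print "global"
        else if (entry) print "entry-only"
        else print "none"
    }' "$1"
}
tmp=$(mktemp -d)   # constructed sample configs, shortened hashes
printf '%s\n' "set superusers='root'" \
    'password_pbkdf2 root grub.pbkdf2.sha512.10000.AB12CD.34EF56' > "$tmp/good.cfg"
printf '%s\n' "set superusers='root'" \
    'password_pbkdf2 root grub.pbkdf2.sha512.10000.AB12   CD.34EF56' > "$tmp/wrapped.cfg"
printf '%s\n' 'default=0' 'password --md5 $1$salt$constructed' 'title CentOS 6' > "$tmp/global.conf"
printf '%s\n' 'default=0' 'title CentOS 6' 'password --md5 $1$salt$constructed' > "$tmp/entry.conf"
for f in good.cfg wrapped.cfg; do echo "$f: $(grub2_status "$tmp/$f")"; done
for f in global.conf entry.conf; do echo "$f: $(legacy_status "$tmp/$f")"; done
```

On a real host the inputs would be /boot/grub2/grub.cfg (CentOS 7) or /boot/grub/grub.conf (CentOS 6); anything other than ok or global means the edit mode described in 12.2 is not locked as intended.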

Origin blog.csdn.net/weixin_31789689/article/details/108060598