This issue has happened to me quite a few times now. I’ve had multiple VCD environments where the root account magically closed up and/or the account simply expired. This resulted in a boatload of issues that were not easy to understand at first, until I had a look at the root account password expiration, or simply noticed that I was not able to log in to the VCD Cells anymore. Just for this issue I wanted to create a really quick blogpost that captures the essentials and explains in just a couple of steps what you need to do to unlock the VCD cell root account and make sure it doesn’t happen again anytime soon.
So usually the root account needs to have its password changed each year. You can check this on your own environment by running the chage -l root command. This will display the following in normal circumstances:
    root@vcd-cell02 [ ~ ]# chage -l root
    Last password change                                : Feb 26, 2021
    Password expires                                    : Feb 26, 2022
    Password inactive                                   : never
    Account expires                                     : never
    Minimum number of days between password change      : 0
    Maximum number of days between password change      : 365
    Number of days of warning before password expires   : 7
Now you can see that the root user will need to have the password changed each year. Personally I agree with this since it makes the environment more secure, however changing the root password also means you have to update the appliance certificate private key, which is a hassle. If you don’t want to do this each year, you can simply disable the root account password expiration by entering the following command:

    chage -I -1 -m 0 -M 99999 -E -1 root
This will make sure you only need to change the password every 99999 days (273 years). This will be sufficient. Once you have done this, re-enter chage -l root and check the results:
    root@vcd-cell02 [ ~ ]# chage -l root
    Last password change                                : Feb 26, 2021
    Password expires                                    : never
    Password inactive                                   : never
    Account expires                                     : never
    Minimum number of days between password change      : 0
    Maximum number of days between password change      : 99999
    Number of days of warning before password expires   : 7
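If you keep the yearly expiry instead, the same chage -l output can be checked on a schedule so the expiry is noticed before logins fail. This is an added example, not part of the original post: the function names, the 30-day threshold and the "today" dates are assumptions, and it needs GNU date.

```shell
#!/bin/sh
# Added example, not from the original post. Needs GNU date for `date -d`.

# days_until_expiry TODAY   (reads `chage -l <user>` output on stdin)
# Prints the days left until "Password expires", or "never".
days_until_expiry() {
    expires=$(sed -n 's/^Password expires[[:space:]]*:[[:space:]]*//p')
    case $expires in
        never) echo never; return 0 ;;
        "password must be changed") echo 0; return 0 ;;
        "") echo "no 'Password expires' line on stdin" >&2; return 2 ;;
    esac
    exp_s=$(date -u -d "$expires" +%s) || return 2
    now_s=$(date -u -d "$1" +%s) || return 2
    echo $(( (exp_s - now_s) / 86400 ))
}

# check_expiry WARN_DAYS TODAY   (same stdin)
# Status: 0 = fine, 1 = expires within WARN_DAYS or already expired, 2 = parse error.
check_expiry() {
    left=$(days_until_expiry "$2") || return 2
    [ "$left" = never ] && return 0
    [ "$left" -gt "$1" ]
}

# The two states shown in the post, reduced to the lines that matter here.
BEFORE='Last password change : Feb 26, 2021
Password expires : Feb 26, 2022
Maximum number of days between password change : 365'
AFTER='Last password change : Feb 26, 2021
Password expires : never
Maximum number of days between password change : 99999'

# Constructed "today" value; on a cell use: chage -l root | check_expiry 30 now
printf '%s\n' "$BEFORE" | check_expiry 30 "Feb 1, 2022" \
    || echo "WARN: root password expires within 30 days"
printf '%s\n' "$AFTER" | check_expiry 30 "Feb 1, 2022" \
    && echo "OK: root password does not expire"
```
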
Another pro tip. If you find yourself in the situation that you cannot log in to the VCD Cells anymore and you wish to change this, execute the following steps:
- Reboot the VCD Appliance(s).
- Press e during boot to enter the GRUB Loader.
- At the end of the line that starts with linux /$photon, enter rw init=/bin/bash. Press F10 to start the environment.
- Once this is booted you can use the pam_tally2 command set to unlock the user and reset it.
- Enter pam_tally2 --reset --user root
- Once this is done you can check if the account is still locked with pam_tally2 --user root

    root@vcd-cell02 [ ~ ]# pam_tally2 --user root
    Login           Failures Latest failure     From
    root                0

Now reboot the appliance with reboot -f and once the VCD Cell comes back up you have successfully unlocked your VCD Cell root account.
I hope this quick blogpost helps everybody when they have issues with their VCD Cells.
1 Comment
PJL · August 9, 2023 at 12:41 pm
Many thanks for this very helpful article.