Interrupt the Boot Process to Gain Access

Interrupt the boot process in order to gain access to a system

CIS126RH | RHEL System Administration 1
Mesa Community College

Every administrator eventually faces a system they cannot log into — a forgotten root password, a misconfigured service that blocks login, or a filesystem error that prevents the OS from completing its boot sequence. This module covers the techniques for interrupting the RHEL boot process to gain an administrative shell without normal credentials, with the root password reset procedure as the primary use case. This skill is tested directly on the RHCSA exam.

Learning Objectives

  1. Explain when and why boot interruption is used — Identify scenarios where normal login is not possible and boot-level access is the appropriate recovery technique
  2. Interrupt the boot at the GRUB2 menu — Pause the boot countdown, access the kernel parameter editor, and add the rd.break parameter
  3. Navigate the initramfs recovery environment — Remount the root filesystem read-write, use chroot to enter the real OS installation, and perform repairs
  4. Complete the root password reset procedure — Reset the password, correct the SELinux file context, and return the system to normal operation

When Boot Interruption is Needed

Boot interruption is the appropriate recovery technique when the system cannot be accessed through normal login channels.

| Scenario | Why normal login fails | Recovery technique |
|---|---|---|
| Root password forgotten or unknown | Cannot authenticate to the root account | rd.break — reset password in initramfs |
| Service prevents normal boot completion | System hangs before presenting a login prompt | Boot to rescue.target or emergency.target |
| Corrupted /etc/fstab or failed mount | Boot fails at filesystem mounting stage | Boot to emergency.target, fix fstab |
| Misconfigured PAM or /etc/sudoers | Authentication modules fail for all users | rd.break or rescue.target |
| SSH keys lost and no password set | Remote access impossible, console requires password | rd.break — set a password then log in |

RHCSA Exam Scenario

The exam typically presents a system with an unknown root password and asks the student to regain access. The rd.break method is the standard tested solution.

The Boot Sequence and Where to Interrupt

The boot process has multiple stages. Different recovery techniques interrupt the boot at different points.

  1. BIOS/UEFI — firmware initialises hardware
  2. GRUB2 menu
    press a key here to pause and edit ← first interrupt point
  3. Kernel loads — the kernel decompresses and starts
  4. initramfs — minimal filesystem; mounts the real root
    rd.break stops here and gives a shell ← second interrupt point
  5. systemd (PID 1) — real OS init process starts
  6. Target activation — services start in dependency order
    rescue/emergency targets activate here ← third interrupt point
  7. Login prompt — normal operation

Earlier = more powerful but more work

Interrupting earlier in the boot gives more access but requires more manual steps to reach a usable environment. rd.break is the earliest interrupt and requires remounting and chrooting before anything can be changed.

Step 1: Reach the GRUB2 Menu

The GRUB2 menu appears briefly during every boot. You must pause it before the countdown expires to access the kernel editor.

  • Reboot or power on the system
  • Watch for the GRUB2 menu — it may appear for only 5 seconds
  • Press any key immediately to pause the countdown
  • On UEFI systems, hold Shift during power-on to force the menu
  • The menu lists available kernels — the top entry is the default

Red Hat Enterprise Linux (5.14.0-362.el9.x86_64) 9.4 (Plow)
Red Hat Enterprise Linux (5.14.0-284.el9.x86_64) 9.3 (Plow)
Red Hat Enterprise Linux (0-rescue-...) 9.4 (Plow)

Use the ↑ and ↓ keys to change the selection.
Press 'e' to edit the selected item, or 'c' for a command prompt.

Practice the timing before exam day

The GRUB2 countdown can be as short as 1–5 seconds. In the exam VM environment, start pressing keys as soon as the VM console comes up. If you miss it, the system boots normally — reboot and try again.

Step 2: Edit the Kernel Command Line

With the GRUB2 menu paused, press e to open the boot parameter editor for the selected kernel entry.

  • The editor shows the full boot configuration for the selected kernel
  • Use the arrow keys to navigate — find the line beginning with linux
  • This line contains the kernel image path and all kernel boot parameters
  • Navigate to the end of this line (use the End key or Ctrl+E)
  • The line may be wrapped across multiple display lines — it is one logical line

# The linux line looks something like this (truncated for display)
linux ($root)/vmlinuz-5.14.0-362.el9.x86_64 \
  root=/dev/mapper/rhel-root ro crashkernel=auto \
  resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root \
  rd.lvm.lv=rhel/swap rhgb quiet

# Find this line, go to the end, and add rd.break:
... rhgb quiet rd.break

Remove rhgb and quiet too

Removing rhgb (Red Hat graphical boot) and quiet from the kernel line shows detailed boot messages, which helps confirm that the system has reached the rd.break shell and not stalled.

Step 3: Boot with rd.break

After appending rd.break to the kernel command line, press Ctrl+X to boot with the modified parameters.

  • The kernel loads and the initramfs initialises
  • Device detection and basic filesystem setup runs normally
  • Just before handing control to the real OS, the boot stops
  • A shell prompt appears — no password is required

# After booting with rd.break, you see:
Generating "/run/initramfs/rdsosreport.txt"

[  OK  ] Reached target Initrd Default Target.
         Starting dracut emergency shell...

Warning: /dev/disk/by-uuid/... does not exist

Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to USB.

switch_root:/# _

The switch_root prompt

The switch_root:/# prompt confirms you are in the initramfs environment running as root. The real RHEL installation is mounted read-only at /sysroot.

Understanding the initramfs Environment

When rd.break stops the boot, you are inside the initramfs — a minimal temporary filesystem, not the real RHEL installation.

What is available in the initramfs

  • A root shell — no password required
  • Basic utilities: ls, cat, mount, chroot
  • The real RHEL root filesystem mounted at /sysroot
  • The real filesystem is mounted read-only by default

What is NOT available

  • Full RHEL tools (vim, dnf, systemctl)
  • Network connectivity
  • SELinux enforcement (not running in this environment)

# Confirm /sysroot contains the real OS
switch_root:/# ls /sysroot
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt
proc  root  run  sbin  srv  sys  tmp  usr  var

Step 4: Remount /sysroot Read-Write

Before making any changes to the installed system, the root filesystem at /sysroot must be remounted with write permission.

# Confirm /sysroot is currently mounted read-only
switch_root:/# mount | grep sysroot
/dev/mapper/rhel-root on /sysroot type xfs (ro,relatime,...)
#                                            ^^ read-only

# Remount /sysroot read-write
switch_root:/# mount -o remount,rw /sysroot

# Confirm the remount succeeded
switch_root:/# mount | grep sysroot
/dev/mapper/rhel-root on /sysroot type xfs (rw,relatime,...)
#                                            ^^ now read-write

This step is required — do not skip it

If you run chroot /sysroot before remounting, any attempt to write files (including passwd) will fail with "Read-only file system". Always remount first, then chroot.

Step 5: chroot into /sysroot

chroot — change root — makes /sysroot the apparent root directory for all subsequent commands. After chrooting, you are effectively running commands inside the real RHEL installation.

# chroot into the real OS installation
switch_root:/# chroot /sysroot

# The prompt changes — you are now inside the RHEL installation
sh-5.1# _

# Commands now operate on the real filesystem
sh-5.1# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 (Plow)

# The /etc/shadow file is now writable (via the real filesystem)
sh-5.1# ls -l /etc/shadow
----------. 1 root root 1234 May 25 07:00 /etc/shadow

After chroot, paths refer to the real OS

Before chroot, /etc is the initramfs's /etc. After chroot, /etc is the real OS's /etc at what was /sysroot/etc. All commands run with the real RHEL binaries.

Step 6: Reset the Root Password

With the chroot active, the standard passwd command modifies the real /etc/shadow file on the installed system.

# Inside the chroot — reset the root password
sh-5.1# passwd root
Changing password for user root.
New password:
(type the new password — no characters appear)
Retype new password:
(retype the new password)
passwd: all authentication tokens updated successfully.

# Confirm the shadow file was modified (timestamp changed)
sh-5.1# ls -l /etc/shadow
----------. 1 root root 1278 May 25 10:15 /etc/shadow
#                           ^^^^ size changed — new hash written

Choose a password you will remember

On the RHCSA exam, you may be asked to set the root password to a specific value. Read the task carefully before running passwd. On a real recovery, choose a strong password and document it in your password manager immediately.

Step 7: Fix the SELinux Context

The passwd command ran inside the initramfs chroot where SELinux policy is not enforced. The resulting /etc/shadow entry has the wrong SELinux security context — this must be corrected before rebooting.

Option A — Full filesystem relabel (simpler)

sh-5.1# touch /.autorelabel
# This file triggers a full relabel of all filesystems on next boot
# The relabel boot takes a few minutes — do not interrupt it

Option B — Targeted relabel (faster)

sh-5.1# restorecon -v /etc/shadow
Relabeled /etc/shadow from system_u:object_r:unlabeled_t:s0
                     to system_u:object_r:shadow_t:s0
# Only /etc/shadow is relabeled — no extra boot time needed

Skipping this step is the most common exam failure

If you skip the SELinux context fix, the password reset appears to succeed, but the new password will not work at login. SELinux enforces correct file contexts on /etc/shadow and blocks access if they are wrong.

Step 8: Exit and Resume Boot

Two exits are required: one to leave the chroot environment, and one to leave the initramfs shell and allow the boot to continue.

# Exit the chroot — returns to the initramfs shell
sh-5.1# exit
switch_root:/# _     # back in the initramfs

# Exit the initramfs shell — boot resumes
switch_root:/# exit
# OR send Ctrl+D to signal end of input
# The system continues the boot sequence

What happens after the second exit

The initramfs hands control back to the real OS init process (systemd). If you used touch /.autorelabel, the boot pauses to relabel all filesystems before completing — this takes several minutes and is normal. If you used restorecon, the boot continues to the login prompt without the extra relabelling pause.

The Autorelabel Boot

When /.autorelabel exists, the first boot after the rd.break recovery performs a full SELinux filesystem relabelling before completing.

  • The system detects /.autorelabel early in the boot
  • SELinux relabels every file on every mounted filesystem
  • Progress appears on the console — do not interrupt or power off
  • The /.autorelabel file is deleted when relabelling completes
  • The system reboots automatically a second time to complete the process
  • After the second reboot, the system reaches the normal login prompt

The autorelabel boot may take several minutes

On a system with many files, the relabelling scan takes 2–5 minutes or longer. The console shows progress. This is normal — do not interrupt the power. Interrupting will leave the filesystem partially relabelled and may cause SELinux to deny access to many system files.
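
A post-boot check for the state that Steps 7 and 8 leave behind, as an added example that is not part of the course material: it verifies that /etc/shadow carries the shadow_t type, that no /.autorelabel flag is still pending, and notes whether the running boot was started with rd.break. The function names are hypothetical and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example: post-recovery checks. All function names are hypothetical.

# Print the type field of an SELinux context (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the kernel command line in $1 carries rd.break as a parameter
# (bare, or in the rd.break=<stage> form).
cmdline_has_rd_break() {
    case " $1 " in
        *" rd.break "*|*" rd.break="*) return 0 ;;
    esac
    return 1
}

# Print findings for one system state; exit status is the problem count.
#   $1 = SELinux context of /etc/shadow
#   $2 = "present" if /.autorelabel still exists
#   $3 = kernel command line of the running boot
recovery_report() {
    problems=0
    ctx_type=$(selinux_type "$1")
    if [ "$ctx_type" = "shadow_t" ]; then
        echo "OK    /etc/shadow type is shadow_t"
    else
        echo "FAIL  /etc/shadow type is '$ctx_type', expected shadow_t"
        problems=$((problems + 1))
    fi
    if [ "$2" = "present" ]; then
        echo "FAIL  /.autorelabel still exists: relabel has not completed"
        problems=$((problems + 1))
    else
        echo "OK    no pending /.autorelabel"
    fi
    if cmdline_has_rd_break "$3"; then
        echo "NOTE  this boot was started with rd.break on the kernel line"
    fi
    return "$problems"
}

# Gather the live values; call this as root on the recovered system.
check_live_system() {
    flag=absent
    [ -e /.autorelabel ] && flag=present
    recovery_report "$(stat -c %C /etc/shadow)" "$flag" "$(cat /proc/cmdline)"
}

# Constructed sample: the SELinux fix was skipped, so the label is still wrong.
recovery_report "system_u:object_r:unlabeled_t:s0" absent \
    "BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro rd.break" || echo "problems found: $?"
```

Call check_live_system after logging in with the new password. The rd.break note appears only on the boot that was actually edited in GRUB2, because the change is not saved.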

Complete Procedure at a Glance

The eight steps from reboot to recovered system.

  1. Reboot and press a key to pause the GRUB2 countdown
  2. Press e on the default kernel entry
  3. Find the linux line; navigate to its end; append rd.break
  4. Press Ctrl+X to boot — wait for the switch_root:/# prompt
  5. mount -o remount,rw /sysroot
  6. chroot /sysroot
  7. passwd root (enter new password twice)
  8. Fix SELinux: touch /.autorelabel or restorecon /etc/shadow
  9. exit (leave chroot) then exit again (leave initramfs)
  10. Wait for the system to boot to the login prompt and log in with the new password

Memorise this sequence

On the RHCSA exam, you will not have notes. Practice writing out these steps from memory until you can reproduce them without hesitation. Then practice the full procedure in your lab environment at least three times.

Common Mistakes

| Mistake | Symptom | Fix |
|---|---|---|
| Missing the GRUB2 countdown | System boots normally | Reboot and start pressing keys immediately when the console appears |
| Appending rd.break to the wrong line | System boots normally or with a kernel error | Append to the linux line only — not initrd or set |
| Chrooting before remounting read-write | passwd fails: "Read-only file system" | mount -o remount,rw /sysroot before chroot /sysroot |
| Skipping the SELinux fix step | Password reset appears to succeed; login still denied | Run touch /.autorelabel or restorecon /etc/shadow before exiting |
| Only one exit after the password reset | Back at a prompt — system does not resume booting | Two exits needed: first exits chroot, second exits initramfs shell |
| Interrupting the autorelabel boot | SELinux contexts partially relabelled — files may be inaccessible | Wait patiently — the relabelling and second reboot take several minutes |

Knowledge Check

Answer these before moving to the next slide.

  1. What parameter do you append to the GRUB2 linux kernel line to interrupt the boot and gain an initramfs shell?
  2. After reaching the switch_root:/# prompt, what are the first two commands you run, and why must they be in that order?
  3. You run passwd root inside the chroot and get "Read-only file system". What went wrong and how do you fix it?
  4. Why must you run either touch /.autorelabel or restorecon /etc/shadow before exiting the chroot?
  5. After running touch /.autorelabel and both exit commands, the system reboots but takes several minutes and reboots a second time. What is happening and should you interrupt it?
  6. How many exit commands are needed to resume normal boot from the rd.break environment, and what does each one do?

Knowledge Check — Answers

  1. Append rd.break to the end of the line beginning with linux in the GRUB2 editor.
  2. First: mount -o remount,rw /sysroot to make the real OS filesystem writable. Second: chroot /sysroot to make /sysroot the working root so subsequent commands affect the real installation. The remount must come first — if you chroot into a read-only filesystem, passwd will fail with a read-only error.
  3. The remount step was skipped or failed — /sysroot is still mounted read-only. Exit the chroot with exit, run mount -o remount,rw /sysroot, then chroot /sysroot again, and re-run passwd.
  4. The passwd command ran outside SELinux enforcement. The new /etc/shadow entry has the wrong SELinux file context. When the system boots normally with SELinux enforcing, it denies access to a file with the wrong context — login fails even though the password was changed. The autorelabel or restorecon step corrects the context before SELinux runs.
  5. SELinux is performing a full filesystem relabelling, triggered by /.autorelabel. This is expected and correct — do not interrupt it. After relabelling completes, the system automatically reboots a second time and then presents the normal login prompt.
  6. Two exits are required. The first exit leaves the chroot /sysroot environment, returning to the initramfs shell at switch_root:/#. The second exit leaves the initramfs shell, allowing the kernel to resume the boot process.

Key Takeaways

  1. rd.break interrupts the boot in the initramfs — no password required. Append rd.break to the linux line in the GRUB2 editor. Press Ctrl+X to boot. The change is one-time — not saved.
  2. The procedure is: remount, chroot, passwd, fix SELinux, exit, exit. mount -o remount,rw /sysroot then chroot /sysroot then passwd root then touch /.autorelabel or restorecon /etc/shadow then two exits.
  3. The SELinux fix is mandatory — it is the most commonly missed step. Without it the password is changed but SELinux blocks login because /etc/shadow has the wrong context. Use touch /.autorelabel (full relabel, slower) or restorecon /etc/shadow (targeted, faster).
  4. Two exits are required, and the autorelabel boot must not be interrupted. The first exit leaves the chroot. The second exit resumes the boot. If /.autorelabel was used, the relabelling boot takes several minutes and is followed by an automatic second reboot — both are normal.

Graded Lab

  • Reboot your lab virtual machine and successfully pause the GRUB2 menu. Practice pressing the key at the right moment until you can reach the menu reliably on the first try.
  • From the GRUB2 menu, press e and locate the linux line. Append rd.break to the end of the line and boot. Confirm you reach the switch_root:/# prompt.
  • At the initramfs prompt: run mount | grep sysroot to confirm read-only, then remount read-write. Verify with mount | grep sysroot again.
  • Chroot into /sysroot. Verify by running cat /etc/redhat-release to confirm you are in the real OS.
  • Reset the root password to redhat using passwd root. Run restorecon -v /etc/shadow to fix the SELinux context. Then exit twice to resume boot.
  • After the system boots, log in as root with the new password to confirm the procedure succeeded. Run id to verify root access.

RHCSA Objective

"Interrupt the boot process in order to gain access to a system." Repeat this lab until you can complete the full procedure — GRUB2 interruption to confirmed root login — in under 5 minutes without consulting notes.