Red Hat Certified System Administrator (RHCSA) #4: Boot and the system — systemd, target, GRUB2, password recovery


If #3 Shell scripting gave you the tools to automate work with conditionals and loops, this post steps into managing the system itself: the flow from a RHEL system powering on to its services coming up, that is, boot and systemd. This area comes up very frequently in RHCSA, and root password recovery in particular is a regular task that shows up on nearly every exam.

In this post we’ll work command by command through what systemd is and how you control services with systemctl, how to switch the boot target, how to edit kernel parameters in GRUB2, and how to recover the root password when you’ve forgotten it. If you grasped the concepts in the systemd post of the RHEL hands-on track, this post is where you drill those same tasks back into your hands in exam form.

What is systemd

systemd is the init system and service manager that became the standard from RHEL 7 onward. Once the kernel finishes booting, systemd comes up first as PID 1, and from there systemd starts, stops, and watches every service. Unlike the old SysVinit script approach, systemd manages services declaratively as objects called units and brings them up in parallel according to their dependencies.

systemd’s core concepts are these two.

  • unit. The basic entity systemd manages. Services, mounts, sockets, targets — all of these are units.
  • target. A group that bundles several units. It represents a state the system needs to reach (e.g., a multi-user console, a graphical desktop).

Types of units

A unit’s type is distinguished by its extension. The types you’ll see often in RHCSA are these.

| Extension | Type | Description |
|---|---|---|
| .service | service | Defines a daemon (sshd, httpd, etc.) |
| .target | target | A group of units. Represents a boot state |
| .mount | mount | Defines a file system mount |
| .socket | socket | Defines socket-based activation |
| .timer | timer | Scheduled execution that replaces cron |

Unit files live in two places. The default units installed by packages are in /usr/lib/systemd/system/, and the units an administrator modifies or adds are in /etc/systemd/system/. For the same name, the /etc/ side wins.

Controlling services with systemctl

systemctl is the single command for working with systemd. Since it’s the command you most need to drill in RHCSA, let’s organize it by operation.

Start, stop, restart

# Start a service
sudo systemctl start sshd

# Stop a service
sudo systemctl stop sshd

# Restart a service
sudo systemctl restart sshd

# Reload only the configuration (for services that support it)
sudo systemctl reload sshd

The .service after the service name can be omitted. systemctl start sshd and systemctl start sshd.service behave identically.

Whether to start automatically at boot

The difference between start and enable is a key trap in RHCSA. start starts the service now, while enable registers it to start automatically at every boot. The two are separate, so if you only start and forget to enable, the service is not running after a reboot and you lose points.

# Register to start automatically at boot
sudo systemctl enable sshd

# Cancel automatic start
sudo systemctl disable sshd

# Start now + register for automatic start in one go
sudo systemctl enable --now httpd

enable --now performs enable and start at the same time. When the exam gives you a task like “start the service and make it run at boot too,” this one line is the safest.

Checking status

# View detailed service status
systemctl status sshd

# Check only whether it's running (active/inactive)
systemctl is-active sshd

# Check whether it's registered for automatic start (enabled/disabled)
systemctl is-enabled sshd

In the output of systemctl status, keep an eye on two lines. The enabled/disabled in the Loaded: line is whether it starts automatically at boot, and the active (running)/inactive (dead) in the Active: line is the current run state.
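
The start/enable gap can be checked across a whole host instead of one service at a time. The following is an added example, not part of the original post: it joins the output of systemctl list-unit-files and systemctl list-units and reports services that are running now but are disabled at boot. The function name started_not_enabled and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find services that are active now but will not start at boot.
# On a live host, feed it:
#   started_not_enabled \
#     "$(systemctl list-unit-files --type=service --no-legend)" \
#     "$(systemctl list-units --type=service --state=active --no-legend --plain)"

# Constructed sample output (not taken from a real host).
SAMPLE_FILES='sshd.service enabled enabled
httpd.service disabled disabled
chronyd.service enabled enabled
dbus-broker.service static -
postfix.service disabled disabled'

SAMPLE_ACTIVE='sshd.service loaded active running OpenSSH server daemon
httpd.service loaded active running The Apache HTTP Server
dbus-broker.service loaded active running D-Bus System Message Bus'

# started_not_enabled FILES ACTIVE
# FILES:  lines of "<unit> <state> ..."     (list-unit-files)
# ACTIVE: lines of "<unit> loaded active ..." (list-units)
# Prints every active unit whose unit-file state is "disabled".
# "static" units cannot be enabled at all (they start through
# dependencies), so they are not reported.
started_not_enabled() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }       # separator between the inputs
        !second     { state[$1] = $2; next }   # first input: remember state
        state[$1] == "disabled" { print $1 }   # second input: active units
    '
}

# Demo on the constructed sample: httpd was started but never enabled.
started_not_enabled "$SAMPLE_FILES" "$SAMPLE_ACTIVE"
```

Each unit it prints needs systemctl enable if it is meant to survive a reboot.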

Completely blocking a service with mask

disable only blocks automatic start; another service can still wake it through a dependency, and a manual start is still possible. To block the start itself entirely, use mask. mask symlinks the unit to /dev/null so it cannot be started by any means.

# Block a service completely
sudo systemctl mask firewalld

# Lift the block
sudo systemctl unmask firewalld

In the masked state, even attempting start is refused. To lift the block, you must unmask first.
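
The two unit-file locations and the /dev/null symlink that mask creates can both be inspected directly on disk. The following is an added example, not part of the original post: it classifies each service unit as masked, overridden by /etc, admin-only, or vendor-only. The function names unit_origin, audit_units and demo_tree, the state labels, and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify units by where their file lives.

# unit_origin NAME [ETC_DIR] [LIB_DIR]
unit_origin() {
    etc="${2:-/etc/systemd/system}/$1"
    lib="${3:-/usr/lib/systemd/system}/$1"
    if [ -L "$etc" ] && [ "$(readlink "$etc")" = "/dev/null" ]; then
        echo masked          # what systemctl mask creates
    elif [ -e "$etc" ] && [ -e "$lib" ]; then
        echo overridden      # same name in both places: /etc wins
    elif [ -e "$etc" ]; then
        echo admin           # exists only under /etc
    elif [ -e "$lib" ]; then
        echo vendor          # package default, untouched
    else
        echo missing
    fi
}

# audit_units ETC_DIR LIB_DIR: one "name state" line per service unit.
audit_units() {
    for f in "$1"/*.service "$2"/*.service; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched globs
        basename "$f"
    done | sort -u | while read -r name; do
        printf '%s %s\n' "$name" "$(unit_origin "$name" "$1" "$2")"
    done
}

# Constructed demo tree so the example runs without touching the host.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/lib"
    touch "$d/lib/sshd.service" "$d/lib/httpd.service" "$d/lib/firewalld.service"
    ln -s /dev/null "$d/etc/firewalld.service"           # masked
    touch "$d/etc/httpd.service" "$d/etc/backup.service" # override, admin-only
    echo "$d"
}

tree=$(demo_tree)
audit_units "$tree/etc" "$tree/lib"
rm -rf "$tree"
```

On a real host, call audit_units /etc/systemd/system /usr/lib/systemd/system; any overridden or admin line is a unit whose behavior is not the package default and is worth reviewing.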

Boot targets

A target is a unit that bundles a state the system will reach. It replaces the old SysVinit runlevels, and the targets RHCSA deals with often are these two.

| target | Old runlevel | Description |
|---|---|---|
| multi-user.target | 3 | Text console, networking included. The server standard |
| graphical.target | 5 | multi-user plus a graphical desktop |

Beyond these, rescue.target (single-user recovery) and emergency.target (minimal environment) are also used in recovery situations.

Checking and changing the default target

# Check the current default target
systemctl get-default

# Change the default target to multi-user (text)
sudo systemctl set-default multi-user.target

# Change the default target to graphical
sudo systemctl set-default graphical.target

set-default is a permanent setting that applies from the next boot. A task like “make it come up in text mode without graphics at boot” is solved with set-default multi-user.target.

Switching the target right now

To change only the state of the currently running system without a reboot, use isolate.

# Switch to multi-user mode right now
sudo systemctl isolate multi-user.target

# Switch to graphical mode right now
sudo systemctl isolate graphical.target

Keep the two apart: set-default applies from the next boot, while isolate applies right now. If you want a permanent change, use set-default; if you want a temporary check, use isolate.

Analyzing services with systemctl

In operations and troubleshooting, you need to see which units are up and what they depend on.

# List loaded units
systemctl list-units

# Service type only, including failed ones
systemctl list-units --type=service --all

# Pick out only failed units
systemctl --failed

# All installed unit files and their automatic-start state
systemctl list-unit-files

systemctl --failed shows at a glance what failed to come up after boot, making it the starting point for quickly finding a problem service.

Tracing dependencies

# The unit tree a particular target pulls in
systemctl list-dependencies graphical.target

# What a particular service depends on
systemctl list-dependencies sshd

list-dependencies shows as a tree which services a target bundles and what a service requires. You can also confirm the structure where graphical.target includes multi-user.target with this command.

The GRUB2 bootloader

GRUB2 is RHEL’s bootloader. It loads the kernel into memory and passes kernel parameters to it, and in RHCSA the task of temporarily editing kernel parameters at boot is important because it ties directly into password recovery.

Temporary editing at boot

When the GRUB2 menu appears as the system powers on, move the cursor onto the entry you want to boot and press e. That lets you edit the boot settings for that entry. Find the line starting with linux, add or modify a kernel parameter, then boot with Ctrl+x, and it applies only to that one boot. It reverts on the next reboot, so you can try it safely.

This temporary edit is the heart of root password recovery. If you add rd.break to the end of the linux line and boot, you drop into a root shell.

Permanent changes

To change a kernel parameter permanently, edit /etc/default/grub and then regenerate the configuration.

# Generate the configuration after editing /etc/default/grub
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

On RHEL 9 there’s also the grubby command, which makes it easy to add or remove individual parameters.

# Add a parameter to all kernels
sudo grubby --update-kernel=ALL --args="quiet"

# Remove a parameter
sudo grubby --update-kernel=ALL --remove-args="quiet"

Root password recovery (the most frequent task)

This is a task that comes up almost every time in RHCSA. When you don’t know the root password, you stop at the initial ramdisk stage with rd.break, remount the root file system as writable, and change the password. Memorizing the whole sequence is the fastest way through.

Step 1: Boot with rd.break

  1. Reboot the system, put the cursor on the boot entry in the GRUB2 menu, and press e.
  2. Find the line starting with linux and add rd.break at the end.
  3. Boot with Ctrl+x, and you drop into a root shell with a switch_root prompt.

Step 2: Remount the root file system

At this stage the actual root is mounted read-only at /sysroot. To change the password, you have to remount it as writable.

# Remount /sysroot as read/write
mount -o remount,rw /sysroot

# chroot into the actual root
chroot /sysroot

Step 3: Change the password

# Change the root password
passwd root

Step 4: Schedule an SELinux relabel

This is the step people skip most often. Because /etc/shadow was modified by the password change, the SELinux context may have drifted. Create a schedule file so that a full relabel is performed on the next boot.

# Schedule a full relabel on the next boot
touch /.autorelabel

If you don’t create this file, the SELinux context drifts and you may be unable to log in or the boot may be blocked. Be sure to do it.

Step 5: Exit and reboot

# Exit chroot
exit

# Exit the switch_root shell (resume booting)
exit

When booting resumes after the second exit, /.autorelabel triggers a full relabel. The relabel takes a few minutes depending on the system size, and once it finishes the system reboots again automatically. After that you can log in as root with the new password.

If you’d rather not wait for the relabel, there’s also the option of restoring the context of just that file with restorecon -v /etc/shadow inside chroot, instead of /.autorelabel. To play it safe, though, /.autorelabel is recommended.
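
Before the first exit in Step 5, the two things that most often go wrong (no usable hash written for root, and the missing relabel marker) can be checked in one pass. The following is an added example, not part of the original post: the function name recovery_check and the demo data are constructed for illustration, and it assumes the standard /etc/shadow layout where field 2 holds the password hash.

```shell
#!/bin/sh
# Added example: sanity check to run inside the chroot after Step 4.
# Inside "chroot /sysroot" call it as: recovery_check /

# recovery_check ROOT
# Prints one line per check; returns non-zero if any check fails.
recovery_check() {
    root="${1%/}"; rc=0
    # Step 3: passwd must have left a hash for root. A usable hash starts
    # with "$"; an empty field, "!", "!!" or "*" means none or locked.
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$root/etc/shadow" 2>/dev/null)
    case "$hash" in
        '$'*) echo "ok   root has a password hash" ;;
        *)    echo "FAIL root has no usable password hash"; rc=1 ;;
    esac
    # Step 4: the relabel marker must sit at the top of the real root.
    if [ -e "$root/.autorelabel" ]; then
        echo "ok   /.autorelabel is present"
    else
        echo "FAIL /.autorelabel is missing"; rc=1
    fi
    return $rc
}

# Constructed demo root (the shadow line is a placeholder, not a real hash).
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf '%s\n' 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:99999:7:::' \
    > "$demo/etc/shadow"

echo "-- before touch /.autorelabel"
recovery_check "$demo" || true
touch "$demo/.autorelabel"
echo "-- after touch /.autorelabel"
recovery_check "$demo" || true
rm -rf "$demo"
```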

Exam points

  • start and enable are separate. start is to start now, enable is for automatic start at boot, and when you need both, use enable --now.
  • mask is stronger than disable. disable only blocks automatic start, while mask blocks both manual start and dependency-driven start.
  • Distinguish set-default and isolate. Changing the boot default is set-default (permanent); switching right now is isolate (temporary).
  • The e edit at boot applies only temporarily. It takes effect for only that one boot and disappears on reboot, so it’s safe for recovery work.
  • Memorize the root password recovery sequence whole. Add rd.break → mount -o remount,rw /sysroot → chroot /sysroot → passwd root → touch /.autorelabel → exit twice.
  • Never skip /.autorelabel. Forgetting this step and getting locked out by SELinux is a regular way to lose points in RHCSA.

Wrap-up

What this post locked in:

  • systemd is the PID 1 init process and service manager. It handles everything as units and groups them into targets.
  • systemctl’s core operations. We drilled start/stop/restart, enable/disable, status, and mask, distinguishing them by operation.
  • Boot targets. We change multi-user and graphical permanently with get-default and set-default, and switch immediately with isolate.
  • Service analysis. With list-units, --failed, and list-dependencies we read what’s up and what it depends on.
  • GRUB2. We temporarily edit kernel parameters with e at boot and make them permanent with grub2-mkconfig and grubby.
  • Root password recovery. Memorizing the whole sequence from rd.break to /.autorelabel is the best approach.

Next: Local storage 1

With boot and systemd we’ve laid the foundation for system operation. Now we move into the area with the most tasks in RHCSA — the one that decides whether you pass — storage.

In #5 Local storage 1: partitions, swap, LVM basics, we’ll create partitions on a disk, add swap space, and build out the LVM concepts of physical volume, volume group, and logical volume firsthand.
