Table of Contents
Password Recovery on BIG-IP 11.x–14.0
Applies to: BIG-IP 11.x, 12.x, 13.x, 14.0
Bootloader: GRUB 0.97 or GRUB2
Reboot into Single-User Mode
- Reboot the system via console.
- At the GRUB menu:
- GRUB2 platforms: highlight your kernel entry, press e, append
single
(orsingle fastboot
to skip fsck), then Ctrl-x to boot. - GRUB0.97 platforms: press e twice to edit the
kernel
line, appendsingle
, then press b to boot.
- GRUB2 platforms: highlight your kernel entry, press e, append
Note: If you’re uncertain which GRUB version your appliance uses, refer to F5’s K14658 KB article.
Reset the Root Password
Once you reach a prompt like switch_root:/#
:
shell
mount -a
passwd root
mount -a
ensures all filesystems from/etc/fstab
are mounted (including/
as read-write).passwd root
invokes the password-set utility—enter and confirm your new strong password.- Type
exit
orreboot
to continue normal boot.
After reboot, you can log in with your new root
password.
Password Recovery on BIG-IP 14.0 and Later
F5 revised its architecture in 14.x, leveraging RD.BREAK to interrupt the boot process more cleanly.
Enter RD.BREAK Mode
- Reboot and, at the GRUB menu, highlight the kernel entry.
- Press e to edit; on the kernel line, append
rd.break
. - Press Ctrl-x (or b) to boot into the minimal shell.
Identify Your Logical Volumes
shell
mount | grep /dev/mapper/vg–db
Typical output:
bash
/dev/mapper/vg–db–sda-set.2.root on /sysroot
/dev/mapper/vg–db–sda-set.2._usr on /sysroot/usr
If you see
vda
instead ofsda
, substitute accordingly.
Remount Filesystems Read-Write
shell
mount -o remount,rw /sysroot
mount -o remount,rw /sysroot/usr
Mount Config & Var Volumes
Based on your “set” number (e.g., set.2):
shell
mount /dev/mapper/vg–db–sda-set.2._config /sysroot/config
mount /dev/mapper/vg–db–sda-set.2._var /sysroot/var
Verify all are rw:
shell
mount | grep /dev/mapper/vg–db
Chroot & Reset
shell
chroot /sysroot
passwd root
Set your new root
password when prompted.
Ensure SELinux Relabeling
shell
touch /.autorelabel
This flags the filesystem for relabel on next boot.
Exit & Reboot
shell
exit # from chroot
exit # from switch_root shell
System boots normally, and you can log in as root
with your new password.
VIPRION Multi-Blade Note: On chassis with multiple blades, repeat the password change on the primary blade. After reboot, log into secondary and SSH via
ssh primary
(key-auth) to propagate the change.
Special Cases & Considerations
RAID vs. Non-RAID on 14.1.0+
- Non-RAID platforms (14.1+): refer to KB K35811337.
- RAID-capable platforms (14.1+): refer to KB K23220345.
These outline slight variations in volume mappings when using hardware RAID controllers.
vCMP Guests
For BIG-IP instances running as vCMP guests, follow KB K14581 for single-user mode nuances.
Skipping FSCK
If forced filesystem checks prompt for passwords, append single fastboot
instead of single
for GRUB2 boots to skip checks.
Admin/User Password Recovery on rSeries
On F5 rSeries appliances (F5OS), “root” and “admin” reside in separate partitions and use a systemd-based boot:
- Reboot to the F5OS bootloader; at the boot menu, press e on the default image.
- On the
linuxefi
line, appendrd.break
. - Press Ctrl-x to continue into the maintenance shell.
- Remount overlays as read-write: bash
mount -o remount,rw /sysroot && mount -o remount,rw /sysroot/sysroot
chroot /sysroot
- Change the
admin
(orroot
) password:
passwd admin # or passwd root
- Reload SELinux policy & restore contexts:
load_policy -i
restorecon -v /etc/shadow
- Update shadow tracker if needed (rSeries-specific):
awk -F: '/^admin:/{print "admin admin", $2, $3}' /etc/shadow >> /etc/libnss-udr/shadow.tracker
- Exit twice to continue boot; log in with your new credentials.
Comments