RHEL 7 / CentOS 7 : Single User Mode / Recovering / Reset Root Password

Setting up the root password is a mandatory part of the Red Hat Enterprise Linux 7 / CentOS 7installation.
If you forget or lose your password, it is possible to reset it. Now it is known as Rescue Mode / Emergency mode in CentOS / RHEL 7, Previously in RHEL / CentOS 5/6 It was “Single User Mode”.
Note: In GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.
Process: Resetting the Root Password
  1. Please follow this procedure carefully, any mistake can make your system / Linux unstable, Perform this own your on risk.
  2. Start the system and, on the GRUB 2 boot screen, press the e key for edit.
  3. Add the following parameter at the end of the linux line, or linuxefi on UEFI systems (In case of  VMWare like KVM or VirtualBox use rb.break instead of init=/bin/sh):
    The Linux kernel will run the /bin/sh shell rather than the system init daemon. Therefore, some functions may be limited or missing.


    The rhgb and quiet parameters must be disables in order to enable system messages.
  4. Press Ctrl+x to boot the system with the parameter.
    The shell prompt appears.
  5. The file system is mounted read-only. You will not be allowed to change the password if the file system is not writable.
    To remount the file system as writable, run the mount -o remount, rw / command.
  6. Run the passwd command and follow the instructions displayed on the command line to change the root password.
    Note that if the system is not writable, the passwd tool fails with the following error:
    Authentication token manipulation error
  7. To make sure that SELinux context of the files that were modified is restored properly after boot, run
    touch /.autorelabel
  8. Run the exec /sbin/init command to resume the initialization and finish the system boot.
    Running the exec command with another command specified replaces the shell and creates a new process; init in this case.
    Alternatively, if you wish to reboot the system, run the exec /sbin/reboot command instead.

Enjoy RHEL 7 🙂 Enjoy CentOS 7 🙂 Enjoy Linux 🙂 Enjoy Open Source 🙂

Please Keep in Touch with Social Networking :- 
Facebook Page :- https://www.facebook.com/AllLinuxUsersBlog

RHEL 7 / CentOS 7: How to get started with Firewalld

Hello All,

Today I was trying to learn and know about Systemd. I have found one of the great Article about firewalld, Sharing with you guys, It will help you to understand this biggest and major change in RHEL and CentOS 7.

This article is not mine, I found on internet and felt that this is wonderful Article so Sharing with you all, Thanks to Original author, Given credit to him at the end of article.



Firewalld is the new userland interface in RHEL 7. It replaces the iptables interface and connects to the netfilter kernel code. It mainly improves the security rules management by allowing configuration changes without stopping the current connections.

To know if Firewalld is running, type:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago

or alternatively:

# firewall-cmd --state

Note: If Firewalld is not running, the command displays not running.

If you’ve got several network interfaces in IPv4, you will have to activate ip_forwarding.
To do that, paste the following line in the /etc/sysctl.conf file:


Then, activate the configuration:

# sysctl -p

Although Firewalld is the RHEL 7 way to deal with firewalls and provides many improvements, iptables can still be used.

Zone management

Also, a new concept of zone appears : all network interfaces can be located in the same default zone or divided into different ones according to the levels of trust defined.

To get the default zone, type:

# firewall-cmd --get-default-zone

To get the list of zones where you’ve got network interfaces assigned to, type:

# firewall-cmd --get-active-zones
interfaces: eth0

To get the list of all the available zones, type:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To get all the details about the public zone, type:

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  services: dhcpv6-client ssh
  masquerade: no
  rich rules: 

To change the default zone to home permanently, type:

# firewall-cmd --set-default-zone=home

Network interfaces can be assigned to a zone in a temporary (until the next reboot or reload) or permanent way.

To assign the eth0 network interface temporary to the internal zone, type:

# firewall-cmd --zone=internal --change-interface=eth0

To assign the eth0 network interface permanently to the internal zone (a file called internal.xml is created in the /etc/firewalld/zones directory), type:

# firewall-cmd --permanent --zone=internal --change-interface=eth0

To know which zone is associated with the eth0 interface, type:

# firewall-cmd --get-zone-of-interface=eth0

Service management

After assigning each network interface to a zone, it is now possible to add services to each zone.
To allow the http service permanently in the internal zone, type:

# firewall-cmd --permanent --zone=internal --add-service=http
# firewall-cmd --reload

Note1: Type –remove-service=http to deny the http service.
Note2: The firewall-cmd –reload command is necessary to activate the change. Contrary to the –complete-reload option, current connections are not stopped.

To get the list of services in the default zone, type:

# firewall-cmd --list-services
dhcpv6-client ssh

Note: To get the list of the services in a particular zone, add the –zone= option.

Service firewall configuration

With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory. But it is still possible to add new ones in the /etc/firewalld/services directory. Also, if files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.

For example, it is the case of the HAProxy service. There is no firewall configuration associated.
Create the /etc/firewalld/services/haproxy.xml and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
 <description>HAProxy load-balancer</description>
 <port protocol="tcp" port="80"/>

Assign the correct SELinux context and file permissions to the haproxy.xml file:

# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml

Add the HAProxy service to the default zone permanently and reload the firewall configuration:

# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload

Port management

Port management follows the same model as service management.

To allow the 443/tcp port temporary in the internal zone, type:

# firewall-cmd --zone=internal --add-port=443/tcp
# firewall-cmd --reload

Note: type –remove-port=443/tcp to deny the port.

To get the list of ports open in the internal zone, type:

# firewall-cmd --zone=internal --list-ports


If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all packets will get your firewall ip address as source address.

To set up masquerading on the external zone, type:

# firewall-cmd --zone=external --add-masquerade

Note1: To remove masquerading, use the –remove-masquerade option.
Note2: To know if masquerading is active in a zone, use the –query-masquerade option.

Port forwarding

In addition to the masquerading, you can want to use port forwarding.
If you want all packets intended for port 22 to be now forwarded to port 3753, type:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Note1: To remove port forwarding, use the –remove-forward-port option.
Note2: To know if port forwarding is active in a zone, use the –query-forward-port option.
Also, if you want to define the destination ip address, type:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=

Direct rules

It is still possible to set specific rules by using the direct mode (here to open the tcp port 9000) that by-passes the Firewalld interface:

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
# firewall-cmd --reload

Note: This last example has been borrowed from Khosro Taraghi’s blog.

To display all the direct rules added, type:

# firewall-cmd --direct --get-all-rules

In addition, you can read this very good article about Firewalld by Sander van Vugt.

Thanks to Original Author for explaining it very nicely.

Source : http://www.certdepot.net/rhel7-get-started-firewalld/

Enjoy Firewalld 🙂 Enjoy Systemd 🙂 Enjoy RHEL 7 🙂 Enjoy CentOS 7 🙂 Enjoy Open Source 🙂

Please Keep in Touch with Social Networking :- 
Facebook Page :- https://www.facebook.com/AllLinuxUsersBlog

[Video] [HowTo] CentOS / RHEL 7 Installation with GUI / Custom Partition


Today I have tried to Install CentOS 7 on my Virtual Machine. Sharing video of CentOS 7 Installation with GUI and Custom Partition with LVM.

Hope this video will help to those who wants to Install and Looking for easy guide for CentOS 7 Installation.

CentOS / RHEL 7 Installation Video

Enjoy CentOS 7 🙂 Enjoy RHEL 7 🙂 Enjoy Linux 🙂 Enjoy Open Source 🙂

Please Keep in Touch with Social Networking :- 
Facebook Page :- https://www.facebook.com/AllLinuxUsersBlog