I have Debian Linux VM running on KVM. I think I forgotten the password for the root account and I am no longer able to run ‘su -‘ command. How do I reset the password for the root account for KVM VM which is in qcow2 format?

You can modify images with guestfish. It is a shell and command-line tool for examining and editing virtual machine filesystems. It uses libguestfs and exposes all of the functionality of the guestfs API. This page shows how to use guestfish to change the root account password.

How to install guestfish

If you are using CentOS/RHEL use yum command:
$ sudo yum install libguestfs-tools
Fedora Linux user run dnf command:
$ sudo dnf install libguestfs-tools
Debian/Ubuntu Linux user run apt command/apt-get command:
$ sudo apt install libguestfs-tools

Step 1 – Shutdown guest VM

Run the following virsh command:
# virsh list
Sample outputs:

 Id    Name                           State
----------------------------------------------------
 2     debian9-vm1                    running

To shutdown the VM named debian9-vm1:
# virsh shutdown 2
OR
# virsh shutdown debian9-vm1
Sample outputs:

Domain debian9-vm1 is being shutdown

Step 2 – Find location of KVM VM image

Type the following command to get location of qcow2 image:
# virsh dumpxml debian9-vm1 | grep 'source file'
Sample outputs:

<source file='/var/lib/libvirt/images/debian9-vm1.qcow2'/>

Step 3 – Reset/change the root password using guestfish

First generate new root user account password by typing the following command:
# openssl passwd -1 mySecretRootAccountPasswordHere
$1$M1bf5Y3T$p2CYEz8vlUD2R.fXydTLt.
Please copy $1$M1bf5Y3T$p2CYEz8vlUD2R.fXydTLt. password. You need to use this one in next few steps.

How to reset forgotten root password for Linux KVM vm

Let us start the procedure by running the following guestfish command:
# guestfish --rw -a /var/lib/libvirt/images/debian9-vm1.qcow2
You will see a prompt as follows:

><fs>

To launch the backend either type ‘run’ or ‘launch’ command:

><fs> launch

To list partitions type:

><fs> list-filesystems

Now mount whatever disk you found it. For example, I found /dev/sda1, so I run the following mount command:

><fs> mount /dev/sda1 /

Edit the /etc/shadow file using a text editor such as vi command or emacs command:

><fs> vi /etc/shadow

Find root account entry and delete encrypted password. From:

root:$6$FU5Nl9oxxxx:17572:0:99999:7:::

To (replace as follows from above openssl command):

root:$1$M1bf5Y3T$p2CYEz8vlUD2R.fXydTLt.:17572:0:99999:7:::

Save and close the file in vi/vim. Run sync command:

><fs> flush

Finally, quit guestfish:

><fs> quit

Step 4 – Start VM

It is time to test your new root password. So start the VM:
# virsh start debian9-vm1
Sample outputs:

Domain debian9-vm1 started

You can now login using console or ssh:
# ssh vivek@debian9-vm1
$ su -
OR use console command:
# virsh list
# virsh console debian9-vm1

A note about virt-customize command

If you find above method difficult try the following simple command:
# virsh shutdown debian9-vm1
# virt-customize -a /var/lib/libvirt/images/debian9-vm1.qcow2 --root-password password:NewRootUserPasswordHere --uninstall cloud-init
Sample outputs:

Start the VM and test new root password with ssh/console command:
# virsh start debian9-vm1
For more info read man page of guestfish:
$ man guestfish
$ man virt-customize

See also

• Linux reset forgotten root password
• FreeBSD Reset or Recover Root Password
• How to: OpenBSD reset root password
• MySQL Reset Root Password
• How To Recover Linux Grub Boot Loader Password