How to reset forgotten root password for Linux KVM qcow2 image/vm

I have Debian Linux VM running on KVM. I think I forgotten the password for the root account and I am no longer able to run ‘su -‘ command. How do I reset the password for the root account for KVM VM which is in qcow2 format?

You can modify images with guestfish. It is a shell and command-line tool for examining and editing virtual machine filesystems. It uses libguestfs and exposes all of the functionality of the guestfs API. This page shows how to use guestfish to change the root account password.

How to install guestfish

If you are using CentOS/RHEL use yum command:
$ sudo yum install libguestfs-tools
Fedora Linux user run dnf command:
$ sudo dnf install libguestfs-tools
Debian/Ubuntu Linux user run apt command/apt-get command:
$ sudo apt install libguestfs-tools

Step 1 – Shutdown guest VM

Run the following virsh command:
# virsh list
Sample outputs:

 Id    Name                           State
 2     debian9-vm1                    running

To shutdown the VM named debian9-vm1:
# virsh shutdown 2
# virsh shutdown debian9-vm1
Sample outputs:

Domain debian9-vm1 is being shutdown

Step 2 – Find location of KVM VM image

Type the following command to get location of qcow2 image:
# virsh dumpxml debian9-vm1 | grep 'source file'
Sample outputs:

<source file='/var/lib/libvirt/images/debian9-vm1.qcow2'/>

Step 3 – Reset/change the root password using guestfish

First generate new root user account password by typing the following command:
# openssl passwd -1 mySecretRootAccountPasswordHere

Please copy $1$M1bf5Y3T$p2CYEz8vlUD2R.fXydTLt. password. You need to use this one in next few steps.

How to reset forgotten root password for Linux KVM vm

Let us start the procedure by running the following guestfish command:
# guestfish --rw -a /var/lib/libvirt/images/debian9-vm1.qcow2
You will see a prompt as follows:


To launch the backend either type ‘run’ or ‘launch’ command:

><fs> launch

To list partitions type:

><fs> list-filesystems

Now mount whatever disk you found it. For example, I found /dev/sda1, so I run the following mount command:

><fs> mount /dev/sda1 /

Edit the /etc/shadow file using a text editor such as vi command or emacs command:

><fs> vi /etc/shadow

Find root account entry and delete encrypted password. From:


To (replace as follows from above openssl command):


Save and close the file in vi/vim. Run sync command:

><fs> flush

Finally, quit guestfish:

><fs> quit

Step 4 – Start VM

It is time to test your new root password. So start the VM:
# virsh start debian9-vm1
Sample outputs:

Domain debian9-vm1 started

You can now login using console or ssh:
# ssh vivek@debian9-vm1
$ su -

OR use console command:
# virsh list
# virsh console debian9-vm1

A note about virt-customize command

If you find above method difficult try the following simple command:
# virsh shutdown debian9-vm1
# virt-customize -a /var/lib/libvirt/images/debian9-vm1.qcow2 --root-password password:NewRootUserPasswordHere --uninstall cloud-init

Sample outputs:

Start the VM and test new root password with ssh/console command:
# virsh start debian9-vm1
For more info read man page of guestfish:
$ man guestfish
$ man virt-customize

See also

🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @