Changing the root password in Triton

Modified: 26 Sep 2019 21:20 UTC

Because of the way that Triton boots (from USB key for the head node, and via PXE boot for the compute nodes), the following steps must be taken when changing the root password to ensure that the change persists across a reboot.

Password strength

Joyent recommends the use of strong passwords in order to assist in securing Triton. However, please be aware that passwords alone do not replace the need for other effective security controls, such as two factor authorization and restricted access to key systems, such as the Triton head node and compute nodes.

Changing the root password on the head node

Changing the root password is a two step process; you first change the password on the running head node, then you will use an Triton utility to synchronize the password back to the config file on the USB key.

Changing the root password for the running head node

To change the root password on the head node, first log in to the global zone of the head node as root. Then use the passwd(1) command without arguments to change the root password.

headnode# passwd
New Password: xxxxxxx
Re-enter new Password: xxxxxxx
passwd: password successfully changed for root

Updating the USB key config file on the head node

Run the sdc-image-sync command to write the change back to the USB key.

headnode# sdc-image-sync
Updating root password in the config file

This password will now persist across a reboot.

Note: If you have a version of gz-tools prior to TRITON-1415 you will need to manually update the root_shadow parameter in /usbkey/extra/joysetup/node.config. Use the same value as in /usbkey/config.

Changing the root password for the compute nodes

Since compute nodes PXE boot from the head node, the process of changing the root password is simply refreshing the configuration data from the headnode by restarting the smartdc/init SMF service.

computenode# svcadm restart smartdc/init

You can also update the password on all compute nodes simultaneously.

headnode# sdc-oneachnode -c 'svcadm restart smartdc/init'