000035688 - Failure to boot after using the restore script on an RSA NetWitness appliance

Document created by RSA Customer Support Employee on Nov 3, 2017Last modified by RSA Customer Support Employee on Apr 17, 2019
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035688
Applies ToRSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: All Appliances
RSA Version/Condition: 10.6.0, 10.6.1,10.6.2, 10.6.3
Platform: CentOS
O/S Version: EL6
IssueSome customers have experienced issues with the 2.0 restore script after receiving a newly RMA-ed appliance that may result with the device failing to boot, leaving the system in single-user/maintenance mode.
CauseThe issue occurs because the following files are restored when they should actually be ignored by the restore script:
  • /etc/passwd
  • /etc/group
  • /etc/fstab
  • /etc/shadow
When you are restoring an appliance that was recently RMA-ed using the restore script, you will find that this may cause your system not to boot as the boot mount has a different UUID.
ResolutionBefore running the restore script, take a copy of these 4 files that exist on your newly RMA-ed box and store them somewhere you can easily access after a reboot.

CAUTION: You may have to restore attributes of these four files manually while in maintenance mode if the appliance fails to boot.

  1.  A backup can be done to the /root directory, as an example, like the following:

    [root@ldec1 ~]# cp /etc/passwd /root/passwd-backup
    [root@ldec1 ~]# cp /etc/group /root/group-backup
    [root@ldec1 ~]# cp /etc/fstab /root/fstab-backup
    [root@ldec1 ~]# cp /etc/shadow /root/shadow-backup

  2. Once you have taken your backups, you can proceed with running the restore script normally.
  3. Once complete, you can begin copying back your four files EXCEPT fstab as shown below.

    [root@ldec1 ~]# cp /root/group-backup /etc/group
    [root@ldec1 ~]# cp /root/passwd-backup /etc/passwd
    [root@ldec1 ~]# cp /root/shadow-backup /etc/shadow

  4. Take a copy of your current /etc/fstab for reference. You will need to take the entries referencing any external mount points (such as a DAC) and copy those into your new fstab (/root/fstab-backup).
  5. Once you add those entries, you can copy the new fstab over the /etc/fstab.

    [root@ldec1 ~]# cp /root/fstab-backup /etc/fstab

  6. Once you feel confident with your reapplication of these files and you are sure that you have either direct access to the appliance or by use of an iDRAC, you can reboot the box to ensure that it will boot properly.
NOTE: If you find yourself booting into maintenance mode despite these changes, run the following command after logging in as root to allow you to edit files in the /etc directory:

mount -o remount,rw /

If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.