The sysadmin AccountΒΆ

This is a local, per-host, sudo-enabled account created automatically when a new host is provisioned.

This Linux user account is used by the primary system administrator as it has extended privileges.

On controller nodes, this account is available even before ansible bootstrap playbook is executed.

The default initial password is sysadmin.

  • The initial password must be changed immediately when you log in to each host for the first time. For details, see Installation guide.

  • After each unsuccessful login attempt, a 15 second delay is imposed before making another attempt. If you attempt to login before 15 seconds the system will display a message such as:

    Account temporary locked (10 seconds left)


    On Debian-based StarlingX systems, this delay is 3 seconds.

  • After five consecutive unsuccessful login attempts, further attempts are blocked for about five minutes. On further attempts within 5 minutes, the system will display a message such as:

    Account locked due to 6 failed logins


    On Debian-based StarlingX systems, you are alerted on the 6th and subsequent attempts:

    Account locked due to 6 failed logins

    and an error message is displayed on subsequent attempts:

    Maximum number of tries exceeded (5)

    To clarify, on CentOS-based StarlingX systems, the 5 minute block is not an absolute window, but a sliding one. That is, if you keep attempting to log in within those 5 minutes, the window keeps sliding and the you remain blocked. Therefore, you should not attempt any further login attempts for 5 minutes after 5 unsuccessful login attempts.

    On Debian-based StarlingX systems, 5 mins after the account is locked, the failed attempts will be reset and failed attempts re-counted.

Subsequent password changes must be executed on the active controller in an unlocked, enabled, and available state to ensure that they propagate to all other unlocked-active hosts in the cluster. Otherwise, they remain local to the host where they were executed, and are overwritten on the next reboot or host unlock to match the password on the active controller.

From the sysadmin account, you can execute commands requiring different privileges.

  • You can execute non-root level commands as a regular Linux user directly.

    If you do not have sufficient privileges to execute a command as a regular Linux user, you may receive a permissions error, or in some cases, the command may be reported as not found.

  • You can execute root-level commands as the root user.

    To become the root user, use the sudo command to elevate your privileges, followed by the command to be executed. For example, to run the license-install command as the root user:

    $ sudo /usr/sbin/license-install license_file

    If a password is requested, provide the password for the sysadmin account.

  • You can execute StarlingX administrative commands as the Keystone admin user and Kubernetes kubectl and helm administrative commands as the Kubernetes admin user.

    To become the admin user from the Linux sysadmin account, source the script /etc/platform/openrc:

    $ source /etc/platform/openrc
    [sysadmin@controller-0 ~(keystone_admin)]$

    The system prompt changes to indicate the newly acquired privileges.


    The default Keystone prompt includes the host name and the current working path. For simplicity, this guide uses the following generic prompt instead: