In-place Upgrade RHEL 7.9 to RHEL 8.9

Sekar K Pillai
Jan 8, 2024

Have you been curious about the RHEL 7 upgrade and found yourself searching the internet for instructions like “How to perform an in-place upgrade from RHEL 7 to RHEL 8?”

I recently upgraded the RHEL operating system on AWS EC2 instances. It can be done using the Leapp utility provided by Red Hat, a tool designed to facilitate in-place upgrades. First, check the RHEL-supported upgrade paths on the Red Hat website. I would suggest you have a free Red Hat account for technical help.

Before starting the upgrade process, back up all data and configurations so that you can recover if something goes wrong. Create a full backup of the EC2 instance with an AMI, or take a snapshot of an individual volume. It is good to have an active Red Hat subscription and access to the RHEL 8 repositories. Red Hat instances on EC2 come with an active subscription, but it may not be available if you use your own AMI. Fortunately, we can still upgrade without a subscription.

To check the repositories enabled through your subscription, use:
sudo subscription-manager repos --list-enabled

Check the current version and install the Leapp utility.
uname -r
cat /etc/redhat-release

Ensure that your existing RHEL 7 system is fully updated to the latest available patches and updates.
sudo yum update

Reboot your server.

Install the Leapp tool using the following command. It should also install all the required dependencies.
sudo yum install -y leapp leapp-rhui-aws leapp-repository-deps lvm2-python-boom --enablerepo=*

After installing Leapp, you must make sure you have access to the latest version of the additional required data files. You can download the leapp-data-22.tar.gz file and extract its contents to the /etc/leapp/files directory.

Check the installation using:
sudo yum list installed | grep leapp

Before proceeding, run the following preupgrade command to check for any potential inhibitors or errors:
sudo leapp preupgrade

To run without the subscription manager, use:
sudo leapp preupgrade --no-rhsm
Note that the --no-rhsm option tells Leapp not to use the RHEL subscription manager.

Please make sure RHEL runs on the latest kernel version. If not, leapp doesn’t let you proceed with the upgrade.

At this point you must address any issues that are reported before proceeding further. In my case, it reported the following inhibitors and errors.

Upgrade has been inhibited due to the following problems:
1. Automated upgrades from RHEL 7 to RHEL 8 in FIPS mode are not supported
2. Missing required answers in the answer file

HIGH and MEDIUM severity reports:
1. Packages available in excluded repositories will not be installed
2. Difference in Python versions and support in RHEL 8
3. GRUB2 core will be automatically updated during the upgrade

You can read the full report in /var/log/leapp/leapp-report.json and /var/log/leapp/leapp-report.txt.
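To gate a scripted upgrade on that report, the JSON file can be triaged automatically. The following is an added example, not code from the original post or from the Leapp project; the sample report is constructed, and the field layout it relies on ("entries", "severity", and an "inhibitor" marker in "groups" or "flags") is an assumption to check against your own report.

```python
import json
import sys

# Constructed sample in the layout of /var/log/leapp/leapp-report.json.
# Assumption: findings sit in a top-level "entries" list; an inhibitor carries
# "inhibitor" in "groups" (newer reports) or "flags" (older). Severities are made up.
SAMPLE_REPORT = json.dumps({"entries": [
    {"title": "Automated upgrades from RHEL 7 to RHEL 8 in FIPS mode are not supported",
     "severity": "high", "groups": ["inhibitor", "security"]},
    {"title": "Missing required answers in the answer file",
     "severity": "high", "flags": ["inhibitor"]},
    {"title": "GRUB2 core will be automatically updated during the upgrade",
     "severity": "high", "groups": ["boot"]},
    {"title": "Difference in Python versions and support in RHEL 8",
     "severity": "medium", "groups": ["python"]},
    {"title": "Constructed informational entry", "severity": "info"},
]})

RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

def is_inhibitor(entry):
    markers = set(entry.get("groups") or []) | set(entry.get("flags") or [])
    return "inhibitor" in markers

def triage(report_text, min_severity="medium"):
    """Return (inhibitor titles, [(severity, title)] at or above min_severity)."""
    entries = json.loads(report_text).get("entries")
    if not isinstance(entries, list):
        # A truncated or foreign file must not be read as "nothing to fix".
        raise ValueError("no 'entries' list in report")
    inhibitors, findings = [], []
    for entry in entries:
        title = entry.get("title", "<untitled>")
        sev = str(entry.get("severity", "")).lower()
        if is_inhibitor(entry):
            inhibitors.append(title)
        elif RANK.get(sev, 99) <= RANK[min_severity]:
            findings.append((sev, title))
    findings.sort(key=lambda f: RANK[f[0]])  # stable: high before medium
    return inhibitors, findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocked, review = triage(text)
    for title in blocked:
        print("INHIBITOR:", title)
    for sev, title in review:
        print(f"{sev.upper()}: {title}")
    sys.exit(1 if blocked else 0)  # non-zero exit stops a scripted upgrade
```

Run it with the report path as the only argument; with no argument it uses the constructed sample.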

Note: Red Hat recommends performing a fresh installation of RHEL 8 if you need to operate in FIPS mode. An in-place upgrade from RHEL 7 to RHEL 8 while in FIPS mode is not supported.

I upgraded from RHEL 7 to RHEL 8 and enabled FIPS mode afterward. However, you will need to disable FIPS mode in RHEL 7 before upgrading, and then re-enable FIPS mode in RHEL 8 after the upgrade is complete.

To disable FIPS mode in RHEL 7 (for more info, refer to Red Hat knowledgebase site 2422061):
sudo yum remove dracut-fips\*
sudo mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak}
sudo dracut
sudo grubby --update-kernel=ALL --remove-args=fips=1
[[ -f /etc/default/grub ]] && sudo sed -i 's/ fips=1//' /etc/default/grub
sudo reboot

Now confirm that FIPS mode is off using sysctl crypto.fips_enabled; it should report 0.

To fix the second inhibitor, run the following command:
sudo leapp answer --section remove_pam_pkcs11_module_check.confirm=True
or edit the answer file at /var/log/leapp/answerfile.

You must fix all the inhibitors. Then run the following command to start the in-place upgrade:
sudo leapp upgrade --no-rhsm

You may see an error like

Actor: dnf_transaction_check Message: DNF execution failed with non zero exit code.
In this case, add a proxy entry to yum.conf:
cat /etc/yum.conf
export LEAPP_PROXY_HOST=http://x.x.x.x:80
echo "proxy=http://x.x.x.x:80" | sudo tee -a /etc/yum.conf

Edit the following file and add a dnf entry:
sudo vi /usr/share/leapp-repository/system_upgrade/common/actors/scanfilesfortargetuserspace/libraries/scanfilesfortargetuserspace.py

FILES_TO_COPY_IF_PRESENT = {
    '/etc/dnf/dnf.conf': '/etc/dnf/dnf.conf'
}

The Leapp tool will analyze your system, create a report, and suggest any actions that need to be taken during the upgrade process. Now, reboot your server to complete the upgrade process.

Upgraded version RHEL 8.9

Post-upgrade: After rebooting into RHEL 8, you may need to perform post-upgrade tasks such as enabling FIPS mode, or addressing any issues that may have arisen during the upgrade. Make sure old kernels are not present in the bootloader.

To enable FIPS mode back:

sudo su -
cd /lib/modules && ls -d *.el7*
Run the following command for each module:
[ -x /usr/sbin/weak-modules ] && /usr/sbin/weak-modules --remove-kernel 3.10.0-1160.31.1.el7.x86_64

ls -d *.el7*
grubby --info=ALL | grep "\.el7" || echo "Old kernels are not present in the bootloader."

Run the following command for each kernel version:
/bin/kernel-install remove 3.10.0-1160.114.2.el7.x86_64 /lib/modules/3.10.0-1160.114.2.el7.x86_64/vmlinuz

grubby --info=ALL | grep "\.el7" || echo "Old kernels are not present in the bootloader."
rm /boot/vmlinuz-*rescue* /boot/initramfs-*rescue*
/usr/lib/kernel/install.d/51-dracut-rescue.install add "$(uname -r)" /boot "/boot/vmlinuz-$(uname -r)"
grubby --info=ALL | grep "\.el7" || echo "Old kernels are not present in the bootloader."
ls /boot/vmlinuz-*rescue* /boot/initramfs-*rescue*
lsinitrd /boot/initramfs-*rescue*.img | grep -qm1 "$(uname -r)/kernel/" && echo "OK" || echo "FAIL"
Make sure the above command returns OK.
grubby --info $(ls /boot/vmlinuz-*rescue*)

You can remove any RHEL 7-specific packages and repositories that are no longer needed:
sudo yum remove $(rpm -q --queryformat="%{NAME}\n" -l '7.*')

Verification: Verify that all your services and applications are functioning correctly in RHEL 8.

To apply Security Technical Implementation Guides (STIG) for RHEL 8 using an Ansible playbook, use the official RHEL GitHub repository. You might not want to enable every STIG control, because SELinux contexts and fapolicyd control the execution of applications such as your systemd services.

Make sure there are no SELinux denials.
sudo ausearch -m AVC,USER_AVC -ts boot
sudo ausearch -m avc -ts recent
sudo grep "denied" /var/log/audit/audit.log | tail

In my case, systemd service was not working after the upgrade. I created a custom policy.

sudo grep AVC /var/log/audit/audit.log | audit2allow -M myselpolicy
sudo semodule -i myselpolicy.pp
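The grep above passes every AVC record in audit.log to audit2allow, so the generated module covers whatever was denied on the host, not only the failing service. The following added example (not from the original post) groups denials into allow-rule form so they can be reviewed and limited to one process before a module is installed; the log lines and the process name myapp are constructed.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the original post); "myapp" is a
# hypothetical service process, the httpd record is unrelated noise.
SAMPLE_LOG = """\
type=AVC msg=audit(1704700000.101:410): avc:  denied  { read } for  pid=1201 comm="myapp" name="app.conf" dev="xvda2" ino=8401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1704700000.102:411): avc:  denied  { open } for  pid=1201 comm="myapp" path="/home/ec2-user/app/app.conf" dev="xvda2" ino=8401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1704700050.300:502): avc:  denied  { name_connect } for  pid=2290 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1704700060.000:510): pid=1 uid=0 msg='unit=myapp comm="systemd" res=success'
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    # user:role:type[:level] -> type
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text, comm=None):
    """Group AVC denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue  # not a denial, or not the process under review
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return dict(rules)

def as_allow_rules(rules):
    """Render each group in allow-rule form, noting which process caused it."""
    return sorted(
        "allow %s %s:%s { %s }; # from: %s" % (
            src, tgt, cls, " ".join(sorted(v["perms"])), ", ".join(sorted(v["comms"])))
        for (src, tgt, cls), v in rules.items())

if __name__ == "__main__":
    print("Everything in the log:")
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
    print("Only the service process:")
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG, comm="myapp"))))
```

On the host, the same scoping can be done by selecting records with ausearch -m AVC -c followed by the process name and --raw, and piping that output to audit2allow instead of the whole log.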

If you hit a reboot issue from the SSH client, check /var/log/messages, use EC2 Get System Log, or generate an EC2 instance screenshot when it crashes. You might notice a kernel panic; search for the error, and the Red Hat documentation should have a solution. Remember, Red Hat 8.9 EOSL is May 31, 2024.


Sekar K Pillai

DevSecOps Engineer (AWS Certified DevOps, Solutions Architect professional, & Developer)