AlmaLinux's new ELevate feature: migrating a server from CentOS 7.x to AlmaLinux 8.x

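AlmaLinux today announced their new feature ELevate, which lets you migrate between major versions of RHEL-based distributions, from 7.x to 8.x. This was previously not possible under CentOS; the problem came up when CentOS 6.x reached end of life and will come up again in 2024 when CentOS 7.x reaches end of life. Before ELevate, the only way to move to the latest version of a RHEL-based distribution was to deploy a new server with the desired version, then configure everything and migrate it to the new server.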

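AlmaLinux ELevate accomplishes this feat by using Red Hat's Leapp framework together with community-created libraries and services to provide the migration set it needs. ELevate relies on the Package Evolution Service (PES), which lets you download, customize, and submit new data sets for packages. This will let both maintainers and users carry out migrations smoothly and easily. ELevate is currently under development, and it is recommended that you test your migration scenario before attempting it. With that said, let's take a quick look at migrating a stock CentOS 7.x cloud server to AlmaLinux 8.x.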

The first step in the upgrade process is to make sure we have a fully updated system; at the moment we have:

[root@el7conversion ~]# uname -rv
3.10.0-1160.45.1.el7.x86_64 #1 SMP Wed Oct 13 17:20:51 UTC 2021
[root@el7conversion ~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
[root@el7conversion ~]# 

Now it is time to install the elevate-release package, which provides the project repository and GPG key:

yum install -y http://repo.almalinux.org/elevate/elevate-release-latest-el7.noarch.rpm

The next step is to install the required packages; in our case we want to upgrade to AlmaLinux 8.x:

yum install -y leapp-upgrade leapp-data-almalinux

From here we run the pre-upgrade check to see whether we meet the minimum requirements for performing the upgrade:

leapp preupgrade

When it finished, I was told the following:

============================================================
                     UPGRADE INHIBITED                      
============================================================

Upgrade has been inhibited due to the following problems:
    1. Inhibitor: Possible problems with remote login using root account
    2. Inhibitor: Detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
    3. Inhibitor: Missing required answers in the answer file
Consult the pre-upgrade report for details and possible remediation.

============================================================
                     UPGRADE INHIBITED                      
============================================================


Debug output written to /var/log/leapp/leapp-preupgrade.log

============================================================
                           REPORT                           
============================================================

A report has been generated at /var/log/leapp/leapp-report.json
A report has been generated at /var/log/leapp/leapp-report.txt

============================================================
                       END OF REPORT                        
============================================================

Answerfile has been generated at /var/log/leapp/answerfile

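Unfortunately, the base system is not compatible as it stands, and a few steps are needed before the upgrade can continue. The details can be checked in /var/log/leapp/leapp-report.txt, which in our case contains the following items: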

Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account
Summary: OpenSSH configuration file does not explicitly state the option PermitRootLogin in sshd_config file, which will default in RHEL8 to "prohibit-password".
Remediation: [hint] If you depend on remote root logins using passwords, consider setting up a different user for remote administration or adding "PermitRootLogin yes" to sshd_config.
Key: 3d21e8cc9e1c09dc60429de7716165787e99515f

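We can resolve this by running the following command, which states the option explicitly and keeps password-based root logins allowed:

echo PermitRootLogin yes | sudo tee -a /etc/ssh/sshd_config
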
Risk Factor: high (inhibitor)
Title: Detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
Summary: Support for the following RHEL 7 device drivers has been removed in RHEL 8: 
     - floppy
     - pata_acpi
Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#removed-device-drivers_hardware-enablement for details.
Remediation: [hint] Please disable detected kernel drivers in order to proceed with the upgrade process using the rmmod or modprobe -r.
Key: b6fd580136aaf67fa42d68fb75b27f6e13f47c2d

We have two incompatible drivers loaded; we do not need them on our machine, so we can run the following commands:

rmmod floppy
rmmod pata_acpi

Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
Summary: One or more sections in answerfile are missing user choices: remove_pam_pkcs11_module_check.confirm
For more information consult https://leapp.readthedocs.io/en/latest/dialogs.html
Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile.
[command] leapp answer --section remove_pam_pkcs11_module_check.confirm=True
Key: d35f6c6b1b1fa6924ef442e3670d90fa92f0d54b

This requires a Leapp answer that we are happy to accept, so we can run the following command:

leapp answer --section remove_pam_pkcs11_module_check.confirm=True

Risk Factor: high
Title: Packages from unknown repositories may not be installed
Summary: 1 packages may not be installed or upgraded due to repositories unknown to leapp:
- kernel-uek (repoid: ol8-uek)
Remediation: [hint] Please file a bug in http://bugzilla.redhat.com/ for leapp-repository component of the Red Hat Enterprise Linux product.
Key: 9a2b05abf8f45fd7915e52542887bb334bb218ea

In our case, although this is rated high, it has no effect on our upgrade.

Risk Factor: high
Title: Difference in Python versions and support in RHEL 8
Summary: In RHEL 8, there is no 'python' command. Python 3 (backward incompatible) is the primary Python version and Python 2 is available with limited support and limited set of packages. Read more here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/#using-python3
Remediation: [hint] Please run "alternatives --set python /usr/bin/python3" after upgrade
Key: 0c98585b1d8d252eb540bf61560094f3495351f5

We can safely ignore this, since this is a base image and we are not using Python 2 or Python 3 ourselves.

Risk Factor: high
Title: Leapp could not identify where GRUB core is located
Summary: We assume GRUB core is located on the same device as /boot. Leapp needs to update GRUB core as it is not done automatically on legacy (BIOS) systems. 
Remediation: [hint] Please run "grub2-install <GRUB_DEVICE> command manually after upgrade

Once the upgrade is complete, we will follow the grub2-install instruction.

Title: Packages not signed by Red Hat found on the system
Summary: The following packages have not been signed by Red Hat and may be removed during the upgrade process in case Red Hat-signed packages to be removed during the upgrade depend on them:
- elevate-release
- gpg-pubkey
- leapp
- leapp-data-almalinux
- leapp-deps
- leapp-upgrade-el7toel8
- leapp-upgrade-el7toel8-deps
- python2-leapp
Key: 13f0791ae5f19f50e7d0d606fb6501f91b1efb2c

In our case this can be ignored, since these are the Leapp-related packages.

Risk Factor: medium
Title: chrony using default configuration
Summary: default chrony configuration in RHEL8 uses leapsectz directive, which cannot be used with leap smearing NTP servers, and uses a single pool directive instead of four server directives
Key: c4222ebd18730a76f6bc7b3b66df898b106e6554

This is purely informational and can safely be ignored in our case.

Risk Factor: low
Title: Grep has incompatible changes in the next major version
Summary: If a file contains data improperly encoded for the current locale, and this is discovered before any of the file's contents are output, grep now treats the file as binary.
The 'grep -P' no longer reports an error and exits when given invalid UTF-8 data. Instead, it considers the data to be non-matching.
In locales with multibyte character encodings other than UTF-8, grep -P now reports an error and exits instead of misbehaving.
When searching binary data, grep now may treat non-text bytes as line terminators. This can boost performance significantly.
The 'grep -z' no longer automatically treats the byte '\200' as binary data.
Context no longer excludes selected lines omitted because of -m. For example, 'grep "^" -m1 -A1' now outputs the first two input lines, not just the first line.

Remediation: [hint] Please update your scripts to be compatible with the changes.
Key: 94665a499e2eeee35eca3e7093a7abe183384b16

Another item that is good to know, though it would matter more if we had scripts using grep on the server.

Risk Factor: low
Title: Postfix has incompatible changes in the next major version
Summary: Postfix 3.x has so called "compatibility safety net" that runs Postfix programs with backwards-compatible default settings. It will log a warning whenever backwards-compatible default setting may be required for continuity of service. Based on this logging the system administrator can decide if any backwards-compatible settings need to be made permanent in main.cf or master.cf, before turning off the backwards-compatibility safety net.
The backward compatibility safety net is by default turned off in Red Hat Enterprise Linux 8.
It can be turned on by running:  "postconf -e compatibility_level=0
It can be turned off by running: "postconf -e compatibility_level=2

In the Postfix MySQL database client, the default "option_group" value has changed to "client", i.e. it now reads options from the [client] group from the MySQL configuration file. To disable it, set "option_group" to the empty string.

The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set TZ=UTC in main.cf:import_environment.

Postfix 3.2 enables elliptic curve negotiation. This changes the default smtpd_tls_eecdh_grade setting to "auto", and introduces a new parameter "tls_eecdh_auto_curves" with the names of curves that may be negotiated.

The "master.cf" chroot default value has changed from "y" (yes) to "n" (no). This applies to master.cf services where chroot field is not explicitly specified.

The "append_dot_mydomain" default value has changed from "yes" to "no". You may need changing it to "yes" if senders cannot use complete domain names in e-mail addresses.

The "relay_domains" default value has changed from "$mydestination" to the empty value. This could result in unexpected "Relay access denied" errors or ETRN errors, because now will postfix by default relay only for the localhost.

The "mynetworks_style" default value has changed from "subnet" to "host". This parameter is used to implement the "permit_mynetworks" feature. The change could result in unexpected "access denied" errors, because postfix will now by default trust only the local machine, not the remote SMTP clients on the same IP subnetwork.

Postfix now supports dynamically loaded database plugins. Plugins are shipped in individual RPM sub-packages. Correct database plugins have to be installed, otherwise the specific database client will not work. For example for PostgreSQL map to work, the postfix-pgsql RPM package has to be installed.

Key: 5721e0a07a67d82cf7e5ea6f17662cd4f82e0a33

In our case we can ignore this, since we have a stock CentOS 7.x server and do not need to worry about it.

Risk Factor: info
Title: SElinux disabled
Summary: SElinux disabled, continuing...
Key: 4f25fea9b15b9d1d07d52cc1de02073f295dac3

Another purely informational message, letting us know that we have SELinux disabled.

Risk Factor: info
Title: Current PAM and nsswitch.conf configuration will be kept.
Summary: There is a new tool called authselect in RHEL8 that replaced authconfig. The upgrade process was unable to find an authselect profile that would be equivalent to your current configuration. Therefore your configuration will be left intact.
Key: 40c4ab1da4a30dc1ca40e543f6385e1336d8810c

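This is another case of useful information to be aware of, but we can ignore it in our case. With that, we have finally worked through everything, and it is time to run the actual upgrade.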

leapp upgrade
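
Before running this command it is worth re-running leapp preupgrade and confirming that no inhibitors remain. The script below is an added example, not part of the original post or the Leapp project: it parses the text-report layout quoted above and lists the entries still marked (inhibitor); the function names and the shortened sample report are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list the Leapp findings that still block the upgrade.
# Assumes the report layout quoted in this post (Risk Factor / Title / ... / Key).

# Print "KEY<TAB>TITLE<TAB>SUGGESTED COMMAND" for each inhibitor entry.
# Reads the file given as $1, or standard input when no file is given.
leapp_inhibitors() {
    awk '
        function flush() {
            if (inhibitor)
                printf "%s\t%s\t%s\n", (key != "" ? key : "-"), title, (cmd != "" ? cmd : "-")
            inhibitor = 0; title = key = cmd = ""
        }
        /^Risk Factor:/ { flush(); inhibitor = ($0 ~ /\(inhibitor\)/); next }
        /^Title:/       { sub(/^Title:[ \t]*/, ""); title = $0; next }
        /^\[command\]/  { sub(/^\[command\][ \t]*/, ""); cmd = $0; next }
        /^Key:/         { key = $2 }
        END             { flush() }
    ' "${1:--}"
}

# Exit status 0 only when the report contains no inhibitor entries.
leapp_gate() {
    _found="$(leapp_inhibitors "$@")"
    [ -z "$_found" ] && return 0
    printf 'Inhibitors still present:\n%s\n' "$_found" >&2
    return 1
}

# Constructed sample: shortened entries taken from the report in this post.
sample_report() {
    cat <<'EOF'
Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account
Key: 3d21e8cc9e1c09dc60429de7716165787e99515f
Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
[command] leapp answer --section remove_pam_pkcs11_module_check.confirm=True
Key: d35f6c6b1b1fa6924ef442e3670d90fa92f0d54b
Risk Factor: high
Title: Leapp could not identify where GRUB core is located
Risk Factor: low
Title: Grep has incompatible changes in the next major version
Key: 94665a499e2eeee35eca3e7093a7abe183384b16
EOF
}

sample_report | leapp_inhibitors
```

On a real system, `leapp_gate /var/log/leapp/leapp-report.txt && leapp upgrade` starts the upgrade only when the report is clean.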

In our case, per the warning, we need to run the following command before rebooting:

grub2-mkconfig -o /boot/grub2/grub.cfg

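We can now reboot and, using the console available in our client area, watch the upgrade process. In my case, we needed to switch the kernel to the upgrade entry created by Leapp. After booting, the upgrade process starts, and the server reboots when it finishes. After logging in again, we can confirm that it is now running AlmaLinux 8: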

[root@el7conversion ~]# uname -rv
4.18.0-305.19.1.el8_4.x86_64 #1 SMP Wed Sep 15 11:28:53 EDT 2021
[root@el7conversion ~]# cat /etc/redhat-release 
AlmaLinux release 8.4 (Electric Cheetah)

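In our case it worked well, but we were upgrading from a basic CentOS 7.x server to a basic AlmaLinux 8.x installation. This is not necessary in our case, since we already provide an AlmaLinux 8 operating system image. However, if you are looking to migrate from CentOS 7.x to AlmaLinux 8, this is definitely a good option for you. As they recommend, be sure to test before upgrading, and to have a backup in case the upgrade process does not work for you.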
