Home PageElastic Compute ServiceUser GuideImagesOperating system maintenance cycle and EOL guidanceUpgrade RHEL
Search for Help Content

Upgrade RHEL

Updated at: 2025-03-31 11:08
Product
Community

This topic describes how to upgrade from Red Hat Enterprise Linux (RHEL) 7 to RHEL 8 or from RHEL 8 to RHEL 9 on an Elastic Compute Service (ECS) instance.

Upgrade from RHEL 7 to RHEL 8

After June 30, 2024, RHEL 7 transitioned from the Maintenance Support phase to the Extended Life phase. After that, Red Hat provides limited technical support for RHEL 7. For comprehensive technical support and security updates, we recommend that you upgrade from RHEL 7 to RHEL 8.

Note

If you want to continue using RHEL 7.9, including security updates and bug fixes for this version, we recommend that you purchase an Alibaba Cloud Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-on subscription. For more information, see the Purchase a RHEL 7 ELS Add-on subscription section of the "Red Hat Enterprise Linux" topic.

Prerequisites

  • The ECS instance that you want to upgrade can run RHEL 8. For more information, see Red Hat Enterprise Linux Technology Capabilities and Limits.

  • The ECS instance that you want to upgrade uses a RHEL 7 public image that is purchased from Alibaba Cloud and contains a RHEL 7 license or uses a RHEL 7 image that is imported to Alibaba Cloud and contains a separately purchased Alibaba Cloud RHEL 7 license.

    Note

    • An Alibaba Cloud RHEL license provides legal permissions to access RHEL software, security updates, and technical support when you use RHEL in Alibaba Cloud.

    • If you purchased a RHEL 7 operating system from Red Hat, visit the Red Hat website for information about how to upgrade from RHEL 7 to RHEL 8.

Procedure

  1. Before you upgrade from RHEL 7 to RHEL 8, we recommend that you understand the risks of the upgrade and create snapshots to back up data. This ensures that you can restore data when an upgrade issue occurs.

  2. Connect to the ECS instance that runs RHEL 7 as the root user.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

    Important

    The upgrade involves modifications to system configuration and library files. Root permissions are required to ensure that the upgrade can be completed as expected.

  3. Run the following command to check whether the ECS instance has an Alibaba Cloud RHEL 7 license. 

    rpm -q client-rhel7

    • If no information is returned, the ECS instance does not have an Alibaba Cloud RHEL 7 license. In this case, purchase a license before you upgrade the operating system.

    • If the returned output is similar to client-rhel7-3.0-1.el7_9.noarch, the ECS instance has an Alibaba Cloud RHEL 7 license. You can proceed to the subsequent steps.

      image

  4. Prepare the RHEL 7 operating system for the upgrade.

    1. Run the following commands to upgrade the operating system to the latest version available in the current repository, which contains fixes for known vulnerabilities, bugs, and security risks, and restart the operating system for the upgrade to take effect: 

      yum -y update
reboot

    2. Run the following command to install the Leapp utility in the RHEL operating system: 

      yum -y install leapp leapp-rhui-alibaba --enablerepo="*"

    3. Run the following command to check whether the Leapp utility is installed: 

      leapp --version

      If the returned output is similar to leapp version xxx, the Leapp utility is installed.

  5. Perform a pre-upgrade check.

    Due to the differences among RHEL versions, you must use the Leapp utility to perform a pre-upgrade check. You can view the check results and modify the configurations as needed based on the suggestions for upgrade.

    1. Perform a pre-upgrade check.

      • Run the following command to pre-upgrade to the latest version of RHEL 8: 

        leapp preupgrade  --no-rhsm

      • Run the following command to pre-upgrade to a specific RHEL 8 version, such as an upgrade from RHEL 7 to RHEL 8.8: 

        leapp preupgrade --no-rhsm --target 8.8
        Note

        To view the supported RHEL 8 versions, run the leapp preupgrade -h command.

    2. View the pre-upgrade check results.

      Leapp pre-upgrade check logs are stored in the following log files:

      • /var/log/leapp/leapp-preupgrade.log: stores the logs of the Leapp utility.

      • /var/log/leapp/leapp-report.txt: stores the pre-upgrade check report in the text format.

      • /var/log/leapp/leapp-report.json: stores the pre-upgrade check report in the JSON format.

      If the pre-upgrade check fails, specific failed items are displayed as shown in the following figure.

      image.png

    3. (Conditionally required) Resolve pre-upgrade issues.

      Check the /var/log/leapp/leapp-report.txt log file for pre-upgrade issues and resolve the issues based on the suggestions of the Leapp utility. The following section describes some common pre-upgrade issues and their solutions by risk level.

      • high (inhibitor): high-risk inhibitors. Issues of this level directly block the upgrade and must be resolved before the upgrade can proceed.

        • Issue 1: Multiple kernel versions are installed.

           
          Risk Factor: high (inhibitor)
Title: Multiple devel kernels installed
Summary: DNF cannot produce a valid upgrade transaction when multiple kernel-devel packages are installed.
Remediation: [hint] Remove all but one kernel-devel packages before running Leapp again.
[command] yum -y remove kernel-devel-3.10.0-1160.11.1.el7

          Solution: If multiple kernel versions are installed, uninstall all kernel versions except the latest version. Run the command suggested by the Leapp utility. In this example, the yum -y remove kernel-devel-3.10.0-1160.11.1.el7 command is suggested.

        • Issue 2: Kernel modules not supported by RHEL 8 are loaded.

           
          Risk Factor: high (inhibitor)                                                                                                                                                                                         
Title: Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.                                                                                                                
Summary: Support for the following RHEL 7 device drivers has been removed in RHEL 8:                                                                                                                                  
     - floppy

          Solution: Run commands to uninstall the unsupported kernel modules. In this example, the floppy module not supported by RHEL 8 is loaded. To uninstall the floppy module, run the following command: 

          rmmod floppy

        • Issue 3: The PermitRootLogin parameter is incorrectly configured in the sshd_config file. 

          Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account
Summary: OpenSSH configuration file does not explicitly state the option PermitRootLogin in sshd_config file, which will default in RHEL8 to "prohibit-password".
Remediation: [hint] If you depend on remote root logins using passwords, consider setting up a different user for remote administration or adding "PermitRootLogin yes" to sshd_config. 
If this change is ok for you, add explicit "PermitRootLogin prohibit-password" to your sshd_config to ignore this inhibitor

          Solution:

          1. In the /etc/ssh/sshd_config file, set the default value of PermitRootLogin to yes.

            Note

            The default values of PermitRootLogin in RHEL 7 and RHEL 8 are different.

            • In RHEL 7, the default value of PermitRootLogin is yes, which allows password-based and key pair-based logons for the root user.

            • In RHEL 8, the default value of PermitRootLogin is prohibit-password, which denies password-based logons for the root user.

          2. Run the following command to restart sshd: 

            systemctl restart sshd

        • Issue 4: Required answers are missing from the answer file.

           
          Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
Summary: One or more sections in answerfile are missing user choices: remove_pam_pkcs11_module_check.confirm
For more information consult https://leapp.readthedocs.io/en/latest/dialogs.html
Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile.
[command] leapp answer --section remove_pam_pkcs11_module_check.confirm=True

          Solution: In this example, the answer to the question about whether to remove the Pluggable Authentication Modules (PAM) module not supported by RHEL 8 is missing from the /var/log/leapp/answerfile file. Run the following command to set the confirm parameter to True to confirm the PAM module removal: 

          leapp answer --section remove_pam_pkcs11_module_check.confirm=True

          image.png

      • high: high-risk issues. Issues of this level do not directly block the upgrade. However, we recommend that you resolve the issues before or after the upgrade to prevent post-upgrade exceptions.

        • Issue 1: Specific software packages cannot be installed.

           
          Risk Factor: high
Title: Packages from unknown repositories may not be installed
Summary: 3 packages may not be installed or upgraded due to repositories unknown to leapp:
- python3-pyxattr (repoid: rhel8-CRB)
- rpcgen (repoid: rhel8-CRB)
- ustr (repoid: rhel8-CRB)
Remediation: [hint] In case the listed repositories are mirrors of official repositories for RHEL (provided by Red Hat on CDN) and their repositories IDs has been customized, you can change the configuration to use the official IDs instead of fixing the problem. You can also review the projected DNF upgrade transaction result in the logs to see what is going to happen, as this does not necessarily mean that the listed packages will not be upgraded. You can also install any missing packages after the in-place upgrade manually.

          Solution: Manually install the missing software packages after the upgrade is complete.

        • Issue 2: Specific software packages in RHEL 7 are not upgraded.

           
          Risk Factor: high
Title: Some RHEL 7 packages have not been upgraded
Summary: Following RHEL 7 packages have not been upgraded:
leapp-upgrade-el7toel8-0.18.0-1.el7_9
kernel-3.10.0-1160.92.1.el7
leapp-rhui-alibaba-1.0.0-1.el7_9
Please remove these packages to keep your system in supported state.

          Solution: Run the yum remove command to delete such software packages. For example, run the yum remove leapp-upgrade-el7toel8-0.18.0-1.el7_9 kernel-3.10.0-1160.92.1.el7 leapp-rhui-alibaba-1.0.0-1.el7_9 command.

      • medium: medium-risk issues. Issues of this level do not directly block the upgrade. However, we recommend that you resolve the issues before or after the upgrade to eliminate potential issues after the upgrade.

        Issue: The pam_pkcs11 module is removed from the PAM configuration after the upgrade.

         
        Title: Module pam_pkcs11 will be removed from PAM configuration
Summary: Module pam_pkcs11 was surpassed by SSSD and therefore it was removed from RHEL-8. Keeping it in PAM configuration may lock out the system thus it will be automatically removed from PAM configuration before upgrading to RHEL-8. Please switch to SSSD to recover the functionality of pam_pkcs11.
Remediation: [hint] Configure SSSD to replace pam_pkcs11

        Solution: To ensure that the authentication feature of the upgraded operating system can work as expected, configure System Security Services Daemon (SSSD) to replace pam_pkcs11.

      • low: low-risk issues. Issues of this level have minor impacts on the upgrade or system operation. However, we recommend that you resolve the issues before or after the upgrade to ensure stable system operation.

        Issue: SELinux is set to permissive mode after the upgrade.

         
        Risk Factor: low 
Title: SElinux will be set to permissive mode
Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without beinig blocked by SElinux rules.
Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.

        Solution: Make sure that no Security-Enhanced Linux (SELinux) related warnings are generated after the upgrade. Then, reset SELinux to enforcing mode to ensure system security and compliance.

      • info: informational prompts. In most cases, issues of this level do not affect the upgrade or system operation. You can review the prompts in the report to obtain the changes during the upgrade.

        Issue: The release version in the /etc/dnf/vars/releasever file is set to the current target version.

         
        Risk Factor: info 
Title: Release version in /etc/dnf/vars/releasever will be set to the current target release
Summary: On this system, Leapp detected "releasever" variable is either configured through DNF/YUM configuration file and/or the system is using RHUI infrastructure. In order to avoid issues with repofile URLs (when --release option is not provided) in cases where there is the previous major.minor version value in the configuration, release version will be set to the target release version (8.8). This will also ensure the system stays on the expected target version after the upgrade

        Solution: No operation is required.

  6. Upgrade from RHEL 7 to RHEL 8.

    • Run the following command to upgrade to the latest version of RHEL 8: 

      leapp upgrade  --no-rhsm

    • Run the following command to upgrade to a specific RHEL 8 version, such as an upgrade from RHEL 7 to RHEL 8.8: 

      leapp upgrade  --no-rhsm --target 8.8

    The following command output indicates that the upgrade is complete.

    image.png

  7. Run the following command to restart the ECS instance: 

    reboot

  8. Verify the upgrade result.

    • Run the cat /etc/redhat-release command to check whether the operating system version is upgraded.

    • Check the upgrade logs or report.

    • Check whether your business runs as expected on RHEL 8.

  9. (Conditionally required) Run the following commands to configure the RHEL 8 software repository.

    After the upgrade, the /etc/dnf/vars/releasever file is modified by default to specify the RHEL 8 version you used in the preceding steps. For example, the RHEL 8 repository address is set to https://xxxx/8.8/xxx, and you can access only RHEL 8.8 software packages. If you want to have automatic access to packages of the latest minor version of RHEL 8, delete the releasever configuration file and rebuild the metadata cache. This way, you can obtain the latest security patches and feature updates. 

    rm -f /etc/dnf/vars/releasever
dnf clean all && dnf makecache

    After the preceding commands are run, the RHEL 8 repository address is updated to https://xxxx/8/xxx. Then, the operating system can automatically obtain the latest RHEL 8 security patches and feature updates to ensure that it is always up-to-date.

Upgrade from RHEL 8 to RHEL 9

Although RHEL 8 is still in the Full Support phase, you can upgrade from RHEL 8 to RHEL 9 for the latest features, hardware adaptations, and long-term support.

Prerequisites

  • The ECS instance that you want to upgrade can run RHEL 9. For more information, see Red Hat Enterprise Linux Technology Capabilities and Limits.

  • The ECS instance that you want to upgrade uses a RHEL 8 public image that is purchased from Alibaba Cloud and contains a RHEL 8 license or a RHEL 8 image that is imported to Alibaba Cloud and contains a separately purchased Alibaba Cloud RHEL 8 license.

    Note

    • An Alibaba Cloud RHEL license provides legal permissions to access RHEL software, security updates, and technical support when you use RHEL in Alibaba Cloud.

    • If you purchased a RHEL 8 operating system from Red Hat, visit the Red Hat website for information about how to upgrade from RHEL 8 to RHEL 9.

Procedure

  1. Before you upgrade from RHEL 8 to RHEL 9, we recommend that you understand the risks of the upgrade and create snapshots to back up data. This ensures that you can restore data when an upgrade issue occurs.

  2. Connect to the ECS instance that runs a RHEL 8 operating system as the root user.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

    Important

    The upgrade involves modifications to system configuration and library files. Root permissions are required to ensure that the upgrade can be completed as expected.

  3. Run the following command to check whether the ECS instance has an Alibaba Cloud RHEL 8 license: 

    rpm -qa |grep aliyun

    • If no information is returned, the ECS instance does not have an Alibaba Cloud RHEL 8 license. In this case, purchase a license before you upgrade the operating system.

    • If the command output contains a minor version, such as rhel8.6, submit a ticket to obtain and install the latest Red Hat Package Manager (RPM) package before you upgrade the operating system to RHEL 9.

      image

      Note

      To run a RHEL operating system in Alibaba Cloud, the operating system must access the Red Hat software repository by using Alibaba Cloud Red Hat Update Infrastructure (RHUI). If a minor version, such as aliyun_rhel8.6-2.0-1.noarch, is installed in the operating system, the operating system may fail to connect to RHUI, which prevents it from obtaining software updates or upgrading to a new version.

    • If the command output contains license information, such asaliyun_rhui_rhel8-2.0-3.x86_64, the ECS instance has an Alibaba Cloud RHEL 8 license. You can proceed to the subsequent steps.

      image

  4. Prepare the RHEL 8 operating system for the upgrade.

    1. Run the following commands to upgrade the operating system to the latest version available in the current repository, which contains fixes for known vulnerabilities, bugs, and security risk, and restart the operating system for the upgrade to take effect: 

      yum -y update
reboot

    2. Run the following command to install the Leapp utility in the RHEL operating system: 

      yum -y install leapp leapp-rhui-alibaba --enablerepo="*"

    3. Run the following command to check whether the Leapp utility is installed: 

      leapp --version

      If a command output similar to leapp version xxx is returned, the Leapp utility is installed.

  5. Perform a pre-upgrade check.

    Due to the differences among RHEL versions, you must use the Leapp utility to perform a pre-upgrade check. You can view the check results and modify the configurations as needed based on the suggestions for upgrade.

    1. Perform a pre-upgrade check.

      • Run the following command to pre-upgrade to the latest version of RHEL 9: 

        leapp preupgrade  --no-rhsm

      • Run the following command to pre-upgrade to a specific RHEL 9 version, such as an upgrade from RHEL 8 to RHEL 9.4: 

        leapp preupgrade --no-rhsm --target 9.4
        Note

        To view the supported RHEL 9 versions, run the leapp preupgrade -h command.

    2. View the pre-upgrade check results.

      Leapp pre-upgrade check logs are stored in the following log files:

      • /var/log/leapp/leapp-preupgrade.log: stores the logs of the Leapp utility.

      • /var/log/leapp/leapp-report.txt: stores the pre-upgrade check report in the text format.

      • /var/log/leapp/leapp-report.json: stores the pre-upgrade check report in the JSON format.

      If the pre-upgrade check fails, specific failed items are displayed as shown in the following figure.

      image

    3. (Conditionally required) Resolve pre-upgrade issues.

      Check the /var/log/leapp/leapp-report.txt log file for pre-upgrade issues and resolve the issues based on the suggestions of the Leapp utility. The following section describes some common pre-upgrade issues and their solutions by risk level.

      • high: high-risk issues. Issues of this level do not directly block the upgrade. However, we recommend that you resolve the issues before or after the upgrade to prevent post-upgrade exceptions.

        • Issue 1: Custom leapp actors or files are detected.

           
          Risk Factor: high 
Title: Detected custom leapp actors or files.
Summary: We have detected installed custom actors or files on the system. These can be provided e.g. by third party vendors, Red Hat consultants, or can be created by users to customize the upgrade (e.g. to migrate custom applications). This is allowed and appreciated. However Red Hat is not responsible for any issues caused by these custom leapp actors. Note that upgrade tooling is under agile development which could require more frequent update of custom actors.
The list of custom leapp actors and files:
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/content.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/key.pem
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/leapp-alibaba.repo
Related links:
    - Customizing your Red Hat Enterprise Linux in-place upgrade: https://red.ht/customize-rhel-upgrade
Remediation: [hint] In case of any issues connected to custom or third party actors, contact vendor of such actors. Also we suggest to ensure the installed custom leapp actors are up to date, compatible with the installed packages.

          Solution: Make sure that the custom actors are up-to-date and compatible with the Leapp utility and system environment. After the upgrade is complete, check whether the operating system can run as expected and fix the exceptions caused by custom actors at the earliest opportunity. For information about how to manage custom actors, see Customizing your Red Hat Enterprise Linux in-place upgrade.

        • Issue 2: The GRUB2 configuration is automatically updated during the upgrade.

           
          Risk Factor: high 
Title: GRUB2 core will be automatically updated during the upgrade
Summary: On legacy (BIOS) systems, GRUB2 core (located in the gap between the MBR and the first partition) cannot be updated during the rpm transaction and Leapp has to initiate the update running "grub2-install" after the transaction. No action is needed before the upgrade. After the upgrade, it is recommended to check the GRUB configuration.

          Solution: Check the GRand Unified Bootloader (GRUB) configuration after the upgrade to ensure that the operating system can start as expected.

      • low: low-risk issues. Issues of this level have minor impacts on the upgrade process or system operation. However, we recommend that you resolve the issues before or after the upgrade to ensure stable system operation.

        Issue: SELinux is set to permissive mode after the upgrade.

         
        Risk Factor: low 
Title: SElinux will be set to permissive mode
Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without beinig blocked by SElinux rules.
Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.

        Solution: Make sure that no SELinux-related warnings are generated after the upgrade. Then, reset SELinux to enforcing mode to ensure system security and compliance.

      • info: informational prompts. In most cases, issues of this level do not affect the upgrade or system operation. You can review the prompts in the report to obtain the changes during the upgrade.

        Issue: Specific target system repositories are excluded.

         
        Risk Factor: info 
Title: Excluded target system repositories
Summary: The following repositories are not supported by Red Hat and are excluded from the list of repositories used during the upgrade.
- rhui-codeready-builder-for-rhel-9-aarch64-rhui-rpms
- codeready-builder-for-rhel-9-aarch64-rpms
- codeready-builder-for-rhel-9-s390x-rpms
- codeready-builder-beta-for-rhel-9-ppc64le-rpms
- codeready-builder-for-rhel-9-x86_64-rpms
Remediation: [hint] If some of excluded repositories are still required to be used during the upgrade, execute leapp with the --enablerepo option with the repoid of the repository required to be enabled as an argument (the option can be used multiple times).

        Solution: If specific excluded repositories are still required during the upgrade, you can enable them by using the --enablerepo option.

  6. Upgrade from RHEL 8 to RHEL 9.

    • Run the following command to upgrade to the latest version of RHEL 9: 

      leapp upgrade  --no-rhsm

    • Run the following command to upgrade to a specific RHEL 9 version, such as an upgrade from RHEL 8 to RHEL 9.4: 

      leapp upgrade  --no-rhsm --target 9.4

    The following command output indicates that the upgrade is complete.

    image

  7. Run the following command to restart the ECS instance: 

    reboot

  8. Verify the upgrade result.

    • Run the cat /etc/redhat-release command to check whether the operating system version is upgraded.

    • Check the upgrade logs or report.

    • Check whether your business runs as expected in RHEL 9.

  9. (Conditionally required) Run the following commands to configure the RHEL 9 software repository.

    After the upgrade, the /etc/dnf/vars/releasever file is modified by default to specify the RHEL 9 version you used in the preceding steps. For example, the RHEL 9 repository address is set to https://xxxx/9.4/xxx, and you can access only RHEL 9.4 software packages. If you want to have automatic access to packages of the latest minor version of RHEL 9, delete the releasever configuration file and rebuild the metadata cache. This way, you can obtain the latest security patches and feature updates. 

    rm -f /etc/dnf/vars/releasever
dnf clean all && dnf makecache

    After the preceding commands are run, the RHEL 9 repository address is updated to https://xxxx/9/xxx. Then, the operating system can automatically obtain the latest RHEL 9 security patches and feature updates to ensure that it is always up-to-date.

References

  • On this page (1)
  • Upgrade from RHEL 7 to RHEL 8
  • Prerequisites
  • Procedure
  • Upgrade from RHEL 8 to RHEL 9
  • Prerequisites
  • Procedure
  • References
Feedback