Linux Notes: ELevate - leapp (migration tool)

The information presented here is intended for educational use by qualified computer technologists.
The information presented here is provided free of charge, as-is, with no warranty of any kind.

Edit: 2024-07-15
back to: my Linux Notes (index)

Migrating Linux (EL6-EL7-EL8-EL9)

Executive Summary: ELevate-leapp is the coolest tool I've seen in the past decade. If your computer is connected directly to the internet, then you probably do not need any of the following information. If your computer is behind a firewall and connects to the internet via a proxy-server, then the following information may help.
Clarification: This page started off describing the many way to migrate off CentOS-7. Since then I've come to realize that the ELevate-leeap tool from the good folks at AlmaLinux is the only reasonably safe method, so if you are in a hurry then click here
Caveat: Linux computer systems of any commercial value should (must?) be covered by a support contract. The following information is very dangerous so should only be attempted by Linux professionals working in colleges and universities, or students and hobbyists working or personal systems. And as always, make sure you have backup copies of everything before you begin.

Overview
Terminology
Manual Methods
Lateral Scripts
Orchestrated method (leapp)
ELevate - leapp (intro)
CentOS-7 to AlmaLinux-8 (or anything else)
- leaap helper script
Gotchas (checks before and after)

Overview

Linux terminology

EL (Enterprise Linux)
- a category of Linux products suitable for use by academic institutions and businesses. Here is an incomplete list: AlmaLinux, CentOS, EuroLinux, Oracle Linux, Rocky Linux, RHEL
- visit: what is Enterprise Linux ? (EL6, EL7, EL8, EL9)
update vs. upgrade vs. migrate
- any minor point change is known as an update (upgrade is the same as update with the --obsoletes flag set)
- any major point change is known as migrate

leapp

leapp is an open-source migration tool created by Red Hat for their own use. The source code is published on github
- RHEL-leapp recipes are only available to RHEL customers via their private RHEL repos enabled by their subscription manager ($$$)
  quote: Leapp is actually not an abbreviation, but a name originating in the history of this project. Originally it was meant to be a POC (Proof Of Concept) that had kind of the code name Le App, and was a short name for legacy application, which was internally at RedHat written LEAPP and we just stuck with the name.
Oracle adapted leapp for use with Oracle Linux
- Oracle-leapp recipes are only available to systems already using Oracle Linux
  - they also offer a magic script to convert from CentOS-7 to Oracle Linux-7; then you use Oracle-leapp to migrate from 7 to 8 (and optionally, 8 to 9)
  - this script failed badly on a scratch system yesterday in my lab
AlamaLinux adapted leapp for community use
- Alma-leapp recipes are available via their ELevate project: https://wiki.almalinux.org/elevate/ELevate-quickstart-guide.html
  - notice that the first two letters of ELevate are capitalized (or uppercase). This means Enterprise Linux
- ELevate-leapp is the safest way to migrate from CentOS-6 to CentOS-7
- ELevate-leapp is the safest way to migrate from CentOS-7 to any EL8 (then optionally, 8 to 9)
  
  Which is the best Linux destination? Very hard to say. While support contracts are available from all distros, many customers will only feel comfortable dealing with with large commercial corporations like these two: Red Hat (which is owned by IBM) or Oracle. However, many users who count themselves part of the open source community will only feel comfortable falling back upon a university mirror of which there are thousands. First browse this University of Waterloo mirror to see what I mean. Notice that RHEL and Oracle Linux are absent. On top of that, you will not find any new instances of CentOS past CentOS-8.5

speculation

SUSE publishes SLES (comparable to RHEL), openSUSE leap (comparable to CentOS-8.5), and openSUSE tumbleweed (comparable to CentOS Stream)
Last year they also published SUSE Liberty Linux: https://www.suse.com/products/suse-liberty-linux/ with tools to migrate from any version of RHEL to Liberty
SUSE and Oracle are now behind https://openela.org/ (some have speculated that SUSE Liberty will appear here in a new form)

Linux terminology

verb	scope	notes 1	notes 2
update	moving from CentOS-7.8 to CentOS-7.9		minor version number changes
upgrade	moving from CentOS-7.8 to CentOS-7.9	same as "update --obsoletes"	minor version number changes
migrate	moving from CentOS-7.x to CentOS-8.x (or anything else)		major version number changes

Manual Methods (less safe than leapp)

We all have seen plenty of migration procedures published by various self-help sites.
The dozen I tested all worked with systems connected to the public internet.
I did not find a single procedure which worked from behind a proxy server.
I suspect that most will not stand the test of time as various repos move, and certificates expire (I had to tweak a few URLs in order to get some of them to work)
Anyway, these procedures appear fragile (the upgrade might fail whether you made a mistake or not). Once started, there is no clean back out procedure.

Lateral scripts (less safe than leapp)

Caveats:

All these scripts are for moving laterally (keeping the same major version number)
None of these scripts are 100% safe.
None offer a clean back out so could leave your system broken if they hit an error.
If you must use them, first perform a trial run on a scratch system.
Make backup copies of everything before you begin.

lateral transfer	from	to	tested?
https://wiki.almalinux.org/documentation/migration-guide.html almalinux-deploy.sh	CentOS-8 Rocky Linux-9	AlmaLinux-8 AlmaLinux-9	yes (note-1) yes (note-1)
https://github.com/rocky-linux/rocky-tools/tree/main/migrate2rocky	CentOS-8 CentOS-9	Rocky Linux-8 Rocky Linux-9	no no
https://linux.oracle.com/switch/centos/ ( https://linux.oracle.com/switch/ ) centos2ol.sh	CentOS-6 CentOS-7 CentOS-8 Rocky Linux-8 Rocky Linux-9	Oracle Linux-6 Oracle Linux-7 Oracle Linux-8 Oracle Linux-8 Oracle Linux-9	no no no no no

In both these tests, I moved the server from the data center to a location where a public internet connection was available, then executed the script. Both migrations worked perfectly but required more than a hour to finish the job.
An alternative to note-1 would be to create alternative versions of curl and wget under /usr/local/bin which would include proxy information before calling the original versions of curl and wget under /usr/bin (caveat: this is an idea rolling around my head. I have never tested this)

Orchestrated Method (safer)

leaap is an open-source migration tool created by a Red Hat, and intended for use by paying customers wishing to migrate from anything to RHEL.
If you are considering a jump to RHEL-8, then you had better talk to Red Hat who will provide a detailed procedures for use leapp. Many of the so-called recipes are only available from a Red Hat repo which sits behind a paywall (enabled via the Red Hat subscription manager)
AlmaLinux created the ELevate project (which is based upon leapp) for moving to almost every other rpm-based Linux. AlmaLinux recipes are provided free-of-charge.
Some rpm-based Linux distros also provide a leapp-based procedure to help you migrate to their Linux offerings. Here is one for moving to Oracle Linux
- https://docs.oracle.com/en/learn/ol-linux-leapp/ (documentation is the best I've ever seen)
  - https://blogs.oracle.com/linux/post/upgrade-oracle-linux-8-to-oracle-linux-9-using-leapp
  - If you are on CentOS-7 and wish to migrate to Oracle Linux-8, then I recommend using ELevate-leapp (keep reading).

ELevate - leapp (intro)

Moving from Enterprise Linux version 7 to 8 is a very big deal. Why? Here are a few major points:
1. some version 7 system tools, like yum and firewall-cmd, depend upon python2.7 which needs to be updated to python3.6
2. part way through, yum will be replaced with dnf
3. caveat: if you own any third-party programs (or cgi scripts) which depend upon python2 then I suggest you rewrite them, or purchase python3 replacements before you migrate.
The neat thing about leapp is that it begins the upgrade in a private namespace. If anything fails in the namespace, then your system continues to work properly
- the leapp preupgrade command will allow you to do no-commitment trials
  - do as many as you like
  - all the work is loaded into a namespace which is where the replacement software is built
  - uninstalling leapp will to free up most space allocated by leapp
```
# uninstall leapp
yum erase \*leapp\*
# -----------------------------------------
# OPTIONAL: very dangerous commands so type carefully
rm -fr	/var/lib/leapp/*
rm -fr	/var/log/leapp/*
```
- the leapp upgrade command
  - may repeat some preupgrade steps but then may go further.
    - If it fails, then then "no permanent changes have been made to your system".
    - If it doesn't fail, then you are, more-or-less, committed to doing a reboot
      - the first GRUB entry on the boot menu contains hooks to continue the migration (this can fail so always pretest on a scratch server)
      - from the main console, you could still select the second entry which would take you to the your existing OS
- caveats:
  - leapp preupgrade will run at the level of the system you are migrating from (say, CentOS7)
  - leapp upgrade will run at the level of the the system you are migrating to (say, AlmaLinux8)
    - before running either of these two commands, you might wish to make backup copies of the files just under /var/log/leapp. You should also do this before the first reboot
```
cd /var/log/leapp
mkdir save0
mkdir save1
mkdir save2
mkdir save3
ll leap*         # any files here?
mv leap* save0/  # then move them to one of the archives
```
  - if you sit behind a proxy server then you will need to get that information to both layers (more on this in a moment)
General docs
- https://leapp.readthedocs.io/en/latest/
- https://leapp-to.github.io/gettingstarted

CentOS-7 to AlmaLinux-8 (or something else)

The leapp procedures documented here work with systems connected to the public internet
I wanted to migrate from CentOS-7 to AlmaLinux-8 so decided to only play with Elevate-leapp
- caveat: later on I did a trial conversion from CentOS-7 to Rocky-8 (which worked) followed by a conversion to Rocky-9 (which did not work)
The Elevate-leapp procedure from Alma did not work (as-is) from behind a proxy server on 2023-08-28, but I was able to develop a few workarounds that did work.

Playing it safe with trial converts

steps:
- grab a spare computer then do a fresh install of the OS you want to migrate from (I used CentOS-7.9)
- connect it to the public internet
- follow the Elevate procedure described here: https://wiki.almalinux.org/elevate/ELevate-quickstart-guide.html
- take notes about what you see AND how many times the system reboots (for this experiment it is important that you are physically located in front of the server's console device)
- Note: I did a dozen trial conversions before I used leapp on a working server.
repeat step-1 but on a system connected it to a network behind a proxy server
caveats:
- anyone who has ever used CentOS-7 already knows you need add 1-2 lines of additional information to file /etc/yum.conf
- anyone who has ever used CentOS-8 already knows you need add 1-2 lines of additional information to file /etc/dnf/dnf.conf
- so it should be no surprise that you may need to update various copies of dnf.conf in the leapp namespace
- but one of those files will be overwritten several times when you run leapp
  - hack-1: requires you to update this file: /etc/leapp/files/leapp_upgrade_repositories.repo
    - insert this line into every labelled stanza: proxy=http://proxy.neilrieck.net:8083
    - optionally, also add this line in every labelled stanza: sslverify=false (this could be dangerous so only use thus if you see CURL (60) error messages)
  - hack-2: requires you to add proxy information to file /var/lib/leapp/el8userspace/etc/dnf/dnf.conf then also run a little script on a second session which will monitor the file then update it whenever it is overwritten (usually 4 times)
  - hack-3: requires you to copy your organization's certificates into the namespace
  caveats:
  - hack-1 works 99% of the time
  - hack-2 (with hack-1) was twice at a remote location. "I think" this might be due to a misconfiguration of my company's proxy server.
    - hack-1 is necessary for leapp preupgrade
    - hack-2 is necessary for leapp upgrade
  - I haven't yet tried hack-3
repeat step-1 but use a backup copy of the server you wish to convert
repeat step-2 but use a backup copy of the server you wish to convert and connect it to a network behind a proxy server

Details (for use behind a proxy sever)

reference: https://wiki.almalinux.org/elevate/ELevate-quickstart-guide.html

sudo yum update -y
sudo reboot
sudo yum install -y http://repo.almalinux.org/elevate/elevate-release-latest-el$(rpm --eval %rhel).noarch.rpm
sudo yum install -y leapp-upgrade leapp-data-almalinux

tweak-1

# we we will do everything from root (so do not use sudo)
# become root like so:
su -

tweak-2a ( you should skip this step )

# changes to root's  shell
# ------------------------
#    changes for leapp
export LEAPP_PROXY_HOST=http://proxy.domain.com:8083/
#    changes for curl
export http_proxy=http://proxy.domain.com:8083/
export https_proxy=http://proxy.domain.com:8083/

tweak-2b ( recommended )

# changes to your terminal emulator
# ---------------------------------
# set width to 132
# enable autowrap
# set an ssh keepalive of 60 seconds

tweak-3

# add proxy information to the ELevate repo
vim /etc/leapp/files/leapp_upgrade_repositories.repo

```
leapp preupgrade
```
- this should work with little difficulty
- if you see errors then you will need to correct them
- if you see inhibited then you may need to edit the answer file
```
leapp upgrade     # caveat: do not do this unless to intend to upgrade right now
                  # you might wish to run my helper script (below) before starting this
```
- this works almost entirely in the target namespace
- I have never had this phase go as-is:
  - in one case I was warned about multiple kernels so needed to remove them from CentOS then start over
  - in a second case I was warned about no available update for OpenSSL-devel which was version locked to OpenSSL which was going to be replaced
    - the solution was to yum erase openssl-devel then restart leapp upgrade
  - in a third case I was warned about no available update for Make-devel which was version locked to Make which was going to be replaced
    - the solution was to yum erase make-devel then restart leapp upgrade
- If you see any "Curl (60)" errors then you will need to do the following ugly hack:
  - log into a second session; become root; execute my workaround script (see below)
  - repeat leapp upgrade on the primary session
reboot
- be patient here; you may see console messages which indicate that the whole thing could fail, but then the upgrade continues
- EL7-to-8: you will see some activity for 20 seconds followed by a 4 minute pause
- EL8-to-9: you will see some activity for 10 seconds followed by a 7 minute pause
wait 45-60 minutes then log in
- the system will upgrade (30-45 minutes) then reboot
- the system will begin an SELinux relabeling operation (5-10 minutes) then reboot
vi /etc/dnf/dnf.conf
1. comment out the exclude line
2. add a proxy line
yum erase \*leapp\*
yum erase ELevate

My Trial Conversions (EL7 to EL8 to EL9)
	EL7 to EL8				EL8 to EL9
Date	From	To	Method	score	Then To	Method	score	notes
2023-08-31	CentOS-7.9	Rocky Linux-8.8	ELevate	pass	Rocky Linux 9.2	Elevate	fails	1
2023-09-07	CentOS-7.9	AlmaLinux-8.8	ELevate	pass	AlmaLinux 9.2	Elevate	dirty pass	2
2023-09-14	CentOS-7.9	Oracle Linux-8.8	ELevate	pass	Oracle Linux 9.2	Oracle Leapp	pass	3

Notes:

Missing a file

file /usr/share/redhat-logos from install of rocky-logos-90.14-1.el9.x86_64 
conflicts with file from package rocky-logos-86.3-1.el8.x86_64
# note: you cannot yum erase rocky-logos-86.3-1.el8.x86_64 without causing damage

Rather than rebooting properly, the system comes up in Recovery Mode but no commands appear to work.
- However, the system boots properly after cycling the power (huh?)
- Checking the logs, I see a python error associated with main.cli
- On a later attempt one month later, migrating from to AlmaLinux 9.3 worked flawlessly
No drama here. This worked like a charm
YOU MIGHT NOT want to migrate all the way to EL9 at this time. Many of my employer's other systems (mostly Windows; some HP-UX) could send files via sftp to EL9, but EL9 could not send files send back. Shifting the EL9 into LEGACY mode did not help.

My workaround script (a leapp helper)

This hack was quickly written during a moment of frustration and panic
Only use this if you see failures associated with curl errors.

# ================================================================
# title  : watch_elx_file_dnf-dot-conf.sh 
# author : Neil Rieck
# created: 2023-08-28
# notes  :
# 1) to be used during the leapp upgrade:
#       el="78" for CentOS-7 to AlmaLinux-8
#       el="89: for AlmaLinux-8 to AlmaLinux-9
# 2) run this on a second session while you upgrade from the first
#    start this program before you type "leapp preupgrade" then
#    let is run until after "leapp upgrade"
# ================================================================
el="78"                           	      # choices: "78" or "89"
LINE1="sslverify=0"
LINE2="proxy=http://your-proxy-server.com:8083/"
# ================================================================
if [[ ${el} == "89" ]]
then
    echo "for use with leapp 8-to-9"
    fs="/var/lib/leapp/el9userspace/etc/dnf/dnf.conf"
else
    echo "for use with leapp 7-to-8"
    fs="/var/lib/leapp/el8userspace/etc/dnf/dnf.conf"
fi
echo "-i-config line1: "$LINE1
echo "-i-config lines: "$LINE2
echo $LINE1    >> ${fs}
echo $LINE2    >> ${fs}
n=1
c=0
prevModificationSeconds=$(date -r ${fs} +%s);           # snapshot 1
for (( ; ; ));
do
    echo "test: "${n}" changes: "${c}
    ((n=n+1));
    watchModificationSeconds=$(date -r ${fs} +%s);      # test
    if [[ ${prevModificationSeconds} != ${watchModificationSeconds} ]]
    then
        echo "-i-oops, the file changed"
        echo $LINE1        >> ${fs} 
        echo $LINE2        >> ${fs} 
        prevModificationSeconds=$(date -r ${fs} +%s);   # snapshot 2
        echo "-i-update complete"
        ((c=c+1));
    fi
    sleep 1
done
echo "-i-exited"
#

Gotchas

I mentioned previously, I performed approximately 30 trial conversions before I did a real-word conversion. I have now done seven real world conversions (six large systems employing 24 CPUs, 128 GB of RAM and 1TB of direct-connect storage) so here are a few caveats.

Check what is running properly BEFORE you do your migration
```
systemctl status 
or
systemctl status >> snapshot1.txt
```
Do your migration

Now double check if something that was running is no longer running

systemctl status 
or
systemctl status >> snapshot2.txt
vim -d snapshot1.txt snapshot2.txt # inspect the differences

It should be no surprise that a some post-tweaking was necessary

On several systems Apache (httpd) refused to start. The logs indicated a problem with http2 which I traced to the module not being loaded. Moving over to folder /etc/httpd/conf.modules.d/ I noticed several new config files with an suffix of ".rpmsave". First I copied all the files here into a subfolder named _backup then did some file renaming.
```
cd /etc/httpd/conf.d/
mv 00-base.conf         00-base.conf-old
mv 00-base.conf.rpmnew  00-base.conf
mv 00-proxy.conf        00-proxy.conf-old
mv 00-proxy.conf.rpmnew 00-proxy.conf
```
This was all I needed to get things going. I also had to remove some parameters from the config file like MinSpareServers and MaxSpareServers which are no longer supported by Apache. Those are found in file /etc/httpd/conf/httpd.conf
```
systemctl start httpd
```
On several systems, the email server (postfix) refused to start. First I navigated to /etc/postfix then executed this command to compare them:
```
vim -d main.cf main.cf.rpmnew
```
I noticed that one line contains a command to force postfix-v3 to work like postfix-v2.
```
compatibility_level = 2
```
I added this line to main.cf then did this to get things going.
```
systemctl start postfix
```
On the fifth system, MariaDB was not upgraded because we originally didn't know what we were doing on CentOS (back in 2016) so installed software directly from a MariaDB Corp repository rather than the EPEL repository (Extra Packages for Enterprise Linux). ELevate-leapp properly identified our old MariaDB as not signed by RedHat so skipped over them. Here is how that problem was dealt with:
```
to be safe, consider doing a full database dump before you begin
================================================================
sudo yum erase old-product-name
sudo clean all
sudo makecache
sudo yum list maria\*
sudo yum install mariadb-client
sudo yum install mariadb-server
sudo systemctl start mariadb-server
/usr/bin/mysql_upgrade -uroot -p
```
On the sixth system, MariaDB Server was left untouched but all the MariaDB Client software (including connectors) was missing (oops!). Apparently the new client software was not compatible with the existing server software. This FUBAR required me to:
```
sudo yum erase   mariadb-server
sudo yum install mariadb-client
sudo yum install mariadb-server
sudo systemctl start mariadb-server
/usr/bin/mysql_upgrade -uroot -p
# note: hints for mysql_upgrade are seen in /var/log/messages
```
Be sure to tail /var/log/messages for a time.
```
tail -100 /var/log/messages
```
I was seeing complaints about a problem with abrt. This required that I rename some files:
```
cd /etc/abrt
mv abrt.conf       abrt.conf-old
mv abrt.confrpmnew abrt.conf 
```
At some point in the future (when it is safe to do so) you may wish to yum erase python27
- okay so I was able to yum erase python27 on all my migrated systems except for one system where I kept getting dependency errors about a package that was not installed (something to do with leapp-EL7toEL8). I tried that trick where you delete the rpm database then rebuild it, but the problem persisted. Here was the fix for me:
```
rpm -qa | grep -i leapp
rpm -qa | grep -i elevate
rpm -qa | grep -i python2
-----------------------------
then use "rpm -e" on everything just displayed
```
On our CentOS-7 we were also running python36 (from EPEL-release) and python39 (from a private build since this was not available from EPEL-relase for EL7 ). At this point I am considering doing yum install python39 over top of the private build (but this will need to be pretested on a scratch system)

Back to Home
Neil Rieck
Waterloo, Ontario, Canada.