All Products
Search

This Product

    Elastic Compute Service:Red Hat Enterprise Linux upgrade

    Document Center

    Elastic Compute Service:Red Hat Enterprise Linux upgrade

    Last Updated:Mar 13, 2025

    This topic describes how to upgrade Red Hat Enterprise Linux (RHEL) 7 to RHEL 8 or RHEL 8 to RHEL 9 on an ECS instance.

    RHEL 7 upgrade to RHEL 8

    After June 30, 2024, RHEL 7 transitions from the Maintenance Support phase to the Extended Life phase. Red Hat provides limited technical support. To obtain comprehensive technical support and security updates, it is recommended to upgrade RHEL 7 to RHEL 8.

    Note

    If you are using the RHEL 7.9 system and your current business must remain on the RHEL 7.9 version, it is recommended to first purchase an Alibaba Cloud Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-On subscription to continue receiving security updates and bug fixes. For more information, see purchase extended life cycle support (ELS) subscription.

    Prerequisites

    • Ensure that the RHEL instance to be upgraded meets the system operation requirements. For specific requirements, see Red Hat Enterprise Linux capabilities and limitations.

    • Ensure that your RHEL instance is purchased as a RHEL 7 system through Alibaba Cloud public image (with RHEL 7 subscription included) or imported to Alibaba Cloud as a RHEL 7 system with an Alibaba Cloud RHEL 7 subscription purchased.

      Note

      • The Alibaba Cloud RHEL subscription provides legal software access, security updates, and technical support for using the RHEL operating system on Alibaba Cloud.

      • If you have purchased a Red Hat RHEL system independently, refer to the official Red Hat documentation Upgrading from RHEL 7 to RHEL 8 for upgrade instructions.

    Procedure

    1. Before upgrading, it is recommended to understand the upgrade risks and create a snapshot to back up data, so you can quickly recover if any issues occur during the upgrade.

    2. Remotely connect to the ECS instance of the RHEL system using the root user.

      For specific operations, see log on to a Linux instance using the Workbench tool with the SSH protocol.

      Important

      The upgrade operation involves modifying system configuration files, library files, etc., and requires root privileges to ensure the upgrade process is completed smoothly.

    3. Run the following command to confirm whether your RHEL instance is using an Alibaba Cloud RHEL subscription.

      rpm -q client-rhel7

      • If there is no echo information, it indicates that your system is not using an Alibaba Cloud RHEL subscription. Please purchase a subscription before performing the upgrade operation.

      • If there is echo information similar to client-rhel7-3.0-1.el7_9.noarch, it indicates that your system is using an Alibaba Cloud RHEL subscription, and you can continue with the upgrade operation described in this topic.

        image

    4. Prepare the upgrade environment.

      1. Run the following command to upgrade the RHEL system to the latest version, which usually includes fixes for known vulnerabilities, bugs, and security issues, and restart the system to apply the changes.

        yum -y update
reboot

      2. Run the following command to install the Leapp upgrade tool on the RHEL system.

        yum -y install leapp leapp-rhui-alibaba --enablerepo="*"

      3. Run the following command to confirm whether Leapp is installed successfully.

        leapp --version

        If there is echo information similar to leapp version xxx, it indicates that Leapp is installed successfully.

    5. Perform a pre-upgrade check.

      Due to the significant differences between RHEL systems, a pre-upgrade check must be performed using the Leapp tool before upgrading. You can view the Leapp check results and modify the configurations based on suggestions to meet upgrade requirements.

      1. Run the following command to perform a pre-upgrade check.

        • Pre-upgrade to the latest version of RHEL 8.

          leapp preupgrade  --no-rhsm

        • Pre-upgrade to a specific target version, such as upgrading RHEL 7 to RHEL 8.8.

          leapp preupgrade --no-rhsm --target 8.8
          Note

          You can view the target versions supported for upgrade by running the leapp preupgrade -h command.

      2. View the pre-upgrade check results.

        The Leapp pre-upgrade check logs are stored in the following log files:

        • /var/log/leapp/leapp-preupgrade.log: stores the logs of the Leapp utility.

        • /var/log/leapp/leapp-report.txt: stores the pre-upgrade check report in the text format.

        • /var/log/leapp/leapp-report.json: stores the pre-upgrade check report in the JSON format.

        If the pre-upgrade check fails, specific failed items (inhibitors) are displayed as shown in the following figure.

        image.png

      3. (Conditionally required) Handle pre-upgrade errors.

        Check the /var/log/leapp/leapp-report.txt log file for any error messages during the pre-upgrade. You can fix the issues based on the suggestions provided by the Leapp tool. The following lists some common pre-upgrade check errors and solutions by risk level.

        • high (inhibitor): High risk (inhibitor). These issues will directly block the upgrade process and must be resolved before continuing with the upgrade.

          • Issue 1: Multiple kernel versions are installed

            Risk Factor: high (inhibitor)
Title: Multiple devel kernels installed
Summary: DNF cannot produce a valid upgrade transaction when multiple kernel-devel packages are installed.
Remediation: [hint] Remove all but one kernel-devel packages before running Leapp again.
[command] yum -y remove kernel-devel-3.10.0-1160.11.1.el7

            Solution: If multiple kernel versions are installed, uninstall all kernel versions except the latest version. You can uninstall the old kernel based on the command suggested by the Leapp tool, such as yum -y remove kernel-devel-3.10.0-1160.11.1.el7 in this example.

          • Issue 2: Kernel modules that are not supported by RHEL 8 are loaded

            Risk Factor: high (inhibitor)                                                                                                                                                                                         
Title: Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.                                                                                                                
Summary: Support for the following RHEL 7 device drivers has been removed in RHEL 8:                                                                                                                                  
     - floppy

            Solution: If kernel modules that are not supported by RHEL 8 are loaded, run commands to uninstall the modules. In this example, the floppy module that is not supported by RHEL 8 is loaded. To uninstall the floppy module, run the following command:

            rmmod floppy

          • Issue 3: The PermitRootLogin option is incorrectly configured in the sshd_config file

            Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account
Summary: OpenSSH configuration file does not explicitly state the option PermitRootLogin in sshd_config file, which will default in RHEL8 to "prohibit-password".
Remediation: [hint] If you depend on remote root logins using passwords, consider setting up a different user for remote administration or adding "PermitRootLogin yes" to sshd_config. 
If this change is ok for you, add explicit "PermitRootLogin prohibit-password" to your sshd_config to ignore this inhibitor

            Solution:

            1. Set the default value of PermitRootLogin in the /etc/ssh/sshd_config configuration file to yes.

              Note

              The default values of PermitRootLogin differ between RHEL 7 and RHEL 8:

              • In RHEL 7, the default value of PermitRootLogin is yes to enable password-based and key-based logons for the root user.

              • In RHEL 8, the default value of PermitRootLogin is prohibit-password to disable password-based logons for the root user.

            2. Run the following command to restart sshd:

              systemctl restart sshd

          • Issue 4: Required answers are missing from the answer file

            Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
Summary: One or more sections in answerfile are missing user choices: remove_pam_pkcs11_module_check.confirm
For more information consult https://leapp.readthedocs.io/en/latest/dialogs.html
Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile.
[command] leapp answer --section remove_pam_pkcs11_module_check.confirm=True

            Solution: In this example, the pam module that is not supported by RHEL 8 needs to be removed. You can confirm this by setting confirm to True in the answer file /var/log/leapp/answerfile. Run the following command to confirm:

            leapp answer --section remove_pam_pkcs11_module_check.confirm=True

            image.png

        • high: High risk. These issues will not directly block the upgrade, but it is recommended to resolve them before or after the upgrade to avoid problems after the upgrade.

          • Issue 1: Some packages cannot be installed

            Risk Factor: high
Title: Packages from unknown repositories may not be installed
Summary: 3 packages may not be installed or upgraded due to repositories unknown to leapp:
- python3-pyxattr (repoid: rhel8-CRB)
- rpcgen (repoid: rhel8-CRB)
- ustr (repoid: rhel8-CRB)
Remediation: [hint] In case the listed repositories are mirrors of official repositories for RHEL (provided by Red Hat on CDN) and their repositories IDs has been customized, you can change the configuration to use the official IDs instead of fixing the problem. You can also review the projected DNF upgrade transaction result in the logs to see what is going to happen, as this does not necessarily mean that the listed packages will not be upgraded. You can also install any missing packages after the in-place upgrade manually.

            Solution: You can manually install the missing packages after the upgrade.

          • Issue 2: Some RHEL 7 packages have not been upgraded

            Risk Factor: high
Title: Some RHEL 7 packages have not been upgraded
Summary: Following RHEL 7 packages have not been upgraded:
leapp-upgrade-el7toel8-0.18.0-1.el7_9
kernel-3.10.0-1160.92.1.el7
leapp-rhui-alibaba-1.0.0-1.el7_9
Please remove these packages to keep your system in supported state.

            Solution: Run the yum remove leapp-upgrade-el7toel8-0.18.0-1.el7_9 kernel-3.10.0-1160.92.1.el7 leapp-rhui-alibaba-1.0.0-1.el7_9 command to remove these packages.

        • medium: Medium risk. These issues will not directly block the upgrade, but it is recommended to resolve them before or after the upgrade to avoid potential issues after the upgrade.

          Issue: The pam_pkcs11 module in the PAM configuration will be removed

          Title: Module pam_pkcs11 will be removed from PAM configuration
Summary: Module pam_pkcs11 was surpassed by SSSD and therefore it was removed from RHEL-8. Keeping it in PAM configuration may lock out the system thus it will be automatically removed from PAM configuration before upgrading to RHEL-8. Please switch to SSSD to recover the functionality of pam_pkcs11.
Remediation: [hint] Configure SSSD to replace pam_pkcs11

          Solution: To ensure the authentication function of the system runs normally after the upgrade, configure SSSD to replace the functionality of pam_pkcs11.

        • low: Low risk. These issues have little impact on the upgrade process or system operation, but it is recommended to resolve them before or after the upgrade to ensure stable system operation.

          Issue: SELinux will be set to permissive mode

          Risk Factor: low 
Title: SElinux will be set to permissive mode
Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without beinig blocked by SElinux rules.
Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.

          Solution: After the upgrade, ensure there are no SELinux-related warnings, and then reset SELinux to enforcing mode to ensure system security compliance.

        • info: Information. These issues are usually informational and do not affect the upgrade process or system operation. You can view the specific prompts in the report to understand the changes that will occur during the upgrade.

          Issue: The release version in /etc/dnf/vars/releasever will be set to the current target release

          Risk Factor: info 
Title: Release version in /etc/dnf/vars/releasever will be set to the current target release
Summary: On this system, Leapp detected "releasever" variable is either configured through DNF/YUM configuration file and/or the system is using RHUI infrastructure. To avoid issues with repofile URLs (when --release option is not provided) in cases where there is the previous major.minor version value in the configuration, release version will be set to the target release version (8.8). This will also ensure the system stays on the expected target version after the upgrade

          Solution: No action is required.

    6. Run the following command to upgrade.

      • Upgrade to the latest version of RHEL 8.

        leapp upgrade  --no-rhsm

      • Upgrade to a specific target version, such as upgrading RHEL 7 to RHEL 8.8.

        leapp upgrade  --no-rhsm --target 8.8

      The following command output indicates that the upgrade is complete.

      image.png

    7. Run the following command to restart the instance:

      reboot

    8. Verify the upgrade results.

      • Run the cat /etc/redhat-release command to check whether the system version has been updated.

      • Check the upgrade logs or report.

      • Observe whether your business runs normally on the RHEL 8 system.

    9. (Conditionally required) Run the following command to configure the RHEL source.

      After the upgrade using the Leapp upgrade tool is complete, the /etc/dnf/vars/releasever file will be modified by default to limit the system upgrade to a specific version of RHEL. For example, for RHEL 8.8, the repo source information is https://xxxx/8.8/xxx, and you can only access packages under the RHEL 8.8 version. If you want to automatically access the latest version of RHEL 8 packages to ensure you obtain the latest security patches and feature updates, you can delete the releasever configuration file and rebuild the metadata cache to achieve this.

      rm -f /etc/dnf/vars/releasever
dnf clean all && dnf makecache

      After the execution is complete, the repo source information for RHEL 8 will be updated to https://xxxx/8/xxx, and the system will be able to automatically obtain the latest security patches and feature updates for the latest version of RHEL 8, ensuring the system is always up to date.

    RHEL 8 upgrade to RHEL 9

    Although RHEL 8 is currently in the Full Support phase, you can upgrade the system to RHEL 9 as needed to obtain the latest features, hardware adaptation, and long-term support.

    Prerequisites

    • Ensure that the RHEL instance to be upgraded meets the system operation requirements. For specific requirements, see Red Hat Enterprise Linux capabilities and limitations.

    • Ensure that your RHEL instance is purchased as a RHEL 8 system through Alibaba Cloud public image (with RHEL 8 subscription included) or imported to Alibaba Cloud as a RHEL 8 system with an Alibaba Cloud RHEL 8 subscription purchased.

      Note

      • The Alibaba Cloud RHEL subscription provides legal software access, security updates, and technical support for using the RHEL operating system on Alibaba Cloud.

      • If you have purchased a Red Hat RHEL system independently, refer to the official Red Hat documentation Upgrading from RHEL 8 to RHEL 9 for upgrade instructions.

    Procedure

    1. Before upgrading, it is recommended to understand the upgrade risks and create a snapshot to back up data, so you can quickly recover if any issues occur during the upgrade.

    2. Remotely connect to the ECS instance of the RHEL system using the root user.

      For specific operations, see log on to a Linux instance using the Workbench tool with the SSH protocol.

      Important

      The upgrade operation involves modifying system configuration files, library files, etc., and requires root privileges to ensure the upgrade process is completed smoothly.

    3. Run the following command to confirm whether your RHEL instance is using an Alibaba Cloud RHEL subscription.

      rpm -qa |grep aliyun

      • If there is no echo information, it indicates that your system is not using an Alibaba Cloud RHEL subscription. Please purchase a subscription before performing the upgrade operation.

      • If there is echo information similar to the following containing the minor version rhel8.6, please first submit a ticket to obtain and install the latest rpm package before performing the upgrade operation.

        image

        Note

        When running RHEL on Alibaba Cloud, the system needs to access Red Hat's software repository through Alibaba Cloud's RHUI service. If a minor version package (such as aliyun_rhel8.6-2.0-1.noarch) is installed in the system, the system may not be able to connect to RHUI correctly, resulting in the inability to obtain software updates or upgrade to a new version.

      • If there is echo information similar to the subscription package aliyun_rhui_rhel8-2.0-3.x86_64, it indicates that your system is using an Alibaba Cloud RHEL subscription, and you can continue with the upgrade operation described in this topic.

        image

    4. Prepare the upgrade environment.

      1. Run the following command to upgrade the RHEL system to the latest version, which usually includes fixes for known vulnerabilities, bugs, and security issues, and restart the system to apply the changes.

        yum -y update
reboot

      2. Run the following command to install the Leapp upgrade tool on the RHEL system.

        yum -y install leapp leapp-rhui-alibaba --enablerepo="*"

      3. Run the following command to confirm whether Leapp is installed successfully.

        leapp --version

        If there is echo information similar to leapp version xxx, it confirms that Leapp is successfully installed.

    5. Perform a pre-upgrade check.

      Due to significant differences between RHEL systems, a pre-upgrade check using the Leapp tool is necessary before upgrading. Review the Leapp check results and adjust configurations as recommended to fulfill upgrade prerequisites.

      1. Execute the following command to initiate a pre-upgrade check.

        • Pre-upgrade to the latest version of RHEL 9.

          leapp preupgrade  --no-rhsm

        • Pre-upgrade to a specific target version, such as RHEL 8 to RHEL 9.4.

          leapp preupgrade --no-rhsm --target 9.4
          Note

          To see which target versions are supported for the upgrade, run the leapp preupgrade -h command.

      2. Examine the pre-upgrade check results.

        Leapp pre-upgrade check logs are saved in the following files:

        • /var/log/leapp/leapp-preupgrade.log: contains logs from the Leapp utility.

        • /var/log/leapp/leapp-report.txt: presents the pre-upgrade check report in text format.

        • /var/log/leapp/leapp-report.json: provides the pre-upgrade check report in JSON format.

        If the pre-upgrade check identifies any inhibitors, they will be displayed as shown in the figure below.

        image

      3. (Conditionally required) Address pre-upgrade errors.

        Inspect the /var/log/leapp/leapp-report.txt for error messages from the pre-upgrade check. Resolve any issues according to the Leapp tool's recommendations. Below are common pre-upgrade errors and their solutions, categorized by risk level.

        • high: High risk. These issues may not block the upgrade directly, but resolving them is advised either before or after the upgrade to prevent post-upgrade problems.

          • Issue 1: Detected custom Leapp actors or files

            Risk Factor: high 
Title: Detected custom leapp actors or files.
Summary: We have detected installed custom actors or files on the system. These can be provided e.g. by third party vendors, Red Hat consultants, or can be created by users to customize the upgrade (e.g. to migrate custom applications). This is allowed and appreciated. However Red Hat is not responsible for any issues caused by these custom leapp actors. Note that upgrade tooling is under agile development which could require more frequent update of custom actors.
The list of custom leapp actors and files:
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/content.crt
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/key.pem
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rhui/alibaba/leapp-alibaba.repo
Related links:
    - Customizing your Red Hat Enterprise Linux in-place upgrade: https://red.ht/customize-rhel-upgrade
Remediation: [hint] In case of any issues connected to custom or third party actors, contact vendor of such actors. Also we suggest to ensure the installed custom leapp actors are up to date, compatible with the installed packages.

            Solution: Verify that custom actors are up-to-date and compatible with both the Leapp tool and the system environment. Post-upgrade, ensure the system functions correctly and address any issues caused by custom actors promptly. For guidance on managing custom actors, see Customizing your Red Hat Enterprise Linux in-place upgrade.

          • Issue 2: Automatic GRUB2 configuration update during the upgrade

            Risk Factor: high 
Title: GRUB2 core will be automatically updated during the upgrade
Summary: On legacy (BIOS) systems, GRUB2 core (located in the gap between the MBR and the first partition) cannot be updated during the rpm transaction and Leapp has to initiate the update running "grub2-install" after the transaction. No action is needed before the upgrade. After the upgrade, it is recommended to check the GRUB configuration.

            Solution: After the upgrade, review the GRUB configuration to ensure the system boots correctly.

        • low: Low risk. These issues may have minimal impact on the upgrade process or system operation, but addressing them is recommended either before or after the upgrade for stable system performance.

          Issue: SELinux will be set to permissive mode

          Risk Factor: low 
Title: SElinux will be set to permissive mode
Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without beinig blocked by SElinux rules.
Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.

          Solution: Post-upgrade, confirm there are no SELinux warnings, then switch SELinux back to enforcing mode to maintain security compliance.

        • info: Informational. These issues typically do not impact the upgrade process or system operation. Review the prompts in the report for insights into changes that will occur during the upgrade.

          Issue: Excluded target system repositories

          Risk Factor: info 
Title: Excluded target system repositories
Summary: The following repositories are not supported by Red Hat and are excluded from the list of repositories used during the upgrade.
- rhui-codeready-builder-for-rhel-9-aarch64-rhui-rpms
- codeready-builder-for-rhel-9-aarch64-rpms
- codeready-builder-for-rhel-9-s390x-rpms
- codeready-builder-beta-for-rhel-9-ppc64le-rpms
- codeready-builder-for-rhel-9-x86_64-rpms
Remediation: [hint] If some of excluded repositories are still required to be used during the upgrade, execute leapp with the --enablerepo option with the repoid of the repository required to be enabled as an argument (the option can be used multiple times).

          Solution: If you need to enable certain excluded repositories during the upgrade, use the --enablerepo option.

    6. Execute the following command to upgrade.

      • Upgrade to the latest version of RHEL 9.

        leapp upgrade  --no-rhsm

      • Upgrade to a specific target version, such as RHEL 8 to RHEL 9.4.

        leapp upgrade  --no-rhsm --target 9.4

      The output of the following command indicates that the upgrade is complete.

      image

    7. Run the following command to restart the instance:

      reboot

    8. Verify the upgrade results.

      • Execute the cat /etc/redhat-release command to confirm the system version update.

      • Review the upgrade logs or report.

      • Monitor your business operations on the RHEL 9 system for normal functionality.

    9. (Conditionally required) Execute the following command to configure the RHEL source.

      After completing the upgrade with the Leapp tool, the /etc/dnf/vars/releasever file will by default restrict system upgrades to a specific RHEL version. For instance, for RHEL 9.4, the repository source will be https://xxxx/9.4/xxx, limiting access to RHEL 9.4 packages only. To automatically access the latest RHEL 9 packages and ensure receipt of the most recent security patches and feature updates, delete the releasever configuration file and refresh the metadata cache.

      rm -f /etc/dnf/vars/releasever
dnf clean all && dnf makecache

      Once completed, the repository source for RHEL 9 will be updated to https://xxxx/9/xxx, allowing the system to automatically receive the latest updates for RHEL 9, keeping it up-to-date.

    References

    • You can also upgrade Red Hat 8 to Red Hat 9 through the Server Migration Center (SMC). For details, see operating system migration (Linux).

    • For more information about Red Hat, visit the official Red Hat documentation Red Hat Enterprise Linux.

    • For frequently asked questions about RHEL 7 entering the Extended Life phase, refer to the official Red Hat FAQ document.