Complete the upgrade by performing final tasks and verifying that the in-place upgrade was successful.
When performing an in-place upgrade, you must become familiar with the new operating system's services and functionality.
For example, RHEL 8 replaces the YUM package manager with DNF, which is compatible, but with some minor differences. Changes like this can be surprising or disruptive if you are not prepared for them.
Review the release notes for the new version of Red Hat Enterprise Linux that you are using, as well as for the other releases since the minor release you were previously running, for more information about the system's features. The release notes for Red Hat Enterprise Linux are available along with more detailed information on the Product Documentation for Red Hat Enterprise Linux site.
After completing an in-place upgrade, you must verify that the system upgraded successfully to the expected version. The following commands and files provide system information that you can use to verify the operating system version:
subscription-manager release
This command shows the full release of the machine's operating system.
hostnamectl
This command displays machine information, which includes the machine's operating system and kernel version.
uname -r
This command shows the full kernel version.
/etc/redhat-release
This file contains the full release of the machine's operating system.
For example, the uname -r command displays the kernel version.
The command output displays the el8 or the el9 string, which refers to Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9, respectively.
In RHEL 8, the kernel version is 4.18.0 or later.
In RHEL 9, the kernel version is 5.14.0 or later.
In the following example, the uname -r command shows the 4.18.0-513.18.1 kernel version, which corresponds to Red Hat Enterprise Linux 8.9 (el8_9) for x86_64 CPU architecture.
[root@host ~]# uname -r
4.18.0-513.18.1.el8_9.x86_64The subscription-manager release command prints the full version of the operating system.
[root@host ~]# subscription-manager release
Release: 8.9Other verifications include ensuring that the system services function correctly.
For example, verify the systemd-journald service, the rsyslog service, and the sshd service.
You can also verify the overall status of your system and the status of system services on the Cockpit console.
After you verify the system status, you can continue with post-upgrade tasks. You must perform these tasks to complete the in-place upgrade and to prepare your system to continue standard operations.
Leapp packages are automatically added to the exclude list of the package manager to avoid package conflicts and to prevent critical files from being modified.
You can review this list in the /etc/dnf/dnf.conf file.
The following example shows the contents of a /etc/dnf/dnf.conf file.
[root@host ~]#cat /etc/dnf/dnf.conf[main] gpgcheck=1 installonly_limit=3 clean_requirements_on_remove=True best=True skip_if_unavailable=False exclude=python2-leapp,snactor,leapp-upgrade-el7toel8,leapp
The contents of the exclude directive of the /etc/dnf/dnf.conf file might vary on your organization's machines.
Make sure to review the list of packages and remove any that are added by the Leapp tool (in this example, the python2-leapp, snactor, leapp-upgrade-el7toel8, and leapp packages).
You can clear the exclude list by using the dnf config-manager command.
If there are any packages that you want to keep excluded from the system, then be sure to define those packages in the exclude list.
[root@host ~]# dnf config-manager --save --setopt exclude=''
Updating Subscription Management repositories.After clearing the exclude list, you can remove the packages by using the dnf remove command.
[root@host ~]#dnf remove python2-leapp snactor leapp-upgrade-el7toel8 leapp...output omitted... Is this ok [y/N]:yComplete!
You can remove packages from the previous system version that will no longer be used.
You can obtain a list of packages that belong to the previous version by using the rpm command.
For example, in a system that you upgraded from RHEL 8 to RHEL 9, you might want to remove any remaining RHEL 8 packages.
To do so, query all packages that contain the el8 string.
[root@host ~]# rpm -qa | grep -e '\.el[8]'
kernel-4.18.0-477.10.1.el8_8.x86_64
kernel-4.18.0-425.3.1.x86_64
...output omitted...Make sure to review the full list of packages and remove only the packages that are no longer needed.
Review the package repositories on the system and disable repositories that are no longer needed.
You can use the dnf repolist command to review the list of enabled repositories.
You can also review the /etc/yum.repos.d directory to view custom repository files.
You can disable a repository by using the dnf config-manager command with the --set-disabled option.
The following example disables the custom-app-rhel7 repository:
[root@host ~]# dnf config-manager --set-disabled custom-app-rhel7
Updating Subscription Management repositories.Red Hat recommends using activation keys to manage repository configuration. For more information about activation keys in Red Hat Satellite, refer to the Managing Activation Keys chapter of the Managing Content guide.
After the upgrade, the machine includes a new kernel and disk image to boot the system. By default, the RHEL system installation creates a rescue kernel to preserve a default configuration to operate the machine in case of an emergency. To ensure that you can rescue the system in case of an issue, update the rescue kernel and initial RAM disk to match the new version of the kernel.
You can remove existing rescue kernels and associated disks on the system by removing all entries in the /boot directory that contain the vmlinuz-*rescue* and the /boot/initramfs-*rescue* regular expressions.
[root@host ~]# rm /boot/vmlinuz-*rescue* /boot/initramfs-*rescue*
...output omitted...You can reinstall the rescue kernel and initial RAM disk by using the following command:
[root@host ~]# /usr/lib/kernel/install.d/51-dracut-rescue.install \
add "$(uname -r)" /boot "/boot/vmlinuz-$(uname -r)"During the upgrade process, the Leapp tool disables certain security policies. For example, the Leapp tool sets SELinux to permissive mode. The pre-upgrade report describes this task:
[root@host ~]# cat /var/log/leapp/leapp-report.txt
...output omitted...
Risk Factor: low
Title: SElinux will be set to permissive mode
Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without being blocked by SElinux rules.
Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.
...output omitted...Your organization might enforce the use of SELinux and system-wide cryptographic policies to make your systems more secure.
Before you enable SELinux, use the ausearch command to look for SELinux denials.
If you find SELinux denials, then review and correct them before continuing.
To enable SELinux, update the SELINUX directive to enforcing in the /etc/selinux/config file, and then reboot the system.
[root@host ~]#cat /etc/selinux/config# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing...output omitted...
After the system finishes booting, verify the SELinux status by using the getenforce command.
The output of the command shows Enforcing if SELinux is enabled.
[root@host ~]# getenforce
EnforcingSystem-wide cryptographic policies configure core cryptographic subsystems such as the TLS, IPSec, SSH, DNSSec, and Kerberos protocols.
After the in-place upgrade, the system-wide cryptographic policy is automatically set to DEFAULT.
Depending on your organization's requirements, you might want to configure more robust policies.
For example, the FUTURE policy level provides a set of policies that are designed to withstand near-term future security attacks.
You can review the current cryptographic policy by using the update-crypto-policies --show command.
[root@host ~]# update-crypto-policies --show
DEFAULTTo modify the current cryptographic policy, use the update-crypto-policies --set command.
[root@host ~]# update-crypto-policies --set FUTUREAfter you verify the upgrade, you can continue with the tasks in your upgrade plan. For example, your upgrade plan might include changing application configurations, resuming operations of configuration management tools, or resuming system monitoring.
Test your applications and confirm that they are still functioning correctly. Monitor your logs and the operation of the system to continue to validate that the conversion of your newly updated system was successful.
At this point, assuming an even newer major release of Red Hat Enterprise Linux is available, you could even repeat the upgrade process to migrate your server to the next version of RHEL.
ausearch(8), dnf(8), getenforce(8), hostnamectl(1), uname(1), update-crypto-policies(8), rpm(8), and subscription-manager(8) man pages
For more information about activation keys in Red Hat Satellite, refer to the Managing Activation Keys chapter of the Managing Content guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/managing_content/index#Managing_Activation_Keys_content-management
For more information about new features in RHEL 8, refer to the 8.0 Release Notes document at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.0_release_notes/index
For more information about new features in RHEL 9, refer to the 9.0 Release Notes document at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/9.0_release_notes/index
For more information about required post-upgrade tasks in RHEL 8, refer to the Performing Post-upgrade Tasks chapter in the Upgrading from RHEL 7 to RHEL 8 guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/upgrading_from_rhel_7_to_rhel_8/index#performing-post-upgrade-tasks-rhel-7-to-rhel-8_upgrading-from-rhel-7-to-rhel-8
For more information about required post-upgrade tasks in RHEL 9, refer to the Performing Post-upgrade Tasks on the RHEL 9 System chapter in the Upgrading from RHEL 8 to RHEL 9 guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/upgrading_from_rhel_8_to_rhel_9/index#performing-post-upgrade-tasks-on-the-rhel-9-system_upgrading-from-rhel-8-to-rhel-9
For more information about SELinux denials, refer to the Troubleshooting Problems Related to SELinux chapter in the Using SELinux guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#troubleshooting-problems-related-to-selinux_using-selinux
For additional practice upgrading from RHEL 7 to RHEL 8, refer to the In Place Upgrade to RHEL 8 interactive lab at https://learn.spidernet.pl/en/interactive-labs/perform-in-place-upgrade-with-leapp
For additional practice upgrading to RHEL 9, refer to the Upgrade to Red Hat Enterprise Linux 9 in Place with Leapp interactive lab at https://learn.spidernet.pl/en/interactive-labs/upgrade-with-leapp