How to Migrate From CentOS 7.9 to Rocky Linux 8.10 with Leapp

Howard Van Der Wal
Sr. Customer Support Engineer

Apr 17, 2025

Introduction

CentOS 7 became End of Life on June 30th, 2024 and is now no longer supported with any security updates of any kind. In order to make sure that your systems are up-to-date, switching to Rocky Linux is an excellent choice for security and peace of mind.

If you need more time before starting the migration over to Rocky Linux, then CIQ Bridge is the recommended solution for you.

Prerequisites

A CentOS 7.9 node to perform the migration on.

⚠️ WARNING Make sure you are on the latest minor version of CentOS 7 (7.9), before attempting the migration.

⚠️ WARNING You are not able to directly go from CentOS 7.9 to Rocky Linux 9.x. You must upgrade to Rocky Linux 8.10. Upgrades between major version of Rocky Linux (8.x to 9.x) using Leapp are not recommended and it is better to perform a fresh install.

⚠️ WARNING Ensure that all data is safely backed up in at least three locations, before the migration begins.

⚠️ WARNING While Leapp is the tool being championed in this article, the best method for migration that CIQ recommends is to set up a new node with Rocky Linux 9.5, move your data and applications over to that node, and then perform a cut off when the CentOS 7.9 node is no longer required. Even in a basic CentOS 7.9 migration without any specific applications installed, many blockers can occur during the migration process.

Run the below commands as either root or a user with sudo privileges:

Updating the CentOS 7.9 repositories to point towards CentOS Vault

Overwrite the CentOS-Base repo file in /etc/yum.repos.d/CentOS-Base.repo with the following:

cat << "EOF" | sudo tee /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
baseurl=http://vault.centos.org/7.9.2009/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/7.9.2009/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/7.9.2009/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://vault.centos.org/7.9.2009/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF

Upgrade all packages:

yum upgrade -y

Reboot:

reboot

Leapp installation

Set up the ELevate repository:

yum install -y http://repo.almalinux.org/elevate/elevate-release-latest-el$(rpm --eval %rhel).noarch.rpm

Install the leapp packages:

yum install -y leapp-upgrade leapp-data-rocky

Run pre-upgrade checks:

leapp preupgrade

In the event the preupgrade process highlights any issues, check the /var/log/leapp/leapp-report.txt file for a list of all issues and /var/log/leapp/leapp-preupgrade.log for a full log from the preupgrade process.
In leapp-report.txt, what you want to look for is Upgrade has been inhibited due to the following problems. The items listed underneath that will prevent the upgrade from starting, even if you run the leapp upgrade command.

The following section presents examples of blockers and how they can be addressed:

Example blockers

Missing required answers in the answer file

Risk Factor: high (inhibitor)
Title: Missing required answers in the answer file
Summary: One or more sections in answerfile are missing user choices: remove_pam_pkcs11_module_check.confirm
For more information consult https://red.ht/leapp-dialogs.
Related links:
    - Leapp upgrade fail with error "Inhibitor: Missing required answers in the answer file.": https://access.redhat.com/solutions/7035321
Remediation: [hint] Please register user choices with leapp answer cli command or by manually editing the answerfile.
[command] leapp answer --section remove_pam_pkcs11_module_check.confirm=True

Solution

The remove_pam_pkcs11_module_check check in the /var/log/leapp/answerfile file has to be set to True:

leapp answer --section remove_pam_pkcs11_module_check.confirm=True

Once done, run the leapp preupgrade command again and if there are no other inhibitors found, the end summary will become either yellow or green, indicating that the upgrade can proceed.

Detected custom leapp actors or files

Risk Factor: high 
Title: Detected custom leapp actors or files.
Summary: We have detected installed custom actors or files on the system. These can be provided e.g. by third party vendors, Red Hat consultants, or can be created by users to customize the upgrade (e.g. to migrate custom applications). This is allowed and appreciated. However Red Hat is not responsible for any issues caused by these custom leapp actors. Note that upgrade tooling is under agile development which could require more frequent update of custom actors.
The list of custom leapp actors and files:
    - /usr/share/leapp-repository/repositories/system_upgrade/common/files/rpm-gpg/8/RPM-GPG-KEY-Rocky-8
Related links:
    - Customizing your Red Hat Enterprise Linux in-place upgrade: https://red.ht/customize-rhel-upgrade
Remediation: [hint] In case of any issues connected to custom or third party actors, contact vendor of such actors. Also we suggest to ensure the installed custom leapp actors are up to date, compatible with the installed packages.

Solution

This can be safely ignored.

GRUB2 core will be automatically updated during the upgrade

Risk Factor: high 
Title: GRUB2 core will be automatically updated during the upgrade
Summary: On legacy (BIOS) systems, GRUB2 core (located in the gap between the MBR and the first partition) cannot be updated during the rpm transaction and Leapp has to initiate the update running "grub2-install" after the transaction. No action is needed before the upgrade. After the upgrade, it is recommended to check the GRUB configuration.

Solution

This can also safely be ignored if you are on an UEFI system.

Difference in Python versions and support in RHEL 8

Risk Factor: high 
Title: Difference in Python versions and support in RHEL 8
Summary: In RHEL 8, there is no 'python' command. Python 3 (backward incompatible) is the primary Python version and Python 2 is available with limited support and limited set 
of packages. If you no longer require Python 2 packages following the upgrade, please remove them. Read more here: https://red.ht/rhel-8-python
Related links:
    - Difference in Python versions and support in RHEL 8: https://red.ht/rhel-8-python
Remediation: [hint] Please run "alternatives --set python /usr/bin/python3" after upgrade

Solution

Move your applications over to using Python 3.
The Python 2 packages have many other packages that depend on them. The recommendation is to not remove these packages, unless absolutely required.

Risk factor: low warnings

Go through all of these, however usually these can be ignored (one of the warnings, is that SELinux will be set to permissive mode, so make sure to change that back to enforcing if needed):

sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

setenforce 1

Start the upgrade

Once the above inhibitor issues have been sorted, run this command to start the upgrade process:

leapp upgrade

Once completed, reboot the machine:

reboot

At the GRUB menu, select the ELevate-Upgrade-Initramfs option.
When that section of the installation is complete, the system will reboot into Rocky Linux (you will see the grub menu populated with the Rocky Linux kernels).
SELinux will then perform a relabel upon first boot.
Once the relabel is complete, the system will reboot a second time.
If all is successful, you will be presented with a login prompt and at the top you will see Rocky Linux 8.10 (Green Obsidian).
Check for any leftover packages from the migration:

rpm -qa | grep "el7\."

Remove these with the dnf remove command.

References & related articles

Rocky Linux Forum User's Experience Upgrading from Rocky Linux 8 to Rocky Linux 9 Rocky Linux 9.5 Release Documentation