Today I was faced with a challenge, I have had an old CentOS 7 machine tucked well behind a secure enclave seeing out its days for a while now and sadly it has surpassed the life expectancy a few times so it was time to do something about it.
The machine itself is a simple beast, the only exposed port is SSH (non-standard port, for a bit of security through obscurity), that only allows access via a valid user, SSH key, and finally a physical Yubikey dongle to provide a OTP. This in turn then allows for a non-interactive session to be established that offers the opportunity to access an internally hosted (on 127.0.0.1) web service via an SSH tunnel.
Anyway, I recently carried out a DR Drill with the machine in question restoring it in its entirety and pondered whether to just rebuild a new OS and migrate everything over which of course is the cleanest solution.
For a little challenge I wondered whether the RedHat leapp tool could take my little CentOS 7 box and upgrade it to something supported like Rocky Linux 8.
I hit a couple of roadbumps along the way, nothing insurmountable though…
The first one was that the leapp tool doesn’t like the use of LUKS but that was OK – I was able to unmount it (it’s another layer of security that even if the machine was compromised physically, the data is encrypted within) and the tool continued happily enough.
It also quite rightly pointed out I was using an older CentOS 7 machine but relying on the openssl11-libs package from EPEL that conflicted with the Rocky Linux 8 native OpenSSL 1.x package. I removed openssl11-libs which uninstalled my nginx instance but that was OK I could easily put it back after.
It pointed out that I had some unsupported kernel modules – floppy and pata – a quick rmmod floppy and I was able to re-run the leapp preupgrade again and this time it completed quite happily.
Amazingly, it pointed out that my current Postfix configuration wouldn’t work in the new world order, but offered a helpful command to enable compatibility within Postfix.
I then ran leapp upgrade which took 5-10 minutes, then informed me a reboot was needed – and before I knew it I was running Rocky Linux 8.
I quickly popped nginx back in (original config worked fine), and confirmed everything was behaving how I expected.
I was rather surprised to be honest, I had psyched myself up to need to install a new OS and migrate everything over.