Migrating from CentOS7 to RHEL7

There are various reasons to migrate from CentOS to RHEL: quicker access to bugfixes and new minor releases, as well as having a fully commercially supported system.

There are various tutorials on the net on how to migrate from RHEL to CentOS, but almost no information about the other way round. It is quite simple, and at the end of the day you have only Red Hat packages installed.

In 2012 I wrote an article about Migrating from CentOS6 to RHEL6. Now it's time for an update.

Disclaimer

Some of the procedures can be destructive for your system and/or your data. I’m not taking any responsibility for any damage caused. Take a full backup of your system before even thinking about trying this procedure!

It is also important to note that such a procedure is not supported by Red Hat.

Requirements

There are only two things you need:

  • A valid RHEL subscription obtained from Red Hat's online store
  • A RHEL7 ISO image which corresponds to your current CentOS minor release (or newer), which can be downloaded at Red Hat downloads

Preparations

Make sure you have activated your subscription.

Mount the ISO image on your CentOS7 machine:

[root@centos7 ~]# mount /dev/cdrom /mnt -o loop

Go to /mnt/Packages and install the packages we need:

[root@centos7 Packages]# yum -y localinstall subscription-manager-1.15.9-15.el7.x86_64.rpm

(Re)Move your CentOS repos
To avoid conflicts between the CentOS and Red Hat repositories you need to get rid of the CentOS ones. Remove them, or move them aside to keep a copy.

[root@centos7 Packages]# mkdir /etc/yum.repos.d.centos
[root@centos7 Packages]# mv /etc/yum.repos.d/CentOS-* /etc/yum.repos.d.centos

Force-remove the centos-release and yum RPMs

[root@centos7 Packages]# rpm -e yum --nodeps
[root@centos7 Packages]# rpm -ihv yum-3.4.3-132.el7.noarch.rpm
[root@centos7 Packages]# rpm -e centos-release --nodeps
[root@centos7 Packages]# yum localinstall redhat-release-server-7.2-9.el7.x86_64.rpm

Register your system

To get access to RHEL repositories, you need to register your system. The username “example@example.com” must be replaced with your username. The ID is a randomly generated UUID.

[root@centos7 ~]# subscription-manager register
Registering to: subscription.rhn.redhat.com:443/subscription
Username: example@example.com
Password: 
The system has been registered with ID: e61bd536-854c-4f32-a1fa-7f75c37046a5  
[root@centos7 ~]# 

Attach the system to a subscription

Usually it is just good enough to auto-attach the subscription needed.

[root@centos7 ~]# subscription-manager attach --auto


Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

[root@centos7 ~]#

Review enabled repositories

Sometimes you don't want to use all the repos provided. The simplest way is to disable all of them and re-enable those you need.

[root@centos7 ~]# subscription-manager repos --list
[root@centos7 ~]# subscription-manager repos --disable "*"
[root@centos7 ~]# subscription-manager repos --enable rhel-7-server-rpms --enable rhel-7-server-optional-rpms --enable whatever-else-you-need
[root@centos7 ~]# yum clean all

Changing the Distribution

Now that all requirements are met, let's reinstall the packages.

[root@centos7 ~]# yum reinstall "*" --exclude=filesystem
[omitted output]
 zlib                     x86_64 1.2.7-15.el7           rhel-7-server-rpms  90 k
Not available:
 dhclient                 x86_64 12:4.2.5-42.el7.centos -                  0.0  
 plymouth                 x86_64 0.8.9-0.24.20140113.el7.centos
                                                        -                  0.0  
 curl                     x86_64 7.29.0-25.el7.centos   -                  0.0  
 grub2-tools              x86_64 1:2.02-0.29.el7.centos -                  0.0  
 basesystem               noarch 10.0-7.el7.centos      -                  0.0  
 plymouth-core-libs       x86_64 0.8.9-0.24.20140113.el7.centos
                                                        -                  0.0  
 mariadb-libs             x86_64 1:5.5.44-2.el7.centos  -                  0.0  
 libcurl                  x86_64 7.29.0-25.el7.centos   -                  0.0  
 dhcp-libs                x86_64 12:4.2.5-42.el7.centos -                  0.0  
 plymouth-scripts         x86_64 0.8.9-0.24.20140113.el7.centos
                                                        -                  0.0  
 dhcp-common              x86_64 12:4.2.5-42.el7.centos -                  0.0  
 grub2                    x86_64 1:2.02-0.29.el7.centos -                  0.0  
 centos-logos             noarch 70.0.6-3.el7.centos    -                  0.0  

Transaction Summary
=================================================================================
Reinstall      291 Packages
Not available   13 Packages

Total download size: 154 M
Installed size: 577 M
Is this ok [y/d/N]:

Here you can see the CentOS-specific packages; we need to take care of them later. Proceed and acknowledge with Y.

Cleanup

Now we need to manually clean up the CentOS-specific packages, which are named [package-name-and-version]-centos.

[root@centos7 ~]# rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | grep -i centos | cut -d' ' -f1
filesystem
centos-logos
mariadb-libs
libcurl
dhcp-common
plymouth-scripts
dhclient
basesystem
plymouth-core-libs
curl
dhcp-libs
plymouth
[root@centos7 ~]#

With some of the packages you need to proceed very carefully; the filesystem package, for example, is awful. If you remove it, you will be reinstalling your system.

Luckily there is the rpm parameter --justdb, which only changes the RPM database and leaves the actual file system untouched.

Some more critical packages need to be replaced as well.

[root@centos7 Packages]# rpm -e centos-logos plymouth plymouth-scripts plymouth-core-libs grub2 grub2-tools dhcp-common dhclient dhcp-libs curl libcurl --nodeps
[root@centos7 Packages]# rpm -i curl-7.29.0-25.el7.x86_64.rpm libcurl-7.29.0-25.el7.x86_64.rpm
[root@centos7 Packages]#  yum -y install plymouth plymouth-scripts plymouth-core-libs grub2 grub2-tools dhcp-common dhclient dhcp-libs
[root@centos7 ~]# yum remove basesystem
[root@centos7 ~]# yum -y install basesystem

Dirty Hardcore Hack, please be careful, use the --justdb parameter

[root@centos7 Packages]# rpm -e filesystem --nodeps --justdb
[root@centos7 Packages]# cp filesystem-3.2-20.el7.x86_64.rpm /root/
[root@centos7 Packages]# cd
[root@centos7 ~]# umount /mnt
[root@centos7 ~]# rpm -ihv filesystem-3.2-20.el7.x86_64.rpm 

Aftermath

Now update your system, reboot and check if all is working as expected. There may be more cleanup work to do.

[root@centos7 ~]# umount /mnt
[root@centos7 ~]# yum -y update && reboot

Check if there are still RPMs of vendor “Centos” installed:

[root@centos7 ~]# rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | grep -i centos | cut -d' ' -f1

This should return nothing; almost everything is now RHEL7. The only traces left are the previously installed kernels. They will get deleted over time when installing (updating) new kernels.
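The leftover check above, extended as an added example (not part of the original article) so that it reports why each package matched and separates old kernels, which age out, from packages that still need replacing. The function names, the tab-separated query format and the sample lines are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example, not the article's own code. On a real host feed it with:
#   rpm -qa --queryformat '%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\n' | classify_leftovers

# Constructed sample input: the curl, dhclient and filesystem versions come
# from the article; the kernel line and the vendor strings are made up.
sample_rpm_output() {
    printf '%s\t%s\t%s\n' \
        zlib       1.2.7-15.el7          'Red Hat, Inc.' \
        filesystem 3.2-20.el7            'CentOS' \
        curl       7.29.0-25.el7.centos  'CentOS' \
        dhclient   4.2.5-42.el7.centos   '(none)' \
        kernel     3.10.0-327.el7        'CentOS'
}

# Reads NAME<TAB>VERSION-RELEASE<TAB>VENDOR lines on stdin and prints
# KIND<TAB>REASON<TAB>PACKAGE for every package that still looks like CentOS.
classify_leftovers() {
    awk -F'\t' '
        {
            name = $1; evr = $2; vendor = tolower($3); reason = ""
            if (vendor ~ /centos/)                reason = "vendor"
            else if (tolower(evr) ~ /\.centos/)   reason = "release-tag"
            else if (tolower(name) ~ /^centos-/)  reason = "name"
            if (reason == "") next
            # Old kernels are expected leftovers; kernel updates retire them.
            kind = (name == "kernel" || name ~ /^kernel-/) ? "kernel" : "replace"
            printf "%s\t%s\t%s-%s\n", kind, reason, name, evr
        }' | sort
}

# Counts classified lines of one kind ("replace" or "kernel").
count_kind() {
    classify_leftovers | awk -F'\t' -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

sample_rpm_output | classify_leftovers
```

Matching on the release tag as well as the vendor catches a package whose vendor field is empty but which still carries a .centos build.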

In my case I just used a CentOS7 minimal installation. The CentOS distribution comes with a total of 231 packages which need to be manually replaced if installed. If you plan to go down this road, please clone the system first for testing before migrating the actual system.

Support by Red Hat

Will the converted machine be supported after this procedure? Well, officially it is not supported, but if there are no traces of CentOS left on the machine…

Better install RHEL in the first place 🙂

Migrating from CentOS6 to RHEL6

There are various tutorials on the net on how to migrate from RHEL to CentOS, but almost no information about the other way round. It is quite simple, and at the end of the day you have only Red Hat packages installed.

You need to copy the following packages from a Red Hat medium and install them:

yum localinstall \
rhn-check-1.0.0-87.el6.noarch.rpm \
rhn-client-tools-1.0.0-87.el6.noarch.rpm \
rhnlib-2.5.22-12.el6.noarch.rpm \
rhnsd-4.9.3-2.el6.x86_64.rpm \
rhn-setup-1.0.0-87.el6.noarch.rpm \
yum-3.2.29-30.el6.noarch.rpm \
yum-metadata-parser-1.1.2-16.el6.x86_64.rpm \
yum-rhn-plugin-0.9.1-40.el6.noarch.rpm \
yum-utils-1.1.30-14.el6.noarch.rpm \
sos-2.2-29.el6.noarch.rpm

Then you need to remove the centos release package and install the Red Hat release package:

rpm -e centos-release-6-3.el6.centos.9.x86_64 --nodeps
yum localinstall redhat-release-server-6Server-6.3.0.3.el6.x86_64.rpm

Now it is time to register your system at RHN with rhn_register.

After the successful registration you need to replace all CentOS packages by the RPMs provided by Red Hat:

yum reinstall "*"

To be sure there are no new configuration files to take care of, run the following:

yum install mlocate.x86_64
updatedb
locate rpmnew

Go through the list and check if there is some configuration work to do.

Update your machine to the latest and greatest versions of packages and reboot your machine:

yum -y update && reboot

Query the RPM database for leftovers from CentOS:

rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | grep -i centos | cut -d' ' -f1

There are some problematic packages which have “centos” in their name, i.e. yum and dhcp:

rpm -e yum --nodeps
rpm -ihv yum-3.2.29-30.el6.noarch.rpm

At the end, you have the previously installed kernel packages left. Keep them as a backup, they will be automatically uninstalled after two more kernel updates.

Is the procedure supported by Red Hat? No, it is not supported.

Will the converted machine be supported after this procedure? Well, officially it is not supported, but if there are no traces of CentOS on the machine…

Have fun 🙂

CentOS6 to be released in the next few weeks

According to an interview with Karanbir Singh – a major contributor to the project – it is just a question of a few weeks until we can expect CentOS6 to be released.

CentOS is extremely important for the RHEL community, it is a playground for trying out new stuff before getting into an engineering phase with the Red Hat supported RHEL.

Let's have fun with it…

Set up a Red Hat Directory Server and Kerberos Part I

Kerberos and LDAP are today’s way of doing single sign-on. They are platform independent and supported by a wide range of applications.

Together with the Red Hat Directory Server (also available as CentOS Directory Server and 389 Directory Server from Fedora) you can build a neat identity management infrastructure.

Setting up the Directory Server
However, there are some pitfalls when installing such an integrated solution. Installing redhat-ds is quite easy, just ensure you define your planned LDAP namespace and default LDAP suffix before running setup-ds-admin.pl. If you plan to set up a replica, run the script with the -k parameter: setup-ds-admin.pl -k. The server's configuration will be saved as /tmp/setup*.inf and can be used to set up the replica after changing the FullMachineName and ServerIdentifier.

In my example I used the DN “cn=Directory Manager”. As base I used dc=ldap,dc=example,dc=com. This is the Internet Domain Suffix style of naming an LDAP space. The older X500 style should not be used anymore.

Have a look at man openldap.conf to see how to shorten your CLI entries such as ldapsearch -x.

Setting up Kerberos
After setting the right configuration in your /etc/krb5.conf (the sample content is self-explanatory) and distributing it, you need to initialize your key store database. This is done with kdb5_util as follows:

[root@server]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@server]#

Keep in mind! Kerberos Realms are all uppercase to distinguish them from DNS names!

In the config file for the Key Distribution Center, /var/kerberos/krb5kdc/kdc.conf, add the following to the realm stanza: default_principal_flags = +preauth. This will enhance the security of your Kerberos infrastructure. Also change the example realm to the one you plan to use. In /var/kerberos/krb5kdc/kadm5.acl you can define the ACLs for e.g. admins or service desk employees etc. Also check the correctness of the realm there.
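One way to check the setting described above, as an added example that is not part of the original article: the function reads a kdc.conf and lists every realm whose stanza does not set +preauth. The function names, the second realm LAB.EXAMPLE.COM and the sample file content are assumptions constructed for this illustration.

```bash
#!/bin/bash
# Added example, not the article's own code.
# Usage on a real KDC: realms_without_preauth < /var/kerberos/krb5kdc/kdc.conf

# Constructed sample kdc.conf: one realm with +preauth, one without.
sample_kdc_conf() {
    cat <<'EOF'
[kdcdefaults]
 kdc_ports = 88

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  default_principal_flags = +preauth
 }
 LAB.EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }
EOF
}

# Prints one realm name per line for each realm stanza lacking +preauth.
realms_without_preauth() {
    awk '
        /^[ \t]*#/  { next }                               # skip comments
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); next }
        in_realms && /=[ \t]*[{]/ {                        # "EXAMPLE.COM = {"
            realm = $1; sub(/=.*/, "", realm); ok = 0; next
        }
        in_realms && realm != "" && /default_principal_flags/ {
            sub(/^[^=]*=/, "")                             # keep the value only
            n = split($0, flags, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (flags[i] == "+preauth") ok = 1
            next
        }
        in_realms && realm != "" && /^[ \t]*[}]/ {         # end of the stanza
            if (!ok) print realm
            realm = ""
        }
    '
}

sample_kdc_conf | realms_without_preauth
```

default_principal_flags sets the attributes of principals created in the realm, so principals that already existed before the change need to be checked individually, for example with getprinc in kadmin.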

Feed the keystore

Now it is time to feed the database with the first principal: root. We also can create our first host principal at the same time.
Fire up kadmin.local. The kadmin.local app directly accesses the DB files on the server. It should only be used for the initial setup. Later on you will have kadmin, which also works over the network, of course with Kerberos authentication.

[root@server ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey host/server1.example.com
WARNING: no policy specified for host/server1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server1.example.com@EXAMPLE.COM" created.
kadmin.local:  q
[root@server ~]#

After starting the kadmin and kdc services you can access the admin server with the normal kadmin tool.

service kadmin start
chkconfig kadmin on
service krb5kdc start
chkconfig krb5kdc on

Now we need to create a host principal for each host to be kerberized and store it in its keytab.

End of Part I

What comes in Part II?

  • LDAP Service Principal
  • Getting Kerberos and LDAP working together
  • Migrating users from /etc/passwd to LDAP
  • Playing with PAM

Have fun!