CentOS to RHEL Migration: Practical Engineering Guide

CentOS as a downstream RHEL rebuild was a foundation for many Linux deployments—stable, free, predictable. But with CentOS Stream supplanting classic releases, production workloads face a support cliff. For teams running CentOS 7.x, the clock is ticking. Transitioning to Red Hat Enterprise Linux doesn’t demand a forklift rebuild, but it does require precision and careful system hygiene.

Rationale: Why Transition?

CentOS 7’s end of maintenance (EOL June 2024) ends the pipeline of security fixes, upstream kernel patches, and CVE backports. RHEL provides:

• Guaranteed security errata, compliance/PCI modules
• Long-term support cycles (10+ years)
• Access to certified ISV software, supported drivers
• Red Hat Insights, proactive analytics for system drift and vulnerability detection

Teams running regulated workloads (finance, healthcare) or bound by internal SLA policies can’t rely on a rolling preview like Stream.

Pre-Migration Checklist

Perform these tasks before changing anything:

• Comprehensive backups: Filesystems, /etc, custom binaries. Consider snapshots if on VMware, Proxmox, or AWS EC2 (EBS).
• Inventory:
  • All installed packages (rpm -qa --last)
  • Custom RPMs or source builds?
  • Unusual kernel modules (lsmod, rpm -qa | grep kernel)
  • Network dependencies, firewall state
• Subscription planning:
  • Decide between paid, developer, or trial RHEL entitlements.
  • Validate that all target hosts can reach Red Hat CDN (proxy/firewall!)
• Hardware audit:
  • Cross-reference output of lshw or dmidecode against RHEL Hardware Catalog.
• Cloning a sandbox:
  • Practice all steps on a VM clone first. Never first-run on production.

Step 1—Update CentOS 7.x

Out-of-date systems cause drift. Standardize before conversion.

sudo yum clean all
sudo yum -y update
cat /etc/redhat-release
# Expect: CentOS Linux release 7.9.2009 (Core)

Gotcha: If you see a mix of ELRepo, EPEL, or third-party RPMs, note potential incompatibilities.

Step 2—Purge CentOS-Specific Packages

Conflicts emerge from residual CentOS metadata.

rpm -e --nodeps centos-release centos-backgrounds centos-logos

Double-check for orphaned repo configs:

ls /etc/yum.repos.d/ | grep centos
sudo mv /etc/yum.repos.d/centos* /root/

Note: Removing these cuts off base updates from CentOS mirrors—no going back unless you restore these files.

Step 3—Attach the Red Hat Subscription

If subscription-manager is missing:

yum -y install subscription-manager

Register the host:

subscription-manager register --username={RHN_USER} --password={RHN_PASS}
# Or, with activation key:
subscription-manager register --activationkey={ACTIVATION_KEY} --org={ORG_ID}

Attach the correct subscription pool:

subscription-manager attach --auto

Repositories: Enable only what you require (avoid image bloat).

subscription-manager repos --enable=rhel-7-server-rpms
subscription-manager repos --enable=rhel-7-server-extras-rpms
subscription-manager repos --enable=rhel-7-server-optional-rpms

Production clusters may need Satellite or custom repo syncs instead—adjust accordingly.

Step 4—Repository Swap: From CentOS to RHEL

RHEL repos are prioritized via subscription-manager. Remove all old CentOS .repo files to prevent accidental package mixing.

mkdir /etc/yum.repos.d/centos_backup/
mv /etc/yum.repos.d/CentOS-*.repo /etc/yum.repos.d/centos_backup/

Common issue: Custom repo files from EPEL or neglected internal mirrors can override subscription-manager priorities. Verify with:

yum repolist

Result should show only rhel-* enabled.

Step 5—Full System Update (to RHEL Signed Packages)

Clear residual metadata and force package alignment.

yum clean all
yum repolist
yum -y distro-sync

Why distro-sync? Unlike yum update, it ensures all installed packages match the enabled repositories, downgrading/realigning as needed.

Reboot to apply any new kernel or systemd updates:

systemctl reboot

After reboot, validate:

cat /etc/redhat-release
# Should print: Red Hat Enterprise Linux Server release 7.9 (Maipo)

Step 6—Service & Configuration Validation

Focus on:

• State of mission-critical daemons: systemctl status httpd, systemctl status postfix, etc.
• Any SELinux denials (audit2why output can be insightful).
• Networking—routing, DNS, firewalls. Edge-case: persistent route configs can break if network-scripts packages realign.
• Review /var/log/yum.log for replaced/downgraded packages.

Non-obvious tip: Custom kernel modules built against CentOS headers may fail after upgrade. Rebuild or validate DKMS modules.

Optional Tool: convert2rhel (CentOS 7.x)

For large fleets or risk-averse teams, Red Hat’s convert2rhel can orchestrate much of this:

yum -y install convert2rhel
convert2rhel --username={RHN_USER} --password={RHN_PASS} --auto-reboot --log=/root/convert2rhel.log

Known issue: The process skips some obscure third-party RPMs, requiring manual reconciliation. Always review /root/convert2rhel.log post-run.

Documentation: Red Hat Convert2RHEL Guide

Final Engineering Notes

• Downtime is not always zero. Critical services can blip, especially during distro-sync.
• For clusters, stagger migrations; avoid draining all nodes simultaneously.
• Run a post-migration vulnerability scan. Not all sites mirror CVE states identically between CentOS and RHEL despite binary compatibility.
• Consider writing an Ansible playbook for reproducibility if you manage more than a handful of hosts.

At scale, automation and observability are more valuable than one-off heroics.

Example: Troubleshooting a Failed Migration

If subscription-manager reports:

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

or you see update errors:

Error: Package: foo-1.0-1.el7.x86_64 (installed) requires: bar >= 2.0, but none is installed

You likely have incomplete repo re-alignment. Re-run subscription-manager repos --list-enabled and ensure all CentOS repos are gone; clean metadata and retry yum distro-sync.

Summary

Migrating CentOS 7.x hosts to RHEL 7.x is a practical path to maintain continuity and gain enterprise support. Don’t expect perfection—pay close attention to custom packages, and always test the waters before diving into production. There is no one-size-fits-all; tailor each migration runbook to your site’s particulars.

Migration is a process, not a button. Plan accordingly.