Trying Out the Amazon Linux 2 Pre-Upgrade Assistant

2019.03.13

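Hello, this is Sonobe from the Operations Department.

Today, with porting an application in mind, I tried the pre-upgrade assistant, which checks the impact of moving the runtime OS from Amazon Linux (hereafter AL1) to Amazon Linux 2 (hereafter AL2). It checks for incompatibilities in packages, libraries, services, command-line options, and configuration files.

Announcement of the Amazon Linux 2 Pre-Upgrade Assistant

This assistant does not perform the upgrade itself.

Also, in-place upgrades and the like are currently not supported for moving from AL1 to AL2. (If you know a good method, please let me know!)

Q: Can I perform an in-place upgrade from an existing version of the Amazon Linux AMI to Amazon Linux 2? No. In-place upgrades from an existing version of Amazon Linux to Amazon Linux 2 are not supported. We recommend testing on a fresh installation of Amazon Linux 2 before migrating your application.

Q: Can I perform a rolling upgrade from instances running the Amazon Linux AMI to Amazon Linux 2? No. Instances running Amazon Linux will not be upgraded to Amazon Linux 2 by a rolling update mechanism. As a result, existing applications will not be disrupted either. For details, see the Amazon Linux documentation and migration tools.

Source: https://aws.amazon.com/jp/amazon-linux-2/faqs/

Trying It Out

I follow the procedure published on GitHub.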

amazon-linux-upgrade-modules

Environment

  • Instance type: t2.micro
  • AMI ID: amzn-ami-hvm-2018.03.0.20181129-x86_64-gp2 (ami-00a5245b4816c38e6)
  • Subnet: public subnet (a subnet configured to communicate directly with the outside)

Installing the Modules

Install the pre-upgrade assistant modules with the following command.

$ sudo yum install -y preupgrade-assistant preupgrade-assistant-al1toal2

Running the Pre-Upgrade Assistant

Run the pre-upgrade assistant with the following command. It finished in a few minutes (on an instance created from the AMI with no changes made).

$ sudo preupg
The Preupgrade Assistant is a diagnostics tool
and does not perform the actual upgrade.
Do you want to continue? [Y/n]
y
Gathering logs used by the Preupgrade Assistant:
All installed packages : 01/10 ...finished (time 00:00s)
All changed files : 02/10 ...finished (time 00:21s)
Changed config files : 03/10 ...finished (time 00:00s)
All users : 04/10 ...finished (time 00:00s)
All groups : 05/10 ...finished (time 00:00s)
Service statuses : 06/10 ...finished (time 00:00s)
All installed files : 07/10 ...finished (time 00:00s)
All local files : 08/10 ...finished (time 00:00s)
All executable files : 09/10 ...finished (time 00:00s)
Red Hat signed packages : 10/10 ...finished (time 00:00s)
Assessment of the system, running checks / SCE scripts:
001/006 ...done (Grub 2) (time: 00:00s)
002/006 ...done (mysql to mariadb) (time: 00:00s)
003/006 ...done (Extras provide packages) (time: 00:00s)
004/006 ...done (Python Native Packages) (time: 00:03s)
005/006 ...done (Release Lock) (time: 00:00s)
006/006 ...done (SoName drift) (time: 00:00s)
The assessment finished (time 00:04s)
Result table with checks and their results for 'main contents':
--------------------------------------------------
|Grub 2 |notapplicable |
|mysql to mariadb |notapplicable |
|Extras provide packages |informational |
|Release Lock |informational |
|SoName drift |informational |
|Python Native Packages |needs_inspection |
--------------------------------------------------
The tarball with results is stored in '/root/preupgrade-results/preupg_results-190313025245.tar.gz' .
The latest assessment is stored in the '/root/preupgrade' directory.
Summary information:
We have found some potential risks.
Read the full report file '/root/preupgrade/result.html' for more details.
Please ensure you have backed up your system and/or data
before doing a system upgrade to prevent loss of data in
case the upgrade fails and full re-install of the system
from installation media is needed.
Upload results to UI by the command:
e.g. preupg -u http://example.com:8099/submit/ -r /root/preupgrade-results/preupg_results-190313025245.tar.gz .

Results

The command output includes the following. Results are shown for six items, and the result indicates that Python needs attention.

result table with checks and their results for 'main contents':
--------------------------------------------------
|Grub 2 |notapplicable |
|mysql to mariadb |notapplicable |
|Extras provide packages |informational |
|Release Lock |informational |
|SoName drift |informational |
|Python Native Packages |needs_inspection |
--------------------------------------------------

To see the details, check the report created at the following path.

/root/preupgrade/result.html

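The results can also be viewed by uploading them to the web UI that aggregates results (preupgrade-assistant-ui), but this time I transferred the file to my local machine and opened it in a browser (Chrome).

  • A list of the results is displayed

  • The details of each check and the reasons for its result are described

About the Pre-Upgrade Assistant

Command Options

I checked the options of the preupg command; they are as follows.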

$ sudo preupg --help
Usage: preupg [options]

Options:
  --version             show program's version number and exit
  -h, --help            Show help message and exit.
  -S, --skip-common     Skip generating files containing information about the
                        system. For assessing the system these files are
                        needed (by modules) but in the case the system remains
                        the same (the same installed packages, configuration
                        files not touched, etc.) they can be reused from the
                        previous runs of Preupgrade Assistant.
  -d, --debug           Turn on debugging mode.
  -u, --upload          Upload a system assessment result to Preupgrade
                        Assistant WEB-UI.
  -r TARBALL, --results=TARBALL
                        Provide path to a system assessment result tarball
                        which is to be uploaded to WEB-UI. By default, the
                        result tarballs can be found in /root/preupgrade.
  -l, --list-contents-set
                        List all the available sets of modules. They are
                        searched for in /usr/share/preupgrade.
  -s MODULE_SET, --scan=MODULE_SET
                        Provide name of the set of modules which are to be
                        used for assessing the system. By default, if there is
                        just one set in /usr/share/preupgrade, Preupgrade
                        Assistant uses that one. Use --list-contents-set
                        option to get a list of possible values.
  -c ALL_XCCDF_PATH, --contents=ALL_XCCDF_PATH
                        Provide path to all-xccdf.xml of the set of modules
                        which is to be used for assesing the system. By
                        default, if there is just one set in
                        /usr/share/preupgrade, Preupgrade Assistant uses that
                        one. Option --scan works similarly.
  --riskcheck           Return the highest reported level of risk or result
                        related to system upgrade. Run Preupgrade Assistant
                        first - assessment of the system needs to be performed
                        before using this option. When this option is used in
                        concert with --verbose option, summary of the risks
                        are printed to STDOUT. If the --verbose option is used
                        once, just HIGH and EXTREME risks are printed. If it
                        is used twice, all the risks are printed.
                        Return codes:
                        0 ... SLIGHT or MEDIUM risk or needs_inspection,
                        fixed, informational, not_applicable, not_selected,
                        not_checked or pass result.
                        1 ... HIGH risk or needs_action result.
                        2 ... EXTREME risk or error or fail result.
  --force               Suppress user interaction.
  --text                Generate plain text assessment report alongside XML
                        and HTML reports. The text report is converted from
                        HTML using elinks, lynx or w3m tool.
  -v, --verbose         Show more information during the assessment.
  --cleanup             Remove all the files created by previous runs of
                        Preupgrade Assistant.
  -m MODE, --mode=MODE  Select what you plan to do with the system after
                        performing its assessment by Preupgrate Assistant -
                        migration or upgrade. Both modes are selected by
                        default. This option may only affect behaviour of the
                        modules - they can provide different results when only
                        one mode is selected. Use one of these values:
                        migrate, upgrade. It may be that modules behave the
                        same no matter what mode is selected.
  --select-rules=RULES  Execute just a subset of modules out of a module set.
                        Multiple modules are to be separated by a comma.
  --list-rules          List all the modules available within a module set.
  --dst-arch=ARCH       Specify an architecture of the system to be migrate
                        to. Available option are: x86_64, ppc64. Use of the
                        option is expected on 32-bit systems as by the release
                        of RHEL 7, 32-bit hardware support has been dropped.
  --old-report-style    Generate report with simpler style than the default.

Rules That Are Checked

Six items are defined as check rules.

$ sudo preupg --list-rules
xccdf_preupg_rule_sonames_check
xccdf_preupg_rule_grub2_check
xccdf_preupg_rule_mariadb_check
xccdf_preupg_rule_python_check
xccdf_preupg_rule_move-to-extras_check
xccdf_preupg_rule_releasever-lock_check

README

There is a README in the same directory as the modules and other files. It documents part of the tool's behavior.

$ sudo cat /root/preupgrade/README
Preupgrade Assistant Purpose
----------------------------
The Preupgrade Assistant is a framework designed to run the Preupgrade Assistant modules, which analyze the system for possible in-place upgrade limitations. It is based on a modular system, with each module performing a separate test, checking for package removals, incompatible obsolete packages, changes in libraries, users, groups, services, or incompatibilities of command-line options or configuration files. It is able to execute post-upgrade scripts to finalize complex tasks after the system upgrade. Apart from performing the in-place upgrades, the Preupgrade Assistant is also capable of migrating the system. It then produces a report, which assists you in performing the upgrade itself by outlining potential problem areas and by offering suggestions about mitigating any possible incompatibilities. The Preupgrade Assistant utility is a Red Hat Upgrade Tool prerequisite for completing a successful in-place upgrade to the next major version of Red Hat Enterprise Linux.

Preupgrade Assistant Usage
--------------------------
At the moment, only a CLI interface and limited functionality is available.

Follow these steps to use the Preupgrade Assistant:
1) Run "preupg -l" command - it lists all available modules for
        preupgrade-assistant (as the system is based on a plug-in, there might be
        modules from different sources in the future). If nothing is shown,
        install the preupgrade-assistant modules package.
2) If you have RHEL6_7 modules available, run "preupg -s RHEL6_7"
3) Wait until the analysis finishes (it can take several minutes)
4) Review the report stored as /root/preupgrade/result.html (and possibly
       the files stored at /root/preupgrade) . Especially check for any in-place
        upgrade risks (as described further in this document).

The /root/preupgrade file&directory structure
------------------------------------

This directory contains the data from the last Preupgrade Assistant run.
The files are:
result.html - a file with the final migration assessment report in a human-readable
         form (the functionality is only listed)
result.xml - a file with the final migration assessment report in a machine-readable form
README - this file
results.tar.gz - a tarball with all the files in the /root/preupgrade directory

The directories are:
cleanconf - a directory with all user-modified configuration files, which were
          checked for the compatibility by the Preupgrade Assistant. These files
          can be safely used on Red Hat Enterprise Linux 7 system (some of these files might need
          a postupgrade.d scripts execution).
dirtyconf - a directory with all user-modified configuration files, which were not
          checked for the compatibility by the Preupgrade Assistant. These might
          require an admin review after the Red Hat Enterprise Linux 7 installation/upgrade.
kickstart - a directory with various files needed for generating
          Kickstart used to clone the system. See the README file
          in the kickstart directory for the file descriptions.
postupgrade.d - contains various scripts which are supposed to be executed
          AFTER the upgrade to Red Hat Enterprise Linux 7. These scripts should NEVER be used
          on the Red Hat Enterprise Linux 6 system.
RHEL6_7 - just a "debugging" directory - will be removed later. Ignore, unless you see an "Error" plug-in exit status.

Possible exit codes explanation
-------------------------------------
Every single plug-in has its own exit code. The administrator needs to check
at least those with a FAIL result before starting the in-place upgrade. The FIXED results
should be checked after the in-place upgrade - to finish the Red Hat Enterprise Linux 7 upgrade
properly.

The possible exit codes are:
 * PASS = everything is fine, no incompatibilities/issues detected
 * FAIL = an incompatibility/issue that needs to be reviewed by the admin was detected
          FAIL does not necessarily mean that the in-place upgrade will fail, but might
          result in a not 100% functional system
 * FIXED = an incompatibility was detected, but the Preupgrade Assistant was able
          to find an automated solution. Some of the fixes may require running
          postupgrade.d scripts after the upgrade. The fixed configs are available
          in the /root/preupgrade/cleanconf directory. The Preupgrade Assistant does not
          handle the fixes automatically at the moment.
 * INFORMATIONAL = nice to have information for admins (e.g. removed options
          in some common tools which could cause malfunctions of their scripts)
 * NOT_APPLICABLE = the package which was to be tested by the check is not
          installed on the system
 * ERROR = it is not expected to occur and usually means an error in the Preupgrade Assistant
          framework. All such errors should be reported to the Red Hat
          Preupgrade Assistant team.

In-place upgrade risk explanations
-----------------------------------
There are several levels of in-place upgrade risks. Any level higher than
"slight" means you will get a not 100% functional upgraded system, although the
in-place upgrade tool "redhat-upgrade-tool" may pass.

The available risk assessment levels are:
 * None - Default. It can be used as an indicator for some checks. It is not
          necessary to enter these values.
 * Slight - We assessed this field and have not found any issues. However,
          there is still a risk that not all variants have been covered.
 * Medium - It is likely that the area will cause a problem in the case of the in-place
          upgrade. It needs to be checked by the administrator after
          the in-place upgrade and after the system was monitored for
          some time.
 * High - The in-place upgrade cannot be used safely without the administrator's
          assistance. This typically involves some known broken scenario,
          existing 3rd party packages. After the administrator manually fixes
          the issue, it should be possible to perform the in-place upgrade, but it
          is not recommended.
 * Extreme - We found an incompatibility which makes the in-place upgrade
          impossible. It is recommended to install a new system with the help
          of the Preupgrade Assistant remediations.

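Summary

For AL1, security updates for the latest version (2018.03) are provided until June 30, 2020.

Source: Announcement of the Amazon Linux 2 Pre-Upgrade Assistant

If you are wondering what to do, a good first step may be to copy an existing instance (because modules have to be installed, I recommend running it against the copied instance where possible), run the pre-upgrade assistant described here, and check the degree of impact.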