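Trying Out the Amazon Linux 2 Pre-Upgrade Assistant
Hello, this is Sonobe from the Operations Department.
Today I tried out the pre-upgrade assistant, which checks the impact of moving a runtime environment's OS from Amazon Linux (hereafter AL1) to Amazon Linux 2 (hereafter AL2), on the assumption that the applications will be ported. It checks for incompatibilities in packages, libraries, services, command-line options, and configuration files.
Announcement of the Amazon Linux 2 Pre-Upgrade Assistant
This assistant does not perform the upgrade itself.
Also, there is currently no supported way, such as an in-place upgrade, to move from AL1 to AL2. (If you know a good method, please let me know!)
Q: Can I perform an in-place upgrade from an existing version of the Amazon Linux AMI to Amazon Linux 2? No. In-place upgrades from an existing version of Amazon Linux to Amazon Linux 2 are not supported. We recommend testing your application on a fresh installation of Amazon Linux 2 before migrating.
Q: Can I perform a rolling upgrade from an instance running the Amazon Linux AMI to Amazon Linux 2? No. Instances running Amazon Linux are not upgraded to Amazon Linux 2 by a rolling update mechanism. As a result, existing applications are not disrupted either. For details, see the Amazon Linux documentation and migration tools.
Source: https://aws.amazon.com/jp/amazon-linux-2/faqs/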
Trying it out
I'll follow the procedure published on GitHub.
Test environment
- Instance type: t2.micro
- AMI ID: amzn-ami-hvm-2018.03.0.20181129-x86_64-gp2 (ami-00a5245b4816c38e6)
- Subnet: public subnet (a subnet configured so that it can communicate directly with the outside)
Installing the modules
Install the pre-upgrade assistant modules with the following command.

    $ sudo yum install -y preupgrade-assistant preupgrade-assistant-al1toal2

Running the pre-upgrade assistant
Run the pre-upgrade assistant with the following command. It finished in a few minutes (on an instance created from the AMI with nothing changed).

    $ sudo preupg
    The Preupgrade Assistant is a diagnostics tool and does not perform the actual upgrade.
    Do you want to continue? [Y/n]
    y
    Gathering logs used by the Preupgrade Assistant:
    All installed packages : 01/10 ...finished (time 00:00s)
    All changed files : 02/10 ...finished (time 00:21s)
    Changed config files : 03/10 ...finished (time 00:00s)
    All users : 04/10 ...finished (time 00:00s)
    All groups : 05/10 ...finished (time 00:00s)
    Service statuses : 06/10 ...finished (time 00:00s)
    All installed files : 07/10 ...finished (time 00:00s)
    All local files : 08/10 ...finished (time 00:00s)
    All executable files : 09/10 ...finished (time 00:00s)
    Red Hat signed packages : 10/10 ...finished (time 00:00s)
    Assessment of the system, running checks / SCE scripts:
    001/006 ...done (Grub 2) (time: 00:00s)
    002/006 ...done (mysql to mariadb) (time: 00:00s)
    003/006 ...done (Extras provide packages) (time: 00:00s)
    004/006 ...done (Python Native Packages) (time: 00:03s)
    005/006 ...done (Release Lock) (time: 00:00s)
    006/006 ...done (SoName drift) (time: 00:00s)
    The assessment finished (time 00:04s)
    Result table with checks and their results for 'main contents':
    --------------------------------------------------
    |Grub 2                       |notapplicable     |
    |mysql to mariadb             |notapplicable     |
    |Extras provide packages      |informational     |
    |Release Lock                 |informational     |
    |SoName drift                 |informational     |
    |Python Native Packages       |needs_inspection  |
    --------------------------------------------------
    The tarball with results is stored in '/root/preupgrade-results/preupg_results-190313025245.tar.gz' .
    The latest assessment is stored in the '/root/preupgrade' directory.
    Summary information:
    We have found some potential risks.
    Read the full report file '/root/preupgrade/result.html' for more details.
    Please ensure you have backed up your system and/or data
    before doing a system upgrade to prevent loss of data in
    case the upgrade fails and full re-install of the system
    from installation media is needed.
    Upload results to UI by the command:
    e.g. preupg -u http://example.com:8099/submit/ -r /root/preupgrade-results/preupg_results-190313025245.tar.gz .

Results
The command output includes the following. Results are shown for six items, and the result for Python indicates that it needs attention.

    Result table with checks and their results for 'main contents':
    --------------------------------------------------
    |Grub 2                       |notapplicable     |
    |mysql to mariadb             |notapplicable     |
    |Extras provide packages      |informational     |
    |Release Lock                 |informational     |
    |SoName drift                 |informational     |
    |Python Native Packages       |needs_inspection  |
    --------------------------------------------------

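To see the details, check the report created at the following path.

    /root/preupgrade/result.html

The results can also be viewed by uploading them to the web UI that aggregates results (preupgrade-assistant-ui), but this time I transferred the file to my local machine and opened it in a browser (Chrome).
- A list of results is displayed
- The details and reasons for each check are described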
About the pre-upgrade assistant
Command options
Checking the options of the preupg command shows the following.

    $ sudo preupg --help
    Usage: preupg [options]

    Options:
      --version             show program's version number and exit
      -h, --help            Show help message and exit.
      -S, --skip-common     Skip generating files containing information about
                            the system. For assessing the system these files are
                            needed (by modules) but in the case the system
                            remains the same (the same installed packages,
                            configuration files not touched, etc.) they can be
                            reused from the previous runs of Preupgrade
                            Assistant.
      -d, --debug           Turn on debugging mode.
      -u, --upload          Upload a system assessment result to Preupgrade
                            Assistant WEB-UI.
      -r TARBALL, --results=TARBALL
                            Provide path to a system assessment result tarball
                            which is to be uploaded to WEB-UI. By default, the
                            result tarballs can be found in /root/preupgrade.
      -l, --list-contents-set
                            List all the available sets of modules. They are
                            searched for in /usr/share/preupgrade.
      -s MODULE_SET, --scan=MODULE_SET
                            Provide name of the set of modules which are to be
                            used for assessing the system. By default, if there
                            is just one set in /usr/share/preupgrade, Preupgrade
                            Assistant uses that one. Use --list-contents-set
                            option to get a list of possible values.
      -c ALL_XCCDF_PATH, --contents=ALL_XCCDF_PATH
                            Provide path to all-xccdf.xml of the set of modules
                            which is to be used for assesing the system. By
                            default, if there is just one set in
                            /usr/share/preupgrade, Preupgrade Assistant uses that
                            one. Option --scan works similarly.
      --riskcheck           Return the highest reported level of risk or result
                            related to system upgrade. Run Preupgrade Assistant
                            first - assessment of the system needs to be
                            performed before using this option. When this option
                            is used in concert with --verbose option, summary of
                            the risks are printed to STDOUT. If the --verbose
                            option is used once, just HIGH and EXTREME risks are
                            printed. If it is used twice, all the risks are
                            printed. Return codes:
                            0 ... SLIGHT or MEDIUM risk or needs_inspection,
                            fixed, informational, not_applicable, not_selected,
                            not_checked or pass result.
                            1 ... HIGH risk or needs_action result.
                            2 ... EXTREME risk or error or fail result.
      --force               Suppress user interaction.
      --text                Generate plain text assessment report alongside XML
                            and HTML reports. The text report is converted from
                            HTML using elinks, lynx or w3m tool.
      -v, --verbose         Show more information during the assessment.
      --cleanup             Remove all the files created by previous runs of
                            Preupgrade Assistant.
      -m MODE, --mode=MODE  Select what you plan to do with the system after
                            performing its assessment by Preupgrate Assistant -
                            migration or upgrade. Both modes are selected by
                            default. This option may only affect behaviour of the
                            modules - they can provide different results when
                            only one mode is selected. Use one of these values:
                            migrate, upgrade. It may be that modules behave the
                            same no matter what mode is selected.
      --select-rules=RULES  Execute just a subset of modules out of a module set.
                            Multiple modules are to be separated by a comma.
      --list-rules          List all the modules available within a module set.
      --dst-arch=ARCH       Specify an architecture of the system to be migrate
                            to. Available option are: x86_64, ppc64. Use of the
                            option is expected on 32-bit systems as by the
                            release of RHEL 7, 32-bit hardware support has been
                            dropped.
      --old-report-style    Generate report with simpler style than the default.

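The return-code mapping that the help output lists for `--riskcheck`, applied to the result table that `preupg` prints, so that results from several instances can be triaged from saved output (an added example, not part of the original post or of the Preupgrade Assistant). It assumes the table layout shown in this post and covers result names only, not risk levels; the function names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example: classify a preupg result table with the result-name part of
# the --riskcheck return-code mapping from `preupg --help`.

# Constructed sample input: the table rows from the run shown in this post.
sample_table() {
cat <<'EOF'
--------------------------------------------------
|Grub 2                       |notapplicable     |
|mysql to mariadb             |notapplicable     |
|Extras provide packages      |informational     |
|Release Lock                 |informational     |
|SoName drift                 |informational     |
|Python Native Packages       |needs_inspection  |
--------------------------------------------------
EOF
}

# Reads a table on stdin; prints "LEVEL<TAB>check<TAB>result" per row.
# LEVEL is 0, 1 or 2 as in the help text. Unknown result names are treated
# as level 2 so they are never silently ignored.
classify_results() {
  awk -F'|' '
    NF >= 3 {
      name = $2; res = $3
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", res)
      r = res; gsub(/_/, "", r)   # table prints "notapplicable", help "not_applicable"
      if (r ~ /^(needsinspection|fixed|informational|notapplicable|notselected|notchecked|pass)$/) lvl = 0
      else if (r == "needsaction") lvl = 1
      else lvl = 2                # error, fail, or anything unrecognised
      printf "%d\t%s\t%s\n", lvl, name, res
    }'
}

# Highest level in the table on stdin (0 for an empty table).
highest_level() {
  classify_results | awk -F'\t' 'BEGIN { m = 0 } $1 > m { m = $1 } END { print m }'
}

# Names of checks a person still has to read in result.html: everything at
# level 1 or 2, plus needs_inspection, which the mapping places at level 0.
needs_review() {
  classify_results | awk -F'\t' '$1 > 0 || $3 == "needs_inspection" { print $2 }'
}
```

Because `needs_inspection` maps to return code 0, a zero status alone does not mean there is nothing left to review; `sample_table | needs_review` still lists the Python check.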
Rules that are checked
Six items are defined as check rules.

    $ sudo preupg --list-rules
    xccdf_preupg_rule_sonames_check
    xccdf_preupg_rule_grub2_check
    xccdf_preupg_rule_mariadb_check
    xccdf_preupg_rule_python_check
    xccdf_preupg_rule_move-to-extras_check
    xccdf_preupg_rule_releasever-lock_check

README
There is a README in the same directory as the modules and other files. It describes part of how the tool behaves.

    $ sudo cat /root/preupgrade/README
    Preupgrade Assistant Purpose
    ----------------------------
    The Preupgrade Assistant is a framework designed to run the Preupgrade Assistant modules, which analyze the system for possible in-place upgrade limitations. It is based on a modular system, with each module performing a separate test, checking for package removals, incompatible obsolete packages, changes in libraries, users, groups, services, or incompatibilities of command-line options or configuration files. It is able to execute post-upgrade scripts to finalize complex tasks after the system upgrade. Apart from performing the in-place upgrades, the Preupgrade Assistant is also capable of migrating the system.
    It then produces a report, which assists you in performing the upgrade itself by outlining potential problem areas and by offering suggestions about mitigating any possible incompatibilities.
    The Preupgrade Assistant utility is a Red Hat Upgrade Tool prerequisite for completing a successful in-place upgrade to the next major version of Red Hat Enterprise Linux.

    Preupgrade Assistant Usage
    --------------------------
    At the moment, only a CLI interface and limited functionality is available.
    Follow these steps to use the Preupgrade Assistant:
    1) Run "preupg -l" command - it lists all available modules for preupgrade-assistant (as the system is based on a plug-in, there might be modules from different sources in the future). If nothing is shown, install the preupgrade-assistant modules package.
    2) If you have RHEL6_7 modules available, run "preupg -s RHEL6_7"
    3) Wait until the analysis finishes (it can take several minutes)
    4) Review the report stored as /root/preupgrade/result.html (and possibly the files stored at /root/preupgrade) . Especially check for any in-place upgrade risks (as described further in this document).

    The /root/preupgrade file&directory structure
    ------------------------------------
    This directory contains the data from the last Preupgrade Assistant run.
    The files are:
    result.html - a file with the final migration assessment report in a human-readable form (the functionality is only listed)
    result.xml - a file with the final migration assessment report in a machine-readable form
    README - this file
    results.tar.gz - a tarball with all the files in the /root/preupgrade directory
    The directories are:
    cleanconf - a directory with all user-modified configuration files, which were checked for the compatibility by the Preupgrade Assistant. These files can be safely used on Red Hat Enterprise Linux 7 system (some of these files might need a postupgrade.d scripts execution).
    dirtyconf - a directory with all user-modified configuration files, which were not checked for the compatibility by the Preupgrade Assistant. These might require an admin review after the Red Hat Enterprise Linux 7 installation/upgrade.
    kickstart - a directory with various files needed for generating Kickstart used to clone the system. See the README file in the kickstart directory for the file descriptions.
    postupgrade.d - contains various scripts which are supposed to be executed AFTER the upgrade to Red Hat Enterprise Linux 7. These scripts should NEVER be used on the Red Hat Enterprise Linux 6 system.
    RHEL6_7 - just a "debugging" directory - will be removed later. Ignore, unless you see an "Error" plug-in exit status.

    Possible exit codes explanation
    -------------------------------------
    Every single plug-in has its own exit code. The administrator needs to check at least those with a FAIL result before starting the in-place upgrade. The FIXED results should be checked after the in-place upgrade - to finish the Red Hat Enterprise Linux 7 upgrade properly.
    The possible exit codes are:
    * PASS = everything is fine, no incompatibilities/issues detected
    * FAIL = an incompatibility/issue that needs to be reviewed by the admin was detected
      FAIL does not necessarily mean that the in-place upgrade will fail, but might result in a not 100% functional system
    * FIXED = an incompatibility was detected, but the Preupgrade Assistant was able to find an automated solution. Some of the fixes may require running postupgrade.d scripts after the upgrade. The fixed configs are available in the /root/preupgrade/cleanconf directory. The Preupgrade Assistant does not handle the fixes automatically at the moment.
    * INFORMATIONAL = nice to have information for admins (e.g. removed options in some common tools which could cause malfunctions of their scripts)
    * NOT_APPLICABLE = the package which was to be tested by the check is not installed on the system
    * ERROR = it is not expected to occur and usually means an error in the Preupgrade Assistant framework. All such errors should be reported to the Red Hat Preupgrade Assistant team.

    In-place upgrade risk explanations
    -----------------------------------
    There are several levels of in-place upgrade risks. Any level higher than "slight" means you will get a not 100% functional upgraded system, although the in-place upgrade tool "redhat-upgrade-tool" may pass.
    The available risk assessment levels are:
    * None - Default. It can be used as an indicator for some checks. It is not necessary to enter these values.
    * Slight - We assessed this field and have not found any issues. However, there is still a risk that not all variants have been covered.
    * Medium - It is likely that the area will cause a problem in the case of the in-place upgrade. It needs to be checked by the administrator after the in-place upgrade and after the system was monitored for some time.
    * High - The in-place upgrade cannot be used safely without the administrator's assistance. This typically involves some known broken scenario, existing 3rd party packages. After the administrator manually fixes the issue, it should be possible to perform the in-place upgrade, but it is not recommended.
    * Extreme - We found an incompatibility which makes the in-place upgrade impossible. It is recommended to install a new system with the help of the Preupgrade Assistant remediations.

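Summary
For AL1, security updates for the latest version (2018.03) are provided until June 30, 2020.
Source: Announcement of the Amazon Linux 2 Pre-Upgrade Assistant
If you are wondering what to do, a good first step may be to copy an existing instance, run the pre-upgrade assistant on it, and check the impact. (Because modules have to be installed, I recommend running it against a copied instance if possible.)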