CentOS Stream 9 在 2027年5月31号 EOL停止更新,这里提前做一下准备。
更新stream-release和epel-release 需要去镜像网站上查看rpm 版本号,确保路径正确。
由于目前系统上线不久,很多源的release 没有追加更新 ,需要确认是否已经对 10 支持, 否则需要移除才能升级,
例如当前升级时候就只能先卸载remi-release才能执行升级,升级前务必备份重要数据,如果安装的rpm 比较多需要确认新系统兼容。
VERSION=10.0-0.20
dnf install -y https://mirror.stream.centos.org/10-stream/BaseOS/x86_64/os/Packages/centos-{stream-release,stream-repos,gpg-keys}-${VERSION}.el10.noarch.rpm --allowerasing
#dnf install -y https://dl.fedoraproject.org/pub/epel/epel-{next-release,release}-latest-10.noarch.rpm #epel官方暂时还没有出
dnf install -y https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/e/epel-release-10-1.el10_0.noarch.rpm #临时用这个
sed -e 's|^#baseurl=https://download.example/|baseurl=https://dl.fedoraproject.org/|' -e 's|^metalink=|#metalink=|' -e 's|^gpgkey=.*|gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever|' -i.bak /etc/yum.repos.d/epel.repo # 更新epel.repo设置,官方暂时还没更新 metalink 和 GPG key 的地址
dnf -y --releasever=10 --allowerasing --setopt=deltarpm=false distro-sync
rpm -qa | grep '\.el9' | xargs xargs rpm -e #强制卸载el9的残留rpm
grub2-mkconfig -o /boot/grub2/grub.cfg #重新生成 grub引导
grubby --default-kernel # 查看确认默认启动内核
dnf upgrade -y #最后再更新一下
kernel=$(grubby --default-kernel | sed 's|/boot/vmlinuz-||')
parameter=$(sed 's|.*vmlinuz-[^ ]* ||' /proc/cmdline)
kexec -l /boot/vmlinuz-$kernel --initrd=/boot/initramfs-$kernel.img --append=\"$parameter\"
kexec -e
kexec是在当前运行的系统和内核下切换内核, 重启是让主板重新走grub引导内核。
切换内核和重启风险都很大,需要谨慎,提前做好准备。
检查grub和kernel 后有条件的可以安排时间进行尝试重启系统。
升级完成后查看内核和发新版本信息
# cat /etc/redhat-release
CentOS Stream release 10 (Coughlan)
# rpm -qa|grep kernel |grep el10
kernel-headers-6.11.0-25.el10.x86_64
kernel-tools-libs-6.11.0-25.el10.x86_64
kernel-modules-core-6.11.0-25.el10.x86_64
kernel-core-6.11.0-25.el10.x86_64
kernel-modules-6.11.0-25.el10.x86_64
kernel-6.11.0-25.el10.x86_64
kernel-tools-6.11.0-25.el10.x86_64
# uname -a
Linux XXXXXXX 6.11.0-25.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 16 20:35:26 UTC 2024 x86_64 GNU/Linux
升级完 rpm -qa 查询出错
error: Verifying a signature using certificate 99DB70FAE1D7CE227FB6488205B555B38483C65D (CentOS (CentOS Official Signing Key) <security@centos.org>):
1. Certificate 05B555B38483C65D invalid: policy violation
because: No binding signature at time 2024-09-03T17:32:14Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure
2. Certificate 05B555B38483C65D invalid: policy violation
because: No binding signature at time 2024-10-04T09:48:41Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure
解决办法卸载 epel9 的 pubkey, 如果 rpm -qa报错, 可以将查询文本保存到文件查看
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' #查看所有gpg key
rpm -e gpg-pubkey-3228467c-613798eb #移除epel9的SHA1 pubkey
运行 dnf提示dnf modules 报错, 可能是之前的升级不支持的遗留,再确定后对/etc/dnf/modules.d/*目录进行清理即可
rm -rf /etc/dnf/modules.d/*