How to Upgrade AlmaLinux 8 to AlmaLinux 9 Using ELevate and Leapp Print

Upgrade AlmaLinux 8 to AlmaLinux 9 Using ELevate

Applies to: AlmaLinux 8.x servers requiring an in-place upgrade to AlmaLinux 9.x.

Required access: root or sudo privileges, SSH access, and preferably console access through your VPS panel, IPMI, KVM, VMware console, or cloud console.

Overview

AlmaLinux 8 to AlmaLinux 9 in-place upgrades are performed using the AlmaLinux ELevate project, which uses the Leapp upgrade framework.

The normal process is to fully update AlmaLinux 8 first, install the ELevate and Leapp packages, run a pre-upgrade check, resolve any reported inhibitors, and then start the upgrade.

Before You Start

• Take a full VPS, VM, or server snapshot.
• Confirm you have a current backup of websites, databases, email, and configuration files.
• Confirm you have console access, not only SSH.
• Review third-party repositories before upgrading.
• Schedule downtime for the upgrade and reboot process.

Step 1: Check Current OS Version

cat /etc/os-release
hostnamectl

Confirm the server is currently running AlmaLinux 8.

Step 2: Check Disk Space

df -h
lsblk

Recommended free space:

• At least 5 GB free on /
• At least 1 GB free on /boot, if /boot is a separate partition
• More free space if the server has many packages or control panels installed

Step 3: Check Enabled Repositories

dnf repolist --enabled

Third-party repositories may block or complicate the upgrade. Review repositories such as EPEL, Remi, MariaDB, PostgreSQL, Docker, Imunify, Plesk, cPanel, DirectAdmin, or custom vendor repositories before proceeding.

Step 4: Check for Failed Services

systemctl --failed

Resolve any existing failed services before starting the upgrade.

Step 5: Update AlmaLinux 8

Update the current AlmaLinux 8 system first:

dnf clean all
dnf update -y
reboot

Step 5.1: Fix AlmaLinux 8 GPG Key Error If Required

During the AlmaLinux 8 update, you may see a GPG error similar to the following:

Public key for package-name.rpm is not installed
GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
Error: GPG check FAILED

This can happen when the system is missing the newer AlmaLinux package signing key. To import the required key and retry the update, run:

rpm -q gpg-pubkey-ced7258b-6525146f || rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
dnf clean all
dnf makecache
dnf update -y

If the update still fails, refresh the AlmaLinux release package first:

rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
dnf clean all
dnf update -y almalinux-release
dnf update -y

To verify the key is installed, run:

rpm -q gpg-pubkey-ced7258b-6525146f

Expected output:

gpg-pubkey-ced7258b-6525146f

After the update completes successfully, reboot the server:

reboot

After the reboot, reconnect to the server and verify the system is healthy:

cat /etc/os-release
systemctl --failed
dnf check

Step 6: Install ELevate and Leapp

Install the AlmaLinux ELevate repository package:

dnf install -y http://repo.almalinux.org/elevate/elevate-release-latest-el8.noarch.rpm

Then install the Leapp upgrade packages for AlmaLinux:

dnf install -y leapp-upgrade leapp-data-almalinux

Confirm the packages are installed:

rpm -qa | grep -E 'leapp|elevate'

Step 7: Run the Pre-Upgrade Check

Run the Leapp pre-upgrade check. This does not upgrade the server yet. It only checks the system and generates a report.

leapp preupgrade

Review the generated report:

less /var/log/leapp/leapp-report.txt

To quickly check whether any inhibitors were reported, run:

grep -i inhibitor /var/log/leapp/leapp-report.txt

Step 8: Resolve Reported Inhibitors

The exact fix depends on the report. Common issues include unsupported packages, obsolete drivers, removed kernel modules, unsigned packages, third-party repositories, required confirmation answers, unsupported firewall configuration, insufficient /boot space, or SSH root login warnings.

View Full Inhibitor Details

A simple grep may only show partial inhibitor lines. To review the full report, open it with:

less /var/log/leapp/leapp-report.txt

Inside less, search for:

/inhibitor

You can also display inhibitor-related sections with:

awk '
/Risk Factor: high \(inhibitor\)/{show=1; print "----------------"; print; next}
show && /^Title:|^Summary:|^Remediation:|^Key:|^Related links:|^    - /{print}
show && /^Risk Factor:/ && $0 !~ /inhibitor/{show=0}
' /var/log/leapp/leapp-report.txt

Common Inhibitor: Firewalld AllowZoneDrifting Is Unsupported

One common AlmaLinux 8 to 9 upgrade blocker is:

Inhibitor: Firewalld Configuration AllowZoneDrifting Is Unsupported

This happens when firewalld has AllowZoneDrifting enabled. AlmaLinux 9 does not support this configuration during the upgrade. Check where the setting exists:

grep -R "AllowZoneDrifting" /etc/firewalld /usr/lib/firewalld 2>/dev/null

Most commonly, the setting is located in:

/etc/firewalld/firewalld.conf

Set AllowZoneDrifting to no:

sed -i 's/^AllowZoneDrifting=.*/AllowZoneDrifting=no/' /etc/firewalld/firewalld.conf

Restart firewalld:

systemctl restart firewalld
systemctl status firewalld --no-pager

Then rerun the Leapp pre-upgrade check:

leapp preupgrade
grep -i inhibitor /var/log/leapp/leapp-report.txt

If iptables -L -n hangs or takes too long while checking firewall rules, cancel it with CTRL+C and use the following commands instead:

iptables -L -n -v
firewall-cmd --state
firewall-cmd --get-active-zones
firewall-cmd --list-all

Common Inhibitor: Not Enough Space on /boot

Another common blocker is insufficient free space on /boot. Leapp needs enough space to create the temporary upgrade kernel and initramfs.

Check the current /boot usage:

df -h /boot
ls -lh /boot
rpm -q kernel
uname -r

Confirm the currently running kernel with uname -r. Do not remove the files for the kernel currently in use.

If an old kernel is installed, remove it with DNF. Example:

dnf remove -y kernel-4.18.0-240.el8.x86_64

If the package removal does not clean all old boot files, manually remove old leftover files for the old kernel version only. Example:

rm -f /boot/System.map-4.18.0-240.el8.x86_64
rm -f /boot/config-4.18.0-240.el8.x86_64
rm -f /boot/initramfs-4.18.0-240.el8.x86_64.img
rm -f /boot/vmlinuz-4.18.0-240.el8.x86_64

Old rescue images and kdump initramfs files can also consume significant space. If needed, remove old rescue and kdump files:

rm -f /boot/initramfs-0-rescue-*.img
rm -f /boot/vmlinuz-0-rescue-*
rm -f /boot/*kdump.img

Example files to keep when the active kernel is 4.18.0-553.123.2.el8_10.x86_64:

/boot/vmlinuz-4.18.0-553.123.2.el8_10.x86_64
/boot/initramfs-4.18.0-553.123.2.el8_10.x86_64.img
/boot/System.map-4.18.0-553.123.2.el8_10.x86_64
/boot/config-4.18.0-553.123.2.el8_10.x86_64

Check free space again:

df -h /boot
ls -lh /boot

Then rerun the pre-upgrade check:

leapp preupgrade
grep -i inhibitor /var/log/leapp/leapp-report.txt

Common Inhibitor or Warning: Remote Root Login Using Password

Leapp may warn about remote root login using password. This can become an access risk during or after the upgrade if SSH behavior changes. Make sure you have console access before continuing.

If you rely on SSH root login during the upgrade, explicitly confirm the SSH configuration before proceeding:

cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.preleapp.$(date +%F)

grep -q '^PermitRootLogin' /etc/ssh/sshd_config \
  && sed -i 's/^PermitRootLogin.*/PermitRootLogin yes # Added before Leapp upgrade to prevent lockout/' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin yes # Added before Leapp upgrade to prevent lockout' >> /etc/ssh/sshd_config

sshd -t && systemctl restart sshd

Keep the current SSH session open and test a new SSH session before continuing.

After the upgrade, you can harden root SSH access again with:

sed -i 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

Common Inhibitor: Required Leapp Confirmation

Some Leapp checks require confirmation through an answer file. Example:

leapp answer --section remove_pam_pkcs11_module_check.confirm=True

Only apply a Leapp answer after confirming it matches the specific inhibitor shown in your report.

Rerun Pre-Upgrade Check

After resolving reported issues, run the pre-upgrade check again:

leapp preupgrade
less /var/log/leapp/leapp-report.txt
grep -i inhibitor /var/log/leapp/leapp-report.txt

Repeat this process until there are no remaining upgrade inhibitors.

When the report shows Inhibitors: 0, Leapp is no longer blocking the upgrade.

Reports summary:
    Errors:                      0
    Inhibitors:                  0

Some HIGH severity reports may remain as warnings, such as:

GRUB2 core will be automatically updated during the upgrade
Remote root logins globally allowed using password

These are warnings, not blockers, as long as the report shows Inhibitors: 0.

Step 9: Start the Upgrade

Before starting the upgrade, perform one final check:

df -h /boot
systemctl --failed
cat /etc/os-release

Once the pre-upgrade report shows no inhibitors, start the upgrade:

leapp upgrade

If the command completes successfully, reboot the server:

reboot

Step 10: Validate the Upgrade

After the server comes back online, confirm it is running AlmaLinux 9:

cat /etc/os-release
hostnamectl
uname -r

Check failed services:

systemctl --failed

Check networking:

ip addr
ip route
cat /etc/resolv.conf
ping -c 4 8.8.8.8
ping -c 4 almalinux.org

Check package manager health:

dnf repolist --enabled
dnf check
dnf update -y

Step 11: Check Application Services

Depending on the server role, check the relevant services:

systemctl status httpd nginx mariadb mysqld postgresql php-fpm docker sshd --no-pager

Review system logs for errors:

journalctl -p warning -b --no-pager
journalctl -p err -b --no-pager

Step 12: Cleanup After Upgrade

After confirming the server is stable, clean DNF metadata:

dnf clean all
dnf autoremove -y

Check for remaining AlmaLinux 8 packages:

rpm -qa | grep -E 'el8' | sort

Rollback Plan

If the server fails to boot, loses network access, or critical services fail after the upgrade, use the pre-upgrade snapshot or backup.

1. Access the server through console, IPMI, KVM, hypervisor console, or rescue mode.
2. Collect logs from /var/log/leapp/ and journalctl if possible.
3. If the issue cannot be corrected quickly, restore the server from the pre-upgrade snapshot.
4. Review the Leapp report and resolve blockers before attempting the upgrade again.

Quick Command Summary

# Check OS
cat /etc/os-release
hostnamectl

# Check disk space
df -h
df -h /boot
lsblk

# Check repositories and failed services
dnf repolist --enabled
systemctl --failed

# Update AlmaLinux 8
dnf clean all
dnf update -y

# If GPG key error occurs, import the newer AlmaLinux key
rpm -q gpg-pubkey-ced7258b-6525146f || rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
dnf clean all
dnf makecache
dnf update -y

# Reboot after successful AlmaLinux 8 update
reboot

# Install ELevate and Leapp
dnf install -y http://repo.almalinux.org/elevate/elevate-release-latest-el8.noarch.rpm
dnf install -y leapp-upgrade leapp-data-almalinux

# Run pre-upgrade check
leapp preupgrade
less /var/log/leapp/leapp-report.txt
grep -i inhibitor /var/log/leapp/leapp-report.txt

# Fix common firewalld AllowZoneDrifting inhibitor
grep -R "AllowZoneDrifting" /etc/firewalld /usr/lib/firewalld 2>/dev/null
sed -i 's/^AllowZoneDrifting=.*/AllowZoneDrifting=no/' /etc/firewalld/firewalld.conf
systemctl restart firewalld

# Check /boot space and installed kernels
df -h /boot
ls -lh /boot
rpm -q kernel
uname -r

# Example cleanup for old kernel files only; adjust version as needed
dnf remove -y kernel-4.18.0-240.el8.x86_64
rm -f /boot/System.map-4.18.0-240.el8.x86_64
rm -f /boot/config-4.18.0-240.el8.x86_64
rm -f /boot/initramfs-4.18.0-240.el8.x86_64.img
rm -f /boot/vmlinuz-4.18.0-240.el8.x86_64

# Optional /boot cleanup if still low on space
rm -f /boot/initramfs-0-rescue-*.img
rm -f /boot/vmlinuz-0-rescue-*
rm -f /boot/*kdump.img

# Confirm SSH root login behavior if required for access during upgrade
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.preleapp.$(date +%F)
grep -q '^PermitRootLogin' /etc/ssh/sshd_config \
  && sed -i 's/^PermitRootLogin.*/PermitRootLogin yes # Added before Leapp upgrade to prevent lockout/' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin yes # Added before Leapp upgrade to prevent lockout' >> /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

# Rerun pre-upgrade check after fixes
leapp preupgrade
grep -i inhibitor /var/log/leapp/leapp-report.txt

# Start upgrade only after Inhibitors: 0
df -h /boot
systemctl --failed
cat /etc/os-release
leapp upgrade
reboot

# Validate after reboot
cat /etc/os-release
uname -r
systemctl --failed
dnf check
dnf update -y

# Optional: harden root SSH access after confirming access
sed -i 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

References

• AlmaLinux ELevate Quickstart Guide
• AlmaLinux ELevate Project
• AlmaLinux 8 GPG key update guidance
• Leapp pre-upgrade report: /var/log/leapp/leapp-report.txt