Risk Factor: high Title: Packages from unknown repositories may not be installed Summary: 1 packages may not be installed or upgraded due to repositories unknown to leapp: - kernel-uek (repoid: ol8-uek) Remediation: [hint] Please file a bug in http://bugzilla.redhat.com/ for leapp-repository component of the Red Hat Enterprise Linux product. Key: 9a2b05abf8f45fd7915e52542887bb334bb218ea ---------------------------------------- Risk Factor: high Title: Difference in Python versions and support in RHEL 8 Summary: In RHEL 8, there is no 'python' command. Python 3 (backward incompatible) is the primary Python version and Python 2 is available with limited support and limited set of packages. Read more here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/#using-python3 Remediation: [hint] Please run "alternatives --set python /usr/bin/python3" after upgrade Key: 0c98585b1d8d252eb540bf61560094f3495351f5 ---------------------------------------- Risk Factor: high Title: Packages not signed by Red Hat found on the system Summary: The following packages have not been signed by Red Hat and may be removed during the upgrade process in case Red Hat-signed packages to be removed during the upgrade depend on them: - activemq-cpp - cloudflared - colordiff - duplicity - duply - dynflow-utils - foreman - foreman-cli - foreman-debug - foreman-dynflow-sidekiq - foreman-ec2 - foreman-installer - foreman-ovirt - foreman-postgresql - foreman-proxy - foreman-release - foreman-selinux - foreman-service - glances - gpg-pubkey - hiera - leapp - leapp-data-rocky - leapp-deps - leapp-upgrade-el7toel8 - leapp-upgrade-el7toel8-deps - libeio - librsync - lyx-fonts - mod_passenger - nagios-common - nagios-plugins - nagios-plugins-disk - nagios-plugins-http - nagios-plugins-load - nagios-plugins-ntp - nagios-plugins-ping - nagios-plugins-procs - nagios-plugins-ssh - nagios-plugins-swap - nagios-plugins-tcp - nagios-plugins-users - ncftp - passenger - puppet-agent - puppet-agent-oauth - puppetlabs-release - puppetlabs-release-pc1 - puppetserver - python-GnuPGInterface - python-monotonic - python-pep8 - python2-PyDrive - python2-boto - python2-crypto - python2-ecdsa - python2-fasteners - python2-gflags - python2-google-api-client - python2-httplib2 - python2-keyring - python2-leapp - python2-lockfile - python2-oauth2client - python2-paramiko - python2-psutil - python2-rsa - python2-six - python2-uritemplate - python36-rpm - python36-rpmconf - rpmconf - rpmconf-base - ruby-augeas - ruby-shadow - rubygem-ansi - rubygem-apipie-bindings - rubygem-awesome_print - rubygem-bundler_ext - rubygem-clamp - rubygem-concurrent-ruby - rubygem-daemon_controller - rubygem-fast_gettext - rubygem-fastercsv - rubygem-ffi - rubygem-foreman_maintain - rubygem-gssapi - rubygem-hashie - rubygem-highline - rubygem-jwt - rubygem-little-plugger - rubygem-locale - rubygem-logging - rubygem-mime-types - rubygem-multi_json - rubygem-netrc - rubygem-oauth - rubygem-powerbar - rubygem-rack - rubygem-rack-protection - rubygem-rb-inotify - rubygem-rb-readline - rubygem-rest-client - rubygem-rkerberos - rubygem-rsec - rubygem-rubyipmi - rubygem-sinatra - rubygem-table_print - rubygem-tilt - syslinux - tfm-rubygem-actioncable - tfm-rubygem-actionmailbox - tfm-rubygem-actionmailer - tfm-rubygem-actionpack - tfm-rubygem-actiontext - tfm-rubygem-actionview - tfm-rubygem-activejob - tfm-rubygem-activemodel - tfm-rubygem-activerecord - tfm-rubygem-activerecord-session_store - tfm-rubygem-activestorage - tfm-rubygem-activesupport - tfm-rubygem-addressable - tfm-rubygem-algebrick - tfm-rubygem-amazing_print - tfm-rubygem-ancestry - tfm-rubygem-ansi - tfm-rubygem-apipie-bindings - tfm-rubygem-apipie-dsl - tfm-rubygem-apipie-params - tfm-rubygem-apipie-rails - tfm-rubygem-audited - tfm-rubygem-awesome_print - tfm-rubygem-bcrypt - tfm-rubygem-bcrypt_pbkdf - tfm-rubygem-builder - tfm-rubygem-bundler_ext - tfm-rubygem-clamp - tfm-rubygem-coffee-rails - tfm-rubygem-coffee-script - tfm-rubygem-coffee-script-source - tfm-rubygem-colorize - tfm-rubygem-concurrent-ruby - tfm-rubygem-concurrent-ruby-edge - tfm-rubygem-connection_pool - tfm-rubygem-crass - tfm-rubygem-css_parser - tfm-rubygem-daemons - tfm-rubygem-deacon - tfm-rubygem-declarative - tfm-rubygem-declarative-option - tfm-rubygem-deep_cloneable - tfm-rubygem-deface - tfm-rubygem-diffy - tfm-rubygem-domain_name - tfm-rubygem-dynflow - tfm-rubygem-ed25519 - tfm-rubygem-erubi - tfm-rubygem-excon - tfm-rubygem-execjs - tfm-rubygem-facter - tfm-rubygem-faraday - tfm-rubygem-fast_gettext - tfm-rubygem-ffi - tfm-rubygem-fog-aws - tfm-rubygem-fog-core - tfm-rubygem-fog-digitalocean - tfm-rubygem-fog-google - tfm-rubygem-fog-json - tfm-rubygem-fog-openstack - tfm-rubygem-fog-ovirt - tfm-rubygem-fog-vsphere - tfm-rubygem-fog-xenserver - tfm-rubygem-fog-xml - tfm-rubygem-foreman-tasks - tfm-rubygem-foreman-tasks-core - tfm-rubygem-foreman_bootdisk - tfm-rubygem-foreman_discovery - tfm-rubygem-foreman_puppet - tfm-rubygem-foreman_remote_execution - tfm-rubygem-foreman_remote_execution_core - tfm-rubygem-foreman_setup - tfm-rubygem-formatador - tfm-rubygem-friendly_id - tfm-rubygem-get_process_mem - tfm-rubygem-gettext_i18n_rails - tfm-rubygem-git - tfm-rubygem-gitlab-sidekiq-fetcher - tfm-rubygem-globalid - tfm-rubygem-google-api-client - tfm-rubygem-google-cloud-env - tfm-rubygem-googleauth - tfm-rubygem-graphql - tfm-rubygem-graphql-batch - tfm-rubygem-gssapi - tfm-rubygem-hammer_cli - tfm-rubygem-hammer_cli_foreman - tfm-rubygem-hammer_cli_foreman_puppet - tfm-rubygem-hashie - tfm-rubygem-highline - tfm-rubygem-hocon - tfm-rubygem-http-cookie - tfm-rubygem-httpclient - tfm-rubygem-i18n - tfm-rubygem-ipaddress - tfm-rubygem-jwt - tfm-rubygem-kafo - tfm-rubygem-kafo_parsers - tfm-rubygem-kafo_wizards - tfm-rubygem-ldap_fluff - tfm-rubygem-little-plugger - tfm-rubygem-locale - tfm-rubygem-logging - tfm-rubygem-loofah - tfm-rubygem-mail - tfm-rubygem-marcel - tfm-rubygem-memoist - tfm-rubygem-method_source - tfm-rubygem-mime-types - tfm-rubygem-mime-types-data - tfm-rubygem-mini_mime - tfm-rubygem-mini_portile2 - tfm-rubygem-mqtt - tfm-rubygem-msgpack - tfm-rubygem-multi_json - tfm-rubygem-multipart-post - tfm-rubygem-mustermann - tfm-rubygem-net-ldap - tfm-rubygem-net-ping - tfm-rubygem-net-scp - tfm-rubygem-net-ssh - tfm-rubygem-net_http_unix - tfm-rubygem-netrc - tfm-rubygem-nio4r - tfm-rubygem-nokogiri - tfm-rubygem-oauth - tfm-rubygem-optimist - tfm-rubygem-os - tfm-rubygem-ovirt-engine-sdk - tfm-rubygem-parallel - tfm-rubygem-parse-cron - tfm-rubygem-pg - tfm-rubygem-polyglot - tfm-rubygem-powerbar - tfm-rubygem-promise.rb - tfm-rubygem-public_suffix - tfm-rubygem-puma - tfm-rubygem-puma-status - tfm-rubygem-rabl - tfm-rubygem-racc - tfm-rubygem-rack - tfm-rubygem-rack-cors - tfm-rubygem-rack-jsonp - tfm-rubygem-rack-protection - tfm-rubygem-rack-test - tfm-rubygem-rails - tfm-rubygem-rails-dom-testing - tfm-rubygem-rails-html-sanitizer - tfm-rubygem-rails-i18n - tfm-rubygem-railties - tfm-rubygem-rainbow - tfm-rubygem-rake-compiler - tfm-rubygem-rb-inotify - tfm-rubygem-rbvmomi - tfm-rubygem-redfish_client - tfm-rubygem-redis - tfm-rubygem-representable - tfm-rubygem-responders - tfm-rubygem-rest-client - tfm-rubygem-retriable - tfm-rubygem-rkerberos - tfm-rubygem-roadie - tfm-rubygem-roadie-rails - tfm-rubygem-rsec - tfm-rubygem-ruby-libvirt - tfm-rubygem-ruby2_keywords - tfm-rubygem-ruby2ruby - tfm-rubygem-ruby_parser - tfm-rubygem-rubyipmi - tfm-rubygem-safemode - tfm-rubygem-scoped_search - tfm-rubygem-sd_notify - tfm-rubygem-secure_headers - tfm-rubygem-sequel - tfm-rubygem-server_sent_events - tfm-rubygem-sexp_processor - tfm-rubygem-sidekiq - tfm-rubygem-signet - tfm-rubygem-sinatra - tfm-rubygem-smart_proxy_discovery - tfm-rubygem-smart_proxy_dynflow - tfm-rubygem-smart_proxy_remote_execution_ssh - tfm-rubygem-sprockets - tfm-rubygem-sprockets-rails - tfm-rubygem-sqlite3 - tfm-rubygem-sshkey - tfm-rubygem-statsd-instrument - tfm-rubygem-thor - tfm-rubygem-thread_safe - tfm-rubygem-tilt - tfm-rubygem-tzinfo - tfm-rubygem-uber - tfm-rubygem-unf - tfm-rubygem-unf_ext - tfm-rubygem-unicode - tfm-rubygem-unicode-display_width - tfm-rubygem-validates_lengths_from_database - tfm-rubygem-webpack-rails - tfm-rubygem-websocket-driver - tfm-rubygem-websocket-extensions - tfm-rubygem-will_paginate - tfm-rubygem-xmlrpc - tfm-rubygem-zeitwerk - tfm-runtime Key: 13f0791ae5f19f50e7d0d606fb6501f91b1efb2c ---------------------------------------- Risk Factor: high Title: GRUB core will be updated during upgrade Summary: On legacy (BIOS) systems, GRUB core (located in the gap between the MBR and the first partition) does not get automatically updated when GRUB is upgraded. Key: baa75fad370c42fd037481909201cde9495dacf4 ---------------------------------------- Risk Factor: high Title: DNF execution failed with non zero exit code. STDOUT: Last metadata expiration check: 0:00:42 ago on Wed Jul 26 12:48:11 2023. Package rubygem-foreman_maintain-1:1.1.10-1.el7.noarch is already installed. Package python2-six-1.9.0-0.el7.noarch is already installed. Package tfm-rubygem-smart_proxy_remote_execution_ssh-0.7.2-1.fm3_3.el7.noarch is already installed. Package foreman-installer-1:3.3.1-2.el7.noarch is already installed. STDERR: No matches found for the following disable plugin patterns: subscription-manager Repository extras is listed more than once in the configuration Warning: Package marked by Leapp to install not found in repositories metadata: rubygem-foreman-tasks-core python3-javapackages ivy-local rubygem-foreman_remote_execution_core Warning: Package marked by Leapp to upgrade not found in repositories metadata: gpg-pubkey Transaction check: Problem: package foreman-3.3.1-1.el8.noarch requires rubygem(facter), but none of the providers can be installed - package rubygem-foreman_remote_execution-7.2.2-1.fm3_3.el8.noarch requires foreman >= 3.3.1, but none of the providers can be installed - package rubygem-facter-4.0.51-2.el8.x86_64 requires rubygem(thor) < 2.0, but none of the providers can be installed - cannot install the best candidate for the job - foreman-3.3.1-1.el7.noarch does not belong to a distupgrade repository - conflicting requests Summary: Key: 604dff77e3ac5bd3c60e8e7c2507e442a570afc9 ---------------------------------------- Risk Factor: medium Title: Module pam_pkcs11 will be removed from PAM configuration Summary: Module pam_pkcs11 was surpassed by SSSD and therefore it was removed from RHEL-8. Keeping it in PAM configuration may lock out the system thus it will be automatically removed from PAM configuration before upgrading to RHEL-8. Please switch to SSSD to recover the functionality of pam_pkcs11. Remediation: [hint] Configure SSSD to replace pam_pkcs11 Key: bf47e7305d6805e8bbeaa7593cf01e38030c23f3 ---------------------------------------- Risk Factor: medium Title: Satellite PostgreSQL data migration Summary: Your PostgreSQL data will be automatically migrated. Key: 66a150516fb9a6fac8a6297cfe3f7751185b0a14 ---------------------------------------- Risk Factor: low Title: SElinux will be set to permissive mode Summary: SElinux will be set to permissive mode. Current mode: enforcing. This action is required by the upgrade process to make sure the upgraded system can boot without beinig blocked by SElinux rules. Remediation: [hint] Make sure there are no SElinux related warnings after the upgrade and enable SElinux manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings. Key: 39d7183dafba798aa4bbb1e70b0ef2bbe5b1772f ---------------------------------------- Risk Factor: low Title: chrony using non-default configuration Summary: chrony behavior will not change in RHEL8 Key: 9acbfcce3d310a70b602c7ab0a9c2cb94eb6b63f ---------------------------------------- Risk Factor: low Title: Postfix has incompatible changes in the next major version Summary: Postfix 3.x has so called "compatibility safety net" that runs Postfix programs with backwards-compatible default settings. It will log a warning whenever backwards-compatible default setting may be required for continuity of service. Based on this logging the system administrator can decide if any backwards-compatible settings need to be made permanent in main.cf or master.cf, before turning off the backwards-compatibility safety net. The backward compatibility safety net is by default turned off in Red Hat Enterprise Linux 8. It can be turned on by running: "postconf -e compatibility_level=0 It can be turned off by running: "postconf -e compatibility_level=2 In the Postfix MySQL database client, the default "option_group" value has changed to "client", i.e. it now reads options from the [client] group from the MySQL configuration file. To disable it, set "option_group" to the empty string. The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set TZ=UTC in main.cf:import_environment. Postfix 3.2 enables elliptic curve negotiation. This changes the default smtpd_tls_eecdh_grade setting to "auto", and introduces a new parameter "tls_eecdh_auto_curves" with the names of curves that may be negotiated. The "master.cf" chroot default value has changed from "y" (yes) to "n" (no). This applies to master.cf services where chroot field is not explicitly specified. The "append_dot_mydomain" default value has changed from "yes" to "no". You may need changing it to "yes" if senders cannot use complete domain names in e-mail addresses. The "relay_domains" default value has changed from "$mydestination" to the empty value. This could result in unexpected "Relay access denied" errors or ETRN errors, because now will postfix by default relay only for the localhost. The "mynetworks_style" default value has changed from "subnet" to "host". This parameter is used to implement the "permit_mynetworks" feature. The change could result in unexpected "access denied" errors, because postfix will now by default trust only the local machine, not the remote SMTP clients on the same IP subnetwork. Postfix now supports dynamically loaded database plugins. Plugins are shipped in individual RPM sub-packages. Correct database plugins have to be installed, otherwise the specific database client will not work. For example for PostgreSQL map to work, the postfix-pgsql RPM package has to be installed. Key: 5721e0a07a67d82cf7e5ea6f17662cd4f82e0a33 ---------------------------------------- Risk Factor: low Title: Grep has incompatible changes in the next major version Summary: If a file contains data improperly encoded for the current locale, and this is discovered before any of the file's contents are output, grep now treats the file as binary. The 'grep -P' no longer reports an error and exits when given invalid UTF-8 data. Instead, it considers the data to be non-matching. In locales with multibyte character encodings other than UTF-8, grep -P now reports an error and exits instead of misbehaving. When searching binary data, grep now may treat non-text bytes as line terminators. This can boost performance significantly. The 'grep -z' no longer automatically treats the byte '\200' as binary data. Context no longer excludes selected lines omitted because of -m. For example, 'grep "^" -m1 -A1' now outputs the first two input lines, not just the first line. Remediation: [hint] Please update your scripts to be compatible with the changes. Key: 94665a499e2eeee35eca3e7093a7abe183384b16 ---------------------------------------- Risk Factor: low Title: Dosfstools incompatible changes in the next major version Summary: The automatic alignment of data clusters that was added in 3.0.8 and broken for FAT32 starting with 3.0.20 has been reinstated. If you need to create file systems for finicky devices that have broken FAT implementations use the option -a to disable alignment. The fsck.fat now defaults to interactive repair mode which previously had to be selected with the -r option. Remediation: [hint] Please update your scripts to be compatible with the changes. Key: c75fe5e06c70d9e764703fa2611f917c75946226 ---------------------------------------- Risk Factor: low Title: sendmail configuration will be migrated Summary: IPv6 addresses will be uncompressed, check all IPv6 addresses in all sendmail configuration files for correctness. Key: 643a4e9cf1c19cc7da903f70a0cb0dfe1f5be29b ---------------------------------------- Risk Factor: low Title: OpenSSH configured not to use privilege separation sandbox Summary: OpenSSH is configured to disable privilege separation sandbox, which is decreasing security and is no longer supported in RHEL 8 Key: 5119f0f1a821ed28a36bd84e86271e1cd4cc9cba ---------------------------------------- Risk Factor: low Title: OpenSSH configured with removed configuration Protocol Summary: OpenSSH is configured with removed configuration option Protocol. If this used to be for enabling SSHv1, this is no longer supported in RHEL 8. Otherwise this option can be simply removed. Key: 5744a935aab15fe2386ea52849d21edd6525e4d7 ---------------------------------------- Risk Factor: low Title: The subscription-manager release is going to be kept as it is during the upgrade Summary: The upgrade is executed with the --no-rhsm option (or with the LEAPP_NO_RHSM environment variable). In this case, the subscription-manager will not be configured during the upgrade. If the system is subscribed and release is set already, you could encounter issues to get RHEL content using DNF/YUM after the upgrade. Remediation: [hint] Set the new release (or unset it) after the upgrade using subscription-manager: subscription-manager release --set 8.6 Key: 01986584e27e85ea18929586faf614eee011a121 ---------------------------------------- Risk Factor: info Title: SElinux relabeling will be scheduled Summary: SElinux relabeling will be scheduled as the status is permissive/enforcing. Key: 8fb81863f8413bd617c2a55b69b8e10ff03d7c72 ---------------------------------------- Risk Factor: info Title: Current PAM and nsswitch.conf configuration will be kept. Summary: There is a new tool called authselect in RHEL8 that replaced authconfig. The upgrade process was unable to find an authselect profile that would be equivalent to your current configuration. Therefore your configuration will be left intact. Key: 40c4ab1da4a30dc1ca40e543f6385e1336d8810c ----------------------------------------