从Centos 9 Stream 版本切换到 Rocky Linux 9

迁移前重要提示

1. 数据备份：

2. 风险说明：

3. • 迁移过程不可逆
   • 生产环境务必在测试环境验证
   • 确保有物理或带外管理访问权限

4. 系统要求：

5. • CentOS 9 Stream 系统
   • 至少 2GB 空闲内存
   • 稳定的网络连接

1. 准备系统环境

更新所有软件包

yum update -y

安装必要工具

yum install -y curl wget tar gzip

2. 清理原有软件源

可选：备份现有源配置

mkdir /root/yum.repos.backup

cp -a /etc/yum.repos.d/* /root/yum.repos.backup/

删除CentOS Stream官方源

rm -rf /etc/yum.repos.d/CentOS-Stream*

3. 获取迁移脚本

下载迁移脚本（USTC镜像版）

curl -O https://raw.githubusercontent.com/rocky-linux/rocky-tools/main/migrate2rocky/migrate2rocky.sh

验证脚本完整性

echo “ead288baa8daad12d6f340f1a392d47413f8614425673fe310e82d4ead94ca15eb2e1329b30389e6a7f93dd406da255df410306cffd7a1a24f0dfb4c8e23fbfe migrate2rocky.sh” | sha512sum -c

脚本国内源优化（看网络环境使用）

#!/bin/bash
# 
# migrate2rocky9 - Migrate another EL9 distribution to RockyLinux 9.
# By: Peter Ajamian <peter@pajamian.dhs.org>
# Adapted from centos2rocky.sh by label <label@rockylinux.org>
#
# The latest version of this script can be found at:
# https://github.com/rocky-linux/rocky-tools
#
# Copyright (c) 2022 Rocky Enterprise Software Foundation
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice (including the next
# paragraph) shall be included in all copies or substantial portions of the
# Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
### Using this script means you accept all risks of system instability.# These checks need to be right at the top because we start with bash-isms right
# away in this script.
if [ -n "$POSIXLY_CORRECT" ] || [ -z "$BASH_VERSION" ]; thenprintf '%s\n' "bash >= 4.2 is required for this script." >&2exit 1
fi# We need bash version >= 4.2 for associative arrays and other features.
if (( BASH_VERSINFO[0]*100 + BASH_VERSINFO[1] < 402 )); thenprintf '%s\n' "bash >= 4.2 is required for this script." >&2exit 1
fishopt -s extglob# Make sure we're root.
if (( EUID != 0 )); thenprintf '%s\n' \"You must run this script as root.  Either use sudo or 'su -c ${0}'" >&2exit 1
fi# Path to logfile
logfile=/var/log/migrate2rocky.log# Rotate old logs
numlogs=5
if [[ -e $logfile ]]; then# Here we use mv before bin_check, so simply check the exit status to see if# it worked.if ! mv -f "$logfile" "$logfile.0"; thenprintf '%s\n' "Unable to rotate logfiles, continuing without rotation." >&2elsefor ((i=numlogs;i>0;i--)); doif [[ -e "$logfile.$((i-1))" ]]; thenif ! mv -f "$logfile.$((i-1))" "$logfile.$i"; thenprintf '%s\n' \
"Unable to rotate logfiles, continuing without rotation."breakfifidonefi
fi# Send all output to the logfile as well as stdout.
# After the following we get:
# Output to 1 goes to stdout and the logfile.
# Output to 2 goes to stderr and the logfile.
# Output to 3 just goes to stdout.
# Output to 4 just goes to stderr.
# Output to 5 just goes to the logfile.# shellcheck disable=SC2094
exec \3>&1 \4>&2 \5>> "$logfile" \> >(tee -a "$logfile") \2> >(tee -a "$logfile" >&2)# List nocolor last here so that -x doesn't bork the display.
errcolor=$(tput setaf 1)
infocolor=$(tput setaf 6)
nocolor=$(tput op)# Single arg just gets returned verbatim, multi arg gets formatted via printf.
# First arg is the name of a variable to store the results.
msg_format () {local _var_var="$1"shiftif (( $# > 1 )); then# shellcheck disable=SC2059printf -v "$_var" "$@"elseprintf -v "$_var" "%s" "$1"fi
}# Send an info message to the log file and stdout (with color)
infomsg () {local msgmsg_format msg "$@"printf '%s' "$msg" >&5printf '%s%s%s' "$infocolor" "$msg" "$nocolor" >&3
}# Send an error message to the log file and stderr (with color)
errmsg () {local msgmsg_format msg "$@"printf '%s' "$msg" >&5printf '%s%s%s' "$errcolor" "$msg" "$nocolor" >&4
}infomsg 'migrate2rocky9 - Begin logging at %(%c)T.\n\n' -1export LC_ALL=C.UTF-8
unset LANGUAGE
shopt -s nullglobSUPPORTED_MAJOR="9"
SUPPORTED_PLATFORM="platform:el$SUPPORTED_MAJOR"
ARCH=$(arch)gpg_key_url="https://mirrors.ustc.edu.cn/rocky/RPM-GPG-KEY-Rocky-9"
gpg_key_sha512="ead288baa8daad12d6f340f1a392d47413f8614425673fe310e82d4ead94ca15eb2e1329b30389e6a7f93dd406da255df410306cffd7a1a24f0dfb4c8e23fbfe"sm_ca_dir=/etc/rhsm/ca
unset tmp_sm_ca_dir# all repos must be signed with the same key given in $gpg_key_url
declare -A repo_urls
repo_urls=([rockybaseos]="https://mirrors.ustc.edu.cn/rocky/${SUPPORTED_MAJOR}/BaseOS/$ARCH/os/"[rockyappstream]="https://mirrors.ustc.edu.cn/rocky/${SUPPORTED_MAJOR}/AppStream/$ARCH/os/"
)# These are additional packages that should always be installed.
# (currently blank, but we add to it for an EFI boot system).
always_install=()# The repos package for CentOS stream requires special handling.
declare -g -A stream_repos_pkgs
stream_repos_pkgs=([rocky-repos]=centos-stream-repos[epel-release]=epel-next-release
)# Map for package name suffix for shim/grub2-efi
# on x86_64: grub2-efi-x64, shim-x64
# on aarch64: grub2-efi-aa64, shim-aa64
declare -A cpu_arch_suffix_map=([x86_64]=x64[aarch64]=aa64
)# Prefix to add to CentOS stream repo names when renaming them.
stream_prefix=stream-# Always replace these stream packages with their Rocky Linux equivalents.
stream_always_replace=(fwupdate\*grub2-\*shim-\*kernelkernel-\*
)# Directory to required space in MiB
# Note this is based on Rocky Linux 8 numbers.  We will use these until we can
# get realistic numbers for Rocky 9.
declare -A dir_space_map
dir_space_map=([/usr]=250[/var]=1536[/boot]=50
)unset CDPATHexit_message() {errmsg $'\n'"$1"$'\n\n'final_messageexit 1
}final_message() {errmsg '%s ' \"An error occurred while we were attempting to convert your system to" \"Rocky Linux. Your system may be unstable. Script will now exit to" \"prevent possible damage."$'\n\n'logmessage
}logmessage(){printf '%s%s%s\n' "$infocolor" \"A log of this installation can be found at $logfile" \"$nocolor" >&3
}# This just grabs a field from os-release and returns it.
os-release () (# shellcheck source=/dev/null. /etc/os-releaseif ! [[ ${!1} ]]; thenreturn 1fiprintf '%s\n' "${!1}"
)# Check the version of a package against a supplied version number.  Note that
# this uses sort -V to compare the versions which isn't perfect for rpm package
# versions, but to do a proper comparison we would need to use rpmdev-vercmp in
# the rpmdevtools package which we don't want to force-install.  sort -V should
# be adequate for our needs here.
pkg_ver() (ver=$(rpm -q --qf '%{VERSION}\n' "$1") || return 2if [[ $(sort -V <<<"$ver"$'\n'"$2" | head -1) != "$2" ]]; thenreturn 1fireturn 0
)# Set up a temporary directory.
pre_setup () {if ! tmp_dir=$(mktemp -d) || [[ ! -d "$tmp_dir" ]]; thenexit_message "Error creating temp dir"fi# failglob makes pathname expansion fail if empty, dotglob adds files# starting with . to pathname expansionif ( shopt -s failglob dotglob; : "$tmp_dir"/* ) 2>/dev/null ; thenexit_message "Temp dir not empty"fi
}# Cleanup function gets rid of the temporary directory.
exit_clean () {if [[ -d "$tmp_dir" ]]; thenrm -rf "$tmp_dir"fiif [[ -f "$container_macros" ]]; thenrm -f "$container_macros"fi
}pre_check () {if [[ -e /etc/rhsm/ca/katello-server-ca.pem ]]; then
# shellcheck disable=SC2026exit_message \
'Migration from Katello-modified systems is not supported by migrate2rocky9. '\
'See the README file for details.'fiif [[ -e /etc/salt/minion.d/susemanager.conf ]]; then
# shellcheck disable=SC2026exit_message \
'Migration from Uyuni/SUSE Manager-modified systems is not supported by '\
'migrate2rocky9. See the README file for details.'fidnf -y check || exit_message \
'Errors found in dnf/rpm database.  Please correct before running '\
'migrate2rocky9.'# Get available space to compare to requirements.# If the stock kernel is not installed we don't require space in /bootif ! rpm -q --quiet kernel; then 
dir_space_map[/boot]=0filocal -a errs dirs=("${!dir_space_map[@]}")local dir mount avail i=0local -A mount_avail_map mount_space_mapwhile read -r mount avail; do 
if [[ $mount == 'Filesystem' ]]; thencontinue
fidir=${dirs[$((i++))]}mount_avail_map[$mount]=${avail%M}
(( mount_space_map[$mount]+=dir_space_map[$dir] ))done < <(df -BM --output=source,avail "${dirs[@]}")for mount in "${!mount_space_map[@]}"; do
(( avail = mount_avail_map[$mount]*95/100 ))
if (( avail < mount_space_map[$mount] )); thenerrs+=("Not enough space in $mount, ${mount_space_map[$mount]}M required, ${avail}M available.")
fidoneif (( ${#errs[@]} )); then
IFS=$'\n'
exit_message "${errs[*]}"fi
}# All of the binaries used by this script are available in a EL9 minimal install
# and are in /bin, so we should not encounter a system where the script doesn't
# work unless it's severely broken.  This is just a simple check that will cause
# the script to bail if any expected system utilities are missing.
bin_check() {# Check the platform.if [[ $(os-release PLATFORM_ID) != "$SUPPORTED_PLATFORM" ]]; then
# shellcheck disable=SC2026exit_message \
'This script must be run on an EL9 distribution.  Migration from other '\
'distributions is not supported.'filocal -a missing binsbins=(rpm dnf awk column tee tput mkdir cat arch sort uniq rmdir dfrm head curl sha512sum mktemp systemd-detect-virt sed grep)if [[ $update_efi ]]; thenbins+=(findmnt grub2-mkconfig efibootmgr mokutil lsblk)fifor bin in "${bins[@]}"; doif ! type "$bin" >/dev/null 2>&1; thenmissing+=("$bin")fidonelocal -A pkgspkgs=([dnf]=4.2[dnf-plugins-core]=0)for pkg in "${!pkgs[@]}"; dover=${pkgs[$pkg]}if ! pkg_ver "$pkg" "$ver"; then# shellcheck disable=SC2140exit_message \
"$pkg >= $ver is required for this script.  Please run "\
"\"dnf install $pkg; dnf update\" first."fidone;if (( ${#missing[@]} )); then
# shellcheck disable=SC2140exit_message \
"Commands not found: ${missing[*]}.  Possible bad PATH setting or corrupt "\
"installation."fi
}# This function will overwrite the repoquery_results associative array with the
# info for the resulting package.  Note that we explicitly disable the epel repo
# as a special-case below to avoid having the extras repository map to epel.
repoquery () {local name val prev resultresult=$(safednf -y -q "${dist_repourl_swaps[@]}" \
--setopt=epel.excludepkgs=epel-release repoquery -i "$1") ||exit_message "Failed to fetch info for package $1."if ! [[ $result ]]; then# We didn't match this package, the repo could be disabled.return 1fideclare -gA repoquery_results=()while IFS=" :" read -r name val; doif [[ -z $name ]]; thenrepoquery_results[$prev]+=" $val"elseprev=$namerepoquery_results[$name]=$valfidone <<<"$result"
}# This function will overwrite the repoinfo_results associative array with the
# info for the resulting repository.
_repoinfo () {local name val resultresult=$(
safednf -y -q --repo="$1" "${dist_repourl_swaps[@]}" repoinfo "$1") || returnif [[ $result == 'Total packages: 0' ]]; then# We didn't match this repo.return 1fideclare -gA repoinfo_results=()while IFS=" :" read -r name val; doif [[ ! ( $name || $val) ]]; thencontinuefiif [[ -z $name ]]; thenrepoinfo_results[$prev]+=" $val"elseprev=$namerepoinfo_results[$name]=$valfidone <<<"$result"# Set the enabled stateif [[ ! ${enabled_repo_check[$1]} ]]; then
repoinfo_results[Repo-status]=disabledfi# dnf repoinfo doesn't return the gpgkey, but we need that so we have to get# it from the repo file itself.# "end_of_file" is a hack here.  Since it is not a valid dnf setting we know# it won't appear in a .repo file on a line by itself, so it's safe to# search for the string to make the awk parser look all the way to the end# of the file.# shellcheck disable=SC2154repoinfo_results[Repo-gpgkey]=$(awk '$0=="['"${repoinfo_results[Repo-id]}"']",$0=="end_of_file" {if (l++ < 1) {next}else if (/^\[.*\]$/) {nextfile}else if (sub(/^gpgkey\s*=\s*file:\/\//,"")) {print; nextfile}else {next}}' < "${repoinfo_results[Repo-filename]}")# Add an indicator of whether this is a subscription-manager managed# repository.# shellcheck disable=SC2154repoinfo_results[Repo-managed]=$(awk 'BEGIN {FS="[)(]"}/^# Managed by \(.*\) subscription-manager$/ {print $2}' < "${repoinfo_results[Repo-filename]}")
}# We now store the repoinfo results in a cache.
declare -g -A repoinfo_results_cache=()
repoinfo () {local kif [[ ! ${repoinfo_results_cache[$1]} ]]; then
_repoinfo "$@" || return
repoinfo_results_cache[$1]=1
for k in "${!repoinfo_results[@]}"; dorepoinfo_results_cache[$1:$k]=${repoinfo_results[$k]}
doneelse
repoinfo_results=()
for k in "${!repoinfo_results_cache[@]}"; dolocal repo=${k%%:*} key=${k#*:}if [[ $repo != "$1" ]]; then
continuefirepoinfo_results[$key]=${repoinfo_results_cache[$k]}
donefi
}provides_pkg () (if [[ ! $1 ]]; thenreturn 0fiset -o pipefailprovides=$(
safednf -y -q "${dist_repourl_swaps[@]}" provides "$1" |
awk '{print $1; nextfile}') ||return 1set +o pipefailpkg=$(rpm -q --queryformat '%{NAME}\n' "$provides") ||pkg=$(
safednf -y -q "${dist_repourl_swaps[@]}" repoquery \--queryformat '%{NAME}\n' "$provides") || exit_message "Can't get package name for $provides."printf '%s\n' "$pkg"
)# If you pass an empty arg as one of the package specs to rpm it will match
# every package on the system.  This function simply strips out any empty args
# and passes the rest to rpm to avoid this side-effect.
saferpm () (args=()for a in "$@"; doif [[ $a ]]; thenargs+=("$a")fidonerpm "${args[@]}"
)# And a similar function for dnf
safednf () (args=()for a in "$@"; doif [[ $a ]]; thenargs+=("$a")fidonednf "${args[@]}"
)#
# Three ways we check the repourl.  If dnf repoinfo fails then we assume the URL
# is bad.  A missing URL is also considered bad.  Lastly we check to see if we
# can fetch the repomd.xml file from the repository, and if not then the repourl
# is considered bad.  In any of these cases we'll end up replacing the repourl
# with a good one from our mirror of CentOS vault.
#
check_repourl () {repoinfo "$1" || returnif [[ ! ${repoinfo_results[Repo-baseurl]} ]]; then
return 1filocal -a urls;IFS=, read -r -a urls <<<"${repoinfo_results[Repo-baseurl]}"local ufor u in "${urls[@]##*( )}"; do
curl -sfLI "${u%% *}repodata/repomd.xml" > /dev/null && returndonereturn "$(( $? ? $? : 1 ))"
}collect_system_info () {# Dump the DNF cache first so we start with a clean slate.infomsg $'\nRemoving dnf cache\n'rm -rf /var/cache/{yum,dnf}# Check the efi mount first, so we can bail before wasting time on all these# other checks if it's not there.if [[ $update_efi ]]; thenlocal efi_mount knamedeclare -g -a efi_disk efi_partitionefi_mount=$(findmnt --mountpoint /boot/efi --output SOURCE \--noheadings) ||exit_message "Can't find EFI mount.  No EFI  boot detected."kname=$(lsblk -dno kname "$efi_mount")efi_disk=("$(lsblk -dno pkname "/dev/$kname")")if [[ ${efi_disk[0]} ]]; thenefi_partition=("$(<"/sys/block/${efi_disk[0]}/$kname/partition")")else# This is likely an md-raid or other type of virtual disk, we need# to dig a little deeper to find the actual physical disks and# partitions.kname=$(lsblk -dno kname "$efi_mount")cd "/sys/block/$kname/slaves" || exit_message \
"Unable to gather EFI data: Can't cd to /sys/block/$kname/slaves."if ! (shopt -s failglob; : ./*) 2>/dev/null; thenexit_message \
"Unable to gather EFI data: No slaves found in /sys/block/$kname/slaves."fiefi_disk=()for d in *; doefi_disk+=("$(lsblk -dno pkname "/dev/$d")")efi_partition+=("$(<"$d/partition")")if [[ ! ${efi_disk[-1]} || ! ${efi_partition[-1]} ]]; thenexit_message \
"Unable to gather EFI data: Can't find disk name or partition number for $d."fidonecd -fi# We need to make sure that these packages are always installed in an# EFI system.always_install+=("shim-${cpu_arch_suffix_map[$ARCH]}""grub2-efi-${cpu_arch_suffix_map[$ARCH]}")fi# Don't enable these module streams, even if they are enabled in the source# distro.declare -g -a module_excludesmodule_excludes=()# Some OracleLinux modules have stream names of ol9 instead of rhel9 and ol# instead of rhel.  This is a map that does a glob match and replacement.local -A module_glob_mapmodule_glob_map=(['%:ol9']=:rhel9['%:ol']=:rhel);# We need to map rockylinux repository names to the equivalent repositories# in the source distro.  To do that we look for known packages in each# repository and see what repo they came from.  We need to use repoquery for# this which requires downloading the package, so we pick relatively small# packages for this.declare -g -A repo_map pkg_repo_mapdeclare -g -a managed_repospkg_repo_map=([baseos]=rootfiles.noarch[appstream]=apr-util-ldap.$ARCH[highavailability]=pacemaker-doc.noarch[crb]=python3-mpich.$ARCH[extras]=epel-release.noarch
#        [devel]=quota-devel.$ARCH)dist_id=$(os-release ID)# We need a different dist ID for CentOS Linux vs CentOS Streamif [[ $dist_id == centos ]] && rpm --quiet -q centos-stream-release; then
dist_id+=-streamfiPRETTY_NAME=$(os-release PRETTY_NAME)infomsg '%s' \"Preparing to migrate $PRETTY_NAME to Rocky Linux 9."$'\n\n'# Check to see if we need to change the repourl on any system repositorieslocal -A dist_repourl_mapdist_repourl_map=()# We need a list of enabled repositorieslocal -a enabled_repos=()declare -g -A enabled_repo_check=()declare -g -a dist_repourl_swaps=()readarray -s 1 -t enabled_repos < <(dnf -q -y repolist --enabled)for r in "${enabled_repos[@]}"; do
enabled_repo_check[${r%% *}]=1done# ...and finally set a number of dnf options to replace the baseurl of these# reposlocal kfor k in "${!dist_repourl_map[@]}"; do
local d=${k%%:*} r=${k#*:}
if [[ $d != "$dist_id" || ! ${enabled_repo_check[$r]} ]] ||check_repourl "$r"; thencontinue
fidist_repourl_swaps+=("--setopt=$r.mirrorlist=""--setopt=$r.metalink=""--setopt=$r.baseurl=""--setopt=$r.baseurl=${dist_repourl_map[$k]}"
)infomsg 'Baseurl for %s is invalid, setting to %s.\n' \"$r" "${dist_repourl_map[$k]}"doneinfomsg '%s' "Determining repository names for $PRETTY_NAME"for r in "${!pkg_repo_map[@]}"; doprintf '.'p=${pkg_repo_map[$r]}repoquery "$p" || continuerepo_map[$r]=${repoquery_results[Repository]}doneprintf '%s\n' '' '' \
"Found the following repositories which map from $PRETTY_NAME to Rocky Linux 9:"column -t -s $'\t' -N "$PRETTY_NAME,Rocky Linux 9" < <(for r in "${!repo_map[@]}"; doprintf '%s\t%s\n' "${repo_map[$r]}" "$r"done)infomsg $'\n'"Getting system package names for $PRETTY_NAME"# We don't know what the names of these packages are, we have to discover# them via various means. The most common means is to look for either a# distro-agnostic provides or a filename.  In a couple of cases we need to# jump through hoops to get a filename that is provided specifically by the# source distro.# Get info for each repository to determine which ones are subscription# managed.# system-release here is a bit of a hack, but it ensures that the# rocky-repos package will get installed.for r in "${!repo_map[@]}"; dorepoinfo "${repo_map[$r]}" ||exit_message "Failed to fetch info for repository ${repo_map[$r]}."if [[ $r == "baseos" ]]; thenlocal baseos_filename=system-releaseif [[ ! ${repoinfo_results[Repo-managed]} ]]; thenbaseos_filename="${repoinfo_results[Repo-filename]}"filocal baseos_gpgkey="${repoinfo_results[Repo-gpgkey]}"fiif [[ ${repoinfo_results[Repo-managed]} ]]; thenmanaged_repos+=("${repo_map[$r]}")fidone# First get info for the baseos reporepoinfo "${repo_map[baseos]}" ||exit_message "Failed to fetch info for repository ${repo_map[baseos]}."declare -g -A pkg_map provides_pkg_mapdeclare -g -a addl_provide_removes addl_pkg_removesprovides_pkg_map=([rocky-backgrounds]=system-backgrounds[rocky-indexhtml]=redhat-indexhtml[rocky-repos]="$baseos_filename"[rocky-logos]=system-logos[rocky-logos-httpd]=system-logos-httpd[rocky-logos-ipa]=system-logos-ipa[rocky-gpg-keys]="$baseos_gpgkey"[rocky-release]=system-release)addl_provide_removes=(redhat-releaseredhat-release-eula)# Check to make sure that we don't already have a full or partial# RockyLinux install.if [[ $(rpm -qa "${!provides_pkg_map[@]}") ]]; thenexit_message \
$'Found a full or partial RockyLinux install already in place.  Aborting\n'
$'because continuing with the migration could cause further damage to system.'fifor pkg in "${!provides_pkg_map[@]}"; doprintf '.'prov=${provides_pkg_map[$pkg]}pkg_map[$pkg]=$(provides_pkg "$prov") ||exit_message "Can't get package that provides $prov."donefor prov in "${addl_provide_removes[@]}"; doprintf '.'local pkg;pkg=$(provides_pkg "$prov") || continueaddl_pkg_removes+=("$pkg")done# shellcheck disable=SC2140printf '%s\n' '' '' \
"Found the following system packages which map from $PRETTY_NAME to Rocky "\
"Linux 9:"column -t -s $'\t' -N "$PRETTY_NAME,Rocky Linux 9" < <(for p in "${!pkg_map[@]}"; doprintf '%s\t%s\n' "${pkg_map[$p]}" "$p"done)infomsg $'\n'"Getting list of installed system packages."$'\n'readarray -t installed_packages < <(saferpm -qa --queryformat="%{NAME}\n" "${pkg_map[@]}")declare -g -A installed_pkg_check installed_pkg_mapfor p in "${installed_packages[@]}"; doinstalled_pkg_check[$p]=1donefor p in "${!pkg_map[@]}"; doif [[ ${pkg_map[$p]} && ${installed_pkg_check[${pkg_map[$p]}]} ]]; theninstalled_pkg_map[$p]=${pkg_map[$p]}fidone;# Special Handling for CentOS Stream Reposinstalled_sys_stream_repos_pkgs=()installed_stream_repos_pkgs=()for p in "${!stream_repos_pkgs[@]}"; doif [[ ${installed_pkg_map[$p]} &&${installed_pkg_map[$p]} == "${stream_repos_pkgs[$p]}" ]]then# System package that needs to be swapped / disabledinstalled_pkg_map[$p]=installed_sys_stream_repos_pkgs+=( "${stream_repos_pkgs[$p]}" )elif rpm --quiet -q "${stream_repos_pkgs[$p]}"; then# Non-system package, repos just need to be disabled.installed_stream_repos_pkgs+=( "${stream_repos_pkgs[$p]}" )fidone# shellcheck disable=SC2140printf '%s\n' '' \
"We will replace the following $PRETTY_NAME packages with their Rocky Linux 9 "\
"equivalents"column -t -s $'\t' -N "Packages to be Removed,Packages to be Installed" < <(for p in "${!installed_pkg_map[@]}"; doprintf '%s\t%s\n' "${installed_pkg_map[$p]}" "$p"done)if (( ${#installed_sys_stream_repos_pkgs[@]} )); then
# shellcheck disable=SC2026printf '%s\n' '' \
'Also to aid the transition from CentOS Stream the following packages will be '\
'removed from the rpm database but the included repos will be renamed and '\
'retained but disabled:' \"${installed_sys_stream_repos_pkgs[@]}"fiif (( ${#installed_stream_repos_pkgs[@]} )); then
# shellcheck disable=SC2026printf '%s\n' '' \
'Also to aid the transition from CentOS Stream the repos included in the '\
'following packages will be renamed and retained but disabled:' \"${installed_stream_repos_pkgs[@]}"fiif (( ${#addl_pkg_removes[@]} )); thenprintf '%s\n' '' \
"In addition to the above the following system packages will be removed:" \"${addl_pkg_removes[@]}"fi# Release packages that are part of SIG's should be listed below when they# are available.# UPDATE: We may or may not do something with SIG's here, it could just be# left as a separate exercise to swap out the sig repos.#sigs_to_swap=()infomsg '%s' $'\n' \$'Getting a list of enabled modules for the system repositories.\n'# Get a list of system enabled modules.readarray -t enabled_modules < <(set -e -o pipefailsafednf -y -q "${repo_map[@]/#/--repo=}" "${dist_repourl_swaps[@]}" \module list --enabled |awk '$1 == "@modulefailsafe", /^$/ {next}$1 == "Name", /^$/ {if ($1!="Name" && !/^$/) print $1":"$2}' | sort -uset +e +o pipefail)# Map the known module name differences.disable_modules=()local i gl repl modfor i in "${!enabled_modules[@]}"; domod=${enabled_modules[$i]}for gl in "${!module_glob_map[@]}"; dorepl=${module_glob_map[$gl]}mod=${mod/$gl/$repl}doneif [[ $mod != "${enabled_modules[$i]}" ]]; thendisable_modules+=("${enabled_modules[$i]}")enabled_modules[$i]=$modfidone# Remove entries matching any excluded modules.if (( ${#module_excludes[@]} )); thenprintf '%s\n' '' "Excluding modules:" "${module_excludes[@]}"local -A module_check='()'local -a tmparr='()'for m in "${module_excludes[@]}"; domodule_check[$m]=1donefor m in "${enabled_modules[@]}"; doif [[ ! ${module_check[$m]} ]]; thentmparr+=("$m")fidoneenabled_modules=("${tmparr[@]}")fiprintf '%s\n' '' "Found the following modules to re-enable at completion:" \"${enabled_modules[@]}" ''if (( ${#managed_repos[@]} )); then
# shellcheck disable=SC2026printf '%s\n' '' \
'In addition, since this system uses subscription-manager the following '\
'managed repos will be disabled:' \"${managed_repos[@]}"fi
}convert_info_dir=/root/convert
unset convert_to_rocky reinstall_all_rpms verify_all_rpms update_efi \container_macrosusage() {printf '%s\n' \"Usage: ${0##*/} [OPTIONS]" \'' \'Options:' \'-h Display this help' \'-r Convert to rocky' \'-V Verify switch' \'   !! USE WITH CAUTION !!'exit 1
} >&2generate_rpm_info() {mkdir -p "$convert_info_dir"infomsg  "Creating a list of RPMs installed: $1"$'\n'
# shellcheck disable=SC2140rpm -qa --qf \
"%{NAME}|%{VERSION}|%{RELEASE}|%{INSTALLTIME}|%{VENDOR}|%{BUILDTIME}|"\
"%{BUILDHOST}|%{SOURCERPM}|%{LICENSE}|%{PACKAGER}\n" |sort > "${convert_info_dir}/$HOSTNAME-rpm-list-$1.log"infomsg "Verifying RPMs installed against RPM database: $1"$'\n\n'rpm -Va | sort -k3 > \"${convert_info_dir}/$HOSTNAME-rpm-list-verified-$1.log"
}# Run a dnf update before the actual migration.
pre_update() {infomsg '%s\n' "Running dnf update before we attempt the migration."safednf -y "${dist_repourl_swaps[@]}" update || exit_message \
$'Error running pre-update.  Stopping now to avoid putting the system in an\n'\
$'unstable state.  Please correct the issues shown here and try again.'
}package_swaps() {# Save off any subscription-manager keys, just in case.if ( shopt -s failglob dotglob; : "$sm_ca_dir"/* ) 2>/dev/null ; thentmp_sm_ca_dir=$tmp_dir/sm-certsmkdir "$tmp_sm_ca_dir" ||exit_message "Could not create directory: $tmp_sm_ca_dir"cp -f -dR --preserve=all "$sm_ca_dir"/* "$tmp_sm_ca_dir/" ||exit_message "Could not copy certs to $tmp_sm_ca_dir"fi# prepare repo parameterslocal -a dnfparametersfor repo in "${!repo_urls[@]}"; dodnfparameters+=( "--repofrompath=${repo},${repo_urls[${repo}]}" )dnfparameters+=( "--setopt=${repo}.gpgcheck=1" )dnfparameters+=( "--setopt=${repo}.gpgkey=file://${gpg_key_file}" )done# CentOS Stream specific processingif (( ${#installed_stream_repos_pkgs[@]} ||${#installed_sys_stream_repos_pkgs[@]} )); then# Get a list of the repo files.local -a repos_filesreadarray -t repos_files < <(saferpm -ql "${installed_sys_stream_repos_pkgs[@]}" \"${installed_stream_repos_pkgs[@]}" |grep '^/etc/yum\.repos\.d/.\+\.repo$')if (( ${#installed_sys_stream_repos_pkgs[@]} )); then# Remove the package from the rpm db.saferpm -e --justdb --nodeps -a \"${installed_sys_stream_repos_pkgs[@]}" ||exit_message \
"Could not remove packages from the rpm db: ${installed_sys_stream_repos_pkgs[*]}"fi# Rename the stream repos with a prefix and fix the baseurl.# shellcheck disable=SC2016sed -i \-e 's/^\[/['"$stream_prefix"'/' \-e 's|^mirrorlist=|#mirrorlist=|' \-e 's|^#baseurl=http://mirror.centos.org/$contentdir/$stream/|baseurl=http://mirror.centos.org/centos/9-stream/|' \-e 's|^baseurl=http://vault.centos.org/$contentdir/$stream/|baseurl=https://vault.centos.org/centos/9-stream/|' \"${repos_files[@]}"fi# Use dnf shell to swap the system packages out.safednf -y shell --disablerepo=\* --noautoremove \
"${dist_repourl_swaps[@]}" \--setopt=protected_packages= --setopt=keepcache=True \"${dnfparameters[@]}" \<<EOFremove ${installed_pkg_map[@]} ${addl_pkg_removes[@]}install ${!installed_pkg_map[@]}runexit
EOF# rocky-repos and rocky-gpg-keys are now installed, so we don't need the# key file anymorerm -rf "$gpg_tmp_dir"# We need to check to make sure that all of the original system packages# have been removed and all of the new ones have been added. If a package# was supposed to be removed and one with the same name added back then# we're kind of screwed for this check, as we can't be certain, but all the# packages we're adding start with "rocky-*" so this really shouldn't happen# and we can safely not check for it.  The worst that will happen is a rocky# linux package will be removed and then installed again.local -a check_removed check_installedreadarray -t check_removed < <(saferpm -qa --qf '%{NAME}\n' "${installed_pkg_map[@]}" \"${addl_pkg_removes[@]}" | sort -u)if (( ${#check_removed[@]} )); theninfomsg '%s' $'\n' \"Packages found on system that should still be removed.  Forcibly" \" removing them with rpm:"$'\n'# Removed packages still found on the system.  Forcibly remove them.for pkg in "${check_removed[@]}"; do# Extra safety measure, skip if empty stringif [[ -z $pkg ]]; thencontinuefiprintf '%s\n' "$pkg"saferpm -e --allmatches --nodeps "$pkg" ||saferpm -e --allmatches --nodeps --noscripts --notriggers "$pkg"donefi# Check to make sure we installed everything we were supposed to.readarray -t check_installed < <({printf '%s\n' "${!installed_pkg_map[@]}" | sort -usaferpm -qa --qf '%{NAME}\n' "${!installed_pkg_map[@]}" | sort -u} | sort | uniq -u)if (( ${#check_installed[@]} )); theninfomsg '%s' $'\n' \"Some required packages were not installed by dnf.  Attempting to" \" force with rpm:"$'\n'# Get a list of rpm packages to package nameslocal -A rpm_maplocal -a file_listfor rpm in /var/cache/dnf/{rockybaseos,rockyappstream}-*/packages/*.rpmdorpm_map[$(rpm -q --qf '%{NAME}\n' --nodigest "$rpm" 2>/dev/null)]=$rpmdone# Attempt to install.for pkg in "${check_installed[@]}"; doprintf '%s\n' "$pkg"if ! rpm -i --force --nodeps --nodigest "${rpm_map[$pkg]}" \2>/dev/null; then# Try to install the package in just the db, then clean it up.rpm -i --force --justdb --nodeps --nodigest "${rpm_map[$pkg]}" \2>/dev/null# Get list of files that are still causing problems and donk# them.readarray -t file_list < <(rpm -V "$pkg" 2>/dev/null | awk '$1!="missing" {print $2}')for file in "${file_list[@]}"; dormdir "$file" ||rm -f "$file" ||rm -rf "$file"done# Now try re-installing the package to replace the missing# files.  Regardless of the outcome here we just accept it and# move on and hope for the best.rpm -i --reinstall --force --nodeps --nodigest \"${rpm_map[$pkg]}" 2>/dev/nullfidonefi# 运行前换源sed -e 's|^mirrorlist=|#mirrorlist=|g' \-e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \-i.bak \/etc/yum.repos.d/[Rr]ocky*.repo# Distrosyncinfomsg $'Ensuring repos are enabled before the package swap\n'safednf -y --enableplugin=config_manager config-manager \--set-enabled "${!repo_map[@]}" || {printf '%s\n' 'Repo name missing?'exit 25}if (( ${#managed_repos[@]} )); then# Filter the managed repos for ones still in the system.readarray -t managed_repos < <(safednf -y -q repolist "${managed_repos[@]}" |awk '$1!="repo" {print $1}')if (( ${#managed_repos[@]} )); theninfomsg $'\nDisabling subscription managed repos\n'safednf -y --enableplugin=config_manager config-manager \--disable "${managed_repos[@]}"fifiif (( ${#disable_modules[@]} )); theninfomsg $'Disabling modules\n\n'safednf -y module disable "${disable_modules[@]}" ||exit_message "Can't disable modules ${disable_modules[*]}"fiif (( ${#enabled_modules[@]} )); theninfomsg $'Enabling modules\n\n'safednf -y module enable "${enabled_modules[@]}" ||exit_message "Can't enable modules ${enabled_modules[*]}"fi# Make sure that excluded modules are disabled.if (( ${#module_excludes[@]} )); then
infomsg $'Disabling excluded modules\n\n'
safednf -y module disable "${module_excludes[@]}" ||exit_message "Can't disable modules ${module_excludes[*]}"fiinfomsg $'\nSyncing packages\n\n'dnf -y --allowerasing distro-sync ||exit_message "Error during distro-sync."# Disable Stream repos.if (( ${#installed_sys_stream_repos_pkgs[@]} ||${#installed_stream_repos_pkgs[@]} )); thendnf -y --enableplugin=config_manager config-manager --set-disabled \"$stream_prefix*" ||errmsg \
$'Failed to disable CentOS Stream repos, please check and disable manually.\n'if (( ${#stream_always_replace[@]} )) &&[[ $(saferpm -qa "${stream_always_replace[@]}") ]]; thensafednf -y distro-sync "${stream_always_replace[@]}" ||exit_message "Error during distro-sync."fiinfomsg $'\nCentOS Stream Migration Notes:\n\n'cat <<EOF
Because CentOS Stream leads RockyLinux by the next point release many packages
in Stream will have higher version numbers than those in RockyLinux, some will
even be rebased to a new upstream version.  Downgrading these packages to the
versions in RockyLinux carries the risk that the older version may not
recognize config files, data or other files generated by the newer version in
Stream.To avoid issues with this the newer package versions from CentOS Stream have
been retained.  Also the CentOS Stream repositories have been retained but
renamed with a prefix of "stream-" to avoid clashing with RockyLinux
repositories, but these same repos have also been disabled so that future
package installs will come from the stock RockyLinux repositories.If you do nothing except update to the next point release of RockyLinux when it
becomes available then the packages retained from Stream should be replaced at
that time.  If you need to update a package from Stream (eg: to fix a bug or
security issue) then you will need to enable the appropriate repository to do
so.
EOFfiif rpm --quiet -q subscription-manager; theninfomsg $'Subscription Manager found on system.\n\n'cat <<EOF
If you're converting from a subscription-managed distribution such as RHEL then
you may no longer need subscription-manager or dnf-plugin-subscription-manager.
While it won't hurt anything to have it on your system you may be able to safely
remove it with:"dnf remove subscription-manager dnf-plugin-subscription-manager".Take care that it doesn't remove something that you want to keep.The subscription-manager dnf plugin may be enabled for the benefit of
Subscription Management. If no longer desired, you can use
"subscription-manager config --rhsm.auto_enable_yum_plugins=0" to block this
behavior.
EOFfiif (( ${#always_install[@]} )); thensafednf -y install "${always_install[@]}" || exit_message \"Error installing required packages: ${always_install[*]}"fiif [[ $tmp_sm_ca_dir ]]; then# Check to see if there's Subscription Manager certs which have been# removedlocal -a removed_certsreadarray -t removed_certs < <((shopt -s nullglob dotgloblocal -a certscd "$sm_ca_dir" && certs=(*)cd "$tmp_sm_ca_dir" && certs+=(*)IFS=$'\n'printf '%s' "${certs[*]}") | sort | uniq -u)if (( ${#removed_certs[@]} )); thencp -n -dR --preserve=all "$tmp_sm_ca_dir"/* "$sm_ca_dir/" ||exit_message "Could not copy certs back to $sm_ca_dir"infomsg '%s' \$'Some Subscription Manager certificates ' \"were restored to $sm_ca_dir after"$'\n' \$'migration so that the subscription-manager ' \$'command will continue to work:\n\n'printf '%s\n' "${removed_certs[@]}" ''cat <<EOF
If you no longer need to use the subscription-manager command then you may
safely remove these files.
EOFfifi
}# Check if this system is running on EFI
# If yes, we'll need to run fix_efi() at the end of the conversion
efi_check () {# Check if we have /sys mounted and it is looking saneif ! [[ -d /sys/class/block ]]; thenexit_message "/sys is not accessible."fi# Now that we know /sys is reliable, use it to check if we are running on# EFI or notif systemd-detect-virt --quiet --container; thendeclare -g container_macroscontainer_macros=$(mktemp /etc/rpm/macros.zXXXXXX)printf '%s\n' '%_netsharedpath /sys:/proc' > "$container_macros"elif [[ -d /sys/firmware/efi/ ]]; thendeclare -g update_efiupdate_efi=truefi
}# Called to update the EFI boot.
fix_efi () (grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg ||exit_message "Error updating the grub config."for i in "${!efi_disk[@]}"; doefibootmgr -c -d "/dev/${efi_disk[$i]}" -p "${efi_partition[$i]}" \-L "Rocky Linux" -l "/EFI/rocky/shim${cpu_arch_suffix_map[$ARCH]}.efi" ||exit_message "Error updating uEFI firmware."done
)# Download and verify the Rocky Linux package signing key
establish_gpg_trust () {# create temp dir and verify it is really created and empty, so we are sure# deleting it afterwards won't cause any harmdeclare -g gpg_tmp_dirgpg_tmp_dir=$tmp_dir/gpgif ! mkdir "$gpg_tmp_dir" || [[ ! -d "$gpg_tmp_dir" ]]; thenexit_message "Error creating temp dir"fi# failglob makes pathname expansion fail if empty, dotglob adds files# starting with . to pathname expansionif ( shopt -s failglob dotglob; : "$gpg_tmp_dir"/* ) 2>/dev/null ; thenexit_message "Temp dir not empty"fi# extract the filename from the url, use the temp dir just createddeclare -g gpg_key_file="$gpg_tmp_dir/${gpg_key_url##*/}"if ! curl -L -o "$gpg_key_file" --silent --show-error "$gpg_key_url"; thenrm -rf "$gpg_tmp_dir"exit_message "Error downloading the Rocky Linux signing key."fiif ! sha512sum --quiet -c <<<"$gpg_key_sha512 $gpg_key_file"; thenrm -rf "$gpg_tmp_dir"exit_message "Error validating the signing key."fi
}## End actual worknoopts=0
while getopts "hrVR" option; do(( noopts++ ))case "$option" inh)usage;;r)convert_to_rocky=true;;V)verify_all_rpms=true;;*)errmsg $'Invalid switch\n'usage;;esac
done
if (( ! noopts )); thenusage
fipre_setup
trap exit_clean EXIT
pre_check
efi_check
bin_checkif [[ $verify_all_rpms ]]; thengenerate_rpm_info begin
fiif [[ $convert_to_rocky ]]; thencollect_system_infoestablish_gpg_trustpre_updatepackage_swaps
fiif [[ $verify_all_rpms && $convert_to_rocky ]]; thengenerate_rpm_info finishinfomsg $'You may review the following files:\n'printf '%s\n' "$convert_info_dir/$HOSTNAME-rpm-list-"*.log
fiif [[ $update_efi && $convert_to_rocky ]]; thenfix_efi
fiprintf '\n\n\n'
if [[ $convert_to_rocky ]]; theninfomsg $'\nDone, please reboot your system.\n'
fi
logmessage

4. 执行迁移

添加执行权限

chmod +x migrate2rocky.sh

开始迁移（使用-r参数指定Rocky Linux）

./migrate2rocky.sh -r

监控迁移过程（要打开新终端）

tail -f /var/log/migrate2rocky.log

迁移过程说明：

1. 系统将自动完成以下操作：

2. • 验证系统兼容性
   • 安装Rocky Linux GPG密钥
   • 替换核心软件包
   • 更新GRUB引导配置
   • 重建RPM数据库

3. 整个过程约需15-30分钟，取决于网络速度和系统配置

4. 出现 “Complete!” 提示表示迁移成功

5. 迁移后验证

检查系统版本

hostnamectl

验证关键软件包

rpm -qa | grep -E ‘rocky|release’

检查软件源

yum repolist

预期输出：

Operating System: Rocky Linux 9.x
Kernel: Linux 5.14.0-x86_64
Rocky packages: rocky-release, rocky-repos, rocky-gpg-keys
Enabled repos: rocky-baseos, rocky-appstream

6. 重启系统

安全重启reboot

重启后二次验证

uname -a

cat /etc/redhat-release