SysWard
CentOS to Rocky Linux Migration: Patching Considerations
The end of CentOS as a stable, free RHEL downstream fundamentally changed Linux patching strategy for thousands of organizations. CentOS 7 reached end of life on June 30, 2024. CentOS 8 was already cut short when Red Hat shifted it to CentOS Stream in December 2021. If you are still running CentOS systems — and many organizations are — you are running unpatched infrastructure that accumulates vulnerabilities with every passing month.
Rocky Linux emerged as the most direct replacement: a community-driven, RHEL-compatible distribution that restores the stability and patching model that CentOS originally provided. But migration is not just swapping one OS for another. Your patching tools, repository configurations, automation scripts, and compliance processes all need updating. This guide covers the patching-specific considerations that determine whether your migration succeeds or creates new operational risks.
Planning a CentOS migration? Start with SysWard’s free tier to audit your current CentOS patch debt and track patching continuity through the migration to Rocky Linux.
The CentOS End-of-Life Landscape
Understanding the full timeline is critical for prioritizing migration work:
| Distribution | Status | EOL Date | Security Patches |
|---|---|---|---|
| CentOS 7 | End of life | June 30, 2024 | None available |
| CentOS 8 | End of life | December 31, 2021 | None available |
| CentOS Stream 8 | End of life | May 31, 2024 | None available |
| CentOS Stream 9 | Active (rolling) | ~2027 | Available but rolling release |
| Rocky Linux 8 | Active | May 31, 2029 | Full security support |
| Rocky Linux 9 | Active | May 31, 2032 | Full security support |
The critical point: Every CentOS 7 and CentOS 8 system in your environment has been accumulating unpatched vulnerabilities since its EOL date. These are not theoretical risks — CISA’s Known Exploited Vulnerabilities catalog regularly adds CVEs affecting RHEL/CentOS packages, and without repository access, you cannot patch them.
Migration Path Options
Organizations have several paths forward:
- Rocky Linux (most common): Bug-for-bug RHEL compatible, free, community governed
- AlmaLinux: Another RHEL-compatible option, backed by CloudLinux
- RHEL: Commercial subscription, direct from Red Hat
- CentOS Stream: Rolling release, ahead of RHEL (not a stable downstream)
- Ubuntu/Debian: Complete distribution family change
This guide focuses on the Rocky Linux path because it provides the closest operational continuity with CentOS.
Pre-Migration Patch Assessment
Before migrating, assess the current patch state of your CentOS systems. This baseline matters for compliance documentation and risk assessment.
Audit Current Patch Debt
# CentOS 7: Check last successful update
yum history list | head -20
# Check for any cached updates (even though repos are EOL)
yum check-update 2>/dev/null
# List all installed packages with versions
rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort
# Check kernel version
uname -r
# Count packages that would need security updates
# (Compare against Rocky Linux 8/9 package versions)
rpm -qa --queryformat '%{NAME}\n' | sort > /tmp/installed-packages.txt
Document Your Environment
Create a migration inventory for each CentOS system:
| Field | What to Capture |
|---|---|
| Hostname | Server identifier |
| CentOS Version | 7.x or 8.x |
| Kernel Version | uname -r |
| Custom Repos | /etc/yum.repos.d/ contents |
| Third-Party Packages | Packages not from CentOS base repos |
| Custom Kernel Modules | lsmod output, DKMS packages |
| SELinux Status | getenforce |
| Firewall Rules | iptables-save or firewall-cmd --list-all |
| Cron Jobs | /etc/crontab, /var/spool/cron/ |
| Services | systemctl list-unit-files --state=enabled |
This inventory becomes your validation checklist after migration.
Migration Execution: CentOS to Rocky Linux
In-Place Migration with migrate2rocky
Rocky Linux provides an official migration script that converts a CentOS installation in place:
# Download the migration script
curl -O https://raw.githubusercontent.com/rocky-linux/rocky-tools/main/migrate2rocky/migrate2rocky.sh
# Make it executable
chmod +x migrate2rocky.sh
# Run the migration (CentOS 8 to Rocky Linux 8)
sudo bash migrate2rocky.sh -r
# After completion, verify
cat /etc/os-release
rpm -qa | grep rocky
In-place migration caveats:
- Works reliably for CentOS 8 to Rocky Linux 8
- CentOS 7 to Rocky Linux 8 is not supported in-place (requires fresh install or intermediate steps)
- Third-party packages may need manual intervention
- Custom kernel modules may need rebuilding
- Test on a non-production system first
Fresh Installation Approach
For CentOS 7 systems or environments where you want a clean slate:
- Provision new Rocky Linux 9 server alongside the existing CentOS system
- Install application stack using your configuration management (Ansible, Puppet, etc.)
- Migrate data from CentOS to Rocky Linux
- Validate functionality with your test suite
- Switch traffic from CentOS to Rocky Linux
- Decommission the CentOS system
This approach is more work but produces a cleaner result, especially for the CentOS 7 to Rocky Linux 9 jump that spans two major versions.
Handling CentOS 7 Specifically
CentOS 7 presents unique challenges because it uses older tooling:
| Component | CentOS 7 | Rocky Linux 8⁄9 |
|---|---|---|
| Package Manager | yum (yum 3.x) | dnf (yum 4.x symlink) |
| Init System | systemd (older) | systemd (current) |
| Python | 2.7 default | 3.6+ / 3.9+ |
| OpenSSL | 1.0.2 | 1.1.1 / 3.0 |
| Kernel | 3.10 | 4.18 / 5.14 |
| Firewall | firewalld / iptables | firewalld (nftables backend) |
Applications built for CentOS 7 may need updates to work with the newer library versions in Rocky Linux 8 or 9. Plan for application testing time in your migration schedule.
Patching Differences: CentOS vs Rocky Linux
DNF vs YUM
Rocky Linux 8 and 9 use dnf as the primary package manager. The yum command still exists as a symlink to dnf for compatibility, but your automation should transition to dnf commands:
# YUM (CentOS 7 style) → DNF (Rocky Linux style)
# Update package metadata
yum check-update → dnf check-update
yum makecache → dnf makecache
# Install updates
yum update -y → dnf update -y
yum update --security → dnf update --security
# Package information
yum info <package> → dnf info <package>
yum list installed → dnf list installed
# Repository management
yum repolist → dnf repolist
yum-config-manager → dnf config-manager
# History and rollback
yum history → dnf history
yum history undo <id> → dnf history undo <id>
Key behavioral differences:
dnfhas better dependency resolution and is significantly fasterdnfuses module streams for packages with multiple versions (e.g., PHP 7.4 vs 8.1)dnfautomatic plugin replacesyum-cronfor automated updatesdnfhas built-in--securityflag support without additional plugins
Repository Structure
Rocky Linux repositories mirror the RHEL structure but with Rocky Linux-specific packages:
# List enabled repositories
dnf repolist
# Typical Rocky Linux 9 repositories
# rocky-baseos - Base operating system packages
# rocky-appstream - Application packages with module streams
# rocky-extras - Additional packages
# rocky-crb - CodeReady Builder (development packages)
Security advisory tracking: Rocky Linux publishes security advisories (RLSA) that correspond to RHEL security advisories (RHSA). Your vulnerability scanning tools need to recognize RLSA identifiers.
# List available security updates
dnf updateinfo list security
# Show details about a specific advisory
dnf updateinfo info RLSA-2026:1234
# Apply only security updates
dnf update --security -y
# Check for critical/important updates only
dnf updateinfo list security --severity=Critical
dnf updateinfo list security --severity=Important
Automated Patching with DNF Automatic
Rocky Linux uses dnf-automatic instead of CentOS 7’s yum-cron:
# Install dnf-automatic
sudo dnf install dnf-automatic
# Configure: /etc/dnf/automatic.conf
[commands]
upgrade_type = security # Only security updates
apply_updates = yes # Actually install them
download_updates = yes
[emitters]
emit_via = email,stdio
[email]
email_from = [email protected]
email_to = [email protected]
email_host = localhost
# Enable the timer
sudo systemctl enable --now dnf-automatic-install.timer
# Verify timer is active
systemctl status dnf-automatic-install.timer
SysWard supports both CentOS and Rocky Linux patching from a single dashboard, making it straightforward to manage mixed environments during migration. You can track which servers have been migrated and monitor patching compliance on both distributions simultaneously.
Post-Migration Patching Strategy
Immediate Post-Migration Tasks
After migrating each server, validate the patching infrastructure:
# 1. Verify all Rocky Linux repos are active
dnf repolist -v
# 2. Confirm no CentOS repos remain
ls /etc/yum.repos.d/ | grep -i centos
# 3. Run a full update to catch up
sudo dnf update -y
# 4. Verify GPG keys are correct
rpm -qa gpg-pubkey*
# 5. Install and enable automatic security updates
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer
# 6. Verify SELinux is enforcing
getenforce
# 7. Check for packages that need attention
dnf list extras # Packages not in any repo (leftover CentOS packages)
Cleaning Up CentOS Artifacts
After migration, remove CentOS-specific packages and configurations:
# Find remaining CentOS-branded packages
rpm -qa | grep -i centos
# Remove CentOS release packages (should be replaced by rocky-release)
# Verify first:
rpm -qa | grep -E "centos-(release|logos|gpg)"
# Remove old CentOS repo files if any remain
ls /etc/yum.repos.d/*.rpmsave
Module Stream Configuration
Rocky Linux 8 and 9 use module streams, which CentOS 7 did not have. After migration, verify your module stream selections:
# List all module streams
dnf module list
# Check enabled streams
dnf module list --enabled
# Example: ensure PHP 8.1 stream is active
dnf module enable php:8.1
dnf module install php:8.1
# Reset a module stream
dnf module reset php
Module streams affect which package versions receive security updates. An unselected or incorrectly configured module stream can result in missed security patches.
Managing Mixed CentOS and Rocky Linux Environments
During migration, you will have both CentOS and Rocky Linux systems. This transitional period requires careful management.
Unified Patching Dashboard
Track both distributions from a single pane of glass. Key metrics to monitor:
- Number of remaining CentOS systems (should trend to zero)
- Patch compliance on Rocky Linux systems (should meet SLAs from day one)
- Outstanding vulnerabilities by distribution
- Migration completion percentage by environment (dev, staging, prod)
SysWard’s vulnerability management provides this unified view, supporting CentOS 7, CentOS 8, Rocky Linux 8, and Rocky Linux 9 simultaneously.
Automation Script Compatibility
Update your patching automation to handle both distributions:
#!/bin/bash
# Distribution-aware patching script
OS_ID=$(grep "^ID=" /etc/os-release | cut -d= -f2 | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | cut -d= -f2 | tr -d '"')
case "$OS_ID" in
centos)
if [[ "$OS_VERSION" == 7* ]]; then
echo "WARNING: CentOS 7 is EOL. Schedule migration immediately."
# Attempt update from vault repos (limited)
yum update -y 2>/dev/null
else
echo "WARNING: CentOS 8 is EOL. Schedule migration immediately."
dnf update -y 2>/dev/null
fi
;;
rocky)
echo "Applying security updates to Rocky Linux $OS_VERSION"
dnf update --security -y
;;
*)
echo "Unsupported distribution: $OS_ID"
exit 1
;;
esac
# Check for reboot requirement
if [ -f /var/run/needs-restarting ] || needs-restarting -r &>/dev/null; then
echo "REBOOT REQUIRED"
fi
Migration Timeline and Planning
Recommended Migration Schedule
| Phase | Duration | Activities |
|---|---|---|
| Assessment | 1-2 weeks | Inventory all CentOS systems, document applications, identify dependencies |
| Proof of Concept | 2-3 weeks | Migrate 1-2 non-critical dev servers, validate application compatibility |
| Development/Staging | 2-4 weeks | Migrate all non-production environments, update CI/CD pipelines |
| Production (non-critical) | 2-4 weeks | Migrate production servers with low blast radius, phased rollout |
| Production (critical) | 2-4 weeks | Migrate critical production systems with full rollback plans |
| Cleanup | 1-2 weeks | Decommission all CentOS systems, update documentation, audit compliance |
Total estimated timeline: 10-17 weeks for a medium-sized environment (50-200 servers).
Risk Mitigation Checklist
- [ ] Full backup of every CentOS system before migration
- [ ] Application compatibility testing on Rocky Linux completed
- [ ] Configuration management updated to support Rocky Linux
- [ ] Monitoring and alerting updated to recognize Rocky Linux systems
- [ ] Patching automation updated for dnf commands
- [ ] Security scanning tools configured for Rocky Linux advisories (RLSA)
- [ ] Rollback procedure documented and tested for each server class
- [ ] Compliance documentation updated to reflect new distribution
- [ ] Third-party vendor support confirmed for Rocky Linux
- [ ] DNS, load balancer, and service discovery updated as needed
RHEL Compatibility and Upstream Considerations
Rocky Linux tracks RHEL releases closely, typically releasing updates within days of RHEL. This has implications for your patching timeline:
- RHEL publishes a security advisory (RHSA)
- Rocky Linux rebuilds and tests the packages (typically 24-72 hours)
- Rocky Linux publishes a corresponding advisory (RLSA)
- Packages appear in Rocky Linux repositories
This lag means Rocky Linux security patches are typically available within 1-3 days of RHEL patches. For most organizations, this delay is negligible. If your compliance requirements demand same-day patches, you may need RHEL subscriptions for your most critical systems.
Also note that Red Hat patching through SysWard is supported alongside Rocky Linux, so you can manage both commercial RHEL subscriptions and Rocky Linux systems from a single platform.
Frequently Asked Questions
Can I migrate directly from CentOS 7 to Rocky Linux 9? There is no supported in-place migration from CentOS 7 to Rocky Linux 9. You need either a fresh installation of Rocky Linux 9 or a two-step migration (CentOS 7 to Rocky Linux 8, then Rocky Linux 8 to Rocky Linux 9). For most environments, a fresh install with configuration management redeployment is the cleanest approach.
Will my CentOS 7 RPM packages work on Rocky Linux 8 or 9? Packages built for CentOS 7 (EL7) will generally not work on Rocky Linux 8 or 9 due to different library versions, Python version changes, and other system-level differences. You need packages built for EL8 or EL9 respectively. Most upstream projects provide appropriate packages for each major version.
How does Rocky Linux handle security advisory tracking differently from CentOS? Rocky Linux publishes RLSA (Rocky Linux Security Advisories) that map 1:1 to RHEL’s RHSA advisories. The advisory format, severity classification, and CVSS scoring are identical. Your vulnerability scanning tools need to be updated to parse RLSA identifiers, but the substance is the same.
Should I use CentOS Stream instead of Rocky Linux? CentOS Stream is a rolling release that sits ahead of RHEL, meaning it receives changes before they are validated in a RHEL release. It is suitable for development and testing but not recommended for production servers that need the stability and predictable patching cadence of a point release distribution.
How do I handle EPEL packages during migration?
EPEL (Extra Packages for Enterprise Linux) supports Rocky Linux. After migration, install the Rocky Linux version of EPEL: dnf install epel-release. Packages from EPEL should work identically on Rocky Linux as they did on CentOS, since they target the same EL major version.
Does SysWard support both CentOS and Rocky Linux during the migration period? Yes. SysWard supports CentOS 7, CentOS 8, Rocky Linux 8, and Rocky Linux 9 simultaneously. You can track migration progress, monitor patch compliance on both distributions, and generate audit reports that cover your entire mixed environment from a single dashboard.
Next Steps
Every day your CentOS systems remain unpatched increases your exposure to known vulnerabilities. Start your migration assessment today by auditing what you are running, identifying the highest-risk systems, and building your migration timeline.
Get started with SysWard’s free tier to get immediate visibility into your CentOS patch debt and track your Rocky Linux migration progress. SysWard supports CentOS, Rocky Linux, RHEL, and all major Linux distributions, giving you a single platform for patching across your entire infrastructure — before, during, and after migration.
Related Articles
Self-Hosted vs Cloud Patch Management: Pros and Cons
Should you run patch management on-premises or in the cloud? We break down the security, cost, compliance, and operational trade-offs of each approach.
Ubuntu Server Patching: Complete Automation Guide
Master Ubuntu server patching automation with unattended-upgrades, kernel livepatch, LTS lifecycle planning, and fleet-wide orchestration strategies.
How to Automate Linux Server Patching
Manual patching doesn't scale. Learn proven automation strategies for Linux server patching including staged rollouts, testing pipelines, and continuous monitoring.