
Senior Vice President – Head of Platforms & Development
Senior DevOps Engineer & Consultant
In Part 1 of this series, we discussed why staying on Oracle Linux 7 (OL7) is no longer sustainable – especially if you want to apply ORDS 25.1 or later. Now, let’s talk about the "how."
In this post, we’ll walk through the upgrade process for the Oracle E-Business Suite Apps and DB Tier, using the leapp utility to move from OL7 to OL8 with minimal disruption. Note that this only applies to EBS DB tiers which are self-managed and "just" running on an Oracle compute node. Updating the operating system of DB tiers running on Oracle Cloud Database services works differently and will not be covered in this series.
This upgrade isn't just a "lift and shift." It’s a carefully coordinated operation with multiple parts: OS libraries, EBS tech stack components, customizations, and third-party agents.
Let’s break it down.
Pre-Upgrade Preparation: What to Know Before You Leapp
Oracle has certified in-place OS upgrades using leapp on EBS application and database tier nodes in the same way they do for general purpose servers (see Doc ID 1330701.1). That said, in real-world environments, many infrastructure teams have successfully used leapp on EBS app tier VMs – with proper precautions and testing.
Key Pre-checks
- Make sure your EBS installation is compatible with OL8 (see Doc ID 1330701.1).
- Apply the latest EBS Technology Stack patches. Pay special attention to WebLogic, Java, and Oracle HTTP Server updates. In our case, the following patches were missing. Since ETCC does not show them, make sure to apply them; in particular, apply 37913870 and 31090393 (WebLogic EG54) if you have not yet done so.
- Review any custom apps or third-party integrations for OS-level dependencies.
- Validate storage, snapshots, and rollback capabilities before proceeding.
Step-by-Step: Using leapp to Upgrade the Apps Tier
This guide provides a step-by-step process for upgrading your OS. Make sure you create several backups along the way. In a multi-node environment, these steps have to be performed on every application server node as well as on the database node.
1. (Eventually) Switch to OSMH
Before running leapp preupgrade, ensure you've switched from the legacy OS Management Service Agent to the newer OS Management Hub Agent, as the former has reached end of life (see https://docs.oracle.com/en-us/iaas/os-management/home.htm). This step is critical to maintain continued integration with Oracle Cloud Infrastructure (OCI) management services post-upgrade and continued OS upgrades.

Disable OSMS

And enable OSMH
Once switched, ensure that you add the leapp repository to OSMH.
Afterwards, make sure you restart Oracle Cloud Agent and wait until it is running.
sudo systemctl restart oracle-cloud-agent

OSMH shown as running
2. Install and Prepare leapp on OL7 App and DB Tier
sudo yum upgrade
sudo yum install -y leapp-upgrade
3. Before the upgrade
From this point onwards, you need to ensure your EBS managers and APEX are stopped.
Afterwards, uninstall the current version of your ORDS and remove other no longer needed packages. Some of them may be installed again at a later stage.
sudo yum remove ords
Then we need to remove old kernel versions:
rpm -qa | grep kernel-devel # select the old versions from the list
sudo yum -y remove <old kernels>
Next, comment out all NFS mounts from /etc/fstab. Those will be added back again after the upgrade.
Afterwards, enable root login. This is recommended when running EBS on OCI to ensure you still have access to the machine through the OCI Cloud Console.
sudo vi /etc/ssh/sshd_config # uncomment PermitRootLogin yes
Now restart the machine.
sudo reboot
4. Leapp Pre-Upgrade Checks
Now run the leapp pre-upgrade checks. This might fail a couple of times with an HTTP 429 error as it seems that the endpoints that leapp is using are rate limited. If you encounter an HTTP 429 error, simply try again.
Do not hesitate to run the command multiple times in succession.
sudo leapp preupgrade
This generates a report (/var/log/leapp/leapp-report.txt) listing:
- Unsupported drivers
- Conflicting packages
- Remediation steps
Carefully review and resolve every item flagged. Also, be sure to answer the questions in the report. In our case, we had to answer three questions like so:
sudo leapp answer --section remove_pam_pkcs11_module_check.confirm=True
sudo leapp answer --section os_management_hub_agent_check.confirm=True
sudo leapp answer --section osmh_post_check.confirm=True

leapp pre-upgrade report
Once there are no more inhibitors and you are sure that all other reported items are OK, continue with the next steps.
As the next step will be the upgrade itself, it is wise to create a backup now.
5. Execute the OS Upgrade
Run the upgrade command as follows. Again, this might fail a couple of times with an HTTP 429 error as it seems that the endpoints that leapp is using are rate limited. If you encounter an HTTP 429 error, simply try again. Do not hesitate to run the command multiple times in succession.
sudo leapp upgrade
This will:
- Download required packages
- Set up a new boot environment for OL8
- Schedule a reboot into the upgrade phase

leapp upgrade report
Once there are no more inhibitors and you are sure that all other reported items are OK, continue with the next steps.
To ensure access through the OCI Cloud Console in case of errors or simply to follow the upgrade process, set a root password for login.
sudo passwd # you are prompted to enter the password and confirm it
6. Reboot and Upgrade Automatically
sudo reboot
Your system will boot into a temporary upgrade OS environment where leapp completes the OL8 transition.
Now you can follow the process through OCI Cloud Console as ssh will be unavailable for a while. The upgrade can take up to 30 minutes.
Post-Upgrade: Validations, Cleanup, and Starting EBS
After the system reboots into OL8:
1. Validate OS-Level Services
Check that networking, mount points, and systemd services are functioning. Verify kernel version and key packages.
2. Perform Cleanup Operations
First, if your leapp report suggested setting a different alternative for Python, do so.
sudo alternatives --set python /usr/bin/python3
Then mount all external drives again and set SELINUX to enforcing.
sudo vi /etc/fstab # uncomment all lines from above again
sudo mount -a
sudo vi /etc/selinux/config # SELINUX=enforcing
Download the new dhclient script from Oracle to the following location.
/etc/dhcp/exit-hooks.d/dhclient-exit-hook-set-hostname.sh
Remove old MySQL packages if required by /var/log/leapp/leapp-report.txt.
sudo yum remove mysql-release-el8.x86_64 mysql-community-client-plugins.x86_64 postfix-mysql.x86_64
Upgrade your DNF config.
sudo nano /etc/dnf/dnf.conf
Comment out the following line.
#exclude=python2-leapp,snactor,leapp-upgrade-el7toel8,leap
Remove old OL7 packages.
rpm -qa | grep el7 # lists all OL7 packages which need to be removed
sudo yum remove <insert packages from previous command>
rpm -qa | grep el7 # should now be empty
Uninstall leapp.
rpm -qa | grep leap # lists all leapp packages to remove
sudo yum remove <insert leapp packages here>
rpm -qa | grep leap # should now be empty
sudo rm -rf /root/tmp_leapp_py3 # remove temporary leapp folder
Attach your machine to an OSMH OL8 group in OCI.

Upgraded instance re-attached to group (in this case OL8-Test)
Disable root login again and delete root password.
sudo vi /etc/ssh/sshd_config # comment out PermitRootLogin yes
sudo passwd -d root
Perform another reboot. After the reboot, wait until OSMH has run for the first time. OSMH runs approximately every 10 minutes, so it can take up to 10 minutes for it to run for the first time. Once OSMH has run, check the repolist.
sudo yum repolist
It should now only contain OL8 repositories. All OL7 repositories should have been removed by OSMH. Now perform another round of package updates and reboot the system afterwards.
sudo yum upgrade
The upgrade process should update the kernel to at least version 5.15. Verify the kernel version after rebooting the system.
uname -a # needs to print kernel version 5.15 at least
To ensure proper accessibility of your EBS, update the FirewallBackend from nftables to iptables. See Doc-ID 1330701.1.
sudo vi /etc/firewalld/firewalld.conf # FirewallBackend=iptables
sudo systemctl restart firewalld
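The checks below are an added example, not part of the original post: a POSIX shell audit confirming that the temporary changes made in this guide (root SSH login, commented-out NFS mounts) were reverted and that SELinux and the firewalld backend ended up as described above. The function names and the sample files are constructed for illustration; on a real host, pass the files under /etc instead.

```shell
#!/bin/sh
# Post-upgrade audit of the settings this guide changes along the way.
# File paths are arguments, so the checks can also run against copies.

# First uncommented PermitRootLogin value (sshd uses the first value it reads);
# prints "unset" if the keyword is absent. Match blocks are not evaluated.
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# Value of an uncommented KEY=value line in a simple config file.
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Number of fstab entries of type nfs/nfs4 that are still commented out.
commented_nfs_mounts() {
    awk '/^[ \t]*#/ { sub(/^[ \t]*#+[ \t]*/, "")
         if ($3 ~ /^nfs4?$/) n++ } END { print n + 0 }' "$1"
}

# Prints one line per deviation from the guide's end state; the return
# status is the number of findings (0 = clean).
audit_post_upgrade() {  # args: sshd_config selinux_config fstab firewalld.conf
    n=0
    v=$(sshd_root_login "$1")
    [ "$v" = "yes" ] && { echo "sshd: PermitRootLogin is still yes"; n=$((n+1)); }
    v=$(conf_value "$2" SELINUX)
    [ "$v" != "enforcing" ] && { echo "selinux: SELINUX=$v, expected enforcing"; n=$((n+1)); }
    v=$(commented_nfs_mounts "$3")
    [ "$v" -gt 0 ] && { echo "fstab: $v NFS mount(s) still commented out"; n=$((n+1)); }
    v=$(conf_value "$4" FirewallBackend)
    [ "$v" != "iptables" ] && { echo "firewalld: FirewallBackend=$v, expected iptables"; n=$((n+1)); }
    return "$n"
}

# Constructed sample: a host where the cleanup steps were skipped.
d=$(mktemp -d)
printf 'PermitRootLogin yes\n' > "$d/sshd_config"
printf 'SELINUX=permissive\n' > "$d/selinux"
printf '#fs01:/export/u01 /u01 nfs rw,hard 0 0\n' > "$d/fstab"
printf 'FirewallBackend=nftables\n' > "$d/firewalld.conf"
audit_post_upgrade "$d/sshd_config" "$d/selinux" "$d/fstab" "$d/firewalld.conf" \
    || echo "findings: $?"
rm -rf "$d"
```

The parser reads the files only; `sshd -T` on the host shows the configuration sshd actually applies, including Match blocks.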
3. Install new ORDS
Now install the latest ORDS on the apps tier.
sudo yum install ords
4. Re-link E-Business Suite Executables
Now you need to relink the executables after the OS upgrade.
. ~/setenv_run.sh
adadmin # enter EBS system and apps passwords
Select option 2 (Maintain Applications Files menu), then option 1 (Relink Applications programs). Select defaults for all prompts and exit once done.
5. Run cleanup-Patch
Run the cleanup122.sh script according to the README of Patch 35090694 (TECHP:Cleanup script to remove Ilog files in EBS R12.2 distribution).
6. Start EBS Services
Start your EBS services and APEX again and check that everything is running as expected.
Perform Application Health Checks
- Login to EBS home page.
- Launch key modules and verify form rendering (especially for Java and OA Framework).
- Monitor logs ($LOG_HOME, WebLogic domain logs) for errors or missing libraries.
Caveats & Lessons from the Field
There are several things that need to be done after a successful upgrade to OL8 to ensure EBS runs smoothly.
Leapp does not preserve third-party kernel modules or proprietary drivers. If you rely on those, you will need to reinstall OL8 compatible versions manually.
Additionally, the as yet unresolved bug 37954142 prevents administrators from cloning EBS after the upgrade when running /u01 on a shared NFS drive (in OCI managed through E-Business Suite Cloud Manager).
As a workaround, running the following command helps to complete the clone:
semanage fcontext -a -t nfs_t "/u01(/.*)?"
Summary: Your EBS Patch Future Depends on OL8
With Oracle tightening compatibility and tooling requirements in every quarterly CPU cycle, running EBS on OL8 is becoming table stakes. The leapp utility provides a practical, low-risk path for upgrading the application tier without rebuilding from scratch.
If you’re serious about staying secure, supportable, and compliant, there’s no time to wait.

