Comparing Amazon Linux 2 and Amazon Linux 2023
The following topics outline key differences between Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023).
Topics
- Added, upgraded, and removed packages
- Support for each release
- Naming and versioning changes
- Optimizations
- Python 2.7 has been replaced with Python 3
- Security updates
- Deterministic upgrades for stability
- Sourced from multiple upstreams
- AMI root file system and default Amazon EBS volume type
- Networking system service
- Task scheduling
- Packages for glibc, gcc, and binutils
- Package manager
- Logging system
- Package changes for curl and libcurl
- GNU Privacy Guard (GNUPG)
- Amazon Corretto as the default JVM
- AWS CLI v2
- UEFI Preferred
- SSH server default configuration changes
- Extra Packages for Enterprise Linux (EPEL)
- Using cloud-init
- Graphical desktop support
- Compiler Triplet
- 32bit x86 (i686) Packages
- Kernel configuration changes
- lsb_release and the system-lsb-core package
- Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 AMIs
- Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 Minimal AMIs
- Comparing packages installed on Amazon Linux 2 and Amazon Linux 2023 base container images
Added, upgraded, and removed packages
AL2023 contains thousands of software packages available for use. For a full list of all packages added, upgraded, or removed in AL2023 when compared to prior Amazon Linux versions, see Package changes in AL2023.
To request that a package be added or changed in AL2023, file an issue in the amazon-linux-2023 repo.
Support for each release
For AL2023, we offer five years of support.
For more information, see Release cadence.
Naming and versioning changes
AL2023 supports the same mechanisms that AL2 supports for platform identification. AL2023 also introduces new files for platform identification.
For more information, see Naming and versioning.
Optimizations
AL2023 optimizes boot time to reduce the time from instance launch to running the customer workload. These optimizations span the Amazon EC2 instance kernel configuration, cloud-init configurations, and features that are built into packages in the OS such as kmod and systemd.
For more information about optimizations, see Performance and operational optimizations.
Python 2.7 has been replaced with Python 3
AL2 provides support and security patches for Python 2.7 until June 2025, as part of our long-term support (LTS) commitment for AL2 core packages. This support extends beyond the upstream Python community declaration of Python 2.7 end-of-life of January 2020.
Amazon Linux 2 uses the yum package manager, which has a hard dependency on Python 2.7. In AL2023 the dnf package manager has migrated to Python 3, and no longer requires Python 2.7. AL2023 has completely moved to Python 3.
Note
AL2023 removed Python 2.7, so any OS components requiring Python are written to work with Python 3. To continue to use a version of Python provided by and supported by Amazon Linux, convert Python 2 code to Python 3.
For more information on Python on Amazon Linux, see Python in AL2023.
Security updates
SELinux
By default, Security Enhanced Linux (SELinux) for AL2023 is enabled and set to permissive mode. In permissive mode, permission denials are logged but not enforced.
SELinux is a security feature of the Amazon Linux kernel, which was disabled in AL2. SELinux is a collection of kernel features and utilities that provides a mandatory access control (MAC) architecture for the major subsystems of the kernel.
For more information, see Setting SELinux modes.
For more information about SELinux repositories, tools, and policies, see the SELinux Notebook.
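A way to review what permissive mode is logging before moving to enforcing mode, as an added example that is not part of this page or of AWS's tooling: it parses AVC denial records of the form the audit subsystem produces (the three sample lines are constructed) and counts which source domain, target type, class and permission each denial involves.

```python
import re
from collections import Counter

# Constructed sample of AVC records as they appear in the audit log (or via
# `ausearch -m AVC`) while SELinux is permissive: each denial is logged with
# permissive=1, but the access itself was allowed to proceed.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1321 comm="nginx" name="app.conf" dev="nvme0n1p1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1321 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1321 comm="nginx" name="app.conf" dev="nvme0n1p1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# scontext/tcontext are user:role:type[:level]; the third field is what the policy rules key on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?:[^:\s]+:){2}(?P<sdomain>[^:\s]+).*?'
    r'tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+).*?'
    r'tclass=(?P<tclass>\w+)(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_denials(log_text):
    """Yield one dict per AVC denial line; lines that are not AVC denials are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()  # a record may list several permissions
            yield d


def summarize_denials(log_text):
    """Count (source domain, target type, class, permission) tuples.

    In permissive mode these are exactly the accesses enforcing mode would
    block, so this summary is the work list to review before switching modes.
    """
    counts = Counter()
    for d in parse_denials(log_text):
        for perm in d["perms"]:
            counts[(d["sdomain"], d["ttype"], d["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AVC_LOG).most_common():
        print(n, *key)
```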
OpenSSL 3
AL2023 features the Open Secure Sockets Layer version 3 (OpenSSL 3) cryptography toolkit. AL2023 uses the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols. It also uses the required cryptography standards.
By default, AL2 comes with OpenSSL 1.0.2. You can build applications against OpenSSL 1.1.1.
For more information about OpenSSL, see the OpenSSL migration guide.
For more information about security, see Security updates and features.
IMDSv2
By default, any instances launched with the AL2023 AMI will require the use of IMDSv2 only, and your default hop limit will be set to 2 to allow for containerized workload support. This is done by setting the imds-support parameter to v2.0. For more information, see Configure the AMI in the Amazon EC2 User Guide for Linux Instances.
Note
The session token's time of validity can be anywhere between 1 second and 6 hours. The addresses to direct the API requests for IMDSv2 queries are the following:
- IPv4: 169.254.169.254
- IPv6: fd00:ec2::254
You can still manually override these settings and enable IMDSv1 using Instance Metadata option launch properties. You can also still use IAM controls to enforce different IMDS settings. For more information about setting up and using the Instance Metadata Service, see Use IMDSv2, Configure instance metadata options for new instances, and Modify instance metadata options for existing instances, in the Amazon EC2 User Guide for Linux Instances.
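The IMDSv2 token handshake described above, as an added example that is not AWS's code: it keeps the requested token lifetime inside the 1 second to 6 hour range, sends the PUT that obtains a session token and then the GET carrying the token header, and takes an injectable `opener` (an assumption of this example) so the flow can be exercised without an instance.

```python
import urllib.request

# Endpoints listed in the section above; use the IPv6 one on IPv6-only subnets.
IMDS_IPV4 = "http://169.254.169.254"
IMDS_IPV6 = "http://[fd00:ec2::254]"

# IMDSv2 accepts a session token TTL between 1 second and 6 hours (21600 s).
MIN_TTL, MAX_TTL = 1, 6 * 3600


def clamp_ttl(ttl_seconds):
    """Keep a requested token lifetime inside the range IMDSv2 accepts."""
    return max(MIN_TTL, min(MAX_TTL, int(ttl_seconds)))


def token_request(ttl_seconds=300, base=IMDS_IPV4):
    """Build the PUT that obtains a session token (the IMDSv2 handshake step)."""
    return urllib.request.Request(
        f"{base}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(clamp_ttl(ttl_seconds))},
    )


def metadata_request(path, token, base=IMDS_IPV4):
    """Build a GET for a metadata path; an IMDSv2-only instance rejects it without the token."""
    return urllib.request.Request(
        f"{base}/latest/meta-data/{path.lstrip('/')}",
        headers={"X-aws-ec2-metadata-token": token},
    )


def get_metadata(path, opener=urllib.request.urlopen, ttl_seconds=300, base=IMDS_IPV4):
    """Fetch one metadata value with a short-lived token.

    `opener` is injectable (assumption of this example) so the two-step flow
    can be tested with a fake transport instead of a live instance.
    """
    with opener(token_request(ttl_seconds, base), timeout=2) as resp:
        token = resp.read().decode()
    with opener(metadata_request(path, token, base), timeout=2) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(get_metadata("instance-id"))
```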
Removal of log4j hotpatch (log4j-cve-2021-44228-hotpatch)
Note
AL2023 doesn't ship with the log4j-cve-2021-44228-hotpatch package.
In response to CVE-2021-44228, the hotpatch was provided as a mitigation to allow time to patch log4j. The first General Availability (GA) release of AL2023 was 15 months after CVE-2021-44228.
Customers running their own log4j versions on Amazon Linux are advised to ensure they have updated to versions not affected by CVE-2021-44228.
AL2023 provides guidance on Updating Amazon Linux 2023 so that you can keep up to date with security patches. Security advisories are published on the Amazon Linux Security Center.
Deterministic upgrades for stability
With the deterministic upgrades through versioned repositories feature, every AL2023 Amazon Machine Image (AMI) by default is locked to a specific repository version. You can use deterministic upgrades to achieve greater consistency among package versions and updates. Each release, major or minor, includes a specific repository version.
New with AL2023, deterministic upgrading by default is enabled. This is an improvement over the manual, incremental method of locking that's used in AL2 and other earlier versions.
For more information, see Using Deterministic upgrades through versioned repository.
Sourced from multiple upstreams
AL2023 is RPM-based and includes components sourced from multiple versions of Fedora and other distributions, such as CentOS 9 Stream. The Amazon Linux kernel is sourced from the long-term support (LTS) releases directly from kernel.org, chosen independently from other distributions.
For more information, see Relationship to Fedora.
AMI root file system and default Amazon EBS volume type
The AL2023 AMI and AL2 both use the XFS file system on the root file system. For AL2023, the mkfs options for the root device file system are further optimized for Amazon EC2. AL2023 also supports a number of other file systems that you can use on other volumes to meet your specific requirements.
AL2023 AMIs use Amazon EBS gp3 volumes by default, whereas AL2 AMIs use Amazon EBS gp2 volumes by default. You can change the volume type when you launch an instance.
For more information about Amazon EBS volume types, see Amazon EBS General Purpose Volumes.
Networking system service
The systemd-networkd system service manages the network interfaces in AL2023. This is a change from AL2, which uses ISC dhclient or dhclient.
For more information, see Networking service.
Task scheduling
The cronie package was installed by default on the AL2 AMI, providing support for the traditional crontab way of scheduling periodic tasks. In AL2023, we use systemd timer units and cronie extensively.
Support for crontab is no longer provided by default, as cronie is not included by default on AL2023 AMIs. You can optionally install the cronie package to use classic cron jobs. We recommend that you migrate to systemd timers due to the added functionality provided by systemd.
Packages for glibc, gcc, and binutils
AL2023 includes many of the same core packages as AL2.
We updated the following three core toolchain packages for AL2023.
Package name | Amazon Linux 2 | AL2023 |
---|---|---|
glibc | 2.26 | 2.34 |
gcc | 7.3 | 11.3 |
binutils | 2.29 | 2.39 |
For more information, see Core toolchain packages glibc, gcc, binutils.
Package manager
The default software package management tool on AL2023 is DNF. DNF is the successor to YUM, the package management tool in AL2.
For more information, see Package management tool.
Logging system
In AL2023 the logging system package has changed from AL2. AL2023 doesn't install rsyslog by default, so the text based log files such as /var/log/messages that were available in AL2 aren't available by default. The default configuration for AL2023 is systemd-journal, which can be examined using journalctl. Although rsyslog is an optional package in AL2023, we recommend the new systemd based journalctl interface and related packages. For more information, see the journalctl documentation.
Package changes for curl and libcurl
AL2023 separates out the common protocols and functionality of the curl and libcurl packages into curl-minimal and libcurl-minimal. This reduces the disk, memory, and dependency footprint for most users, and is the default package for AL2023 AMIs and containers.
If the full functionality of curl is required, for example for gopher:// support, run the following commands to install the curl-full and libcurl-full packages.
$ dnf swap libcurl-minimal libcurl-full
$ dnf swap curl-minimal curl-full
GNU Privacy Guard (GNUPG)
AL2023 separates out minimal and complete functionality for the gnupg2 package into gnupg2-minimal and gnupg2-full packages. By default, only the gnupg2-minimal package is installed. This provides the minimal functionality required to verify the digital signatures on rpm packages.
For more functionality from gnupg2, such as the ability to download keys from a key server, ensure that the gnupg2-full package is installed. Run the following command to swap gnupg2-minimal for gnupg2-full.
$ dnf swap gnupg2-minimal gnupg2-full
Amazon Corretto as the default JVM
AL2023 ships with Amazon Corretto. Users coming from AL2 will be able to smoothly transition from the equivalent OpenJDK version on AL2 over to Amazon Corretto.
AWS CLI v2
AL2023 ships with AWS CLI version 2, while AL2 continues to ship with version 1 of the AWS CLI.
UEFI Preferred
By default, any instances launched with the AL2023 AMI on instance types that support UEFI firmware will launch in UEFI mode. This is done by setting the Boot Mode AMI parameter to uefi-preferred.
For more information, see Boot Modes in the Amazon EC2 User Guide for Linux Instances.
SSH server default configuration changes
For the AL2023 AMI, we changed the types of sshd host keys that we generate with the release. We also dropped some legacy key types to avoid generating them at launch time. Clients must support the rsa-sha2-256 and rsa-sha2-512 protocols or ssh-ed25519 with use of an ed25519 key. By default, ssh-rsa signatures are disabled.
Additionally, AL2023 configuration settings in the default sshd_config file contain UseDNS=no. This new setting means that DNS impairments are less likely to block your ability to establish ssh sessions with your instances. The tradeoff is that the "from=hostname.domain,hostname.domain" line entries in your authorized_keys files won't be resolved. Because sshd no longer attempts to resolve the DNS names, each comma separated hostname.domain value must be translated to a corresponding IP address.
For more information, see Default SSH server configuration.
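A check for the UseDNS=no tradeoff described above, as an added example that is not part of this page or of OpenSSH: it scans authorized_keys content (the sample keys and hosts are constructed placeholders) and reports every from= entry that still relies on a hostname pattern, which sshd on AL2023 will no longer resolve, so those keys silently stop matching until the pattern is rewritten as an address or CIDR block.

```python
import ipaddress
import re

# Constructed sample authorized_keys content; the key material is a placeholder.
SAMPLE_AUTHORIZED_KEYS = """\
from="bastion.example.internal,10.0.1.0/24" ssh-ed25519 AAAAC3PLACEHOLDERKEY1 ops@bastion
no-pty,from="203.0.113.7" ssh-ed25519 AAAAC3PLACEHOLDERKEY2 deploy@ci
ssh-ed25519 AAAAC3PLACEHOLDERKEY3 admin@laptop
from="*.corp.example" ssh-ed25519 AAAAC3PLACEHOLDERKEY4 legacy@corp
"""

# from= is one of the comma-separated options that may precede the key type.
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"')


def is_address_pattern(pattern):
    """True if sshd can match this from= pattern against the peer IP alone.

    Addresses, CIDR blocks and IPv4 wildcards (10.0.*) need no DNS; anything
    else is a hostname pattern, which requires the reverse lookup UseDNS=no skips.
    """
    candidate = pattern.lstrip("!")  # a leading '!' negates the pattern
    if re.fullmatch(r"[0-9.*?]+", candidate):
        return True
    try:
        if "/" in candidate:
            ipaddress.ip_network(candidate, strict=False)
        else:
            ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def find_hostname_restrictions(authorized_keys_text):
    """Return (line number, trailing comment, [hostname patterns]) for every key
    whose from= list contains a pattern that needs DNS to match."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        hostnames = [p for p in m.group(1).split(",") if not is_address_pattern(p)]
        if hostnames:
            findings.append((lineno, line.split()[-1], hostnames))
    return findings


if __name__ == "__main__":
    for lineno, comment, hosts in find_hostname_restrictions(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno} ({comment}): needs DNS for {', '.join(hosts)}")
```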
Extra Packages for Enterprise Linux (EPEL)
Extra Packages for Enterprise Linux (EPEL) is a project in the Fedora community with the objective of creating a large array of packages for enterprise-level Linux operating systems. The project has primarily produced RHEL and CentOS packages. AL2 features a high level of compatibility with CentOS 7. As a result, many EPEL7 packages work on AL2. However, AL2023 doesn't support EPEL or EPEL-like repositories.
Using cloud-init
In AL2023, cloud-init manages the package repository. By default, in earlier versions of Amazon Linux, cloud-init installed security updates. This isn't the default for AL2023. The new deterministic upgrading features for updating releasever at launch describe the AL2023 way to enable package updates at launch. For more information, see Managing packages and operating system updates and Deterministic upgrades for stability.
With AL2023, you can use cloud-init with SELinux. For more information, see Use cloud-init to enable enforcing mode.
cloud-init can load configuration content from remote locations using HTTP(S). In earlier versions of Amazon Linux, cloud-init doesn't alert you when remote resources are unavailable. In AL2023, an unavailable remote resource creates a fatal error and fails the cloud-init execution. This change in behavior from AL2 provides a safer "fail closed" default.
For more information, see Customized cloud-init and the cloud-init Documentation.
Graphical desktop support
AL2023 is cloud-centered and optimized for Amazon EC2 usage and currently does not include a graphical or desktop environment. To provide feedback on GitHub, see https://github.com/
Compiler Triplet
AL2023 sets the compiler triplet for GCC and LLVM to indicate that amazon is the vendor. Thus, the AL2 aarch64-redhat-linux-gcc becomes aarch64-amazon-linux-gcc on AL2023.
This should be completely transparent for users, and only possibly affects those who are building compilers on AL2023.
32bit x86 (i686) Packages
As part of the 2014.09 release of Amazon Linux 1 (AL1)
If you need to run 32-bit binaries on AL2023, it is possible to use the 32-bit user-space from AL2 inside an AL2 container running on top of AL2023.
Kernel configuration changes
AL2023 changes several kernel configuration options from AL2. For the overwhelming majority of users, this should be completely transparent and only visible through less disk space used by the kernel package.
Amazon Linux 2 | Amazon Linux 2023 |
---|---|
CONFIG_HZ=250 | CONFIG_HZ=100 |
CONFIG_NR_CPUS=8192 | CONFIG_NR_CPUS=512 |
Included ext3 and ext4 code | Uses ext4 codebase to read older ext3 and ext2 file systems |
Limited PANIC_ON settings | CONFIG_PANIC_ON_OOPS is now turned on for all hangs. |
CONFIG_LDISC_AUTOLOAD enabled | CONFIG_LDISC_AUTOLOAD is disabled, new line disciplines will not be auto-loaded. |
 | Removed CDROM support |
 | Removed PS2 support |
 | Removed support for NFS versions prior to NFSv3 |
 | Removed support for older CIFS versions |
 | Removed v4l2 support |
 | Removed support for unused arm64 platforms |
lsb_release and the system-lsb-core package
Historically, some software invoked the lsb_release command (provided in AL2 by the system-lsb-core package) to get information about the Linux distribution that it was being run on. The Linux Standards Base (LSB) introduced this command and Linux distributions adopted it. Linux distributions have evolved to use the simpler standard of holding this information in /etc/os-release and other related files. The os-release standard comes out of systemd.
For more information, see systemd os-release documentation.
AL2023 doesn't ship with the lsb_release command, and doesn't include the system-lsb-core package. Software should complete the transition to the os-release standard to maintain compatibility with Amazon Linux and other major Linux distributions.
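A replacement for the lsb_release call described above, as an added example that is not part of this page or of systemd: it parses the os-release format and returns the distribution ID and version (the embedded sample file content is constructed to match an AL2023 system, and the /etc and /usr/lib paths are the ones the os-release standard documents).

```python
import shlex

# Constructed sample of an AL2023 /etc/os-release, embedded so the example runs anywhere.
SAMPLE_OS_RELEASE = """\
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023"
"""


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines; values follow shell quoting rules."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines and comments are permitted by the format
        key, _, value = line.partition("=")
        parts = shlex.split(value)  # strips "..." / '...' and backslash escapes
        info[key.strip()] = parts[0] if parts else ""
    return info


def load_os_release(path="/etc/os-release"):
    """Read the live file; /usr/lib/os-release is the standard's documented fallback."""
    for candidate in (path, "/usr/lib/os-release"):
        try:
            with open(candidate, encoding="utf-8") as f:
                return parse_os_release(f.read())
        except FileNotFoundError:
            continue
    return {}


def describe(info):
    """The two fields software most often took from lsb_release: distributor and release."""
    return info.get("ID", "unknown"), info.get("VERSION_ID", "unknown")


def is_al2023(info):
    """AL2 reports ID=amzn with VERSION_ID=2; AL2023 reports VERSION_ID=2023."""
    return info.get("ID") == "amzn" and info.get("VERSION_ID") == "2023"


if __name__ == "__main__":
    print(describe(load_os_release() or parse_os_release(SAMPLE_OS_RELEASE)))
```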