Comparing Amazon Linux 2 and Amazon Linux 2023
The following outlines key differences between Amazon Linux 2 and Amazon Linux 2023.
Topics
- Support for each release
- Naming and versioning changes
- Optimizations
- Security updates
- Deterministic upgrades for stability
- Built on Fedora
- AMI root filesystem
- Networking system service
- Packages for glibc, gcc, and binutils
- Package manager
- SSH server default configuration changes
- Extra Packages for Enterprise Linux (EPEL)
- Using cloud-init
Support for each release
For Amazon Linux 2023 (AL2023), we offer five years of support.
For more information, see Release cadence.
Naming and versioning changes
AL2023 supports the same mechanisms that Amazon Linux 2 supports for platform identification. AL2023 also introduces new files for platform identification.
For more information, see Naming and versioning.
Optimizations
AL2023 optimizes boot time to reduce the time from instance launch to running the customer workload. These optimizations span the Amazon EC2 instance kernel configuration, cloud-init configurations, and features that are built into packages in the OS such as kmod and systemd.
For more information about optimizations, see Performance and operational optimizations.
Security updates
SELinux
By default, Security Enhanced Linux (SELinux) for AL2023 is enabled and set to permissive mode. In permissive mode, permission denials are logged but not enforced.
SELinux is a security feature of the Amazon Linux kernel, which was disabled in Amazon Linux 2. SELinux is a collection of kernel features and utilities that provides a mandatory access control (MAC) architecture across the major subsystems of the kernel.
For more information, see Setting SELinux modes.
For more information about SELinux repositories, tools, and policies, see the SELinux Notebook.
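Because the AL2023 default is permissive mode, denials are only logged, so the practical next step is to review what the audit log recorded before switching to enforcing. The following is an added example, not code from the AL2023 documentation or from AWS: it parses audit-log AVC records into a per-domain summary and flags which accesses would start failing under enforcing mode. The log lines are constructed for the example; on a real host the records come from the audit log (the path /var/log/audit/audit.log is an assumption, and the domain and type names in the sample are illustrative).

```python
"""Summarize SELinux AVC denials logged while a host runs in permissive mode.

Added example (not from the AL2023 documentation). Parses audit-log AVC records
into a per-domain summary so denials can be reviewed before enabling enforcing
mode. The sample records below are constructed; on a real host they are read
from the audit log (assumed path: /var/log/audit/audit.log).
"""
import re
from collections import Counter

# Constructed AVC records in the format written by the kernel audit subsystem.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="nvme0n1p1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="nvme0n1p1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.250:203): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1700000000.900:204): avc:  denied  { write } for  pid=1402 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def type_of(context):
    """Extract the type field (third component) from user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(audit_text):
    """Group AVC denials by (comm, source type, target type, class, permissions).

    Returns a list of (key, count, would_block_in_enforcing) sorted by count
    descending. would_block_in_enforcing is True when every matching record was
    logged with permissive=1: the access currently succeeds only because of
    permissive mode and would be refused once enforcing mode is enabled."""
    counts = Counter()
    permissive_only = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        counts[key] += 1
        permissive_only[key] = permissive_only.get(key, True) and rec["permissive"]
    return sorted(((k, c, permissive_only[k]) for k, c in counts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for key, count, would_block in summarize_denials(SAMPLE_AUDIT_LOG):
        comm, stype, ttype, tclass, perms = key
        flag = "  [would be blocked in enforcing mode]" if would_block else ""
        print(f"{count:3d}  {comm:<8} {stype} -> {ttype} ({tclass}: {' '.join(perms)}){flag}")
```

The summary keys on the SELinux type of the source and target contexts rather than on the raw record, so repeated denials of the same access collapse into one row; that is the unit a policy fix (a boolean, a file-context change, or a local module) is written against. Records with permissive=0 are already being enforced and are reported without the flag.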
OpenSSL 3
AL2023 features the Open Secure Sockets Layer version 3 (OpenSSL 3) cryptography toolkit. AL2023 uses the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols. It also uses the required cryptography standards.
By default, Amazon Linux 2 comes with OpenSSL 1.0.2. You can build applications against OpenSSL 1.1.1.
For more information about OpenSSL, see the OpenSSL migration guide.
For more information about security, see Security updates and features.
IMDSv2
By default, any instance launched from the AL2023 AMI requires IMDSv2 only, and the default hop limit is set to 2 to support containerized workloads. This is done by setting the imds-support parameter to v2.0. For more information, see Configure the AMI in the Amazon EC2 User Guide for Linux Instances.
The session token's validity period can be anywhere between 1 second and 6 hours. IMDSv2 API requests are directed to the following addresses:
- IPv4: 169.254.169.254
- IPv6: fd00:ec2::254
You can still manually override these settings and enable IMDSv1 using Instance Metadata option launch properties. You can also still use IAM controls to enforce different IMDS settings. For more information about setting up and using the Instance Metadata Service, see Use IMDSv2, Configure instance metadata options for new instances, and Modify instance metadata options for existing instances, in the Amazon EC2 User Guide for Linux Instances.
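The IMDSv2 exchange the section describes has two steps: a PUT to the token endpoint carrying the requested session TTL, then GETs that present the token in a header. The following is an added example, not code from the AL2023 documentation or from AWS: a small local stand-in for the metadata service enforces the IMDSv2-only behaviour (no metadata without a valid token, TTL limited to 1 second through 6 hours), and a client runs the exchange against it. The loopback address and port, the metadata paths and values served, and the token format are assumptions of this example; on a real instance the service is reached at 169.254.169.254 or fd00:ec2::254. The hop limit is a TTL on the response's IP packets and is not modelled here.

```python
"""IMDSv2 token exchange against a local stand-in for the Instance Metadata Service.

Added example (not from the AL2023 documentation or AWS code). The mock server
below is constructed for the example and enforces the IMDSv2-only rules the
page describes; the real service listens on 169.254.169.254 / fd00:ec2::254.
"""
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MIN_TTL, MAX_TTL = 1, 6 * 60 * 60  # 1 second to 6 hours, as the page states

# Constructed metadata for the mock; real values come from the instance.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789example",
    "/latest/meta-data/placement/region": "us-east-1",
}


class MockIMDSv2(http.server.BaseHTTPRequestHandler):
    """Serves metadata only to callers presenting an unexpired session token."""
    tokens = {}  # token -> expiry (monotonic seconds), shared across requests

    def log_message(self, *_):  # keep the example quiet
        pass

    def do_PUT(self):
        # Step 1: token issuance. The TTL header is mandatory and range-checked.
        if self.path != TOKEN_PATH:
            return self._reply(404, b"not found")
        try:
            ttl = int(self.headers.get(TTL_HEADER, ""))
        except ValueError:
            return self._reply(400, b"missing or invalid TTL header")
        if not MIN_TTL <= ttl <= MAX_TTL:
            return self._reply(400, b"TTL out of range")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.monotonic() + ttl
        self._reply(200, token.encode())

    def do_GET(self):
        # Step 2: IMDSv2-only means a GET without a valid token is refused.
        token = self.headers.get(TOKEN_HEADER)
        expiry = self.tokens.get(token)
        if expiry is None or expiry < time.monotonic():
            return self._reply(401, b"unauthorized")
        body = FAKE_METADATA.get(self.path)
        if body is None:
            return self._reply(404, b"not found")
        self._reply(200, body.encode())

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_imds():
    """Start the mock on an ephemeral loopback port; returns (base_url, server)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def get_token(base_url, ttl_seconds):
    """PUT the token endpoint with the desired session TTL; returns the token."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base_url, path, token=None):
    """GET a metadata path; returns (status, body). The token is optional so a
    caller can observe the 401 that IMDSv2-only mode returns without one."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run the exchange: tokenless GET, token request, authenticated GET, bad TTL."""
    base_url, server = start_mock_imds()
    try:
        unauth = get_metadata(base_url, "/latest/meta-data/instance-id")
        token = get_token(base_url, ttl_seconds=MAX_TTL)  # 6 hours, the maximum
        auth = get_metadata(base_url, "/latest/meta-data/instance-id", token)
        try:
            get_token(base_url, ttl_seconds=0)  # below the 1-second minimum
            bad_ttl_status = 200
        except urllib.error.HTTPError as err:
            bad_ttl_status = err.code
        return unauth, auth, bad_ttl_status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The point of the PUT-then-GET shape is that the token request is a PUT with a custom header, which ordinary redirect-following or proxied GET requests do not issue, so an application that can only be coaxed into plain GETs cannot obtain metadata. Choosing a short TTL narrows how long a leaked token remains usable; the maximum is the 6 hours the page gives.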
Deterministic upgrades for stability
With the deterministic upgrades through versioned repositories feature, every AL2023 Amazon Machine Image (AMI) by default is locked to a specific repository version. You can use deterministic upgrades to achieve greater consistency among package versions and updates. Each release, major or minor, includes a specific repository version.
New with AL2023, deterministic upgrading by default is enabled. This is an improvement over the manual, incremental method of locking that's used in Amazon Linux 2 and other earlier versions.
For more information, see Using Deterministic upgrades through versioned repository.
Built on Fedora
AL2023 is based on Fedora, but isn't directly compatible with any particular release of Fedora. Amazon Linux 2 was built on several upstream sources including Fedora.
For more information, see Relationship to Fedora.
AMI root filesystem
The AL2023 AMI and Amazon Linux 2 both use the XFS filesystem on the root filesystem.
AL2023 also supports a number of other filesystems that you can use on other volumes to meet your specific requirements.
Networking system service
The systemd-networkd system service manages the network interfaces in AL2023. This is a change from Amazon Linux 2, which uses the ISC DHCP client (dhclient).
For more information, see Networking service.
Packages for glibc, gcc, and binutils
AL2023 includes many of the same core packages as Amazon Linux 2.
We updated the following three core toolchain packages for AL2023.
Package name | Amazon Linux 2 | AL2023 |
---|---|---|
glibc | 2.26 | 2.34 |
gcc | 7.3 | 11.3 |
binutils | 2.29 | 2.39 |
For more information, see Core toolchain packages glibc, gcc, binutils.
Package manager
The default software package management tool on AL2023 is DNF. DNF is the successor to YUM, the package management tool in Amazon Linux 2.
For more information, see Package management tool.
SSH server default configuration changes
For the AL2023 AMI, we changed the types of sshd host keys that we generate with the release. We also dropped some legacy key types to avoid generating them at launch time. Clients must support the rsa-sha2-256 and rsa-sha2-512 signature algorithms, or ssh-ed25519 with an ed25519 key. By default, ssh-rsa signatures are disabled.
Additionally, the default sshd_config file in AL2023 contains UseDNS=no. This new setting means that DNS impairments are less likely to block your ability to establish ssh sessions with your instances. The tradeoff is that from="hostname.domain,hostname.domain" entries in your authorized_keys files won't be resolved. Because sshd no longer attempts to resolve DNS names, each comma-separated hostname.domain value must be translated to a corresponding IP address.
For more information, see Default SSH server configuration.
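With UseDNS=no, a from= restriction that names hosts silently stops matching, which locks out the legitimate client rather than failing open, so authorized_keys files should be checked before migrating. The following is an added example, not code from the AL2023 documentation or from OpenSSH: it parses authorized_keys lines, reports from= patterns that are hostnames rather than addresses, and rewrites the ones for which a hostname-to-address mapping is supplied. The sample file, the key material, and the hostname-to-address mapping are constructed for the example.

```python
"""Audit authorized_keys from= restrictions that UseDNS=no leaves unresolved.

Added example (not from the AL2023 documentation or OpenSSH). Hostname patterns
in from= are reported; those present in an explicit mapping are rewritten to
their addresses. The sample file and mapping below are constructed.
"""
import ipaddress
import re

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample: one hostname we can map, one wildcard hostname we cannot,
# one key without options. The key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
from="bastion.corp.example,10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY admin@example
from="*.corp.example",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY ops@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY plain@example
"""
SAMPLE_ADDRESS_MAP = {"bastion.corp.example": ["203.0.113.10"]}


def split_line(line):
    """Split an authorized_keys line into (options, key part); options may be ''."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def split_options(options):
    """Split the option list on commas that are not inside double quotes."""
    items, current, in_quotes = [], [], False
    for ch in options:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    return items


def is_address_pattern(pattern):
    """True if sshd can match the pattern against the peer address without DNS:
    an IP address or CIDR, or a wildcard pattern made only of address characters."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        pass
    if ":" in pattern:
        return re.fullmatch(r"[0-9a-fA-F:*?]+", pattern) is not None
    return re.fullmatch(r"[0-9.*?]+", pattern) is not None


def audit_authorized_keys(text, address_map=None):
    """Return (rewritten_text, findings); findings are (line_no, hostname_pattern)
    for from= entries that are hostnames with no mapping supplied."""
    address_map = address_map or {}
    out_lines, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        options, key_part = split_line(line) if line and not line.startswith("#") else ("", line)
        if not options:
            out_lines.append(raw)
            continue
        new_options = []
        for opt in split_options(options):
            if opt.startswith("from="):
                patterns = []
                for pat in opt[len("from="):].strip('"').split(","):
                    negated = pat.startswith("!")
                    body = pat[1:] if negated else pat
                    if is_address_pattern(body):
                        patterns.append(pat)
                    elif body in address_map:
                        patterns.extend(("!" if negated else "") + a for a in address_map[body])
                    else:
                        findings.append((line_no, body))
                        patterns.append(pat)
                opt = 'from="' + ",".join(patterns) + '"'
            new_options.append(opt)
        out_lines.append(",".join(new_options) + " " + key_part)
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    rewritten, findings = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_ADDRESS_MAP)
    print(rewritten)
    for line_no, host in findings:
        print(f"line {line_no}: from= pattern {host!r} is a hostname and will not match with UseDNS=no")
```

Negated patterns keep their leading "!" when rewritten. Wildcard hostname patterns such as *.corp.example have no single address equivalent and are reported rather than rewritten; those entries need a CIDR or an explicit address list chosen by the administrator.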
Extra Packages for Enterprise Linux (EPEL)
Extra Packages for Enterprise Linux (EPEL) is a project in the Fedora community with the objective of creating a large array of packages for enterprise-level Linux operating systems. The project has primarily produced RHEL and CentOS packages. Amazon Linux 2 features a high level of compatibility with CentOS 7. As a result, many EPEL7 packages work on Amazon Linux 2. However, AL2023 doesn't support EPEL or EPEL-like repositories.
Using cloud-init
In AL2023, cloud-init manages the package repository. By default, in earlier versions of Amazon Linux, cloud-init installed security updates. This isn't the default for AL2023. The new deterministic upgrading features for updating releasever at launch describe the AL2023 way to enable package updates at launch. For more information, see Managing packages and operating system updates and Deterministic upgrades for stability.
With AL2023, you can use cloud-init with SELinux. For more information, see Use cloud-init to enable enforcing mode.
cloud-init can load configuration content from remote locations using HTTP(S). In earlier versions of Amazon Linux, cloud-init doesn't alert you when remote resources are unavailable. In AL2023, an unavailable remote resource creates a fatal error and fails the cloud-init run. This change in behavior from Amazon Linux 2 provides a safer "fail closed" default.
For more information, see Customized cloud-init and the cloud-init documentation.