Managing packages and operating system updates - Amazon Linux 2023

Managing packages and operating system updates

Unlike previous versions of Amazon Linux, Amazon Linux 2023 (AL2023) Amazon Machine Images (AMIs) are locked to a specific version of the Amazon Linux repository. To apply both security and bug fixes to an AL2023 instance, update the DNF configuration. Alternatively, launch a newer AL2023 instance. This section describes how to manage DNF packages and repositories on a running instance. It also describes how to configure DNF from a user data script to enable the latest available Amazon Linux repository at launch time. For more information, see DNF Command Reference.

Checking for available package updates

You can use the dnf check-update command to check for any updates for your system. For AL2023, we recommend that you add the --releasever=version-number option to the command.

When you add this option, DNF also checks for updates for a later version of the repository. For example, after you run the dnf check-update command, use the latest returned version as the value for the version-number.

If the instance is updated to use the latest version of the repository, a list of all the packages to update is included in the output.


If you don't specify the release version with the optional flag to the dnf check-update command, only the currently configured repository version is checked. This means that packages in the later version of the repository aren't checked.

$ sudo dnf check-update --releasever=2023.0.20230210
Last metadata expiration check: 0:06:13 ago on Mon 13 Feb 2023 10:39:32 PM UTC.
bind-libs.x86_64 32:9.16.27-1.amzn2023 amazonlinux
bind-license.noarch 32:9.16.27-1.amzn2023 amazonlinux
bind-utils.x86_64 32:9.16.27-1.amzn2023 amazonlinux
cloud-init.noarch 22.2.2-1.amzn2023.1.4 amazonlinux
dnf.noarch 4.12.0-2.amzn2023.0.1 amazonlinux
dnf-data.noarch 4.12.0-2.amzn2023.0.1 amazonlinux
dracut.x86_64 055-6.amzn2023.0.4 amazonlinux
dracut-config-generic.x86_64 055-6.amzn2023.0.4 amazonlinux
glib2.x86_64 2.73.2-678.amzn2023 amazonlinux
gmp.x86_64 1:6.2.1-2.amzn2023 amazonlinux
grep.x86_64 3.8-1.amzn2023.0.1 amazonlinux
kpatch-runtime.noarch 0.9.4-7.amzn2023 amazonlinux
libgcc.x86_64 11.3.1-2.amzn2023.0.6 amazonlinux
libgomp.x86_64 11.3.1-2.amzn2023.0.6 amazonlinux
libpkgconf.x86_64 1.7.3-7.amzn2023.0.1 amazonlinux
libstdc++.x86_64 11.3.1-2.amzn2023.0.6 amazonlinux
lz4-libs.x86_64 1.9.4-1.amzn2023 amazonlinux
pkgconf.x86_64 1.7.3-7.amzn2023.0.1 amazonlinux
pkgconf-m4.noarch 1.7.3-7.amzn2023.0.1 amazonlinux
pkgconf-pkg-config.x86_64 1.7.3-7.amzn2023.0.1 amazonlinux
python3-dnf.noarch 4.12.0-2.amzn2023.0.1 amazonlinux
python3-rpm.x86_64 amazonlinux
rpm.x86_64 amazonlinux
rpm-build-libs.x86_64 amazonlinux
rpm-libs.x86_64 amazonlinux
rpm-plugin-selinux.x86_64 amazonlinux
rpm-plugin-systemd-inhibit.x86_64 amazonlinux
rpm-sign-libs.x86_64 amazonlinux
slang.x86_64 2.3.2-9.amzn2023.0.1 amazonlinux
system-release.noarch 2023.0.20230210-0.amzn2023 amazonlinux
systemd.x86_64 250.8-1.amzn2023.0.1 amazonlinux
systemd-libs.x86_64 250.8-1.amzn2023.0.1 amazonlinux
systemd-networkd.x86_64 250.8-1.amzn2023.0.1 amazonlinux
systemd-pam.x86_64 250.8-1.amzn2023.0.1 amazonlinux
systemd-resolved.x86_64 250.8-1.amzn2023.0.1 amazonlinux
systemd-udev.x86_64 250.8-1.amzn2023.0.1 amazonlinux
vim-common.x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux
vim-data.noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux
vim-enhanced.x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux
vim-filesystem.noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux
vim-minimal.x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux
wget.x86_64 1.21.3-1.amzn2023 amazonlinux
yum.noarch 4.12.0-2.amzn2023.0.1 amazonlinux

For this command, if there are newer packages available, the return code is 100. If there aren't any newer packages available, the return code is 0. In addition, the output also lists all the packages to update.
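The return codes matter most in unattended patch checks, where status 100 is a normal result and any other non-zero status means the check did not run. The following is an added example, not part of the AL2023 documentation; the function names and the DNF_CMD override are hypothetical names chosen for it.

```shell
#!/bin/sh
# Added example, not from the AL2023 documentation.
# DNF_CMD is a hypothetical override so the logic can run without dnf present.

# Map the exit status described above to a patch state. Any status other
# than 0 or 100 means the check itself failed, so the host is "unknown",
# never "clean".
classify_check_update_rc() {
    case "$1" in
        0)   echo "up-to-date" ;;
        100) echo "updates-available" ;;
        *)   echo "check-failed" ;;
    esac
}

# Count package rows (name.arch, version, repository) on stdin, skipping
# the metadata banner and blank lines.
count_pending() {
    awk 'NF == 3 && $1 ~ /\.(x86_64|aarch64|noarch)$/ { n++ } END { print n + 0 }'
}

# Check one repository version and print "<state> <pending-count>".
# The status is captured with "|| rc=$?" so that exit 100 does not abort
# a script running under "set -e".
check_pending_updates() {
    rc=0
    out=$(${DNF_CMD:-dnf} -q check-update --releasever="$1" 2>/dev/null) || rc=$?
    state=$(classify_check_update_rc "$rc")
    if [ "$state" = "updates-available" ]; then
        echo "$state $(printf '%s\n' "$out" | count_pending)"
    else
        echo "$state 0"
    fi
}

# Constructed sample rows in the format shown above.
SAMPLE_ROWS='bind-libs.x86_64 32:9.16.27-1.amzn2023 amazonlinux
vim-minimal.x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux
wget.x86_64 1.21.3-1.amzn2023 amazonlinux'
printf '%s\n' "$SAMPLE_ROWS" | count_pending
```

On an instance, call check_pending_updates with the repository version to check, for example check_pending_updates 2023.0.20230210.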

Applying security updates using DNF and repository versions

New package updates and security updates are made available to new repository versions only. For instances that you launched from earlier AL2023 AMI versions, you must update the repository version before you can install security updates. The dnf check-release-update command includes an example update command that updates all the packages that are installed on the system to versions in a newer repository.

$ sudo dnf update --releasever=2023.0.20230210
Last metadata expiration check: 0:01:40 ago on Mon 13 Feb 2023 10:39:32 PM UTC.
Dependencies resolved.
================================================================================
 Package Arch Version Repository Size
================================================================================
Upgrading:
 bind-libs x86_64 32:9.16.27-1.amzn2023 amazonlinux 1.2 M
 bind-license noarch 32:9.16.27-1.amzn2023 amazonlinux 16 k
 bind-utils x86_64 32:9.16.27-1.amzn2023 amazonlinux 202 k
 cloud-init noarch 22.2.2-1.amzn2023.1.4 amazonlinux 1.1 M
 dnf noarch 4.12.0-2.amzn2023.0.1 amazonlinux 454 k
 dnf-data noarch 4.12.0-2.amzn2023.0.1 amazonlinux 42 k
 dracut x86_64 055-6.amzn2023.0.4 amazonlinux 345 k
 dracut-config-generic x86_64 055-6.amzn2023.0.4 amazonlinux 8.5 k
 glib2 x86_64 2.73.2-678.amzn2023 amazonlinux 2.7 M
 gmp x86_64 1:6.2.1-2.amzn2023 amazonlinux 324 k
 grep x86_64 3.8-1.amzn2023.0.1 amazonlinux 316 k
 kpatch-runtime noarch 0.9.4-7.amzn2023 amazonlinux 30 k
 libgcc x86_64 11.3.1-2.amzn2023.0.6 amazonlinux 121 k
 libgomp x86_64 11.3.1-2.amzn2023.0.6 amazonlinux 296 k
 libpkgconf x86_64 1.7.3-7.amzn2023.0.1 amazonlinux 37 k
 libstdc++ x86_64 11.3.1-2.amzn2023.0.6 amazonlinux 758 k
 lz4-libs x86_64 1.9.4-1.amzn2023 amazonlinux 81 k
 pkgconf x86_64 1.7.3-7.amzn2023.0.1 amazonlinux 41 k
 pkgconf-m4 noarch 1.7.3-7.amzn2023.0.1 amazonlinux 15 k
 pkgconf-pkg-config x86_64 1.7.3-7.amzn2023.0.1 amazonlinux 11 k
 python3-dnf noarch 4.12.0-2.amzn2023.0.1 amazonlinux 415 k
 python3-rpm x86_64 amazonlinux 89 k
 rpm x86_64 amazonlinux 487 k
 rpm-build-libs x86_64 amazonlinux 92 k
 rpm-libs x86_64 amazonlinux 311 k
 rpm-plugin-selinux x86_64 amazonlinux 18 k
 rpm-plugin-systemd-inhibit x86_64 amazonlinux 19 k
 rpm-sign-libs x86_64 amazonlinux 22 k
 slang x86_64 2.3.2-9.amzn2023.0.1 amazonlinux 410 k
 system-release noarch 2023.0.20230210-0.amzn2023 amazonlinux 25 k
 systemd x86_64 250.8-1.amzn2023.0.1 amazonlinux 4.2 M
 systemd-libs x86_64 250.8-1.amzn2023.0.1 amazonlinux 615 k
 systemd-networkd x86_64 250.8-1.amzn2023.0.1 amazonlinux 614 k
 systemd-pam x86_64 250.8-1.amzn2023.0.1 amazonlinux 335 k
 systemd-resolved x86_64 250.8-1.amzn2023.0.1 amazonlinux 277 k
 systemd-udev x86_64 250.8-1.amzn2023.0.1 amazonlinux 1.9 M
 vim-common x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 7.2 M
 vim-data noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux 27 k
 vim-enhanced x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 1.8 M
 vim-filesystem noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux 21 k
 vim-minimal x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 764 k
 wget x86_64 1.21.3-1.amzn2023 amazonlinux 813 k
 yum noarch 4.12.0-2.amzn2023.0.1 amazonlinux 39 k
Transaction Summary
================================================================================
Upgrade 43 Packages
...

You can add the --security option to apply only the package updates that include security fixes.

$ sudo dnf update --releasever=2023.0.20230210 --security
Amazon Linux 2023 repository 18 MB/s | 11 MB 00:00
Last metadata expiration check: 0:00:02 ago on Mon 13 Feb 2023 10:39:32 PM UTC.
Dependencies resolved.
================================================================================
 Package Arch Version Repository Size
================================================================================
Upgrading:
 bind-libs x86_64 32:9.16.27-1.amzn2023 amazonlinux 1.2 M
 bind-license noarch 32:9.16.27-1.amzn2023 amazonlinux 16 k
 bind-utils x86_64 32:9.16.27-1.amzn2023 amazonlinux 202 k
 gmp x86_64 1:6.2.1-2.amzn2023 amazonlinux 324 k
 lz4-libs x86_64 1.9.4-1.amzn2023 amazonlinux 81 k
 vim-common x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 7.2 M
 vim-data noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux 27 k
 vim-enhanced x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 1.8 M
 vim-filesystem noarch 2:9.0.327-1.amzn2023.0.1 amazonlinux 21 k
 vim-minimal x86_64 2:9.0.327-1.amzn2023.0.1 amazonlinux 764 k
 wget x86_64 1.21.3-1.amzn2023 amazonlinux 813 k
Transaction Summary
================================================================================
Upgrade 11 Packages
...

To discover AL2023 package versions, do one or more of the following:

  • Run the dnf check-update command.

  • Subscribe to the Amazon Linux repository update SNS topic (arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates). For more information, see Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide.

  • Regularly refer to the AL2023 release notes.

When applying security updates to a running instance, it's important to make sure that DNF is pointing at the latest repository version.

Launching an instance with the latest repository version enabled

You can add DNF commands to a user-data script to control what RPM packages are installed on an Amazon Linux AMI when it's launched. In the following example, a user-data script is used to make sure that any instance launched with the user-data script has the same package updates installed.

#!/bin/bash
# -y answers the confirmation prompt; user data runs without a terminal.
dnf update -y --releasever=2023.0.20230210
# Additional setup and install commands below
dnf install -y httpd php7.4 mysql80

You must run this script as superuser (root). To do this, run the following command.

$ sudo sh -c "bash"

For more information, see User data and shell scripts in the Amazon EC2 User Guide for Linux Instances.


Instead of using a user-data script, launch the latest Amazon Linux AMI or a custom AMI that's based on the Amazon Linux AMI. The latest Amazon Linux AMI has all the necessary updates installed and is configured to point at a particular repository version.

Getting package support information

AL2023 incorporates many different open-source software projects. Each of these projects is managed independently from Amazon Linux and has its own release and end-of-support schedule. To provide you with Amazon Linux specific information about these different packages, the DNF supportinfo plugin provides metadata about a package. In the following example, the dnf supportinfo command returns metadata for the glibc package.

$ sudo dnf supportinfo --pkg glibc
Last metadata expiration check: 0:07:56 ago on Wed Mar 1 23:21:49 2023.
Name              : glibc
Version           : 2.34-52.amzn2023.0.2
State             : installed
Support Status    : supported
Support Periods   : from 2023-03-15 : supported
                  : from 2028-03-15 : unsupported
Support Statement : Amazon Linux 2023 End Of Life
Link              :
Other Info        : This is the support statement for AL2023. The
               ...: end of life of Amazon Linux 2023 would be March 2028.
               ...: From this point, the Amazon Linux 2023 packages (listed
               ...: below) will no longer, receive any updates from AWS.

Checking for newer repository versions

In an AL2023 instance, you can use the DNF utility to manage repositories and apply updated RPM packages. These packages are available in the Amazon Linux repositories. You can use the DNF command dnf check-release-update to check for new versions of the DNF repository.

$ sudo dnf check-release-update
WARNING:
  A newer release of "Amazon Linux" is available.
  Available Versions:
  Version 2023.0.20230210:
    Run the following command to update to 2023.0.20230210:
      dnf update --releasever=2023.0.20230210
    Release notes:

This returns a full list of all the newer versions of the DNF repositories that are available. If nothing's returned, this means that DNF is currently configured to use the latest available version. The version of the currently installed system-release package sets the releasever DNF variable. To check the current repository version, run the following command.

$ rpm -q system-release --qf "%{VERSION}\n"
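To track how far an instance has drifted from the newest repository version, the two commands above can be combined. The following is an added example, not part of the AL2023 documentation: it parses the "Version ...:" lines of the check-release-update output and compares the highest one with the locked version. The function names are hypothetical, and the 2023.9.20990101 entry in the sample is a made-up version.

```shell
#!/bin/sh
# Added example, not from the AL2023 documentation.

# Constructed sample in the layout shown above; the 2023.9.20990101 entry is
# a made-up version added to exercise the ordering logic.
SAMPLE_RELEASE_OUTPUT='WARNING:
  A newer release of "Amazon Linux" is available.
  Available Versions:
  Version 2023.9.20990101:
    Run the following command to update to 2023.9.20990101:
      dnf update --releasever=2023.9.20990101
  Version 2023.0.20230210:
    Run the following command to update to 2023.0.20230210:
      dnf update --releasever=2023.0.20230210'

# Print every version named on a "Version <x>:" line read from stdin.
newer_versions() {
    sed -n 's/^[[:space:]]*Version[[:space:]][[:space:]]*\([0-9][0-9.]*\):.*$/\1/p'
}

# Print the highest listed version, comparing the three dotted fields
# numerically; prints nothing when no newer version is listed.
latest_version() {
    newer_versions | sort -t . -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Compare the locked version ($1) with the newest one found ($2).
# An empty second argument means nothing newer was listed.
drift_status() {
    if [ -z "$2" ] || [ "$2" = "$1" ]; then
        echo "current"
    else
        echo "behind $2"
    fi
}

# Run on an instance: uses the two commands shown above. Only the text of
# check-release-update is inspected; its exit status is not relied on
# because this page does not document it.
report_drift() {
    current=$(rpm -q system-release --qf '%{VERSION}\n') || return 2
    listing=$(dnf check-release-update 2>&1 || true)
    drift_status "$current" "$(printf '%s\n' "$listing" | latest_version)"
}

printf '%s\n' "$SAMPLE_RELEASE_OUTPUT" | latest_version
```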

When you run DNF package transactions (such as install, update, or remove commands), a warning message notifies you of any new repository versions. For example, if you install the httpd package on an instance that was launched from an older version of AL2023, the following output is returned.

$ sudo dnf install httpd -y
Last metadata expiration check: 0:16:52 ago on Wed Mar 1 23:21:49 2023.
Dependencies resolved.
====================================================================
 Package Arch Version Repository Size
====================================================================
Installing:
 httpd x86_64 2.4.54-3.amzn2023.0.4 amazonlinux 46 k
Installing dependencies:
 apr x86_64 1.7.2-2.amzn2023.0.2 amazonlinux 129 k
 apr-util x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 98 k
 generic-logos-httpd noarch 18.0.0-12.amzn2023.0.3 amazonlinux 19 k
 httpd-core x86_64 2.4.54-3.amzn2023.0.4 amazonlinux 1.3 M
 httpd-filesystem noarch 2.4.54-3.amzn2023.0.4 amazonlinux 13 k
 httpd-tools x86_64 2.4.54-3.amzn2023.0.4 amazonlinux 80 k
 libbrotli x86_64 1.0.9-4.amzn2023.0.2 amazonlinux 315 k
 mailcap noarch 2.1.49-3.amzn2023.0.3 amazonlinux 33 k
Installing weak dependencies:
 apr-util-openssl x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 17 k
 mod_http2 x86_64 1.15.24-1.amzn2023.0.3 amazonlinux 152 k
 mod_lua x86_64 2.4.54-3.amzn2023.0.4 amazonlinux 60 k
Transaction Summary
====================================================================
Install 12 Packages
Total download size: 2.3 M
Installed size: 6.8 M
Downloading Packages:
(1/12): 212 kB/s | 17 kB 00:00
(2/12): apr-1.7.2-2.amzn2023.0.2.x8 1.1 MB/s | 129 kB 00:00
(3/12): httpd-core-2.4.54-3.amzn202 8.9 MB/s | 1.3 MB 00:00
(4/12): mod_http2-1.15.24-1.amzn202 1.9 MB/s | 152 kB 00:00
(5/12): apr-util-1.6.3-1.amzn2023.0 1.7 MB/s | 98 kB 00:00
(6/12): mod_lua-2.4.54-3.amzn2023.0 1.4 MB/s | 60 kB 00:00
(7/12): httpd-2.4.54-3.amzn2023.0.4 1.5 MB/s | 46 kB 00:00
(8/12): libbrotli-1.0.9-4.amzn2023. 4.4 MB/s | 315 kB 00:00
(9/12): mailcap-2.1.49-3.amzn2023.0 753 kB/s | 33 kB 00:00
(10/12): httpd-tools-2.4.54-3.amzn2 978 kB/s | 80 kB 00:00
(11/12): httpd-filesystem-2.4.54-3. 210 kB/s | 13 kB 00:00
(12/12): generic-logos-httpd-18.0.0 439 kB/s | 19 kB 00:00
--------------------------------------------------------------------
Total 6.6 MB/s | 2.3 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        : 1/1
  Installing       : apr-1.7.2-2.amzn2023.0.2.x86_64 1/12
  Installing       : apr-util-openssl-1.6.3-1.amzn2023.0.1. 2/12
  Installing       : apr-util-1.6.3-1.amzn2023.0.1.x86_64 3/12
  Installing       : mailcap-2.1.49-3.amzn2023.0.3.noarch 4/12
  Installing       : httpd-tools-2.4.54-3.amzn2023.0.4.x86_ 5/12
  Installing       : generic-logos-httpd-18.0.0-12.amzn2023 6/12
  Running scriptlet: httpd-filesystem-2.4.54-3.amzn2023.0.4 7/12
  Installing       : httpd-filesystem-2.4.54-3.amzn2023.0.4 7/12
  Installing       : httpd-core-2.4.54-3.amzn2023.0.4.x86_6 8/12
  Installing       : mod_http2-1.15.24-1.amzn2023.0.3.x86_6 9/12
  Installing       : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 10/12
  Installing       : mod_lua-2.4.54-3.amzn2023.0.4.x86_64 11/12
  Installing       : httpd-2.4.54-3.amzn2023.0.4.x86_64 12/12
  Running scriptlet: httpd-2.4.54-3.amzn2023.0.4.x86_64 12/12
  Verifying        : apr-1.7.2-2.amzn2023.0.2.x86_64 1/12
  Verifying        : apr-util-openssl-1.6.3-1.amzn2023.0.1. 2/12
  Verifying        : httpd-core-2.4.54-3.amzn2023.0.4.x86_6 3/12
  Verifying        : mod_http2-1.15.24-1.amzn2023.0.3.x86_6 4/12
  Verifying        : apr-util-1.6.3-1.amzn2023.0.1.x86_64 5/12
  Verifying        : mod_lua-2.4.54-3.amzn2023.0.4.x86_64 6/12
  Verifying        : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 7/12
  Verifying        : httpd-2.4.54-3.amzn2023.0.4.x86_64 8/12
  Verifying        : httpd-tools-2.4.54-3.amzn2023.0.4.x86_ 9/12
  Verifying        : mailcap-2.1.49-3.amzn2023.0.3.noarch 10/12
  Verifying        : httpd-filesystem-2.4.54-3.amzn2023.0.4 11/12
  Verifying        : generic-logos-httpd-18.0.0-12.amzn2023 12/12
Installed:
  apr-1.7.2-2.amzn2023.0.2.x86_64
  apr-util-1.6.3-1.amzn2023.0.1.x86_64
  apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64
  generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch
  httpd-2.4.54-3.amzn2023.0.4.x86_64
  httpd-core-2.4.54-3.amzn2023.0.4.x86_64
  httpd-filesystem-2.4.54-3.amzn2023.0.4.noarch
  httpd-tools-2.4.54-3.amzn2023.0.4.x86_64
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64
  mailcap-2.1.49-3.amzn2023.0.3.noarch
  mod_http2-1.15.24-1.amzn2023.0.3.x86_64
  mod_lua-2.4.54-3.amzn2023.0.4.x86_64
Complete!

Adding, enabling, or disabling new repositories

To install a package from a different repository with the DNF package management system, add the repository information to the /etc/dnf/dnf.conf file or to its own repository.repo file in the /etc/yum.repos.d directory. You can do this manually. However, most DNF repositories provide their own repository.repo file at their repository URL.


At this time, there are no additional repositories that can be added to AL2023. This might change in the future. Also, you can write your own packages, and make those packages available to your AL2023 enterprise environment. Before you can use the packages, you must add and enable the repository where the packages are stored.

To find out what repositories are currently enabled, you can run the following command:

$ dnf repolist all --verbose
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, release-notification, repoclosure, repodiff, repograph, repomanage, reposync, supportinfo
DNF version: 4.12.0
cachedir: /var/cache/dnf
Last metadata expiration check: 0:00:02 ago on Wed Mar 1 23:40:15 2023.
Repo-id            : amazonlinux
Repo-name          : Amazon Linux 2023 repository
Repo-status        : enabled
Repo-revision      : 1677203368
Repo-updated       : Fri Feb 24 01:49:28 2023
Repo-pkgs          : 12632
Repo-available-pkgs: 12632
Repo-size          : 12 G
Repo-mirrors       :
Repo-baseurl       :
                   : (0 more)
Repo-expire        : 172800 second(s) (last: Wed Mar 1 23:40:15
                   : 2023)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo
Repo-id            : amazonlinux-debuginfo
Repo-name          : Amazon Linux 2023 repository - Debug
Repo-status        : disabled
Repo-mirrors       :
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo
Repo-id            : amazonlinux-source
Repo-name          : Amazon Linux 2023 repository - Source packages
Repo-status        : disabled
Repo-mirrors       :
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo
Repo-id            : kernel-livepatch
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository
Repo-status        : disabled
Repo-mirrors       :
Repo-expire        : 172800 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo
Repo-id            : kernel-livepatch-source
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository -
                   : Source packages
Repo-status        : disabled
Repo-mirrors       :
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo
Total packages: 12632

If you don't add the --verbose option flag, the output only includes the Repo-id, Repo-name, and Repo-status information.

To add a yum repository to the /etc/yum.repos.d directory:

  1. Find the location of the .repo file. In this example, the .repo file is at

  2. Add the repository with the dnf config-manager command.

$ sudo dnf config-manager --add-repo
Loaded plugins: priorities, update-motd, upgrade-helper
adding repo from:
grabbing file to /etc/yum.repos.d/repository.repo
repository.repo | 4.0 kB 00:00
repo saved to /etc/yum.repos.d/repository.repo

After you install a repository, you must enable it as described in the next procedure.

To enable a yum repository in /etc/yum.repos.d, use the dnf config-manager command with the --enable flag and repository name.

$ sudo dnf config-manager --enable repository

To disable a repository, use the same command syntax, but replace --enable with --disable in the command.
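After repositories are added or enabled, it is worth checking what the resulting .repo files actually say. The following is an added example, not part of the AL2023 documentation: it audits the .repo files in /etc/yum.repos.d and flags repository definitions where gpgcheck is turned off or left unset, and source URLs that use plain HTTP. The function names, the finding labels, and the REPO_DIR variable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the AL2023 documentation. Finding labels and the
# REPO_DIR variable are names chosen for this example.

# Print "<repo-id> <finding> <file>" for each problem in one .repo file.
audit_repo_file() {
    awk '
        function emit(msg) { printf "%s %s %s\n", id, msg, FILENAME }
        function finish() {
            if (id == "" || id == "main") return
            if (gpg == "") emit("gpgcheck-unset")   # inherits the [main] value
            else if (gpg ~ /^(0|false|no|off)$/) emit("gpgcheck-off")
            if (plain != "") emit("plain-http")
        }
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # new [repo-id] section
            finish()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            gpg = ""; plain = ""
            next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = tolower(val)
            if ((key == "baseurl" || key == "mirrorlist" || key == "metalink") &&
                tolower(val) ~ /^http:/) plain = val
        }
        END { finish() }
    ' "$1"
}

# Audit every .repo file in a directory (default: /etc/yum.repos.d).
audit_repo_dir() {
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        audit_repo_file "$f"
    done
}

audit_repo_dir "${REPO_DIR:-/etc/yum.repos.d}"
```

A gpgcheck-unset finding means the repository takes its setting from the [main] section of /etc/dnf/dnf.conf, so check that file before treating the repository as verified.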

Adding repositories with cloud-init

In addition to adding a repository using the previous method, you can also add a new repository using the cloud-init framework.

To add a new package repository, we recommend the use of the following template. Consider saving this file locally.

#cloud-config
yum_repos:
  repository.repo:
    baseurl:
    enabled: true
    gpgcheck: true
    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
    name: Example Repository

One advantage to using cloud-init is that you can add a packages: section to your configuration file. In this section, you can include the names of the packages that you want to install. You can install packages from either the default repository or the new repository that you added in the cloud-config file.

For more specific information about the structure of the YAML file, see Adding a YUM repository in the cloud-init documentation.

After you set up the YAML format file, you can run it in the cloud-init framework in the AWS CLI. Make sure to include the --user-data option and the name of the .yml file to call the desired operations.

$ aws ec2 run-instances \
  --image-id \
  resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
  --instance-type m5.xlarge \
  --region us-east-1 \
  --key-name aws-key-us-east-1 \
  --security-group-ids sg-004a7650 \
  --user-data file://cloud-config.yml