Manage package and operating system updates in AL2023
Unlike previous versions of Amazon Linux, AL2023 AMIs are locked to a specific version of the Amazon Linux repository. To apply both security and bug fixes to an AL2023 instance, update the DNF configuration to the latest available release version. Alternatively, launch a newer AL2023 instance.
This section describes how to manage DNF packages and repositories on a running instance. It also describes how to configure DNF from a user data script to enable the latest available Amazon Linux repository at launch time. For more information, see DNF Command Reference.
It is recommended to apply all updates available in a new AL2023 release. Picking only security updates, or only specific updates, should be the exception rather than the rule. To list which security advisories are relevant to a particular instance, see Listing applicable Advisories. For information on installing only updates relevant to a specific advisory, see Applying security updates in-place.
Important
If you want to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, contact AWS Security using the Vulnerability Reporting page.
Checking for available package updates
You can use the dnf check-update command to check for any updates for your system. For AL2023, we recommend that you add the --releasever=version-number option to the command.
When you add this option, DNF also checks for updates for a later version of the repository. For example, after you run the dnf check-update command, use the latest returned version as the value for the version-number.
If the instance is updated to use the latest version of the repository, the output includes a list of all the packages to be updated.
Note
If you don't specify the release version with the optional flag to the dnf check-update command, only the currently configured repository version is checked. This means that packages in the later version of the repository aren't checked.
In this example we are going to look at what updates are available in the 2023.1.20230628 release if we launched a container of the 2023.0.20230315 release.
Note
This example uses the 2023.0.20230315 and 2023.1.20230628 releases, and these are not the latest releases of AL2023. See the AL2023 Release Notes for the latest releases, which contain the latest security updates.
In this example we will be starting with a container image for the 2023.0.20230315 release.
First, we fetch this container image from the container registry.
The .0 at the end indicates the version of the image for a particular release; this image version is usually zero.
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
2023.0.20230315.0: Pulling from amazonlinux/amazonlinux
b76f3b09316a: Pull complete
Digest: sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
We can now spawn a shell inside the container, from which we will check for updates.
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
bash-5.2#
The dnf check-update command is now used to check updates available in the 2023.1.20230628 release.
Note
Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you can check for updates without elevating privileges.
$ dnf check-update --releasever=2023.1.20230628
Amazon Linux 2023 repository                     60 MB/s |  15 MB     00:00
Last metadata expiration check: 0:00:02 ago on Mon Jul 22 17:25:34 2024.

amazon-linux-repo-cdn.noarch   2023.1.20230628-0.amzn2023   amazonlinux
ca-certificates.noarch         2023.2.60-1.0.amzn2023.0.2   amazonlinux
curl-minimal.x86_64            8.0.1-1.amzn2023             amazonlinux
glib2.x86_64                   2.74.7-688.amzn2023.0.1      amazonlinux
glibc.x86_64                   2.34-52.amzn2023.0.3         amazonlinux
glibc-common.x86_64            2.34-52.amzn2023.0.3         amazonlinux
glibc-minimal-langpack.x86_64  2.34-52.amzn2023.0.3         amazonlinux
gnupg2-minimal.x86_64          2.3.7-1.amzn2023.0.4         amazonlinux
keyutils-libs.x86_64           1.6.3-1.amzn2023             amazonlinux
libcap.x86_64                  2.48-2.amzn2023.0.3          amazonlinux
libcurl-minimal.x86_64         8.0.1-1.amzn2023             amazonlinux
libgcc.x86_64                  11.3.1-4.amzn2023.0.3        amazonlinux
libgomp.x86_64                 11.3.1-4.amzn2023.0.3        amazonlinux
libstdc++.x86_64               11.3.1-4.amzn2023.0.3        amazonlinux
libxml2.x86_64                 2.10.4-1.amzn2023.0.1        amazonlinux
ncurses-base.noarch            6.2-4.20200222.amzn2023.0.4  amazonlinux
ncurses-libs.x86_64            6.2-4.20200222.amzn2023.0.4  amazonlinux
openssl-libs.x86_64            1:3.0.8-1.amzn2023.0.3       amazonlinux
python3-rpm.x86_64             4.16.1.3-12.amzn2023.0.6     amazonlinux
rpm.x86_64                     4.16.1.3-12.amzn2023.0.6     amazonlinux
rpm-build-libs.x86_64          4.16.1.3-12.amzn2023.0.6     amazonlinux
rpm-libs.x86_64                4.16.1.3-12.amzn2023.0.6     amazonlinux
rpm-sign-libs.x86_64           4.16.1.3-12.amzn2023.0.6     amazonlinux
system-release.noarch          2023.1.20230628-0.amzn2023   amazonlinux
tzdata.noarch                  2023c-1.amzn2023.0.1         amazonlinux
bash-5.2#
The version of the system-release package shows the release that a dnf upgrade command would update to, which is the 2023.1.20230628 release that was requested in the dnf check-update --releasever=2023.1.20230628 command.
For this command, if there are newer packages available, the return code is 100. If there aren't any newer packages available, the return code is 0. In addition, the output also lists all the packages to update.
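The return codes above matter in automation: a script running under set -e treats the 100 that signals pending updates as a failure and stops. The wrapper below is an added example, not code from the AL2023 documentation; it separates "updates pending" from a real error and reads the target release from the system-release row. DNF_CMD and the function names are assumptions of this example, as is treating every exit status other than 0 and 100 as an error.

```sh
#!/bin/sh
# Added example, not AWS code. DNF_CMD is a hypothetical override so the
# wrapper can be exercised against a stub instead of the real dnf.
DNF_CMD="${DNF_CMD:-dnf}"

# Read check-update output on stdin; print "name.arch version" per update.
# Package rows have three fields: name.arch, version, repository.
list_pending() {
    awk '
        /^Obsoleting/ { exit }    # rows after this header are not updates
        NF == 3 && $1 ~ /\.(noarch|x86_64|aarch64)$/ { print $1, $2 }
    '
}

# Print the release an upgrade would move to, taken from the
# system-release row (2023.1.20230628-0.amzn2023 -> 2023.1.20230628).
target_release() {
    list_pending |
        awk '$1 == "system-release.noarch" { sub(/-.*$/, "", $2); print $2 }'
}

# check_release VERSION
# Prints "pending=<count> target=<release|none>" and returns 0 when the
# check itself worked (exit status 0 or 100); returns 1 otherwise.
check_release() {
    rc=0
    # "|| rc=$?" keeps set -e from aborting on the expected status 100.
    out=$("$DNF_CMD" -q check-update --releasever="$1") || rc=$?
    case "$rc" in
        0|100) ;;
        *) echo "dnf check-update failed with exit status $rc" >&2
           return 1 ;;
    esac
    count=$(printf '%s\n' "$out" | list_pending | wc -l | tr -d ' ')
    target=$(printf '%s\n' "$out" | target_release)
    echo "pending=$count target=${target:-none}"
}

# Usage: sh check-release.sh 2023.1.20230628
if [ "$#" -gt 0 ]; then
    check_release "$1"
fi
```

A target of "none" with a non-zero pending count means the instance is already locked to that release but has not applied all of its packages.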
Applying security updates using DNF and repository versions
New package updates and security updates are made available to new repository versions only. For instances that you launched from earlier AL2023 AMI versions, you must update the repository version before you can install security updates. The dnf check-release-update command includes an example update command that updates all the packages that are installed on the system to versions in a newer repository.
Note
If you don't specify the release version with the optional flag to the dnf check-update command, only the currently configured repository version is checked. This means that updates to installed packages that are present in any later version of the repository aren't applied.
This section covers the recommended upgrade path of applying all available updates rather than picking and choosing individual updates or only ones marked as security updates. By applying all updates, existing instances are moved to the same package set as launching an updated AMI. This consistency reduces the variation of package versions across a fleet. For more information on applying specific updates, see Applying security updates in-place.
In this example we are going to apply updates available in the 2023.1.20230628 release if we launched a container of the 2023.0.20230315 release.
Note
This example uses the 2023.0.20230315 and 2023.1.20230628 releases, and these are not the latest releases of AL2023. See the AL2023 Release Notes for the latest releases, which contain the latest security updates.
In this example we will be starting with a container image for the 2023.0.20230315 release.
First, we fetch this container image from the container registry.
The .0 at the end indicates the version of the image for a particular release; this image version is usually zero.
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
2023.0.20230315.0: Pulling from amazonlinux/amazonlinux
b76f3b09316a: Pull complete
Digest: sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
We can now spawn a shell inside the container, from which we will apply updates.
$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
bash-5.2#
The dnf upgrade command is now used to apply all of the updates present in the 2023.1.20230628 release.
Note
Applying package updates is a privileged operation. Although elevating privileges is typically not required when running in a container, if running in a non-containerized environment such as an Amazon EC2 instance, you will need to run the dnf upgrade command as the root user. This can be done using the sudo or su commands.
$ dnf upgrade --releasever=2023.1.20230628
Amazon Linux 2023 repository                     38 MB/s |  15 MB     00:00
Last metadata expiration check: 0:00:02 ago on Mon Jul 22 17:49:08 2024.
Dependencies resolved.
=================================================================================
 Package                 Arch    Version                      Repository   Size
=================================================================================
Upgrading:
 amazon-linux-repo-cdn   noarch  2023.1.20230628-0.amzn2023   amazonlinux  18 k
 ca-certificates         noarch  2023.2.60-1.0.amzn2023.0.2   amazonlinux  829 k
 curl-minimal            x86_64  8.0.1-1.amzn2023             amazonlinux  150 k
 glib2                   x86_64  2.74.7-688.amzn2023.0.1      amazonlinux  2.7 M
 glibc                   x86_64  2.34-52.amzn2023.0.3         amazonlinux  1.9 M
 glibc-common            x86_64  2.34-52.amzn2023.0.3         amazonlinux  307 k
 glibc-minimal-langpack  x86_64  2.34-52.amzn2023.0.3         amazonlinux  35 k
 gnupg2-minimal          x86_64  2.3.7-1.amzn2023.0.4         amazonlinux  421 k
 keyutils-libs           x86_64  1.6.3-1.amzn2023             amazonlinux  33 k
 libcap                  x86_64  2.48-2.amzn2023.0.3          amazonlinux  67 k
 libcurl-minimal         x86_64  8.0.1-1.amzn2023             amazonlinux  249 k
 libgcc                  x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  105 k
 libgomp                 x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  280 k
 libstdc++               x86_64  11.3.1-4.amzn2023.0.3        amazonlinux  744 k
 libxml2                 x86_64  2.10.4-1.amzn2023.0.1        amazonlinux  706 k
 ncurses-base            noarch  6.2-4.20200222.amzn2023.0.4  amazonlinux  60 k
 ncurses-libs            x86_64  6.2-4.20200222.amzn2023.0.4  amazonlinux  328 k
 openssl-libs            x86_64  1:3.0.8-1.amzn2023.0.3       amazonlinux  2.2 M
 python3-rpm             x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  88 k
 rpm                     x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  486 k
 rpm-build-libs          x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  90 k
 rpm-libs                x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  309 k
 rpm-sign-libs           x86_64  4.16.1.3-12.amzn2023.0.6     amazonlinux  21 k
 system-release          noarch  2023.1.20230628-0.amzn2023   amazonlinux  29 k
 tzdata                  noarch  2023c-1.amzn2023.0.1         amazonlinux  433 k

Transaction Summary
=================================================================================
Upgrade  25 Packages

Total download size: 12 M
Is this ok [y/N]:
The version of the system-release package shows the release that a dnf upgrade command would update to, which is the 2023.1.20230628 release that was requested in the dnf upgrade --releasever=2023.1.20230628 command.
By default, dnf will ask you to confirm you wish to apply the updates. You can bypass this prompt by using the -y flag to dnf. For this example, the dnf upgrade -y --releasever=2023.1.20230628 command would not ask for confirmation before applying the updates. This is useful in scripts or other automation environments.
Once you confirm that you want to apply the updates, dnf applies them.
Is this ok [y/N]: y
Downloading Packages:
(1/25): libcap-2.48-2.amzn2023.0.3.x86_64.rpm 1.5 MB/s | 67 kB 00:00
(2/25): python3-rpm-4.16.1.3-12.amzn2023.0.6.x86 2.1 MB/s | 88 kB 00:00
(3/25): libcurl-minimal-8.0.1-1.amzn2023.x86_64. 2.6 MB/s | 249 kB 00:00
(4/25): glib2-2.74.7-688.amzn2023.0.1.x86_64.rpm 26 MB/s | 2.7 MB 00:00
(5/25): glibc-minimal-langpack-2.34-52.amzn2023. 1.3 MB/s | 35 kB 00:00
(6/25): rpm-build-libs-4.16.1.3-12.amzn2023.0.6. 2.8 MB/s | 90 kB 00:00
(7/25): rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64 6.6 MB/s | 309 kB 00:00
(8/25): libgcc-11.3.1-4.amzn2023.0.3.x86_64.rpm 3.9 MB/s | 105 kB 00:00
(9/25): glibc-common-2.34-52.amzn2023.0.3.x86_64 11 MB/s | 307 kB 00:00
(10/25): glibc-2.34-52.amzn2023.0.3.x86_64.rpm 31 MB/s | 1.9 MB 00:00
(11/25): rpm-sign-libs-4.16.1.3-12.amzn2023.0.6. 877 kB/s | 21 kB 00:00
(12/25): gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86 15 MB/s | 421 kB 00:00
(13/25): openssl-libs-3.0.8-1.amzn2023.0.3.x86_6 35 MB/s | 2.2 MB 00:00
(14/25): libxml2-2.10.4-1.amzn2023.0.1.x86_64.rp 14 MB/s | 706 kB 00:00
(15/25): curl-minimal-8.0.1-1.amzn2023.x86_64.rp 4.2 MB/s | 150 kB 00:00
(16/25): rpm-4.16.1.3-12.amzn2023.0.6.x86_64.rpm 11 MB/s | 486 kB 00:00
(17/25): libgomp-11.3.1-4.amzn2023.0.3.x86_64.rp 7.0 MB/s | 280 kB 00:00
(18/25): libstdc++-11.3.1-4.amzn2023.0.3.x86_64. 14 MB/s | 744 kB 00:00
(19/25): keyutils-libs-1.6.3-1.amzn2023.x86_64.r 1.6 MB/s | 33 kB 00:00
(20/25): ncurses-libs-6.2-4.20200222.amzn2023.0. 10 MB/s | 328 kB 00:00
(21/25): tzdata-2023c-1.amzn2023.0.1.noarch.rpm 11 MB/s | 433 kB 00:00
(22/25): amazon-linux-repo-cdn-2023.1.20230628-0 781 kB/s | 18 kB 00:00
(23/25): ca-certificates-2023.2.60-1.0.amzn2023. 16 MB/s | 829 kB 00:00
(24/25): system-release-2023.1.20230628-0.amzn20 1.5 MB/s | 29 kB 00:00
(25/25): ncurses-base-6.2-4.20200222.amzn2023.0. 3.1 MB/s | 60 kB 00:00
---------------------------------------------------------------------------------
Total 28 MB/s | 12 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :  1/1
  Upgrading        : libgcc-11.3.1-4.amzn2023.0.3.x86_64  1/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.3.x86_64  1/50
  Upgrading        : system-release-2023.1.20230628-0.amzn2023.noarch  2/50
  Upgrading        : amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.no  3/50
  Upgrading        : ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch  4/50
  Upgrading        : tzdata-2023c-1.amzn2023.0.1.noarch  5/50
  Upgrading        : glibc-common-2.34-52.amzn2023.0.3.x86_64  6/50
  Running scriptlet: glibc-2.34-52.amzn2023.0.3.x86_64  7/50
  Upgrading        : glibc-2.34-52.amzn2023.0.3.x86_64  7/50
  Running scriptlet: glibc-2.34-52.amzn2023.0.3.x86_64  7/50
  Upgrading        : glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64  8/50
  Upgrading        : libcap-2.48-2.amzn2023.0.3.x86_64  9/50
  Upgrading        : gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64  10/50
  Upgrading        : libgomp-11.3.1-4.amzn2023.0.3.x86_64  11/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch  12/50
  Upgrading        : ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch  12/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch  12/50
  Upgrading        : openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64  13/50
  Upgrading        : libcurl-minimal-8.0.1-1.amzn2023.x86_64  14/50
  Upgrading        : curl-minimal-8.0.1-1.amzn2023.x86_64  15/50
  Upgrading        : rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64  16/50
  Upgrading        : rpm-4.16.1.3-12.amzn2023.0.6.x86_64  17/50
  Upgrading        : rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64  18/50
  Upgrading        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64  19/50
  Upgrading        : python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64  20/50
  Upgrading        : glib2-2.74.7-688.amzn2023.0.1.x86_64  21/50
  Upgrading        : libxml2-2.10.4-1.amzn2023.0.1.x86_64  22/50
  Upgrading        : libstdc++-11.3.1-4.amzn2023.0.3.x86_64  23/50
  Upgrading        : keyutils-libs-1.6.3-1.amzn2023.x86_64  24/50
  Upgrading        : ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64  25/50
  Cleanup          : glib2-2.73.2-680.amzn2023.0.3.x86_64  26/50
  Cleanup          : libstdc++-11.3.1-4.amzn2023.0.2.x86_64  27/50
  Cleanup          : libxml2-2.10.3-2.amzn2023.0.1.x86_64  28/50
  Cleanup          : python3-rpm-4.16.1.3-12.amzn2023.0.5.x86_64  29/50
  Cleanup          : rpm-build-libs-4.16.1.3-12.amzn2023.0.5.x86_64  30/50
  Cleanup          : rpm-sign-libs-4.16.1.3-12.amzn2023.0.5.x86_64  31/50
  Cleanup          : rpm-libs-4.16.1.3-12.amzn2023.0.5.x86_64  32/50
  Cleanup          : libcap-2.48-2.amzn2023.0.2.x86_64  33/50
  Cleanup          : gnupg2-minimal-2.3.7-1.amzn2023.0.3.x86_64  34/50
  Cleanup          : ncurses-libs-6.2-4.20200222.amzn2023.0.3.x86_64  35/50
  Cleanup          : libgomp-11.3.1-4.amzn2023.0.2.x86_64  36/50
  Cleanup          : rpm-4.16.1.3-12.amzn2023.0.5.x86_64  37/50
  Cleanup          : curl-minimal-7.88.1-1.amzn2023.0.1.x86_64  38/50
  Cleanup          : libcurl-minimal-7.88.1-1.amzn2023.0.1.x86_64  39/50
  Cleanup          : openssl-libs-1:3.0.8-1.amzn2023.0.1.x86_64  40/50
  Cleanup          : keyutils-libs-1.6.1-2.amzn2023.0.2.x86_64  41/50
  Cleanup          : amazon-linux-repo-cdn-2023.0.20230315-1.amzn2023.no  42/50
  Cleanup          : system-release-2023.0.20230315-1.amzn2023.noarch  43/50
  Cleanup          : ca-certificates-2023.2.60-1.0.amzn2023.0.1.noarch  44/50
  Cleanup          : ncurses-base-6.2-4.20200222.amzn2023.0.3.noarch  45/50
  Cleanup          : glibc-minimal-langpack-2.34-52.amzn2023.0.2.x86_64  46/50
  Cleanup          : glibc-2.34-52.amzn2023.0.2.x86_64  47/50
  Cleanup          : glibc-common-2.34-52.amzn2023.0.2.x86_64  48/50
  Cleanup          : tzdata-2022g-1.amzn2023.0.1.noarch  49/50
  Cleanup          : libgcc-11.3.1-4.amzn2023.0.2.x86_64  50/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.2.x86_64  50/50
  Running scriptlet: ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch  50/50
  Running scriptlet: rpm-4.16.1.3-12.amzn2023.0.6.x86_64  50/50
  Running scriptlet: libgcc-11.3.1-4.amzn2023.0.2.x86_64  50/50
  Verifying        : libcurl-minimal-8.0.1-1.amzn2023.x86_64  1/50
  Verifying        : libcurl-minimal-7.88.1-1.amzn2023.0.1.x86_64  2/50
  Verifying        : libcap-2.48-2.amzn2023.0.3.x86_64  3/50
  Verifying        : libcap-2.48-2.amzn2023.0.2.x86_64  4/50
  Verifying        : glib2-2.74.7-688.amzn2023.0.1.x86_64  5/50
  Verifying        : glib2-2.73.2-680.amzn2023.0.3.x86_64  6/50
  Verifying        : python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64  7/50
  Verifying        : python3-rpm-4.16.1.3-12.amzn2023.0.5.x86_64  8/50
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64  9/50
  Verifying        : glibc-minimal-langpack-2.34-52.amzn2023.0.2.x86_64  10/50
  Verifying        : rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64  11/50
  Verifying        : rpm-libs-4.16.1.3-12.amzn2023.0.5.x86_64  12/50
  Verifying        : rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64  13/50
  Verifying        : rpm-build-libs-4.16.1.3-12.amzn2023.0.5.x86_64  14/50
  Verifying        : glibc-2.34-52.amzn2023.0.3.x86_64  15/50
  Verifying        : glibc-2.34-52.amzn2023.0.2.x86_64  16/50
  Verifying        : libgcc-11.3.1-4.amzn2023.0.3.x86_64  17/50
  Verifying        : libgcc-11.3.1-4.amzn2023.0.2.x86_64  18/50
  Verifying        : glibc-common-2.34-52.amzn2023.0.3.x86_64  19/50
  Verifying        : glibc-common-2.34-52.amzn2023.0.2.x86_64  20/50
  Verifying        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64  21/50
  Verifying        : rpm-sign-libs-4.16.1.3-12.amzn2023.0.5.x86_64  22/50
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64  23/50
  Verifying        : openssl-libs-1:3.0.8-1.amzn2023.0.1.x86_64  24/50
  Verifying        : gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64  25/50
  Verifying        : gnupg2-minimal-2.3.7-1.amzn2023.0.3.x86_64  26/50
  Verifying        : libxml2-2.10.4-1.amzn2023.0.1.x86_64  27/50
  Verifying        : libxml2-2.10.3-2.amzn2023.0.1.x86_64  28/50
  Verifying        : curl-minimal-8.0.1-1.amzn2023.x86_64  29/50
  Verifying        : curl-minimal-7.88.1-1.amzn2023.0.1.x86_64  30/50
  Verifying        : rpm-4.16.1.3-12.amzn2023.0.6.x86_64  31/50
  Verifying        : rpm-4.16.1.3-12.amzn2023.0.5.x86_64  32/50
  Verifying        : libstdc++-11.3.1-4.amzn2023.0.3.x86_64  33/50
  Verifying        : libstdc++-11.3.1-4.amzn2023.0.2.x86_64  34/50
  Verifying        : libgomp-11.3.1-4.amzn2023.0.3.x86_64  35/50
  Verifying        : libgomp-11.3.1-4.amzn2023.0.2.x86_64  36/50
  Verifying        : keyutils-libs-1.6.3-1.amzn2023.x86_64  37/50
  Verifying        : keyutils-libs-1.6.1-2.amzn2023.0.2.x86_64  38/50
  Verifying        : ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64  39/50
  Verifying        : ncurses-libs-6.2-4.20200222.amzn2023.0.3.x86_64  40/50
  Verifying        : ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch  41/50
  Verifying        : ca-certificates-2023.2.60-1.0.amzn2023.0.1.noarch  42/50
  Verifying        : tzdata-2023c-1.amzn2023.0.1.noarch  43/50
  Verifying        : tzdata-2022g-1.amzn2023.0.1.noarch  44/50
  Verifying        : amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.no  45/50
  Verifying        : amazon-linux-repo-cdn-2023.0.20230315-1.amzn2023.no  46/50
  Verifying        : system-release-2023.1.20230628-0.amzn2023.noarch  47/50
  Verifying        : system-release-2023.0.20230315-1.amzn2023.noarch  48/50
  Verifying        : ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch  49/50
  Verifying        : ncurses-base-6.2-4.20200222.amzn2023.0.3.noarch  50/50

Upgraded:
  amazon-linux-repo-cdn-2023.1.20230628-0.amzn2023.noarch
  ca-certificates-2023.2.60-1.0.amzn2023.0.2.noarch
  curl-minimal-8.0.1-1.amzn2023.x86_64
  glib2-2.74.7-688.amzn2023.0.1.x86_64
  glibc-2.34-52.amzn2023.0.3.x86_64
  glibc-common-2.34-52.amzn2023.0.3.x86_64
  glibc-minimal-langpack-2.34-52.amzn2023.0.3.x86_64
  gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64
  keyutils-libs-1.6.3-1.amzn2023.x86_64
  libcap-2.48-2.amzn2023.0.3.x86_64
  libcurl-minimal-8.0.1-1.amzn2023.x86_64
  libgcc-11.3.1-4.amzn2023.0.3.x86_64
  libgomp-11.3.1-4.amzn2023.0.3.x86_64
  libstdc++-11.3.1-4.amzn2023.0.3.x86_64
  libxml2-2.10.4-1.amzn2023.0.1.x86_64
  ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch
  ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64
  openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64
  python3-rpm-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-build-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  rpm-sign-libs-4.16.1.3-12.amzn2023.0.6.x86_64
  system-release-2023.1.20230628-0.amzn2023.noarch
  tzdata-2023c-1.amzn2023.0.1.noarch

Complete!
bash-5.2#
To discover AL2023 updates, do one or more of the following:
- Run the dnf check-update command. This checks for any unapplied updates in the version of Amazon Linux which you are locked to. This may show updates if you updated only the system-release package, moving what version of the repositories the instance is locked to but not applying any of the updates available in it.
- Subscribe to the Amazon Linux repository update SNS topic (arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates). For more information, see Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide.
- Regularly refer to the AL2023 release notes.
- Discover new versions by Checking for newer repository versions with dnf check-release-update.
Important
New versions of AL2023 containing security updates are released frequently. Be sure to keep up to date with relevant security patches.
Automatic service restart after (security) updates
Amazon Linux now ships with the smart-restart package. Smart-restart restarts systemd services on system updates whenever a package is installed or deleted using the system's package manager. This occurs whenever dnf (update|upgrade|downgrade) is executed.
Smart-restart uses the needs-restarting package from dnf-utils and a custom denylisting mechanism to determine which services need to be restarted and whether a system reboot is advised. If a system reboot is advised, a reboot hint marker file is generated (/run/smart-restart/reboot-hint-marker).
To install smart-restart
Run the following DNF command (as you would with any other package).
$ sudo dnf install smart-restart
After the installation, the subsequent transactions will trigger the smart-restart logic.
Denylist
Smart-restart can be instructed to block certain services from being restarted. The blocked services won't contribute to the decision of whether a reboot is required. To block additional services, add a file with the suffix -denylist in /etc/smart-restart-conf.d/ as shown in the following example.
$ cat /etc/smart-restart-conf.d/custom-denylist
# Some comments
myservice.service
Note
All *-denylist files are read and evaluated when making the decision of whether a reboot is required.
Custom hooks
In addition to denylisting, smart-restart provides a mechanism to run custom scripts before and after the attempts to restart the service. The custom scripts can be used to manually perform preparation steps or to inform other components of a remaining or completed restart.
All scripts in /etc/smart-restart-conf.d/ with the suffix -pre-restart or -post-restart are executed. If the order is important, prefix all of the scripts with a number to ensure the execution order as shown in the following example.
$ ls /etc/smart-restart-conf.d/*-pre-restart
001-my-script-pre-restart 002-some-other-script-pre-restart
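The denylist files, hook scripts and reboot hint marker described above can be reviewed together after a patch run. The following audit is an added example, not part of smart-restart: the variable and function names are made up here, it assumes denylist files hold one unit per line with # comment lines, and it assumes hooks run in lexical file-name order, which is what the numeric prefixes suggest.

```sh
#!/bin/sh
# Added example, not part of smart-restart. The two default paths are the
# ones the page names; the variable and function names are hypothetical.
SR_CONF_DIR="${SR_CONF_DIR:-/etc/smart-restart-conf.d}"
SR_REBOOT_MARKER="${SR_REBOOT_MARKER:-/run/smart-restart/reboot-hint-marker}"

# Units blocked from restart, merged across every *-denylist file.
# Assumption: one unit per line; blank lines and "#" comment lines ignored.
denylisted_units() {
    for f in "$SR_CONF_DIR"/*-denylist; do
        [ -f "$f" ] || continue    # the glob matched nothing
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f"
    done | sort -u
}

# Hook scripts for one phase ("pre" or "post"), in lexical order.
hooks() {
    for f in "$SR_CONF_DIR"/*-"$1"-restart; do
        [ -f "$f" ] || continue
        echo "${f##*/}"
    done
}

# Files in the config directory that group or others can write. Package
# transactions are a privileged operation, so a hook or denylist that
# unprivileged users can edit deserves a closer look.
writable_by_others() {
    [ -d "$SR_CONF_DIR" ] || return 0
    find "$SR_CONF_DIR" -type f \( -perm -020 -o -perm -002 \) |
        sed 's|.*/||' | sort
}

# True when smart-restart left a reboot hint marker.
reboot_advised() {
    [ -e "$SR_REBOOT_MARKER" ]
}

report() {
    echo "Denylisted units:";          denylisted_units   | sed 's/^/  /'
    echo "Pre-restart hooks:";         hooks pre          | sed 's/^/  /'
    echo "Post-restart hooks:";        hooks post         | sed 's/^/  /'
    echo "Writable by group/others:";  writable_by_others | sed 's/^/  /'
    if reboot_advised; then
        echo "Reboot hint: present"
    else
        echo "Reboot hint: absent"
    fi
}

# Usage: sh smart-restart-audit.sh report
if [ "${1:-}" = "report" ]; then
    report
fi
```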
When is a reboot required to apply security updates?
In some situations, Amazon Linux requires a reboot to apply updates:
- Updates to the Linux kernel package require a reboot to activate the new kernel with latest security updates. Kernel livepatching may allow you to postpone security updates for a limited period of time. For details, consult Kernel Live Patching on AL2023.
- On EC2 Metal instances, Amazon Linux provides microcode updates (through the microcode_ctl package for Intel CPUs and the amd-ucode-firmware package for AMD CPUs). These microcode updates will only be activated on subsequent instance reboots. For virtualized EC2 instances, the underlying AWS Nitro system handles microcode updates for you.
- Some running systemd services will only function correctly after a full system restart. The smart-restart mechanism will inform you about such situations by leaving reboot hints. See Automatic service restart after (security) updates.
Launching an instance with the latest repository version enabled
You can add DNF commands to a user-data script to control what RPM packages are installed on an Amazon Linux AMI when it's launched. In the following example, a user-data script is used to make sure that any instance launched with the user-data script has the same package updates installed.
#!/bin/bash
# User data runs non-interactively, so pass -y to skip the confirmation prompt.
dnf upgrade -y --releasever=2023.0.20230210
# Additional setup and install commands below
dnf install -y httpd php7.4 mysql80
You must run this script as superuser (root). To do this, run the following command.
$ sudo sh -c "bash nameofscript.sh"
For more information, see User data and shell scripts in the Amazon EC2 User Guide.
Note
Instead of using a user-data script, launch the latest Amazon Linux AMI or a custom AMI that's based on the Amazon Linux AMI. The latest Amazon Linux AMI has all the necessary updates installed and is configured to point at a particular repository version.
Getting package support information
AL2023 incorporates many different open-source software projects. Each of these projects is managed independently from Amazon Linux and has different release and end-of-support schedules. To provide you with Amazon Linux specific information about these different packages, the DNF supportinfo plugin provides metadata about a package. In the following example, the dnf supportinfo command returns metadata for the glibc package.
$ sudo dnf supportinfo --pkg glibc
Last metadata expiration check: 0:07:56 ago on Wed Mar 1 23:21:49 2023.
Name                 : glibc
Version              : 2.34-52.amzn2023.0.2
State                : installed
Support Status       : supported
Support Periods      : from 2023-03-15      : supported
                     : from 2028-03-15      : unsupported
Support Statement    : Amazon Linux 2023 End Of Life
Link                 : https://aws.amazon.com/amazon-linux-ami/faqs/
Other Info           : This is the support statement for AL2023. The
...: end of life of Amazon Linux 2023 would be March 2028.
...: From this point, the Amazon Linux 2023 packages (listed
...: below) will no longer, receive any updates from AWS.
Package support information is also available in the support statements section of the AL2023 Release Notes.
Checking for newer repository versions with dnf check-release-update
In an AL2023 instance, you can use the DNF utility to manage repositories and apply updated RPM packages. These packages are available in the Amazon Linux repositories. You can use the DNF command dnf check-release-update to check for new versions of the DNF repository.
Note
AL2023 container images do not include the dnf check-release-update command by default.
$ dnf check-release-update
No such command: check-release-update. Please use /usr/bin/dnf --help
It could be a DNF plugin command, try: "dnf install 'dnf-command(check-release-update)'"
When dnf install 'dnf-command(check-release-update)' is run, dnf will install the package which provides the check-release-update command, which is the dnf-plugin-release-notification package. In the below example, the -q argument is given to dnf for it to have quiet output.
$ dnf -y -q install 'dnf-command(check-release-update)'
Installed:
dnf-plugin-release-notification-1.2-1.amzn2023.0.2.noarch
In non-containerized environments such as an Amazon EC2 instance, the check-release-update command is included by default.
$ sudo dnf check-release-update
WARNING:
A newer release of "Amazon Linux" is available.
Available Versions:
Version 2023.0.20230210:
Run the following command to update to 2023.0.20230210:
dnf upgrade --releasever=2023.0.20230210
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html
This returns a full list of all the newer versions of the DNF repositories that are available. If
nothing's returned, this means that DNF is currently configured to use the latest available version.
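To feed the newest version reported by dnf check-release-update into a pinned user-data script like the one under Launching an instance with the latest repository version enabled, the version can be extracted and validated first. This is an added example, not AWS code; the function names are hypothetical, and the version pattern (YYYY.N.YYYYMMDD) is inferred from the releases shown on this page.

```sh
#!/bin/sh
# Added example, not AWS code; all function names are hypothetical.

# Accept only the release shape used on this page: YYYY.N.YYYYMMDD.
# Anything else (spaces, newlines, shell syntax) is rejected before the
# value is written into a script that later runs as root.
valid_release() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;    # digits and dots only
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}\.[0-9]+\.[0-9]{8}$'
}

# Read check-release-update output on stdin and print the versions from
# its "Version <release>:" lines, oldest first. Each dot-separated field
# is compared numerically, so 2023.10.x sorts after 2023.9.x.
newer_releases() {
    sed -n 's/^[[:space:]]*Version \([0-9][0-9.]*\):[[:space:]]*$/\1/p' |
        sort -t . -k 1,1n -k 2,2n -k 3,3n
}

# Newest version listed, or nothing when no newer release was reported.
latest_release() {
    newer_releases | tail -n 1
}

# Print a user-data script pinned to one validated release, so every
# instance launched with it ends up on the same package set.
render_user_data() {
    if ! valid_release "$1"; then
        echo "refusing release version: $1" >&2
        return 1
    fi
    cat <<EOF
#!/bin/bash
# Generated: pins the instance to one repository version at launch.
dnf upgrade -y --releasever=$1
EOF
}

# Usage on an instance (stderr is merged in case the notice is written there):
#   latest=$(dnf check-release-update 2>&1 | latest_release)
#   if [ -n "$latest" ]; then render_user_data "$latest" > user-data.sh; fi
```

An empty result from latest_release corresponds to the case described above where nothing is returned because the latest available version is already configured.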
The version of the currently installed system-release package sets the releasever DNF variable. To check the current repository version, run the following command.
$ rpm -q system-release --qf "%{VERSION}\n"
When you run DNF package transactions (such as install, update, or remove commands), a warning message notifies you of any new repository versions. For example, if you install the httpd package on an instance that was launched from an older version of AL2023, the following output is returned.
$ sudo dnf install httpd -y
Last metadata expiration check: 0:16:52 ago on Wed Mar 1 23:21:49 2023.
Dependencies resolved.
====================================================================
 Package              Arch    Version                 Repository   Size
====================================================================
Installing:
 httpd                x86_64  2.4.54-3.amzn2023.0.4   amazonlinux  46 k
Installing dependencies:
 apr                  x86_64  1.7.2-2.amzn2023.0.2    amazonlinux  129 k
 apr-util             x86_64  1.6.3-1.amzn2023.0.1    amazonlinux  98 k
 generic-logos-httpd  noarch  18.0.0-12.amzn2023.0.3  amazonlinux  19 k
 httpd-core           x86_64  2.4.54-3.amzn2023.0.4   amazonlinux  1.3 M
 httpd-filesystem     noarch  2.4.54-3.amzn2023.0.4   amazonlinux  13 k
 httpd-tools          x86_64  2.4.54-3.amzn2023.0.4   amazonlinux  80 k
 libbrotli            x86_64  1.0.9-4.amzn2023.0.2    amazonlinux  315 k
 mailcap              noarch  2.1.49-3.amzn2023.0.3   amazonlinux  33 k
Installing weak dependencies:
 apr-util-openssl     x86_64  1.6.3-1.amzn2023.0.1    amazonlinux  17 k
 mod_http2            x86_64  1.15.24-1.amzn2023.0.3  amazonlinux  152 k
 mod_lua              x86_64  2.4.54-3.amzn2023.0.4   amazonlinux  60 k

Transaction Summary
====================================================================
Install  12 Packages

Total download size: 2.3 M
Installed size: 6.8 M
Downloading Packages:
(1/12): apr-util-openssl-1.6.3-1.am 212 kB/s | 17 kB 00:00
(2/12): apr-1.7.2-2.amzn2023.0.2.x8 1.1 MB/s | 129 kB 00:00
(3/12): httpd-core-2.4.54-3.amzn202 8.9 MB/s | 1.3 MB 00:00
(4/12): mod_http2-1.15.24-1.amzn202 1.9 MB/s | 152 kB 00:00
(5/12): apr-util-1.6.3-1.amzn2023.0 1.7 MB/s | 98 kB 00:00
(6/12): mod_lua-2.4.54-3.amzn2023.0 1.4 MB/s | 60 kB 00:00
(7/12): httpd-2.4.54-3.amzn2023.0.4 1.5 MB/s | 46 kB 00:00
(8/12): libbrotli-1.0.9-4.amzn2023. 4.4 MB/s | 315 kB 00:00
(9/12): mailcap-2.1.49-3.amzn2023.0 753 kB/s | 33 kB 00:00
(10/12): httpd-tools-2.4.54-3.amzn2 978 kB/s | 80 kB 00:00
(11/12): httpd-filesystem-2.4.54-3. 210 kB/s | 13 kB 00:00
(12/12): generic-logos-httpd-18.0.0 439 kB/s | 19 kB 00:00
--------------------------------------------------------------------
Total 6.6 MB/s | 2.3 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :  1/1
  Installing       : apr-1.7.2-2.amzn2023.0.2.x86_64  1/12
  Installing       : apr-util-openssl-1.6.3-1.amzn2023.0.1.  2/12
  Installing       : apr-util-1.6.3-1.amzn2023.0.1.x86_64  3/12
  Installing       : mailcap-2.1.49-3.amzn2023.0.3.noarch  4/12
  Installing       : httpd-tools-2.4.54-3.amzn2023.0.4.x86_  5/12
  Installing       : generic-logos-httpd-18.0.0-12.amzn2023  6/12
  Running scriptlet: httpd-filesystem-2.4.54-3.amzn2023.0.4  7/12
  Installing       : httpd-filesystem-2.4.54-3.amzn2023.0.4  7/12
  Installing       : httpd-core-2.4.54-3.amzn2023.0.4.x86_6  8/12
  Installing       : mod_http2-1.15.24-1.amzn2023.0.3.x86_6  9/12
  Installing       : libbrotli-1.0.9-4.amzn2023.0.2.x86_64  10/12
  Installing       : mod_lua-2.4.54-3.amzn2023.0.4.x86_64  11/12
  Installing       : httpd-2.4.54-3.amzn2023.0.4.x86_64  12/12
  Running scriptlet: httpd-2.4.54-3.amzn2023.0.4.x86_64  12/12
  Verifying        : apr-1.7.2-2.amzn2023.0.2.x86_64  1/12
  Verifying        : apr-util-openssl-1.6.3-1.amzn2023.0.1.  2/12
  Verifying        : httpd-core-2.4.54-3.amzn2023.0.4.x86_6  3/12
  Verifying        : mod_http2-1.15.24-1.amzn2023.0.3.x86_6  4/12
  Verifying        : apr-util-1.6.3-1.amzn2023.0.1.x86_64  5/12
  Verifying        : mod_lua-2.4.54-3.amzn2023.0.4.x86_64  6/12
  Verifying        : libbrotli-1.0.9-4.amzn2023.0.2.x86_64  7/12
  Verifying        : httpd-2.4.54-3.amzn2023.0.4.x86_64  8/12
  Verifying        : httpd-tools-2.4.54-3.amzn2023.0.4.x86_  9/12
  Verifying        : mailcap-2.1.49-3.amzn2023.0.3.noarch  10/12
  Verifying        : httpd-filesystem-2.4.54-3.amzn2023.0.4  11/12
  Verifying        : generic-logos-httpd-18.0.0-12.amzn2023  12/12

Installed:
  apr-1.7.2-2.amzn2023.0.2.x86_64
  apr-util-1.6.3-1.amzn2023.0.1.x86_64
  apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64
  generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch
  httpd-2.4.54-3.amzn2023.0.4.x86_64
  httpd-core-2.4.54-3.amzn2023.0.4.x86_64
  httpd-filesystem-2.4.54-3.amzn2023.0.4.noarch
  httpd-tools-2.4.54-3.amzn2023.0.4.x86_64
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64
  mailcap-2.1.49-3.amzn2023.0.3.noarch
  mod_http2-1.15.24-1.amzn2023.0.3.x86_64
  mod_lua-2.4.54-3.amzn2023.0.4.x86_64

Complete!
Adding, enabling, or disabling new repositories
Warning
Only add repositories designed to be used with AL2023.
While repositories designed for other distributions might work today, there is no guarantee that they will continue to work after a package update in AL2023 or in the repository that was not designed for use with AL2023.
To install a package from a repository other than the default Amazon Linux repositories, you need to configure the DNF package management system to know where the repository is.
To tell dnf about a package repository, add the repository information to a configuration file for that repository in the /etc/yum.repos.d/ directory. Many third-party repositories provide either the configuration file content or an installable package that includes the configuration file.
Note
While repositories can be configured directly in the /etc/dnf/dnf.conf file, this is not recommended. It is recommended that each repository be configured in its own file in /etc/yum.repos.d/.
To find out what repositories are currently enabled, you can run the following command:
$ dnf repolist all --verbose
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, release-notification, repoclosure, repodiff, repograph, repomanage, reposync, supportinfo
DNF version: 4.12.0
cachedir: /var/cache/dnf
Last metadata expiration check: 0:00:02 ago on Wed Mar 1 23:40:15 2023.
Repo-id            : amazonlinux
Repo-name          : Amazon Linux 2023 repository
Repo-status        : enabled
Repo-revision      : 1677203368
Repo-updated       : Fri Feb 24 01:49:28 2023
Repo-pkgs          : 12632
Repo-available-pkgs: 12632
Repo-size          : 12 G
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/x86_64/mirror.list
Repo-baseurl       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/guids/cf9296325a6c46ff40c775a8e2d632c4c3fd9d9164014ce3304715d61b90ca8e/x86_64/
                   : (0 more)
Repo-expire        : 172800 second(s) (last: Wed Mar 1 23:40:15
                   : 2023)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : amazonlinux-debuginfo
Repo-name          : Amazon Linux 2023 repository - Debug
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/debuginfo/x86_64/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : amazonlinux-source
Repo-name          : Amazon Linux 2023 repository - Source packages
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/core/mirrors/2023.0.20230222/SRPMS/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/amazonlinux.repo

Repo-id            : kernel-livepatch
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/kernel-livepatch/mirrors/al2023/x86_64/mirror.list
Repo-expire        : 172800 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo

Repo-id            : kernel-livepatch-source
Repo-name          : Amazon Linux 2023 Kernel Livepatch repository -
                   : Source packages
Repo-status        : disabled
Repo-mirrors       : https://al2023-repos-us-west-2-de612dc2.s3.dualstack.us-west-2.amazonaws.com/kernel-livepatch/mirrors/al2023/SRPMS/mirror.list
Repo-expire        : 21600 second(s) (last: unknown)
Repo-filename      : /etc/yum.repos.d/kernel-livepatch.repo
Total packages: 12632
Note
If you don't add the --verbose option flag, the output only includes the Repo-id, Repo-name, and Repo-status information.
To add a yum repository to the /etc/yum.repos.d directory:
- Find the location of the .repo file. In this example, the .repo file is at https://www.example.com/repository.repo.
- Add the repository with the dnf config-manager command.
  $ sudo dnf config-manager --add-repo https://www.example.com/repository.repo
  Loaded plugins: priorities, update-motd, upgrade-helper
  adding repo from: https://www.example.com/repository.repo
  grabbing file https://www.example.com/repository.repo to /etc/yum.repos.d/repository.repo
  repository.repo | 4.0 kB 00:00
  repo saved to /etc/yum.repos.d/repository.repo
After you install a repository, you must enable it as described in the next procedure.
To enable a yum repository in /etc/yum.repos.d, use the dnf config-manager command with the --enable flag and repository name.
$ sudo dnf config-manager --enable repository
Note
To disable a repository, use the same command syntax, but replace --enable with --disable in the command.
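After adding and enabling a third-party repository, it is worth confirming that its .repo file still enforces package signature checks. The following audit is an added example, not part of the AWS documentation; the sample file content, repository IDs and function names are constructed for illustration, and it assumes a repository that sets no gpgcheck of its own inherits the value from the [main] section of dnf.conf (passed in as main_gpgcheck).

```python
import configparser

TRUE_VALUES = {"1", "true", "yes", "on"}
# Constructed sample standing in for a file such as /etc/yum.repos.d/repository.repo.
SAMPLE_REPO_FILE = """\
[example-signed]
name=Example Repository
baseurl=https://www.example.com/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[example-unsigned]
baseurl=http://www.example.com/unsigned/
enabled=1
gpgcheck=0

[example-disabled]
baseurl=http://www.example.com/old/
enabled=0
"""

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def audit_repo_text(text, main_gpgcheck=False):
    """Return {repo_id: [findings]} for each enabled repository in one .repo file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if not is_true(repo.get("enabled", "1")):  # DNF enables a repo unless told otherwise
            continue
        findings = []
        # Assumption: an unset gpgcheck falls back to the [main] value supplied by the caller.
        gpgcheck = is_true(repo["gpgcheck"]) if "gpgcheck" in repo else main_gpgcheck
        if not gpgcheck:
            findings.append("gpgcheck is off")
        elif not repo.get("gpgkey", "").strip():
            findings.append("no gpgkey configured")
        sources = " ".join(repo.get(k, "") for k in ("baseurl", "mirrorlist", "metalink"))
        if any(u.lower().startswith("http://") for u in sources.replace(",", " ").split()):
            findings.append("repository metadata is fetched over plain http")
        report[repo_id] = findings
    return report

if __name__ == "__main__":
    for repo_id, findings in audit_repo_text(SAMPLE_REPO_FILE).items():
        print(repo_id, "->", "; ".join(findings) or "ok")
```

To audit a live instance, read each file under /etc/yum.repos.d/ and pass its text to audit_repo_text. A "no gpgcheck configured" finding means the signing key must already be imported into the RPM keyring for installs to succeed.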
Adding repositories with cloud-init
In addition to adding a repository using the previous method, you can also add a new repository using the cloud-init framework.
To add a new package repository, we recommend the use of the following template. Consider saving this file locally.
#cloud-config
yum_repos:
  repository.repo:
    baseurl: https://www.example.com/
    enabled: true
    gpgcheck: true
    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
    name: Example Repository
Note
One advantage to using cloud-init is that you can add a packages: section to your configuration file. In this section, you can include the names of the packages that you want to install. You can install packages from either the default repository or the new repository that you added in the cloud-config file.
For more specific information about the structure of the YAML file, see Adding a YUM repository in the cloud-init documentation.
After you set up the YAML format file, you can run it in the cloud-init framework in the AWS CLI. Make sure to include the --user-data option and the name of the .yml file to call the desired operations.
$ aws ec2 run-instances \
  --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
  --instance-type m5.xlarge \
  --region us-east-1 \
  --key-name aws-key-us-east-1 \
  --security-group-ids sg-004a7650 \
  --user-data file://cloud-config.yml