AL1 version 2016.03 release notes - Amazon Linux 1

AL1 version 2016.03 release notes

Warning

Amazon Linux 1 (AL1, formerly Amazon Linux AMI) is no longer supported. This guide is available only for reference purposes.

Note

AL1 is no longer the current version of Amazon Linux. AL2023 is the successor to AL1 and Amazon Linux 2. For more information about what's new in AL2023, see Comparing AL1 and AL2023 section in the AL2023 User Guide and the list of Package changes in AL2023.

This topic includes AL1 release notes updates for the 2016.03 release.

Upgrading to AL1 version 2016.03

We recommend that you upgrade to AL1 version 2016.03 from earlier versions.

Although previous versions of the AMI and its packages will continue to be available for launch in Amazon EC2 even as new AL1 versions are released, we encourage users to migrate to the latest version of the AMI and to keep their systems updated. In some cases, customers who seek support for a previous version of AL1 through AWS Support might be asked to move to newer versions as part of the support process.

To upgrade to AL1 version 2016.03 from 2011.09 or later, run sudo yum update. When the upgrade is complete, reboot your instance.

Remember that the AL1 repository structure is configured to deliver a continuous flow of updates that allow you to roll from one version of AL1 to the next. For more information, see our lock-on-launch FAQ for a discussion of how you can lock an instance (either a new launch or one already running) to a particular version of the AL1 repositories.

2016.03.3 point release

Released on June 28, 2016

We've added support for the newly launched Elastic Network Adapter (ENA), the next generation network interface for Amazon EC2 instances, including version 0.6.6 of the open source ENA drivers.

2016.03.2 point release

Released on June 9, 2016

We've updated the base AMI to include all bug fix and security updates that have been made available in our repositories since the 2016.03.1 point release.

This point release includes the 4.4.11 kernel.

The Amazon Linux AMI with NVIDIA GRID GPU Driver now includes NVIDIA driver version 352.79 and CUDA 7.5.18.

2016.03.1 point release

Released on May 4, 2016

We've updated the base AMI to include all bugfix and security updates that have been made available in our repositories since the 2016.03 release.

This point release includes the 4.4.8 kernel.

We've made a number of changes that improve AMI reboot time performance.

New Features

Kernel 4.4

Having spent the past release tracking the 4.1 kernel series, for this release we moved the kernel to version 4.4, which is the most recent long-term stable release kernel.

SSLv3 protocol disabled by default

The SSLv3 protocol has been disabled by default in OpenSSL in favor of TLS. Server applications that have SSL/TLS protocol lists in their configuration have been updated to exclude SSLv3 by default.

For this release, SSLv3 support has not been entirely removed from any cryptographic libraries, so you can override this decision on an application-by-application basis, where supported. Keep in mind that SSLv3 is vulnerable to the POODLE padding-oracle attack (CVE-2014-3566), which is why it was disabled; re-enable it only for a specific legacy client that cannot speak TLS, and only on the application that client needs.

SSL-related changes to individual applications are described below:

Apache: mod_ssl, mod24_ssl

Note

This section applies to Apache 2.2, through the httpd and mod_ssl packages, and to Apache 2.4, through the httpd24 and mod24_ssl packages.

SSLv3 support in Apache is controlled by the SSLProtocol and SSLProxyProtocol settings in /etc/httpd/conf.d/ssl.conf, part of the mod_ssl or mod24_ssl packages. If you're performing a new install, or if you're upgrading and you haven't modified ssl.conf, you'll get this change automatically. If you're upgrading and you've modified ssl.conf, you can add the following lines to /etc/httpd/conf.d/ssl.conf and restart httpd to ensure you're using TLS.

Example ssl.conf
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

If you need to enable SSLv3, you can change -SSLv3 to -SSLv2 in those lines and restart httpd.

Apache: mod_nss, mod24_nss

Note

This section applies to Apache 2.2, through the httpd and mod_nss packages, and to Apache 2.4, through the httpd24 and mod24_nss packages.

SSLv3 support in mod_nss is similar to mod_ssl (see previous section) but the relevant configuration option is NSSProtocol in /etc/httpd/conf.d/nss.conf. In this release, SSLv3 has been removed from this list by default. If you're performing a new install, or if you're upgrading and you haven't modified nss.conf, you'll get this change automatically. If you're upgrading and you have modified nss.conf, you can add the following line to /etc/httpd/conf.d/nss.conf and restart httpd to ensure you're using TLS.

Example nss.conf
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

If you need to enable SSLv3, you can add SSLv3 to that list and restart httpd.

nginx

SSLv3 support in nginx is controlled by the ssl_protocols setting in the http and server contexts in your configuration. The default (commented) configuration for SSL servers in AL1 now includes an ssl_protocols line specifying only TLS, as a suggestion for users setting up a new secure server.

If you're upgrading nginx and want to ensure you only use TLS, include the following line in the server context of your configuration and restart nginx.

Example nginx configuration enforcing TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you need to enable SSLv3, you can add SSLv3 to this line and restart nginx.

lighttpd

SSLv3 is disabled by default if not specified in the lighttpd configuration file. If you need to enable SSLv3, you can add the following line to /etc/lighttpd/lighttpd.conf and restart lighttpd.

Example Enabling SSLv3 in lighttpd
ssl.use-sslv3 = "enable"

tomcat

Tomcat uses the JVM for TLS. All versions of OpenJDK in AL1 have SSLv3 support disabled.

openldap and 389

New installations of openldap include the parameter TLSProtocolMin 3.1 in slapd.conf (3.1 denotes TLS 1.0 in OpenLDAP's notation; 3.3 would require TLS 1.2), which is used to populate the initial configuration in cn=config.

New installations of 389 include the parameter sslVersionMin: TLS1.0 in cn=config.

Users upgrading to this release keep their existing cn=config database, so the new minimum is not applied automatically; they can set the relevant parameter (olcTLSProtocolMin for openldap, sslVersionMin for 389) using ldapmodify.

dovecot

dovecot now includes the following line in /etc/dovecot/conf.d/10-ssl.conf.

Example dovecot configuration snippet disabling SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3

If you're newly installing dovecot, or if you're upgrading and haven't modified 10-ssl.conf, you'll get this change automatically. If you're upgrading dovecot and you have modified 10-ssl.conf, you can add the line above to /etc/dovecot/conf.d/10-ssl.conf and restart dovecot to ensure you're using TLS.

If you need to enable SSLv3, remove !SSLv3 from that line and restart dovecot.

postfix, sendmail, postgresql, mysql, tomcat-native, haproxy, cyrus-imapd, stunnel, vsftpd, fetchmail

These applications inherit their settings from OpenSSL and will no longer use SSLv3.
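The per-application directives above are easy to get subtly wrong on an upgraded system (for example, an ssl.conf that was "fixed" to all -SSLv2, or an SSLProxyProtocol line that was never touched). The following audit helper is an added example written for these notes, not code from Amazon Linux or any of the packages listed; it evaluates the directives the sections above describe and reports, per file, whether SSLv3 is still negotiable. Assumptions: Apache's SSLProtocol and SSLProxyProtocol lists are processed left to right ('all', bare names, and +/- prefixes, with the last directive winning), Apache's 'all' includes SSLv3 on this OpenSSL 1.0.1 era release, NSSProtocol and nginx ssl_protocols are plain lists, lighttpd's ssl.use-sslv3 is off unless enabled, and dovecot's '!' excludes a version. Every configuration snippet in SAMPLES is constructed; to audit real files, read them into sslv3_enabled() the same way.

```python
"""Audit AL1 2016.03 service configs for SSLv3 that is still negotiable.

Added example, not code from the Amazon Linux release notes or the packages
it covers. All configuration text in SAMPLES is constructed.
"""
import re

# What Apache's "all" expands to in mod_ssl on this OpenSSL 1.0.1 release
# (SSLv2 handling differs between httpd 2.2 and 2.4 and is not tracked here).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANON = {p.lower(): p for p in APACHE_ALL}


def _directive_lines(text):
    """Yield (name, value) per non-comment line; an '=' separator is tolerated."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([\w.\-]+)\s*=?\s*(.*)$", line)
        if m:
            yield m.group(1), m.group(2).strip()


def _canon(proto):
    return _CANON.get(proto.lower(), proto)


def apache_protocols(text, directive="SSLProtocol"):
    """Protocol set left by the last `directive` line, evaluated left to right
    as mod_ssl does: a bare name or 'all' replaces the set, '+' adds, '-'
    removes. None if absent (Apache then uses its default 'all')."""
    result = None
    for name, value in _directive_lines(text):
        if name.lower() != directive.lower():
            continue
        enabled = set()
        for tok in value.split():
            prefix, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
            versions = APACHE_ALL if proto.lower() == "all" else {_canon(proto)}
            if prefix == "+":
                enabled |= versions
            elif prefix == "-":
                enabled -= versions
            else:
                enabled = set(versions)
        result = enabled
    return result


def nss_protocols(text):
    """mod_nss: NSSProtocol is a comma-separated list (None if absent)."""
    result = None
    for name, value in _directive_lines(text):
        if name.lower() == "nssprotocol":
            result = {p.strip() for p in value.split(",") if p.strip()}
    return result


def nginx_protocols(text):
    """nginx: 'ssl_protocols A B C;' in the http/server context (None if absent)."""
    result = None
    for name, value in _directive_lines(text):
        if name == "ssl_protocols":
            result = set(value.rstrip(";").split())
    return result


def lighttpd_sslv3(text):
    """lighttpd: only ssl.use-sslv3 = "enable" turns SSLv3 on; absent means off."""
    enabled = False
    for name, value in _directive_lines(text):
        if name == "ssl.use-sslv3":
            enabled = value.strip('"') == "enable"
    return enabled


def dovecot_sslv3(text):
    """dovecot: ssl_protocols lists versions to enable and '!' excludes one.
    Positive entries alone define the set; an all-negative list means
    'everything except these'. None if the setting is absent."""
    result = None
    for name, value in _directive_lines(text):
        if name == "ssl_protocols":
            tokens = value.split()
            positive = [t for t in tokens if not t.startswith("!")]
            result = "SSLv3" in positive if positive else "!SSLv3" not in tokens
    return result


def _has_sslv3(protos):
    return any(p.lower() == "sslv3" for p in protos)


def sslv3_enabled(kind, text):
    """True if SSLv3 stays negotiable, False if excluded, None if the file
    does not decide (the daemon's built-in default then applies)."""
    if kind == "apache":  # both the server and the proxy-client list matter
        found = [s for s in (apache_protocols(text, "SSLProtocol"),
                             apache_protocols(text, "SSLProxyProtocol")) if s is not None]
        return any(_has_sslv3(s) for s in found) if found else None
    if kind == "lighttpd":
        return lighttpd_sslv3(text)
    if kind == "dovecot":
        return dovecot_sslv3(text)
    protos = {"mod_nss": nss_protocols, "nginx": nginx_protocols}[kind](text)
    return None if protos is None else _has_sslv3(protos)


# Constructed snippets standing in for /etc/httpd/conf.d/ssl.conf and friends.
SAMPLES = {
    "ssl.conf (upgraded, SSLv3 back)": ("apache", "SSLProtocol all -SSLv2\nSSLProxyProtocol all -SSLv3\n"),
    "ssl.conf (new install)": ("apache", "# TLS only\nSSLProtocol all -SSLv3\nSSLProxyProtocol all -SSLv3\n"),
    "nss.conf": ("mod_nss", "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2\n"),
    "nginx.conf": ("nginx", "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "lighttpd.conf": ("lighttpd", 'ssl.use-sslv3 = "enable"\n'),
    "10-ssl.conf": ("dovecot", "ssl_protocols = !SSLv2 !SSLv3\n"),
}


def audit(samples=SAMPLES):
    """Map each config name to the True/False/None verdict of sslv3_enabled."""
    return {name: sslv3_enabled(kind, text) for name, (kind, text) in samples.items()}


if __name__ == "__main__":
    labels = {True: "SSLv3 ENABLED", False: "TLS only", None: "not set (daemon default)"}
    for name, state in audit().items():
        print("%-34s %s" % (name, labels[state]))
```

A None verdict deserves attention rather than relief: for Apache it means the daemon's own default of all applies, which on this release still includes SSLv3, so an ssl.conf with no SSLProtocol line at all is as exposed as one that lists SSLv3 explicitly.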

DNS resolution retries faster

The default DNS resolution options were changed from two retries with a five second timeout to five retries with a two second timeout.

Retries for DNS resolution in glibc are configured to happen faster because the distance to the Amazon EC2 resolvers is known to be short. This is configured in the AMI rather than in a package, so the change is not brought in unexpectedly by a yum update.

To apply the same change to existing instances, append the options to both files below. The RES_OPTIONS line in ifcfg-eth0 is what persists, because the network scripts regenerate /etc/resolv.conf from it when the interface comes up or the DHCP lease is renewed; the line appended directly to /etc/resolv.conf takes effect immediately but is lost at the next rewrite.

Example Applying the resolver options to an existing instance
$ echo 'RES_OPTIONS="timeout:2 attempts:5"' | sudo tee -a /etc/sysconfig/network-scripts/ifcfg-eth0
$ echo 'options timeout:2 attempts:5' | sudo tee -a /etc/resolv.conf

NUMA balancing disabled by default

In this release, NUMA balancing has been disabled by default in the kernel to avoid unexpected performance degradation. This change only affects the following instance types which support NUMA:

  • cr1.8xlarge

  • c3.8xlarge

  • r3.8xlarge

  • i2.8xlarge

  • c4.8xlarge

  • d2.8xlarge

  • g2.8xlarge

  • m4.10xlarge

If you prefer the previous behavior, you can enable NUMA balancing using sysctl. The first command changes the running kernel; the second writes a sysctl.d fragment so the setting survives a reboot.

Example Enabling NUMA balancing
$ sudo sysctl -w 'kernel.numa_balancing=1'
$ echo 'kernel.numa_balancing = 1' | sudo tee /etc/sysctl.d/50-numa-balancing.conf

OpenLDAP 2.4.40

OpenLDAP 2.4.40 was in the preview repository since our 2015.09 release. OpenLDAP 2.4.40 is now available in the main repository. In addition to numerous bug fixes and stability enhancements, OpenLDAP now supports the Lightning Memory-Mapped Database (LMDB) format.

Ruby 2.3

Although Ruby 2.0 remains our default Ruby interpreter, we have added ruby23 packages to this AL1 release. Core rubygems have also been updated.

Rust 1.9 (preview)

We continue to track upstream releases of the Rust compiler, and in this release we've included version 1.7. You can install the Rust compiler by running sudo yum --enablerepo=amzn-preview install rust.

Update 2016-06-08: Rust 1.9 is now available in our preview repository.

Fresh packages

Many of our packages have been re-synced to newer upstream versions. Some of the more popular packages in 2016.03 are:

  • aalib-1.4.0

  • aws-cli-1.10.33

  • clamav-0.99

  • docker-1.9.1

  • dovecot-2.2.10

  • elfutils-0.163

  • git-2.7.4

  • glibc-2.17-106.167

  • httpd24-2.4.18

  • iproute-4.4.0

  • java-1.7.0-openjdk-1.7.0.101

  • java-1.8.0-openjdk-1.8.0.91

  • kernel-4.4.11

  • lz4-r131

  • mariadb-connector-java-1.3.6

  • mysql55-5.5.46

  • mysql56-5.6.27

  • nmap-6.40

  • nginx-1.8.1

  • openldap-2.4.40

  • php55-5.5.33

  • php56-5.6.19

  • pngcrush-1.8.0

  • postgresql93-9.3.11

  • postgresql94-9.4.6

  • python-boto-2.39.0

  • python-botocore-1.4.23

  • ruby20-2.0.0.648

  • ruby21-2.1.8

  • ruby22-2.2.4

  • ruby23-2.3.0

  • samba-4.2.10

  • systemtap-3.0

  • tomcat7-7.0.68

  • tomcat8-8.0.32

Supported Instance Types

This compatibility table shows which 2016.03 AMIs launch on each Amazon EC2 instance type.