# Using AL2023 on AWS
You can set up AL2023 for use with other AWS services. For example, you can choose an AL2023 AMI when you launch an [Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/) (Amazon EC2) instance.
For these setup procedures, you use the AWS Identity and Access Management (IAM) service. For complete information about IAM, see the following reference materials:
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/iam/)
+ [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)
**Topics**
+ [Getting started with AWS](#getting-started-aws)
+ [AL2023 on Amazon EC2](ec2.md)
+ [Using AL2023 in containers](container.md)
+ [AL2023 on AWS Elastic Beanstalk](beanstalk.md)
+ [Using AL2023 in AWS CloudShell](cloudshell.md)
+ [Using AL2023 based Amazon ECS AMIs to host containerized workloads](ecs.md)
+ [Using Amazon Elastic File System on AL2023](efs.md)
+ [Using Amazon EMR built on AL2023](emr.md)
+ [Using AL2023 in AWS Lambda](lambda.md)
## Getting started with AWS
### Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
**To sign up for an AWS account**
1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).
1. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.
When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.
### Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
**Secure your AWS account root user**
1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.
1. Turn on multi-factor authentication (MFA) for your root user.
For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.
**Create a user with administrative access**
1. Enable IAM Identity Center.
For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.
1. In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.
**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.
**Assign access to additional users**
1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.
1. Assign users to a group, and then assign single sign-on access to the group.
For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.
### Granting programmatic access
Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.
To grant users programmatic access, choose one of the following options.
****
| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/aws.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/aws.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. |
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/aws.html) |
# AL2023 on Amazon EC2
Use one of the following procedures to launch an Amazon EC2 instance with an AL2023 AMI. You can choose either the standard AMI, or the minimal AMI. For more information about the differences between the standard AMI and the minimal AMI, see [Comparing AL2023 standard (default) and minimal AMIs](AMI-minimal-and-standard-differences.md).
**Topics**
+ [Launching AL2023 using the Amazon EC2 console](#launch-from-ec2-console)
+ [Launching AL2023 using the SSM parameter and AWS CLI](#launch-via-aws-cli)
+ [Launching the latest AL2023 AMI using CloudFormation](#launch-from-cloudformation)
+ [Launching AL2023 using a specific AMI ID](#launch-by-ami-id)
+ [AL2023 AMI deprecation and life cycle](#ami-deprecation)
+ [Connecting to AL2023 instances](connecting-to-instances.md)
+ [Comparing AL2023 standard and minimal AMIs](AMI-minimal-and-standard-differences.md)
## Launching AL2023 using the Amazon EC2 console
Use the Amazon EC2 console to launch an AL2023 AMI.
**Note**
For Arm-based instances, AL2023 only supports instance types that use Graviton2 or later processors. AL2023 doesn't support A1 instances.
Use the following steps to launch an Amazon EC2 instance with an AL2023 AMI from the Amazon EC2 console.
**To launch an EC2 instance with an AL2023 AMI**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **AMIs**.
1. From the filter drop-down, choose **Public images**.
1. In the search field, enter **al2023-ami**.
**Note**
Make sure that **amazon** appears in the **Owner alias** column.
1. Select an image from the list. Under **Source**, you can determine whether the AMI is standard or minimal. An AL2023 AMI name can be interpreted by using this format:
`'al2023-[ami || ami-minimal]-2023.0.[release build date].[build number]-kernel-[version number]-[arm64 || x86_64]'`
1. The following image shows a partial list of AL2023 AMIs.
![\[A listing of AL2023 AMIs under the Source column.\]](http://docs.aws.amazon.com/linux/al2023/ug/images/launch-instance.png)
For more information about launching Amazon EC2 instances, see [Get started with Amazon EC2 Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html) in the *Amazon EC2 User Guide*.
## Launching AL2023 using the SSM parameter and AWS CLI
In the AWS CLI, you can use an AMI's SSM parameter value to launch a new instance of AL2023. More specifically, use one of the dynamic SSM parameter values from the following list, and add `/aws/service/ami-amazon-linux-latest/` before the SSM parameter value/. You use this to launch the instance in the AWS CLI.
+ `al2023-ami-kernel-default-arm64` for arm64 architecture
+ `al2023-ami-minimal-kernel-default-arm64` for arm64 architecture (minimal AMI)
+ `al2023-ami-kernel-default-x86_64` for x86\$164 architecture
+ `al2023-ami-minimal-kernel-default-x86_64` for x86\$164 architecture (minimal AMI)
**Note**
Each of the *italic* items is an example parameter. Replace them with your own information.
```
$ aws ec2 run-instances \
--image-id \
resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
--instance-type m5.xlarge \
--region us-east-1 \
--key-name aws-key-us-east-1 \
--security-group-ids sg-004a7650
```
The `--image-id` flag specifies the SSM parameter value.
The `--instance-type` flag specifies the type and size of the instance. This flag must be compatible with the AMI type that you selected.
The `--region` flag specifies the AWS Region where you create your instance.
The `--key-name` flag specifies the AWS Region's key that's used to connect to the instance. If you don't provide a key that exists in the Region where you create the instance, you can't connect to the instance using SSH.
The `--security-group-ids` flag specifies the security group that determines the access permissions for inbound and outbound network traffic.
**Important**
The AWS CLI requires that you specify an existing security group that allows access to the instance from your remote machine over port TCP:22. Without a specified security group, your new instance are placed in a default security group. In a default security group, your instance can only connect with the other instances within your VPC.
For more information, see [Launching, listing, and terminating Amazon EC2 instances](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-instances.html) in the *AWS Command Line Interface User Guide*.
## Launching the latest AL2023 AMI using CloudFormation
To launch an AL2023 AMI using CloudFormation, use one of the following templates.
**Note**
The `x86_64` and `Arm64` AMIs each require different instance types. For more information, see [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/)
`JSON` template:
```
{
"Parameters": {
"LatestAmiId": {
"Type": "AWS::SSM::Parameter::Value",
"Default": "/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64"
}
},
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t2.large",
"ImageId": {
"Ref": "LatestAmiId"
}
}
}
}
}
```
`YAML` template:
```
Parameters:
LatestAmiId:
Type: 'AWS::SSM::Parameter::Value'
Default: '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64'
Resources:
Instance:
Type: 'AWS::EC2::Instance'
Properties:
InstanceType: 't2.large'
ImageId: !Ref LatestAmiId
```
Make sure to replace the AMI parameter at the end of the "Default" section, if needed. The following parameter values are available:
+ `al2023-ami-kernel-6.1-arm64` for arm64 architecture
+ `al2023-ami-minimal-kernel-6.1-arm64` for arm64 architecture (minimal AMI)
+ `al2023-ami-kernel-6.1-x86_64` for x86\$164 architecture
+ `al2023-ami-minimal-kernel-6.1-x86_64` for x86\$164 architecture (minimal AMI)
The following are dynamic kernel specifications. The default kernel version automatically changes with each major kernel version update.
+ `al2023-ami-kernel-default-arm64` for arm64 architecture
+ `al2023-ami-minimal-kernel-default-arm64` for arm64 architecture (minimal AMI)
+ `al2023-ami-kernel-default-x86_64` for x86\$164 architecture
+ `al2023-ami-minimal-kernel-default-x86_64` for x86\$164 architecture (minimal AMI)
## Launching AL2023 using a specific AMI ID
You can launch a specific AL2023 AMI using the AMI ID. You can determine which AL2023 AMI ID is needed by looking at the AMI list in the Amazon EC2 console. Or, you can use AWS Systems Manager. If you're using Systems Manager, make sure to select the AMI alias from those that are listed in the previous section. For more information, see [Query for the latest Amazon Linux AMI IDs using AWS Systems Manager Parameter Store](https://aws.amazon.com/blogs/compute/query-for-the-latest-amazon-linux-ami-ids-using-aws-systems-manager-parameter-store/).
## AL2023 AMI deprecation and life cycle
Each new AL2023 release includes a new AMI. When the AMI is registered, it's marked with a deprecation date. The deprecation date for each AL2023 AMI is 90 days from the time it was released to match the time period that [Kernel Live Patching on AL2023](live-patching.md) is offered for each individual kernel release.
**Note**
The 90 day deprecation date refers to an individual AMI and doesn’t refer to the AL2023 [Release cadence](release-cadence.md) or product support period.
For more information about AMI deprecation, see [Deprecate an AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html) in the *Amazon EC2 User Guide*.
Regularly using an updated AMI to launch an instance ensures that the instance starts with the latest security updates, including an updated kernel. If you launch a previous version of an AMI and apply updates, there is a period of time that the instance doesn't have the latest security updates. To ensure you're using the latest AMI, we recommend that you use SSM parameters.
For more information about using SSM parameters to launch an instance, see:
+ [Launching AL2023 using the SSM parameter and AWS CLI](#launch-via-aws-cli)
+ [Launching the latest AL2023 AMI using CloudFormation](#launch-from-cloudformation)
# Connecting to AL2023 instances
Use SSH or AWS Systems Manager to connect to your AL2023 instance.
**Connect to your instance using SSH**
For instructions on how to use SSH to connect to an instance, see [Connect to your Linux instance using SSH](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html) in the *Amazon EC2 User Guide*.
**Connect to your instance using AWS Systems Manager**
For instructions on how to use AWS Systems Manager to connect to an AL2023 instance, see [Connect to your Linux instance using Session Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html) in the *Amazon EC2 User Guide*.
**Using Amazon EC2 Instance Connect**
The AL2023 AMI, excluding the minimal AMI, comes with the EC2 Instance Connect agent installed by default. To use EC2 Instance Connect with an AL2023 instance launched from the minimal AMI, you must install the `ec2-instance-connect` package. For instructions on using EC2 Instance Connect, see [Connect to your Linux instance with EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html) in the *Amazon EC2 User Guide*.
# Comparing AL2023 standard and minimal AMIs
You can launch an Amazon EC2 instance with either a standard (default) or minimal AL2023 AMI. For instructions on how to launch an Amazon EC2 instance with the standard or minimal AMI type, see [AL2023 on Amazon EC2](ec2.md).
The standard AL2023 AMI comes with all of the most commonly used applications and tools installed. We recommend the standard AMI if you want to get started quickly and aren't interested in customizing the AMI.
The minimal AL2023 AMI is the basic, streamlined version that contains only the most basic tools and utilities necessary to run the operating system (OS). We recommend the minimal AMI if you want to have the smallest OS footprint possible. The minimal AMI offers slightly reduced disk space utilization and better long-term cost efficiency. The minimal AMI is suitable if you want a smaller OS and don't mind manually installing tools and applications.
The Container image is closer to the AL2023 minimal AMI in package set.
# Comparing packages installed on Amazon Linux 2023 Images
A comparison of the RPMs present on the AL2023 AMI, Minimal AMI, and Container images.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/image-comparison.html)
# Using AL2023 in containers
**Note**
For more information about how to use AL2023 to host containerized workloads on Amazon ECS, see [AL2023 for Amazon ECS container hosts](ecs.md).
There are several ways that AL2023 can be used inside containers depending on the use case. The [AL2023 Base Container Image](base-container.md) is most similar to an Amazon Linux 2 container image and the AL2023 minimal AMI.
For advanced users, we offer a minimal container image, introduced in the AL2023.2 release, along with documentation that describes how to build [bare-bones containers](barebones-containers.md).
AL2023 can also be used to host containerized workloads, either of AL2023 based container images, or containers based on other Linux distributions. You can use [AL2023 for Amazon ECS container hosts](ecs.md), or use the provided container runtime packages directly. The `docker`, `containerd`, and `nerdctl` packages are available to be installed and used on AL2023.
**Topics**
+ [Using the AL2023 base container image](base-container.md)
+ [AL2023 Minimal container image](minimal-container.md)
+ [Building bare-bones AL2023 container images](barebones-containers.md)
+ [Comparing packages installed on Amazon Linux 2023 Container Images](al2023-container-image-types.md)
+ [Comparing packages installed on Amazon Linux 2023 Minimal AMI and Container Images](al2023-container-ami.md)
# Using the AL2023 base container image
The AL2023 container image is built from the same software components that are included in the AL2023 AMI. It's available for use in any environment as a base image for Docker workloads. If you're using the Amazon Linux AMI for applications in [Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/) (Amazon EC2), you can containerize your applications with the Amazon Linux container image.
Use the Amazon Linux container image in your local development environment and then push your application to AWS using [Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/userguide/) (Amazon ECS). For more information, see [Using Amazon ECR images with Amazon ECS](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_ECS.html) in the *Amazon Elastic Container Registry User Guide*.
The Amazon Linux container image is available on Amazon ECR Public. You can provide feedback for AL2023 through your designated AWS representative or by filing an issue in the [amazon-linux-2023 repo](https://github.com/amazonlinux/amazon-linux-2023/issues) on GitHub.
****To pull the Amazon Linux container image from Amazon ECR Public****
1. Authenticate your Docker client to the Amazon Linux Public registry. Authentication tokens are valid for 12 hours. For more information, see [Private registry authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html) in the *Amazon Elastic Container Registry User Guide*.
**Note**
The **get-login-password** command is supported using the latest version of AWS CLI version 2. For more information, see [Installing the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
```
$ aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
```
The output is as follows.
```
Login succeeded
```
1. Pull the Amazon Linux container image by running the **docker pull** command. To view the Amazon Linux container image on the Amazon ECR Public Gallery, see [Amazon ECR Public Gallery - amazonlinux](https://gallery.ecr.aws/amazonlinux/amazonlinux).
**Note**
When you pull the AL2023 Docker container image, you can use the tags in one of the following formats:
To get the latest version of the AL2023 container image, use the `:2023` tag.
To get a specific version of AL2023, you can use the following format:
`:2023.[0-7 release quarter].[release date].[build number]`
The following examples use the tag `:2023` and pull the most recent available container image of AL2023.
```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023
```
1. (Optional) Run the container locally.
```
$ docker run -it --security-opt seccomp=unconfined public.ecr.aws/amazonlinux/amazonlinux:2023 /bin/bash
```
**To pull the AL2023 container image from Docker Hub**
1. Pull the AL2023 container image using the **docker pull** command.
```
$ docker pull amazonlinux:2023
```
1. (Optional) Run the container locally.
```
$ docker run -it amazonlinux:2023 /bin/bash
```
**Note**
The container image of AL2023 uses only the `dnf` package manager to install software packages. This means that there's no `amazon-linux-extras` or equivalent command to use for additional software.
# AL2023 Minimal container image
**Note**
The standard AL2023 container images are suitable for most use cases, and adapting to the minimal container image is likely to be more work than adapting to the AL2023 base container image.
The AL2023 minimal container image, introduced in AL2023.2, differs from the base container image because it contains only the bare minimum packages needed to install other packages. The minimal container image is designed to be a minimal set of packages, not a convenient set of packages .
The AL2023 minimal container image is built from software components already available in AL2023. The key difference in the minimal container image is using `microdnf` to provide the `dnf` package manager rather than the fully featured Python based `dnf`. This enables the minimal container image to be smaller with the trade-off of not having the full feature set of the `dnf` package manager which is included in the AL2023 AMIs and base container image.
The AL2023 minimal container image forms the base of the `provided.al2023` AWS Lambda runtime environment.
For a detailed list of packages included in the minimal container image, see [Comparing packages installed on Amazon Linux 2023 Container Images](al2023-container-image-types.md).
## Minimal Container image size
Because the AL2023 minimal container image contains fewer packages than the AL2023 base container image, it is also significantly smaller. The following table compares the container image options of current and past releases of Amazon Linux.
**Note**
Image Size is as-shown on [ Amazon Linux on Amazon ECR Public Gallery](https://gallery.ecr.aws/amazonlinux/amazonlinux).
| Image | Version | Image Size | Note |
| --- | --- | --- | --- |
| Amazon Linux 1 (AL1) | 2018.03.0.20230918.0 | 62.3MB | x86-64 only |
| Amazon Linux 2 | 2.0.20230926.0 | 64.2MB | aarch64 is 1.6MB larger than x86-64 |
| Amazon Linux 2023 base container image | 2023.2.20231002.0 | 52.4MB | |
| Amazon Linux 2023 minimal container image | 2023.2.20231002.0-minimal | 35.2MB | |
## Using the AL2023 Minimal Container image
The AL2023 minimal container image is available on ECR and the `2023-minimal` tag will always point to the latest AL2023 based minimal container image, while the `minimal` tag may be updated to a newer version of Amazon Linux than AL2023.
You can pull these tags using `docker` with the following example:
```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:minimal
```
```
$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023-minimal
```
The following example shows a `Dockerfile` that takes the minimal container image and installs GCC on top of it :
```
FROM public.ecr.aws/amazonlinux/amazonlinux:2023-minimal
RUN dnf install -y gcc && dnf clean all
```
# Building bare-bones AL2023 container images
The AL2023 container image is built from the same software components that are included in the AL2023 AMI. It includes a software that enables the base container layer to behave similarly to running on an Amazon EC2 instance, such as the package manager `dnf`. This section explains how you can construct a container from scratch that includes only the bare minimum dependencies needed for an application.
**Note**
The standard AL2023 container images are suitable for most use cases. Using the standard container image makes it easy to build on top of your image. A bare-bones container image makes it more difficult to build on top of your image.
**To create a container with bare minimum dependencies for an application**
1. Determine your runtime dependencies. This will vary based on your application.
1. Construct a `Dockerfile` / `Containerfile` that builds `FROM scratch`. The following example of a `Dockerfile` can be used to build a container that contains only the `bash` shell and its dependencies.
```
FROM public.ecr.aws/amazonlinux/amazonlinux:2023 as build
RUN mkdir /sysroot
RUN dnf --releasever=$(rpm -q system-release --qf '%{VERSION}') \
--installroot /sysroot \
-y \
--setopt=install_weak_deps=False \
install bash
FROM scratch
COPY --from=build /sysroot /
WORKDIR /
ENTRYPOINT ["/bin/bash"]
```
1. This `Dockerfile` works by:
1. Starting a AL2023 container named `build`. This container will be used to bootstrap the barebones container, this container is not deployed itself, but generates the container to be deployed.
1. Creating the `/sysroot` directory. This directory will be where the `build` container will install the dependencies needed for the barebones container. In a subsequent step, the `/sysroot` path will be packaged up to be the root directory of our barebones image.
Using the `--installroot` option to `dnf` in this manner is how we create the other AL2023 images. It's a feature of `dnf` that allows installers and image creation tooling to work.
1. Invoking `dnf` to install packages into `/sysroot`.
The `rpm -q system-release --qf '%{VERSION}'` command queries (`-q`) the `system-release` package, setting the query format (`--qf`) to print out the version of the package being queried (the `%{VERSION}` variable is the `rpm` variable for the version of the `RPM`).
By setting the `--releasever` argument of `dnf` to the version of `system-release` in the `build` container, this `Dockerfile` can be used to rebuild the barebones container whenever an updated container base image of Amazon Linux is released.
It is possible to set the `--releasever` to any Amazon Linux 2023 version, such as 2023.11.20260413. Doing this would mean that the `build` container would run as the latest AL2023 version, but build the barebones container from 2023.11.20260413 regardless of what was the current AL2023 release.
The `--setopt=install_weak_deps=False` configuration option tells `dnf` to only install dependencies that are *required* rather than recommended or suggested.
1. Copying the installed system into the root of a blank (`FROM scratch`) container.
1. Setting the `ENTRYPOINT` to be the desired binary, in this case `/bin/bash`.
1. Create an empty directory and add the content of the example in Step 2 to a file named `Dockerfile`.
```
$ mkdir al2023-barebones-bash-example
$ cd al2023-barebones-bash-example
$ cat > Dockerfile < hello-world.c <
int main(void)
{
printf("Hello World!\n");
return 0;
}
EOF
$ cat > Dockerfile <
A comparison of the RPMs present on the AL2023 base container image compared with the RPMs present on the AL2023 minimal container image.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/al2023-container-image-types.html)
# Comparing packages installed on Amazon Linux 2023 Minimal AMI and Container Images
A comparison of the RPMs present on the AL2023 Minimial AMI to the RPMs present on the AL2023 base and minimal container images.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/linux/al2023/ug/al2023-container-ami.html)
# AL2023 on AWS Elastic Beanstalk
AWS Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment — from capacity provisioning, load balancing, and auto scaling to application health monitoring. For more information, see [AWS Elastic Beanstalk](https://aws.amazon.com/elasticbeanstalk/).
To use Elastic Beanstalk, you create an application, upload an application version in the form of an application source bundle (for example, a Java .war file) to Elastic Beanstalk, and then provide some information about the application. Elastic Beanstalk automatically launches an environment and creates and configures the AWS resources needed to run your code. For more information, see the [AWS Elastic Beanstalk Developer Guide](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html).
Elastic Beanstalk Linux platforms use Amazon EC2 instances, and these instances run Amazon Linux. As of August 4, 2023, Elastic Beanstalk offers the following platform branches based on Amazon Linux 2023: Docker, Tomcat, Java SE, Node.js, PHP, and Python. Elastic Beanstalk is working on releasing support for AL2023 to more Elastic Beanstalk platforms.
The full list of Elastic Beanstalk platform support and current platforms built on top of AL2023 can be found in the [Elastic Beanstalk Linux platforms](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux.html) section of the [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome).
You can find the Release Notes for new Elastic Beanstalk platforms and versions of existing platforms in the [Elastic Beanstalk Release Notes](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/relnotes.html).
# Using AL2023 in AWS CloudShell
AWS CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. You can navigate to CloudShell from the AWS Management Console a few different ways. For more information, see [How to get started with AWS CloudShell?](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html#how-to-get-started)
AWS CloudShell, which is currently based on Amazon Linux 2, will migrate to AL2023. The migration to AL2023 will begin to roll out in all AWS Regions starting on December 4, 2023. For more information about CloudShell migrating to AL2023, see [AWS CloudShell migrating from Amazon Linux 2 to Amazon Linux 2023](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html).
# Using AL2023 based Amazon ECS AMIs to host containerized workloads
**Note**
For more information on how to use AL2023 inside a container, see [AL2023 in containers](container.md).
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that helps you easily deploy, manage, and scale containerized applications. As a fully managed service, Amazon ECS comes with AWS configuration and operational best practices built-in. It's integrated with both AWS and third-party tools, such as Amazon Elastic Container Registry (Amazon ECR) and Docker. This integration makes it easier for teams to focus on building the applications, not the environment. You can run and scale your container workloads across AWS Regions in the cloud, without the complexity of managing a control plane.
You can host containerized workloads on AL2023 using the AL2023 based Amazon ECS‐optimized AMI. For more information, see the [Amazon ECS-optimized AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html)
## Changes in AL2023 for Amazon ECS compared to AL2
As with AL2, AL2023 provides the base packages required to run as an Amazon ECS Linux instance. In AL2 the `containerd`, `docker`, and `ecs-init` packages were available through `amazon-linux-extras`, whereas AL2023 includes these packages in the core repositories.
With the deterministic upgrades through versioned repositories feature, every AL2023 AMI by default is locked to a specific repository version. This is also true for the AL2023 Amazon ECS optimized AMI. All updates to your environment can be carefully managed and tested prior to deployment, as well as providing an easy way to revert to the content of a prior AMI in the event of an issue. For more information on this AL2023 feature, see [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md).
AL2023 switches to cgroup v2 over the cgroup v1 interface supported in AL2. For more information, see [Unified Control Group hierarchy (cgroup v2)](cgroupv2.md).
**Note**
AL2023 versions prior to [2023.2.20230920](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.2.20230920.html) (the first AL2023.2 release) contained a bug in `systemd` for Out-of-Memory (OOM) handling inside a cgroup. All processes in the cgroup were always killed instead of the OOM-Killer choosing one process at a time, which is the intended behavior.
This was a regression when compared to AL2 behavior, and is fixed as of the 2023.2.20230920 release of AL2023.
The code to build the Amazon ECS-optimized AMI is available on the [amazon-ecs-ami GitHub project](https://github.com/aws/amazon-ecs-ami). The [release notes](https://github.com/aws/amazon-ecs-ami/releases) describe which AL2023 version maps to which Amazon ECS AMI version.
## Customizing the AL2023 based Amazon ECS-optimized AMI
**Important**
We recommend that you use the Amazon ECS optimized AL2023 AMI. For more information, see [Amazon ECS-optimized AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide*.
You can use the same build scripts that Amazon ECS uses to create custom AMIs. For more information, see [Amazon ECS-optimized Linux AMI build script](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-ami-build-scripts.html).
# Using Amazon Elastic File System on AL2023
Amazon Elastic File System (Amazon EFS) provides serverless, fully elastic file storage so that you can share file data without provisioning or managing storage capacity and performance. Amazon EFS is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files. Because Amazon EFS has a simple web services interface, you can create and configure file systems quickly and easily. The service manages all the file storage infrastructure for you, meaning that you can avoid the complexity of deploying, patching, and maintaining complex file system configurations.
Amazon EFS supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol, so the applications and tools that you use today work seamlessly with Amazon EFS. Multiple compute instances, including Amazon EC2, Amazon ECS, and AWS Lambda, can access an Amazon EFS file system at the same time. Therefore, an EFS file system can provide a common data source for workloads and applications that are running on more than one compute instance or server.
## Installing `amazon-efs-utils` on AL2023
The `amazon-efs-utils` package is available in the AL2023 repositories to be installed and used to access Amazon EFS file systems.
**Install the `amazon-efs-utils` package on AL2023**
+ Install `amazon-efs-utils` using the following command.
```
$ dnf -y install amazon-efs-utils
```
## Mounting an Amazon EFS file system on AL2023
After `amazon-efs-utils` is installed, you can mount an Amazon EFS file system on your AL2023 instance.
**Mount an Amazon EFS file system on AL2023**
+ To mount using the file system id, use the following command.
```
sudo mount -t efs file-system-id efs-mount-point/
```
You can also mount the file system so that data in transit is encrypted using TLS, or by using the DNS name or mount target IP instead of the file system id. For more information, see [Mounting on Amazon Linux instances using the EFS mount helper](https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-helper-ec2-linux.html).
# Using Amazon EMR built on AL2023
Amazon EMR is a web service that makes it easy to process vast amounts of data efficiently using Apache Hadoop and services offered by AWS.
## AL2023 based Amazon EMR releases
Amazon EMR release 7.0.0 was the first release built on AL2023. With this release, AL2023 is the base operating system for Amazon EMR, bringing all the advantages of AL2023 to Amazon EMR. For more information, see the [Amazon EMR 7.0.0 release notes](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-700-release.html).
## AL2023 based Amazon EMR on EKS
Amazon EMR on EKS 6.13 was the first release introducing AL2023 as an option. With this release, you can launch Spark with AL2023 as the operating system, together with Java 17 runtime. For more information, see the [Amazon EMR on EKS 6.13 release notes](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/emr-eks-6.13.0.html), and all [Amazon EMR on EKS release notes](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/emr-eks-releases.html).
# Using AL2023 in AWS Lambda
With AWS Lambda, you can run code without provisioning or managing servers. You pay only for the compute time that you consume–there's no charge when your code isn't running. You can run code for virtually any type of application or backend service–all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability.
## AL2023 `provided.al2023` managed runtime and container image
The `provided.al2023` base runtime is based on the [AL2023 minimal container image](https://docs.aws.amazon.com/linux/al2023/ug/minimal-container.html), and provides an AL2023 based Lambda managed runtime and [container base image](https://gallery.ecr.aws/lambda/provided). Because the `provided.al2023` runtime is based on the AL2023 minimal container image, it is substantially smaller at less than 40 MB than the `provided.al2` runtime at around 109 MB.
For more information, see [Lambda runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) and [Working with Lambda container images](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html).
## AL2023 based Lambda runtimes
Future releases of managed language runtimes, such as Node.js 20, Python 3.12, Java 21, and .NET 8, are based on AL2023 and will use `provided.al2023` as the base image as described in the [announcement of AL2023 based runtimes](https://aws.amazon.com/blogs/compute/introducing-the-amazon-linux-2023-runtime-for-aws-lambda/) .
**AL2023 based Lambda functions**
+ [AL2023 Lambda functions written in Go](go.md#lambda-go)
+ [AL2023 Lambda functions written in Rust](rust.md#lambda-rust)
For more information, see [Lambda runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) in the *AWS Lambda Developer Guide*.